A collection point
...and some of my own.
Caught in a bad romance: Feds indict 80 alleged members of romance scam ring

Federal prosecutors today unsealed a 252-count indictment against 80 individuals – mostly Nigerian nationals – who allegedly conspired to bilk at least $46 million from victims via romance scams, business email compromises and other online fraud schemes. The grand jury indictment was filed in the Central District of California back in October 2018 and unsealed only after the arrest this morning of 14 defendants in the U.S. – 11 in the Los Angeles area, the apparent epicenter of the scam. Two others were placed in federal custody prior to the law enforcement crackdown, and another was arrested earlier this week. The remaining 63 individuals are believed to be abroad, with most in Nigeria.

Hong Kong protesters warn of Telegram feature that can disclose their identities

For the past few months, Hong Kong citizens have been protesting against an extradition bill proposed by the government of Hong Kong, which would make it easier to send Hong Kong residents to mainland China to face legal charges put forward by the Chinese state. Massive protests with over a million attendees have been taking place almost daily, due to what locals see as a massive intrusion of the Chinese state into their daily lives. In all of these protests, the Telegram instant messaging app has played a major role in helping residents organize their gatherings. For example, Telegram played a central role in a protest that took place today, with protesters forming a human chain across the city on the 30th anniversary of the Baltic Chain demonstration from 1989. The app is loved because it supports encrypted anonymous communications, and its group chatting feature has helped users organize protests and pass instructions to all attendees. A state law enforcement agency, or intelligence service, can then force local mobile telcos to disclose the names of the persons behind those phone numbers.
In the case of the Hong Kong protests, Chinese officials could get a list of people who organized or coordinated protests via Telegram. "We have suspected that some government-sponsored attackers have exploited this bug and use it to target Hong Kong protesters, in some cases posing immediate dangers to the life of the protestors."

Lenovo High-Severity Bug Found in Pre-Installed Software

Another flaw has been found in Lenovo’s decommissioned Lenovo Solution Centre software, preinstalled on millions of older-model PCs made by the world’s leading computer maker. The vulnerability is a privilege escalation flaw that can be used to execute arbitrary code on a targeted system, giving an adversary Administrator or SYSTEM-level privileges. “The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control.”

Did Denmark Make the Wrong Call on Location Data?

Danish authorities are reviewing 10,700 court cases over concerns that cellphone location-tracking data given as evidence may have been flawed. On Monday Denmark's director of public prosecutions, Jan Reckendorff, announced a two-month ban on the use of cellphone data in criminal cases while the large-scale review of verdicts is carried out. Speaking to the country's state broadcaster, Reckendorff said: “We cannot live with incorrect information sending people to prison.” Concerns were raised after police discovered a glitch in an IT system used to convert data supplied by phone companies into evidence that can be used to place a suspect at a crime scene. The identified error was fixed in March, but a second problem emerged that could potentially place an innocent person at the scene of a crime. It transpired that some cell phone tracking data had linked phones to the wrong cellphone towers.
$1.1 million Bitcoin stash will compensate victims

Grant West was arrested in September 2017 and pleaded guilty three months later in December. Earlier this year, a UK court sentenced West to 10 years and eight months in prison for multiple hacking and drug-related crimes. And his stash? Well, West didn't want to give up his Bitcoin willingly, so the judge told him he'd spend an additional four years in prison if he didn't, according to a report from The Guardian. We understand he changed his mind. Although targeted as compensation to the victims, it will probably end up covering legal fees.

Hostinger resets customer passwords after security incident

Hostinger, one of the biggest web hosting providers on the internet, has disclosed today a security incident that impacted its platform and users. The company said the hacker made API calls against a database storing the personal information of about 14 million customers, such as Hostinger usernames, customers' IP addresses, first and last names, and contact information such as phone numbers, emails, and home addresses. The database also stored information about user passwords in a hashed format. As a result, the web hosting provider said it decided to forcibly reset passwords for all impacted accounts, as it discovers affected customers.

New Zealand Dept of Conservation's mission to save the kakapo

The kakapo, native to New Zealand, is one of the world's rarest birds and is at risk of being wiped out by pests and habitat destruction. Up until last year, the New Zealand Department of Conservation relied solely on spreading toxins on the ground and placing physical traps across over 8 million hectares of land in New Zealand to keep the biggest predators of the kakapo – rats, possums, and stoats – at bay. But it was not working, so: "We built a new database last year for us to manage the digital twin of every one of these birds. We've been able to share this externally.
It made the life of every ranger looking after the kakapo a lot easier; since building the database we have had the most successful [kakapo] breeding season ever, growing from 137 birds to 200 birds."

Mastercard says German Priceless Specials loyalty program breached

The data breach revealed information such as names, payment card numbers, email addresses, home addresses, phone numbers, gender and dates of birth from 90,000 mostly German customers, said the Belgian Data Protection Authority, which “is working closely with its German counterpart and the other competent authorities to defend the interests of the persons affected by this incident.”

Judge Orders Woman in Capital One Case to Remain in Custody

Paige Thompson, aka Erratic, has been ordered to remain in custody pending trial because she is a flight risk and poses a physical danger to herself and others. U.S. Magistrate Judge Michelle Peterson said Paige Thompson’s “bizarre and erratic” behavior makes her a risk. The judge also said Thompson has no stable employment, residence or ties to the community and has stated that she wanted to die. Thompson got caught earlier this year with PII from 106 million Capital One credit card holders and data from 30 other companies. At least 40 lawsuits have been filed in the U.S. against Capital One following the breach (8 more have been filed in Canada).

Astronaut accused of identity theft, accessing estranged wife’s bank account, from International Space Station

Lt. Colonel Anne McClain, who recently made headlines when a scheduled historic all-female spacewalk was scrapped because her spacesuit didn’t fit, has been accused of identity theft and unauthorized access of financial records after she accessed the bank account of Summer Worden, using Worden’s login information, via a NASA computer on the ISS.
After Worden discovered the intrusion, which she contended was motivated by McClain’s desire to get custody of Worden’s son, she reported it to the Federal Trade Commission (FTC) and to NASA, according to a report by the New York Times.

More on that “New Encryption Technology”...

Crown Sterling, a Newport Beach, California-based biz that calls itself "a leading digital cryptographic firm," is suing UBM, the UK-based owner of the Black Hat USA conference, in America for allegedly violating its sponsorship agreement. The complaint, filed late last week in a New York district court, blames the conference organizers for allowing Black Hat attendees to disrupt Crown Sterling's talk about supposedly disruptive cryptographic technology – a presentation Crown Sterling paid $115,000 to present to hackers. Described as "Snake Oil Crypto", the heckling spilled online. One Black Hat attendee said Crown Sterling was trying to "mix mysticism and magic into science" and that "none of it made any sense. The kinds of things they were discussing can't be found in the realm of reality," he said. The paper, published without peer review on preprint server ArXiv, garnered these comments: "At best, it's badly worded stuff. At worst, there's a fundamental misunderstanding of algebra."

61 impacted versions of Apache Struts left off security advisories

61 unique versions of Struts were affected by at least one previously disclosed vulnerability but were either not reported or reported incorrectly, and so were left off the security advisories for those vulnerabilities. The analysis was done by the Black Duck Security Research (BDSR) team, which investigated 115 distinct releases of Apache Struts and correlated those releases against existing Apache Struts Security Advisories.

Brooklyn man sentenced to just under 5 years for $1M in fraud
Between 2008 and last year, Elcock and co-conspirator Shoshana Marie McGill bought stolen financial and identity data on tens of thousands of businesses and individuals, according to the Department of Justice. They also obtained this material by hacking victims’ email accounts, bank accounts and password vaults. The duo then monetized the stolen data by: buying goods online with victims’ card data, which they resold; opening new lines of credit in other people’s names; transferring money out of victim bank accounts; creating and cashing fraudulent checks in victims’ names; and selling the data and check-making kit to other fraudsters in return for a cut of their earnings.

UK Teen Gets 2 years

19-year-old Elliot Gunton, of Norwich, was sentenced at Norwich Crown Court on Friday after pleading guilty to multiple offenses, including money laundering, hacking Australian Instagram accounts, and breaching a Sexual Harm Prevention Order. Specifically, Gunton offered to supply stolen personal information to those that hired him. This information, which could include personally identifiable information (PII) such as names, addresses, and online account details, could then be used to commit fraud and SIM-swapping attacks. Payments were made in cryptocurrency including Bitcoin (BTC) in an attempt to mask his activities. Business was booming for Gunton, it seems, considering that he must pay back over £400,000 ($484,000).

Class action facial recognition lawsuit given the go-ahead to pursue Facebook

Yes, yet another US court has reaffirmed that Facebook users can indeed sue the company over its use of facial recognition technology.
Though a stream of courts has refused to let Facebook wiggle out of this lawsuit – and boy oh boy, has it tried – this is the first decision of an American appellate court that directly addresses what the American Civil Liberties Union (ACLU) calls the “unique privacy harms” of the ever-more ubiquitous facial recognition technology that’s increasingly being used without our knowledge or consent. Judge Sandra Segal Ikuta wrote that the court concludes that Facebook’s development of a “face template” using facial recognition, allegedly without consent, could well invade an individual’s privacy rights: "The facial-recognition technology at issue here can obtain information that is ‘detailed, encyclopedic, and effortlessly compiled,’ which would be almost impossible without such technology." The lawsuit was originally raised in Illinois, whose Biometric Information Privacy Act (BIPA) bans collecting and storing biometric data without explicit consent, including “faceprints,” before being moved to California.

‘NULL’ license plate gets security researcher $12K in tickets

A vanity plate reading “NULL” sounded good to security researcher/hacker “Droogie,” at least in theory: maybe it would make his plate invisible to Automatic License Plate Reader (ALPR) systems?! Maybe entering the characters – NULL is the marker used in Structured Query Language (SQL) databases to indicate that a data value doesn’t exist – would just return error messages when his plate was spotted during one of his traffic violations…? That’s not what happened, he told an audience at the recent Defcon security conference. Instead, $12,000 in traffic violation fines happened. "I thought, ‘I’m gonna be invisible.’ Instead, I got all the tickets." Every single speeding ticket earned by cars that lacked valid license plates wound up getting assigned to Droogie’s car – turning it into a veritable NULL bucket.
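The NULL-bucket effect is easy to reproduce. The following is an added example written for this update, not code from Droogie's talk or from any DMV system: a toy citation database where the ticket importer records "no readable plate" either as the string 'NULL' (the data-modeling mistake) or as a real SQL NULL. An equality join then shows why the string version hands every orphan ticket to whoever registered the plate "NULL", while a real NULL never matches anything. All plates, owners and fines are constructed for the demo.

```python
"""
Added example (not from the original post): NULL the SQL marker versus
"NULL" the string. Storing a missing plate as the string 'NULL' makes every
plate-less citation join onto a vanity plate that really reads NULL.
All data below is constructed for the demo.
"""
import sqlite3


def build_db(missing_plate_marker):
    """Create an in-memory citation database.

    missing_plate_marker is what the ticket import writes when no plate was
    read: the string "NULL" (buggy) or None, which sqlite3 stores as SQL NULL.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plates (plate TEXT, owner TEXT)")
    conn.execute(
        "CREATE TABLE citations (id INTEGER PRIMARY KEY, plate TEXT, fine_usd INTEGER)")
    # Constructed registry: one genuine "NULL" vanity plate and one ordinary plate.
    conn.executemany("INSERT INTO plates VALUES (?, ?)",
                     [("NULL", "Droogie"), ("ABC123", "Alice")])
    # Constructed citations: one for Alice, one real ticket for the NULL plate,
    # and three where the officer/ALPR recorded no plate at all.
    rows = [("ABC123", 150), ("NULL", 100),
            (missing_plate_marker, 300),
            (missing_plate_marker, 250),
            (missing_plate_marker, 400)]
    conn.executemany("INSERT INTO citations (plate, fine_usd) VALUES (?, ?)", rows)
    return conn


def fines_by_owner(conn):
    """Total fines per registered owner, via the equality join a billing
    system would naively use. SQL NULL = anything is never true, so real
    NULL citations attach to nobody; the string 'NULL' attaches to Droogie."""
    cur = conn.execute(
        "SELECT p.owner, COALESCE(SUM(c.fine_usd), 0) "
        "FROM plates p LEFT JOIN citations c ON c.plate = p.plate "
        "GROUP BY p.owner ORDER BY p.owner")
    return dict(cur.fetchall())


def unassigned_citations(conn):
    """Citations with no plate; these should be investigated, not billed."""
    cur = conn.execute("SELECT COUNT(*) FROM citations WHERE plate IS NULL")
    return cur.fetchone()[0]


if __name__ == "__main__":
    for label, marker in (("string 'NULL' (buggy)", "NULL"), ("SQL NULL (correct)", None)):
        db = build_db(marker)
        print(f"{label}: fines={fines_by_owner(db)} unassigned={unassigned_citations(db)}")
```

The fix is in the importer, not the query: a missing value must be stored as NULL (or the column made NOT NULL with a separate "unreadable plate" flag), and downstream code must use `IS NULL` rather than comparing against a sentinel string.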
Fortunately for Droogie, the $12,000 worth of fines for the NULL plate to date were scrapped by police, but apparently he's still getting tickets. Poor Droogie.

No more secret recordings from your Nest Cam

The setting that enabled users to turn off the status light is being removed on all new cameras. When the cameras’ live video is streamed from the Nest app, the status light will blink. The update will be done over-the-air for all Nest cams: Google’s update notice said that the company was rolling out the changes as of Wednesday, 14 August 2019 – in furtherance of Google’s newest commitment to privacy.

UK: Police catch braggart DDoS-er

A UK man who DDoS-ed police websites was caught and imprisoned after he jeered at police about the attacks on social media. Liam Reece Watts, 20, targeted the Greater Manchester Police (GMP) website in August 2018 and then the Cheshire Police site in March 2019, according to ITV News. Both of the public-facing websites were disabled for about a day each, The Register reported. According to news outlets and Watts’s Twitter posts, the distributed denial-of-service (DDoS) attacks were done in retaliation for Watts having been convicted of calling in bomb hoaxes just days after the 2017 Manchester Arena suicide attack left 22 people dead and 500 injured. Watts, who was 19 at the time of the DDoS attacks, was caught after he taunted police through Twitter. He used the handle Synic. Last Monday, he was sentenced to 16 months in a young offenders’ institution, was given a five-year restraining order to stop him from deleting his browsing history, and had to hand over his computers for destruction. (One assumes the restraining order pertains to whatever computer(s) he buys to replace the demolished ones.) Watts was also handed a victim surcharge tax of £140 (USD $169).
“Sorry”, Microsoft won’t shift on AI recordings policy

Microsoft recently admitted that humans sometimes hear your sensitive voice conversations, but that doesn’t mean it’s going to stop. Rather than abandoning the use of human contractors to improve its AI accuracy, the company has simply decided to be more transparent about it. Earlier this month, Microsoft was found sharing conversations with its Skype Translator product, an AI-powered system that translates in near real-time between 10 languages. It also let contractors listen to audio from user conversations with its Cortana voice assistant. Whereas other companies have made a cursory effort to suspend the sharing of voice recordings from AI technology, Microsoft has instead just updated its privacy policy.

US: Galaxy S10 is the first US DoD approved 5G phone

“Samsung Electronics America, Inc., announces that its flagship products continue to obtain federal certification with the recent approval of the Samsung Galaxy S10 series. Note9 and Galaxy S9 join the Galaxy S8/S8+ and Note8 in receiving the Security Technical Implementation Guide (STIG) approval necessary for deployment within the Department of Defense (DoD),” reads the official announcement published by Samsung. “With the full S10 series approved, including the S10 5G, this marks the first 5G device to receive STIG approval for the US federal government that will allow the federal workforce to take advantage of 5G-enabled environments.”

Uganda, Zambia Deny Huawei Helped Spy on Political Opponents

The Wall Street Journal (WSJ) reported last week that Huawei technicians helped the two African governments intercept communications and social media activity of their opponents, while also tracking their movements. The article also reported that Huawei operated a video and cyber surveillance system in Algeria, which the company denied. (Algeria's foreign ministry did not respond to requests for comment.)
In Uganda, WSJ reported that Huawei technicians helped Ugandan authorities use spyware to monitor pop star turned opposition icon Bobi Wine. Wine, whose real name is Robert Kyagulanyi, became a lawmaker in 2017 and is preparing to challenge President Yoweri Museveni in Uganda's 2021 presidential election. According to The Wall Street Journal, Huawei's assistance enabled Ugandan authorities to disrupt Wine's plans for concerts they feared would turn into political rallies.

Ransomware attack hits local Texas government

A wide-ranging ransomware attack has hit 23 government entities in Texas, most of them “smaller, local governments. At this time, the evidence gathered indicates the attacks came from one single threat actor," the Texas Department of Information Resources (DIR) confirmed Saturday. The attack took place on Friday morning, August 16, US time, when several smaller local Texas governments reported problems with accessing their data to the DIR.

Point-of-sale breach hits Hy-Vee locations

Iowa-based Hy-Vee, one of the biggest employee-owned supermarket chains in the US with over 250 stores, is warning customers that card transactions made at Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Expresses, and Wahlburgers) may have been recorded by hackers. Customers who believe they might have had their card data compromised should check credit card statements regularly for suspicious transactions. "If you see an unauthorized charge, immediately notify the financial institution that issued the card because cardholders are not generally responsible for unauthorized charges reported in a timely manner".

Chrome add-on notifies of leaked password use, but only 26% change it on warning
In March this year, after Google released a Chrome extension called Password Checkup to check whether people's username and password combinations had been stolen or leaked from website databases, computer scientists at Stanford University gathered anonymous telemetry from 670,000 people who installed the add-on. In the data from 21M logins, they found that only 1.5% used exposed credentials. "Our results highlight how surfacing actionable security information can help mitigate the risk of account hijacking." The risk, to which the title of the paper alludes, is credential stuffing (which we covered in last week's SMU).

4.1B Records Exposed in Breaches in First Half of 2019

Tara Seals: Across the board, email addresses and passwords remain prized targets, with email addresses exposed in approximately 70 percent of reported breaches and passwords exposed in approximately 65 percent of reported breaches. Troves of username and password combinations continue to become available on forums and file-sharing sites, according to the report, while phishing for access credentials – a perennially popular method for gaining access to systems and services – is surging. Businesses accounted for 67 percent of reported breaches and 84.6 percent of records exposed. This was followed by medical (14 percent), government (12 percent) and education (7 percent).

UK ICO Investigates Facial Recognition Technology in King's Cross

The UK Information Commissioner's Office (ICO) has launched an investigation into the use of facial recognition technology in London's King's Cross station area, calling the technology "a potential threat to privacy that should concern us all." The announcement followed news of the technology's use at Granary Square, a large, private development nearby. Granary Square is a 67-acre development comprising 50 buildings. Press reports detailing the use of facial recognition in security cameras at the site first surfaced on Monday.
According to the Guardian, its developers, Argent, Hermes Investment Management and AustralianSuper, admitted to using facial recognition technology "in the interest of public safety and to ensure that everyone who visits has the best possible experience."

CafePress Slammed After Major Breach Affecting 23 Million

Online merchandise store CafePress has been criticized for poor incident response and cybersecurity after it emerged that over 23 million customers had their personal data stolen. Breach notification site HaveIBeenPwned? was apparently the first many customers heard about the incident, which it said occurred in February this year. “The exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes,” it said in a brief note. The site appears to have been notified about the incident by security researcher Jim Scott. There still doesn’t appear to be any kind of notification on the official CafePress website or Twitter feed. In fact, according to some customers who logged in to their accounts, the firm is forcing users to change their credentials, but merely as part of a claimed ‘update’ to its password policy. “The bad habit of user password reuse means that while CafePress logins may be protected by the forced password reset, any re-use of passwords may lead to consequences for users. Sadly withholding this information is a very bad practice.”

Credential stuffing - What is it?

Credential stuffing attacks are becoming a frequent threat, as companies such as PCM, Sky, Dunkin’ Donuts, State Farm and, last week, Transport for London (TfL) learned with their Oyster cards. So what are they?
Wikipedia says, "Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. The attacker automates the logins for thousands to millions of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks like Sentry MBA".

What can you do to prevent becoming a victim of this type of attack? Figure out a system for yourself where you have a different password for every website you visit. "What? I could never remember all that" ... you won't need to. Let me explain.

First: consider creating a unique e-mail address not containing your username, and a unique password, to use with each account.

Next: start with a new Gmail account. As an example, I might create an account called [email protected] and use it as a name at various sites with the website name or the first 3 letters of the site name appended to the end. For AWS it becomes [email protected]. Gmail drops anything after the +, so it's still [email protected], and any mail going to that account can be forwarded from that account to my primary account, but it's unique as a username. (Just remember that Google tracks purchases by reading your e-mails, as covered in a previous weekly update.)

Next, consider a similar scheme for your passwords. These can be tracked in something as simple as a password manager or an encrypted spreadsheet.

Put 2-factor/multi-factor authentication in place for every website that supports it. Even SMS beats just a password, and authenticator mechanisms like Google Authenticator, Authy or the new open source andOTP are better options.
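The advice above is the user's side. The site operator's side is noticing a stuffing run in the login logs: unlike ordinary password guessing, one source tries many distinct usernames, each only once or twice, and almost all of them fail. The following is an added example written for this update, not code from any of the companies named or from Wikipedia; the log line format, the thresholds, and the IP addresses and usernames are all constructed for the demo.

```python
"""
Added example (not from the original post): flag credential-stuffing sources
in web-server login logs. Assumed line format:
    <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
The sample log, thresholds and addresses are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: 203.0.113.9 sprays ten different accounts in ten seconds
# (one of them succeeds); 198.51.100.7 is a single user mistyping a password;
# 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2019-08-20T10:00:01 ip=203.0.113.9 user=alice result=fail
2019-08-20T10:00:02 ip=203.0.113.9 user=bob result=fail
2019-08-20T10:00:03 ip=203.0.113.9 user=carol result=ok
2019-08-20T10:00:04 ip=203.0.113.9 user=dave result=fail
2019-08-20T10:00:05 ip=203.0.113.9 user=erin result=fail
2019-08-20T10:00:06 ip=203.0.113.9 user=frank result=fail
2019-08-20T10:00:07 ip=203.0.113.9 user=grace result=fail
2019-08-20T10:00:08 ip=203.0.113.9 user=heidi result=fail
2019-08-20T10:00:09 ip=203.0.113.9 user=ivan result=fail
2019-08-20T10:00:10 ip=203.0.113.9 user=judy result=fail
2019-08-20T10:01:00 ip=198.51.100.7 user=alice result=fail
2019-08-20T10:01:05 ip=198.51.100.7 user=alice result=fail
2019-08-20T10:01:09 ip=198.51.100.7 user=alice result=ok
2019-08-20T11:30:00 ip=192.0.2.44 user=bob result=ok
"""


def parse(log_text):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"])


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=8, max_success_ratio=0.2):
    """Return {ip: stats} for sources that, within any sliding time window,
    hit at least min_users distinct accounts with a low success ratio.
    The stats describe the widest such window seen for that source."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse(log_text):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, r in win if r == "ok")
            ratio = successes / len(win)
            if len(users) >= min_users and ratio <= max_success_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "successes": successes,
                        # Accounts where a stuffed pair worked: force a reset and notify.
                        "compromised": sorted(u for _, u, r in win if r == "ok"),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The distinct-user count is what separates stuffing from a locked-out user or a brute force against one account, and the success ratio separates it from a shared NAT address where many real people log in. Tune both to your own traffic; the accounts listed under "compromised" are the ones whose reused password has just been confirmed valid and should be reset regardless of whether the source is blocked.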
When a website is compromised (plan on that happening these days), you won't have to worry about your other accounts being compromised too!

iPads to steer destroyers?

The Navy destroyer USS John S. McCain crashed into a chemical tanker in a shipping lane off Singapore in August 2017. The investigation found multiple causes, but among them was confusion created when throttle and steering functions were split between two different iPad consoles. Control of the port and starboard throttles was split between two helm stations, so when a helmsman thought he was slowing both throttles he was in fact only slowing one, causing a sharp turn into the tanker. Another issue raised was ships' AIS (Automatic Identification System) receivers. These are currently based on laptops relying on a cable connection to other systems. Sailors complained that the laptops were often stuck behind other equipment and hard to access.

South Wales Police Slammed for New Facial Recog App

South Wales Police in the UK are set to begin a trial of controversial facial recognition technology this month, even as rights groups challenge its legality in the courts. The police force is reported to be using hardware from NEC and an in-house developed software UI to provide it with a second set of eyes to scan crowds of people and identify those that may be on a watch list. The app-based automatic facial recognition (AFR) system measures the distance between individuals’ facial features to match those on the list with people in a crowd. However, it has been heavily criticized: a report from Big Brother Watch last year claimed that false positives in a trial by the Metropolitan Police reached 98%, while South Wales Police stored images of 2400 innocent people incorrectly matched by AFR for a year without their knowledge.

DEF CON 2019: Picture Perfect Hack of a Canon EOS 80D DSLR

This one had me giggling: crypto malware on your digital SLR. "All your pictures have been encrypted".
Security researcher Eyal Itkin discovered several security vulnerabilities in the firmware of Canon cameras that can be exploited over both USB and WiFi, allowing attackers to compromise and take over the camera and its features. All these vulnerabilities, listed below, reside in the way Canon implements Picture Transfer Protocol (PTP) in its firmware, a standard protocol that modern DSLR cameras use to transfer files between the camera and a computer or mobile device over a wired (USB) or wireless (WiFi) connection.

NSA program trains high school students in work study program

The National Security Agency (NSA) is tapping high school students, as part of a work study program, to polish their cyber skills and lure them into careers in intelligence. “Once they’re here they get that sense of purpose from what they’re doing every day and they see that they can do things here that they can’t do anywhere else,” a CNN report cited an NSA recruiter as saying. “We want to get them in and get them interested early to the mission so they can have a long career here. There’s more emphasis now on student programs than I think there’s ever been to try to get them when they’re young.” Participants in the program, which is 150 students strong, must obtain top secret security clearance to handle ultra-sensitive information.

Over 40 Drivers Could Let Hackers Install Persistent Backdoor On Windows PCs

A team of security researchers has discovered high-risk security vulnerabilities in more than 40 drivers from at least 20 different vendors that could allow attackers to gain the most privileged permissions on the system and hide malware in a way that remains undetected over time, sometimes for years. For sophisticated attackers, maintaining persistence after compromising a system is one of the most important tasks, and to achieve this, existing hardware vulnerabilities sometimes play an important role. Worse, all the vulnerable drivers, covering kit from the vendors listed below, have been certified by Microsoft.
American Megatrends International (AMI), ASRock, ASUSTeK Computer, ATI Technologies (AMD), Biostar, EVGA, Getac, GIGABYTE, Huawei, Insyde, Intel, Micro-Star International (MSI), NVIDIA, Phoenix Technologies, Realtek Semiconductor, SuperMicro, Toshiba and 3 more that could not be divulged due to security concerns.

Should Facebook have a “quiet period” of no algorithm changes before a major election?

Jennifer Grygiel: Several Facebook News Feed updates leading up to the 2016 U.S. election disadvantaged traditional news sources and favored less reliable information shared by your uncle. Should regulation keep the playing field static? In mid-2015, Facebook introduced a major algorithm change that pivoted readers away from journalism and news, to deliver more updates from their friends and family. The change was couched in friendly language suggesting Facebook was trying to make sure users didn’t miss stories from friends. But social media data shows that one effect of the change was to reduce the number of interactions Facebook users had with credible news outlets. A few months before the 2016 election, an even bigger algorithm change toward friends and family posts took a second toll on publisher traffic. A wide range of news publishers found that their content was significantly less visible to Facebook users. In my research, I looked at Facebook engagement for mainstream news outlets surrounding the 2016 election. My findings support others’ conclusions that Facebook’s algorithm greatly suppressed public engagement with these publishers. Voter interest in the presidential election was higher in 2016 than in the previous two decades, and misinformation was rampant. Facebook’s changes meant that key news organizations across the political spectrum had a harder time getting the word out about credible election news and reporting.
Just after the election, reporter Craig Silverman’s research at BuzzFeed showed that fake election news had outperformed “real news.” In late 2018, Facebook’s own company statement revealed issues with how its algorithm rewarded “borderline content” that was sensational and provocative, like much of the hyperpartisan news that trended in advance of the election. More recent research by Harvard’s Shorenstein Center shows that Facebook traffic continued to decrease significantly for publishers after a further Facebook algorithm change in January 2018. In the financial industry, “quiet periods” in advance of major corporate announcements seek to prevent marketing and public relations efforts from artificially influencing stock prices. Similar protections for algorithms against corporate manipulation could help ensure that politically active, power-seeking Facebook executives – or any other company with significant control over users’ access to information – can’t use their systems to shape public opinion or voting behavior.

Hack of High-End Hotel Smart Locks Shows IoT Security Fail

The name of the hotel group has been withheld over security concerns, but here is how the compromise works. First, on Android devices, the white hat hackers enabled debug mode and activated the HCI snoop log, while on iOS devices they installed the Apple Bluetooth Debug Certificate. Then, to actually monitor the traffic, they used wireless sniffers, which are packet analyzers that capture data on wireless networks; this can be done with classic tools like Wireshark live view or the Adafruit Bluefruit LE Sniffer (though the researchers created their own tool for a more reliable attack). After monitoring the traffic and specifically inspecting the credential packet, the hackers found the mobile key system to be vulnerable to a key stealing attack, which would allow them to circumvent the vendor’s method of replay protection.
They then developed an exploit that allowed them to perform an array of malicious functions. There are some drawbacks: an attacker would need to be local and would need to identify the lock’s MAC address in advance. However, with these requirements met, the researchers were able to break into a hotel room.

Update Issues

After discovering the vulnerabilities, the white hat hackers first notified the lock vendor on April 18. In May, the vendor acknowledged the vulnerability, and on June 28 the vendor discussed update plans; however, the system remains unpatched as of last Thursday.

And from Black Hat

Phony Phones: These phones look great, but they're actually low-cost fakes from China. Each costs about $50 and comes preloaded with malware for no extra charge! The bogus iPhone is particularly impressive. It runs a highly modified version of Android that's a dead ringer for iOS.

Heavy dependence on GPS? GPS is great; it helps you get where you need to go and you don't have to keep a musty atlas in your car anymore. But Global Navigation Satellite Systems (GNSS) like GPS are easily spoofed, and that's a problem if you're designing an autonomous vehicle that relies too heavily on GNSS. A fundamental problem with GNSS systems, Murray said, is that they lack integrity mechanisms. That means there's no way for the receiving antenna to know if the signal it sees is legitimate. GNSS signals are also very low power, meaning it's easy to drown out legitimate GNSS broadcasts with malicious ones. Murray put it in blunt terms: "All of our receivers are susceptible to spoofing." In the demo, the team changed the velocity data to make it appear that the car was going faster, causing it to miss its turn and drive itself off the road. In another example, the team sent bogus signals indicating that the car was stopped as it slowed to approach an intersection. In a video showing the attack, the car starts to turn and lurch erratically. "As soon as it stops it becomes unstable," said Murray.
"It has no feedback and doesn't know where to turn."

Pwned by Text. Every now and again you'll see a story about a security company or a government that has a super-secret iPhone vulnerability it's using for some such nefarious activity. One Google security researcher wondered if such things could really exist, and found 10 bugs in the process. In the end, she and her colleague were able to extract files and partially seize control of an iPhone just by sending it text messages.

APT41 Is Not Your Usual Chinese Hacker Group. APT41 is 'highly agile and persistent.' In one instance, the group deployed over 150 unique pieces of malware in a year-long campaign against a single target. But what makes APT41 unique are the efforts it has allegedly taken to enrich itself. Security firm FireEye identified two forum users trading under the names "Zhang Xuguang" and "Wolfzhi" who advertised their hacking skills. The hours of operation of these accounts match the hours when APT41 is actively attacking video game targets, suggesting APT41 is taking jobs on the side — "moonlighting." In order to bring in revenue, "APT41 has manipulated virtual currencies and even attempted to deploy ransomware," writes FireEye. APT41 has allegedly targeted developers, breaking into their networks and stealing digital certificates in order to sign malicious code. Properly signed, this malware is accepted as legitimate, allowing it to be distributed to targets. FireEye describes this as a "supply chain" attack, and says it's a hallmark of APT41's operations. APT41 has enjoyed much success, but its best trick appears to be its pursuit of profit. "APT41's links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them," writes FireEye. "It is also possible that APT41 has simply evaded scrutiny from Chinese authorities."
5G is better, but there are weaknesses. At the heart of the attacks demonstrated at Black Hat is a mechanism modems use to communicate with cellular base stations and the core network to which those base stations are connected. Each modem has a little list inside of it that outlines what the modem is allowed to do. These are called capabilities, Shaik explained, and are set by the companies that build the modems. For example, a phone will have a voice calling capability enabled, while a smart fridge will probably have the voice calling capability disabled. There are "thousands of optional features defined for the modem." And they all get passed in clear text before the encrypted communication begins. This allows network mapping of device type, manufacturer and use. Bidding down means a rogue interceptor can reset the communication speed low enough to wreak havoc (for up to 7 days), and the last weakness is forcing a device out of power-save mode, causing it to run down in a fraction of its intended lifespan.

And that Boeing 787 hack. Well, it turns out Ruben Santamarta, who made the discovery, has a fear of flying; his research tells you why, but because he won't board a plane it remains largely untested. Boeing says, "Nothing to worry about," but peers see it differently. He has deconstructed the firmware and found that all navigation (IDN), entertainment (CDN) and inflight radio (ODN) come together into one cabinet. First suggestion? Triggering a firmware update while in flight. Boeing isn't talking, but expect more on this topic over the coming months.

Amazon's New 'Prime Air' Drone Can Morph From Helicopter to Plane

The redesigned Prime Air drone is a 'hybrid' craft, which can take off and land like a helicopter, but also glide through the air like a plane. The FAA on Wednesday also gave the company a special certificate to run R&D-related flights with the drone.
"Through the use of computer-vision techniques we've invented, our drones can recognize and avoid wires as they descend into, and ascend out of, a customer's yard," Amazon said. The goal of "Prime Air" is to create a fully electric machine capable of flying up to 15 miles that can also deliver a package under five pounds within 30 minutes.

US military purchased $32.8m worth of electronics with known security risks

These acquisitions were made by Army and Air Force employees using payment cards issued by the government for micro-purchases of under $10,000. As a result of these purchases, the Department of Defense (DOD)'s Inspector General (IG) believes the Army and Air Force are introducing vulnerable equipment into their networks that may be exploited by US adversaries. The report specifically listed Lexmark printers, GoPro cameras, and Lenovo computers as examples of problematic products. Purchasing printers from Lexmark was a big mistake, auditors said, citing a 2018 Congressional report on supply chain vulnerabilities that warned against using Lexmark devices, claiming the China-based company had connections to the Chinese military and the country's nuclear and cyberespionage programs. In addition, the DODIG also pointed out that Lexmark printers have been impacted by more than 20 vulnerabilities in the past, "including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer." Furthermore, the Army and Air Force also bought 117 GoPro action cameras worth nearly $98,000. "However, the cameras have vulnerabilities that could allow a remote attacker access to the stored network credentials and live video streams," auditors said. In 2006, the State Department banned the use of Lenovo computers on their classified networks after reports that Lenovo computers were manufactured with hidden hardware or software used for cyberespionage.
The DHS issued a similar warning in 2015 about Lenovo computers containing pre-installed spyware, along with various critical vulnerabilities. The DODIG report blamed these purchases on DOD management errors. Auditors said the DOD failed to establish a department to develop a strategy for managing cybersecurity risks, one which could put together a list of approved products that DOD staffers could consult before making purchases.

And because the DoD is having such a tough time sorting out its shopping lists, two senators introduced.... Wait for it... the MICROCHIPS act, short for Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply (MICROCHIPS), in an attempt to get the US government to pass a law for the creation of a state agency for testing hardware and software that goes into the supply chain of the US military and other federal agencies. Honestly, I couldn't make this up.

E3 Website Accidentally Doxed Contact Info for 2,000 Journalists

For some reason, E3's public website featured a link to a spreadsheet containing the sensitive information, which includes email addresses, postal addresses and phone numbers for media members who attended the annual gaming show. The "doxing" from the E3 leak risks unleashing a new wave of harassment on the gaming media when many gaming journalists already face personal attacks from online trolls who disagree with their reviews and viewpoints. The danger was underscored in 2014 during the Gamergate controversy, when an online harassment campaign targeted several women in the gaming industry and resulted in death and rape threats against them.

My browser, the spy: How extensions slurped up browsing histories from 4M users

Dan Goodin, for Ars Technica: DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google's account, had as many as 4.1 million users.
These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.”

As the founder of Internet hosting service Host Duplex, Sam Jadali first looked into Nacho Analytics late last year after it published a series of links that listed one of his client domains. Jadali said he was concerned because those URLs led to private forum conversations—and only the senders and recipients of the links would have known of the URLs or would have the credentials needed to access the discussion. So how had they ended up on Nacho Analytics? He forensically tested more than 200 different extensions, including one called "Hover Zoom"—and found several that uploaded a user's browsing behavior to developer-designated servers. But none of the extensions sent the specific links that would later be published by Nacho Analytics.

He correlated time stamps posted by Nacho Analytics with the time stamps in his own server logs, which were monitoring the client’s domain. That’s when Jadali got the first indication he was on to something; two of his three users told him they had viewed the leaked forum pages with a browser that used Hover Zoom. He set up a fresh installation of Windows and Chrome, then used the Burp Suite security tool and the FoxyProxy Chrome extension to observe how Hover Zoom behaved. This time, though, he found no initial sign of data collection, so he remained patient. Then, he said, after more than three weeks of lying dormant, the extension uploaded its first batch of visited URLs. Within a couple of hours, he said, the visited links, which referenced domains controlled by Jadali, were published on Nacho Analytics.
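The time-stamp correlation Jadali describes above, as an added example that is not code from the article or from his investigation: given a feed of published (leaked) URLs with their publication times and the access log of the site they point to, find the visits that could have been the source of each leak and rank users by how many leaked URLs they visited in-window. All URLs, user names, IP addresses and log lines below are constructed sample data, and the 30-day default window is an assumption sized to the multi-week dormancy the article reports.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample of published (leaked) links: publication time in UTC and URL.
LEAKED = [
    ("2019-01-14T15:02:00", "https://forum.example.net/private/thread/4471"),
    ("2019-01-14T15:02:00", "https://forum.example.net/private/thread/4472"),
    ("2019-01-14T15:02:00", "https://forum.example.net/public/faq"),
]

# Constructed combined-format access log lines for the forum host (not real traffic).
ACCESS_LOG = """\
203.0.113.10 - alice [14/Jan/2019:12:40:11 +0000] "GET /private/thread/4471 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Chrome/71.0"
198.51.100.7 - bob [14/Jan/2019:12:41:30 +0000] "GET /private/thread/4472 HTTP/1.1" 200 4981 "-" "Mozilla/5.0 Chrome/71.0"
203.0.113.10 - alice [14/Jan/2019:12:45:02 +0000] "GET /private/thread/4472 HTTP/1.1" 200 4981 "-" "Mozilla/5.0 Chrome/71.0"
192.0.2.55 - carol [13/Jan/2019:09:00:00 +0000] "GET /private/thread/4471 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/64.0"
203.0.113.10 - alice [14/Jan/2019:12:50:00 +0000] "GET /public/faq HTTP/1.1" 200 900 "-" "Mozilla/5.0 Chrome/71.0"
198.51.100.9 - dave [14/Jan/2019:16:00:00 +0000] "GET /private/thread/4471 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Chrome/71.0"
"""

# client ip, authenticated user, bracketed timestamp, request path
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(?:GET|POST) (\S+) ')


def parse_log(text):
    """Parse combined-format lines into dicts carrying an aware UTC timestamp."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ip, user, ts, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        rows.append({"ip": ip, "user": user, "when": when, "path": path})
    return rows


def correlate(leaked, rows, window=timedelta(days=30)):
    """For each leaked URL, return log hits that could have been its source: same
    path, visited before publication and no earlier than `window` before it (assumed)."""
    hits = {}
    for pub, url in leaked:
        pub_at = datetime.fromisoformat(pub).replace(tzinfo=timezone.utc)
        path = urlparse(url).path
        hits[url] = [r for r in rows
                     if r["path"] == path and pub_at - window <= r["when"] <= pub_at]
    return hits


def rank_sources(hits):
    """Rank users by the number of distinct leaked URLs they visited in-window."""
    counts = Counter()
    for matches in hits.values():
        for user in {m["user"] for m in matches}:
            counts[user] += 1
    return counts.most_common()  # a user present for every leak is the likely source


if __name__ == "__main__":
    for user, n in rank_sources(correlate(LEAKED, parse_log(ACCESS_LOG))):
        print(f"{user}: visited {n} of {len(LEAKED)} leaked URLs before publication")
```

A visit logged after the publication time (dave above) is excluded because it cannot have been the source; the ranking is a lead to confirm with the users concerned, as Jadali did, not proof on its own.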
More testing revealed that these extensions were also compromising user data:

- Fairshare Unlock, a Chrome extension for accessing premium content for free. (A Firefox version of the extension, available here, collects the same browsing data.)
- SpeakIt!, a text-to-speech extension for Chrome.
- Hover Zoom, a Chrome extension for enlarging images.
- PanelMeasurement, a Chrome extension for finding market research surveys.
- Super Zoom, another image extension for both Chrome and Firefox. Google and Mozilla removed Super Zoom from their add-ons stores in February or March, after Jadali reported its data collection behavior. Even after that removal, the extension continued to collect browsing behavior on the researcher’s lab computer weeks later.
- SaveFrom.net Helper, a Firefox extension that promises to make Internet downloading easier. Jadali observed the data collection only in an extension version downloaded from the developer. He did not observe the behavior in the version that was previously available from Mozilla’s add-ons store.
- Branded Surveys, which offers chances to receive cash and other prizes in return for completing online surveys.
- Panel Community Surveys, another app that offers rewards for answering online surveys.

Principals with both Nacho Analytics and the browser extensions say that any data collection is strictly "opt in." They also insist that links are anonymized and scrubbed of sensitive data before being published. Ars, however, saw numerous cases where names, locations, and other sensitive data appeared directly in URLs, in page titles, or by clicking on the links.

Class-action lawsuit filed in California against Capital One and GitHub

Capital One and GitHub have been sued this week as part of a class-action lawsuit filed in California on allegations of failing to secure or prevent a security breach during which the personal details of more than 106 million users were stolen by a hacker.
While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted details about the hack on the code-sharing site. The lawsuit claims that "decisions by GitHub's management [...] allowed the hacked data to be posted, displayed, used, and/or otherwise available." According to the lawsuit, details about the Capital One hack were available from April 21, 2019, to mid-July before they were taken down. "GitHub knew or should have known that obviously hacked data had been posted to GitHub.com," the lawsuit claims. The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act.

Satellites and planes are not enough; now the US Gov't will use balloons to track activity on the ground below.

Government contractor Sierra Nevada Corporation – the aerospace company, not the brewery – has released balloons that will drift over a large area in the United States' Midwest: South Dakota, Iowa, Minnesota, Wisconsin, Missouri, and Illinois, to form a network capable of monitoring and tracking activity on the ground over massive distances. The Pentagon-ordered tests, involving 25 balloons cruising at 65,000-odd feet, will run from July 12 to September 1. It is understood the craft are carrying radar equipment to track the movement of vehicles far below. The Guardian newspaper noted that Sierra Nevada's other contracts with the US government are for small aircraft that have been equipped with cameras and sensors and used to provide images and surveillance in Mexico, Central America, and the Caribbean.

Poshmark Tells Users to Reset Passwords After Data Breach

Hackers have breached Poshmark, a popular online marketplace for used clothing, and stolen customer information. The looted data includes customers' full names, genders, cities, email addresses, linked social media profiles, and account passwords—but in a hashed cryptographic form.
The breach only ensnared the US-based constituents of its 40 million members.

Hey, Apple! 'Opt Out' Is not good enough. Let People Opt In

Brian Barrett: Like Google and Amazon before it, Apple has been caught sending voice assistant recordings to contractors, who listen to snippets of your requests and conversations, without telling anyone. In response to the privacy concerns that raises, Apple says it will eventually give users control over whether their Siri data gets sent to third-party eavesdroppers, but it's unclear whether that consent will be opt-in or opt-out. Google and Amazon offer the latter. And it's not nearly good enough.