A collection point
...and some of my own.
Pixel 4a is the first device to go through ioXt at launch

The Internet of Secure Things Alliance (ioXt) manages a security compliance assessment program for connected devices. ioXt has over 200 members across various industries, including Google, Amazon, Facebook, T-Mobile, Comcast, Zigbee Alliance, Z-Wave Alliance, Legrand, Resideo, Schneider Electric, and many others. With so many companies involved, ioXt covers a wide range of device types, including smart lighting, smart speakers, webcams, and Android smartphones.

ioXt’s baseline security requirements are tailored for product classes, and the ioXt Android Profile enables smartphone manufacturers to differentiate security capabilities, including biometric authentication strength, security update frequency, length of security support lifetime commitment, vulnerability disclosure program quality, and preloaded app risk minimization. NCC Group (an authorized auditor) has published an audit report that included assessments of the following:

1. The product shall not have a universal password; unique security credentials will be required for operation.
2. All product interfaces shall be appropriately secured by the manufacturer.
3. Product security shall use strong, proven, updatable cryptography using open, peer-reviewed methods and algorithms.
4. Product security shall be appropriately enabled by default by the manufacturer.
5. The product shall only support signed software updates.
6. The manufacturer shall act quickly to apply timely security updates.
7. The manufacturer shall implement a vulnerability reporting program, which will be addressed in a timely manner.
8. The manufacturer shall be transparent about the period of time that security updates will be provided.
TikTok, WeChat Bans Not Crucial to US Security

AFP: An all-in-one tool, WeChat provides messaging, financial transactions, group chats, and social media, all of which is stored on Chinese servers that a 2017 security law says must be accessible by Chinese intelligence. TikTok, a simple app for making and sharing short videos, meanwhile mines users' accounts and phones for lots of identifying information. "WeChat is bad," said Nicholas Weaver, a lecturer in computer security at the University of California in Berkeley. "It uses encrypted links to WeChat's servers in China... but the servers see all messages, so the Chinese government can see any message it wants," he said. However, Weaver said, there are few alternatives if you want to communicate widely with people in China, from inside or outside the country. More of a concern are US companies in China that might be banned from the WeChat app, as it would effectively cut them out of huge amounts of online commerce in China.

Smart Lock Vulnerability

Bruce Schneier: Yet another Internet-connected door lock is insecure: Sold by retailers including Amazon, Walmart, and Home Depot, U-Tec's $139.99 UltraLoq is marketed as a "secure and versatile smart deadbolt that offers keyless entry via your Bluetooth-enabled smartphone and code." Users can share temporary codes and 'Ekeys' to friends and guests for scheduled access, but according to Tripwire researcher Craig Young, a hacker able to sniff out the device's MAC address can help themselves to an access key, too. UltraLoq eventually fixed the vulnerabilities, but not in a way that should give you any confidence that they know what they're doing.

Travelex Forced into Administration (the UK's equivalent of the US' Chapter 11) After Ransomware Attack

Ransomware victim Travelex has been forced into administration, with over 1000 jobs set to go. PwC announced late last week that it had been appointed joint administrators of the currency exchange business.
Despite operating over 1000 ATMs and 1000+ stores globally, and providing services for banks, supermarkets and travel agencies in over 60 countries, the firm was forced to cut over 1300 jobs as part of the restructuring. “The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business,” admitted PwC in a notice announcing the news.

Have I Been Pwned to release code base to the open source community

Data breach and record exposure search engine "Have I Been Pwned" is going open source. Developed and maintained by security expert Troy Hunt, the search engine has become increasingly popular over time as the volume of reported data breaches ramped up, prompted by legislation and demands for transparency by companies suffering such a security incident. Members of the general public can submit their email addresses into the Have I Been Pwned search engine to find out if they have been "pwned," and if their emails have been linked to a data breach, each one, with a summary of what happened, is displayed -- as well as what information has been exposed. At the heart, one main operator isn't enough to ensure future scalability or sustainability, and with this in mind, Hunt previously attempted to find a buyer to help expand his life's work. By going open source, Hunt says this will take the "nuts and bolts" of the service and "put them in the hands of people who can help sustain the service regardless of what happens to me." Have I Been Pwned was developed to improve the security landscape and give individuals impacted by a data breach the knowledge required to potentially improve their own security posture -- such as by changing passwords linked to compromised accounts and to hammer the lesson home that passwords should not be re-used across different services.
With this in mind, going open source would also contribute to this concept by opening up code to other eyes -- increasing trust through transparency, and also potentially improving the platform's own security via the discovery of vulnerabilities. "All that backlog, all those bugs, all the great new ideas people have but I simply can't implement myself can, if the community is willing, finally be contributed back into the project," the security expert added.

WhatsApp Users To Get This Ground-Breaking New Upgrade: Just Perfect Timing

Zak Doffman: The biggest missing feature with WhatsApp is multiple device access. According to WABetaInfo a new release will make using WhatsApp seamless, from your phone(s) to your iPad to your desktop. And no more clunky front-end to the message store on your primary phone. This will work even if that main device is not switched on or online. “WhatsApp has also developed an iPad app, that will be released after the activation of the feature, so you will be able to use WhatsApp on your iPhone and your iPad at the same time.” Why is this so difficult? It all comes down to end-to-end encryption. Clearly, introducing linked devices means that you need to ensure the end-to-end encryption security extends to multiple endpoints on each side of a conversation, whether person-to-person or within groups. That’s challenging but achievable. The issue, though, is that to maintain a full user experience you need to sync the entire message history across each of those devices and keep them aligned. That’s significantly harder. WhatsApp’s closest rival—by feature if not install base—Signal, takes a similar approach to transferring an account from an old phone to a new one. But every one of its linked devices is a separate instance, with its message history limited to the time window during which it is linked. The reported WhatsApp approach is a significant step-up from that.
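Why "linked device" and "full history" pull in different directions, and what end-to-end encrypted backups add, is easier to see in code. The block below is an added example written for this page; it is not WhatsApp's or Signal's code, and the page does not describe their actual protocols. It assumes each linked device already shares a pairwise secret with the sender (what a Signal-style key agreement would provide; that agreement is not modelled), and it uses an HMAC-SHA256 counter-mode cipher with an HMAC tag as a standard-library stand-in for AES-GCM. The sender encrypts each message once per recipient device, so a device linked later has no envelope for earlier messages; the same sealing primitive, keyed from a passphrase instead of a device secret, is what makes a cloud backup unreadable to the platform that stores it.

```python
"""Per-device end-to-end encryption and passphrase-sealed backups (added example).

Assumptions: each device holds a pairwise secret with the sender (key agreement
not modelled); seal/open_ (HMAC-CTR keystream + HMAC tag, encrypt-then-MAC) stand
in for AES-GCM so the example needs only the standard library.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 extract-then-expand (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out, counter = out + block, counter + 1
    return out[:length]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Returns nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = hkdf(key, nonce, b"enc"), hkdf(key, nonce, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Constant-time tag check before any decryption; raises on tampering or wrong key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("authentication failed")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = hkdf(key, nonce, b"enc"), hkdf(key, nonce, b"mac")
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Device:
    name: str
    key: bytes = field(default_factory=lambda: os.urandom(32))  # assumed pairwise secret
    inbox: list[bytes] = field(default_factory=list)


def fan_out(message: bytes, devices: list[Device]) -> dict[str, bytes]:
    """Client fan-out: one envelope per linked device. The relay server stores
    only these envelopes and holds no key that opens any of them."""
    return {d.name: seal(d.key, message, aad=d.name.encode()) for d in devices}


def deliver(envelopes: dict[str, bytes], devices: list[Device]) -> None:
    for d in devices:
        if d.name in envelopes:
            d.inbox.append(open_(d.key, envelopes[d.name], aad=d.name.encode()))


def simulate_linking() -> dict[str, list[bytes]]:
    """A device linked after a message was sent has no envelope for it, so the
    history must be synced over some other channel (e.g. the sealed backup)."""
    devices = [Device("phone"), Device("laptop")]
    deliver(fan_out(b"first", devices), devices)
    devices.append(Device("tablet"))          # linked only after "first" was sent
    deliver(fan_out(b"second", devices), devices)
    return {d.name: d.inbox for d in devices}


def encrypt_backup(passphrase: str, history: list[bytes]) -> bytes:
    """Seal the history under a passphrase-derived key before upload; the cloud
    provider stores salt || envelope and cannot read it without the passphrase."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    payload = b"".join(len(m).to_bytes(4, "big") + m for m in history)
    return salt + seal(key, payload, aad=b"backup-v1")


def decrypt_backup(passphrase: str, blob: bytes) -> list[bytes]:
    salt, envelope = blob[:SALT_LEN], blob[SALT_LEN:]
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)
    payload, history, pos = open_(key, envelope, aad=b"backup-v1"), [], 0
    while pos < len(payload):
        n = int.from_bytes(payload[pos:pos + 4], "big")
        history.append(payload[pos + 4:pos + 4 + n])
        pos += 4 + n
    return history
```

Running `simulate_linking()` shows the phone and laptop holding both messages while the tablet holds only the second, which is exactly the Signal-style "separate instance" behaviour described above; restoring `decrypt_backup` on the tablet is the extra step a full-history design has to add. Note that the device name is bound into each envelope as associated data, so the relay cannot re-address one device's ciphertext to another.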
The other serious update coming from WhatsApp is to extend end-to-end encryption to cloud backups. Right now, when you backup chats to Google’s or Apple’s cloud, you only have the protection of their encryption over your backup—not WhatsApp’s end-to-end protection. That means law enforcement or others can access your content with keys held by those platforms. The new update will fix this, extending the same protection from your devices to your backups.

Huawei Confirms ‘Big Loss’ For Smartphones After New Trump Strike

Zak Doffman: Back in May, the Trump administration tightened its blacklist restrictions on Huawei, denying the company access to the custom “Kirin” chips designed by its HiSilicon subsidiary, but fabricated by external suppliers. At the time, there were varying reports as to how well prepared Huawei was for the change, how many chips it had managed to stockpile, how long the company would have to shift from in-house designs to off-the-shelf alternatives, or find a design to fabrication process absent any American technology. The consensus seemed to be that the company might only have enough to see it through the next 12 months. Fast forward three months and that impact seems to have come much faster than anticipated. This has been making headlines through the weekend, after Huawei’s fairly sovereign consumer boss, Richard Yu, admitted that the imminent Mate 40 flagship would likely be the last to carry a Kirin chip. In the second quarter, ending June 30, Huawei finally achieved its long-stated goal of overtaking Samsung to lead the world’s smartphone makers. Leadership status, however, may be short lived. But the next three to six months will likely be the most telling yet as regards the impact they will have. Until now, Huawei has maintained its share of the smartphone market by replacing international sales softened by its loss of Google, with soaring growth in China.
Meanwhile, Huawei’s 5G business is also heavily impacted by reversals like the U.K.'s decision to revoke its earlier approval of Huawei in its new networks, claiming new security vulnerabilities might be introduced.

How the International Space Station Enables Cybersecurity

Sean Michael Kerner: “Now we know that our key infrastructure is at risk on the ground as it is in space, from both physical and cyber-threats,” former NASA astronaut Pamela Melroy stated. Attacks against space-based infrastructure including satellites are not theoretical. Melroy noted that the simplest type of attack is a Denial of Service (DoS) which is essentially a signal jamming activity. She added that it already happens now, sometimes inadvertently, that a space-based signal is blocked. There is also a more limited risk that a data transmission could be intercepted and manipulated by an attacker. The entire network by which NASA controllers at Mission Control communicate with ISS is a private network, operated by NASA. Melroy emphasized that the control does not go over the open internet at any point. There is also a very rigorous verification system for any commands and data communications that are sent from the ground to ISS. Melroy noted that the primary idea behind the verification is not necessarily about malicious hacking, but rather about limiting the risk of a ground controller sending a bad command to space. “There’s a very rigorous certification process required for controllers in the International Space Station Mission Control Center (MCC) to allow them to send commands to the space station,” she explained. “In addition there are screening protocols both before a message ever leaves MCC going up to the ISS and once it’s on board ISS, to check and make sure that the command will not inadvertently do some damage to the station.” There is also a local area network on the station with support computers used for limited internet access including email and social media like Twitter.
While the local ISS network has internet access, it is not directly connected to the public internet. Melroy explained that there is a proxy computer inside the firewall at the Johnson Space Center, in Houston, Texas, that is connected with ISS. As such, the space station support computers talk to the proxy computer, which then goes out onto the public internet. “The most serious problem I think we have in space is complacency. We are going to have to figure out how to insert cybersecurity and an awareness of that into the values and the culture of aerospace, all the way from the beginning in design and through to operations.”

Meetup Critical Flaws Allow ‘Group’ Takeover, Payment Theft

A popular online social service, Meetup, has fixed several critical flaws in its website. If exploited, the flaws could have enabled attackers to hijack any Meetup “group,” access the group’s member details and even redirect Meetup payments to an attacker-owned PayPal account. Meetup is a service with a user base of over 35 million users, used to organize online groups with events for people with similar interests. These events are either for free, or participants can register for a fee using PayPal. While events are typically in person, in light of the ongoing pandemic, many events have moved to virtual settings. “Checkmarx found several ‘more-common’ API security issues like lack of resources and rate-limiting and excessive data exposure, as well as some serious cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on Meetup.com that could put users at risk,” said researchers with Checkmarx, in research disclosed last week at Black Hat USA 2020.

Zoom Just Made A Major China Move Amid TikTok Ban Fears

Kate O'Flaherty: Video conferencing platform Zoom has confirmed it will suspend all direct sales to mainland China from August 23 as it looks to distance itself from the country amid growing scrutiny of firms such as TikTok in the U.S.
Zoom made the announcement today (August 3) that it would move to a partner-only model in China in an email seen by Reuters. Bizconf Communications, Suiri Zhumu Video Conference, and Systec Umeet were listed as the partners that can offer Zoom’s commercial services to customers in China. Zoom has already pulled back in China. In May it confirmed there would be no new free user registrations in the country and enterprise customers would be restricted to those signing up through authorized sales reps. In June, Zoom was criticized after banning three users organizing memorials to mark the Tiananmen Square massacre at the request of Beijing. It’s reversed the decision, but Forbes’ Thomas Brewster reported how the firm was still going to help China block accounts of users in the country. It had also been in trouble when researchers found Zoom routed data through China—although the video conferencing firm quickly made changes to address this. Also in June, Senators Hawley and Blumenthal said in a letter to Justice Department Assistant Attorney General John Demers that they were “extremely concerned” Zoom and TikTok had potentially disclosed private American information to the Chinese Communist Party (CCP) and censored content on the CCP’s behalf. “As tens of millions of Americans turn to Zoom and TikTok during the COVID-19 pandemic, few know that the privacy of their data and their freedom of expression is under threat due to the relationship of these companies to the Chinese government,” the senators wrote. “Of particular concern, both Zoom and TikTok have sought to conceal and distract from their meaningful ties to China, holding themselves out as American companies.” But the two companies are very different. TikTok (which is earmarked for a sale to Microsoft) is currently owned by a Chinese company with its HQ in Beijing, ByteDance. Meanwhile, Zoom is based in Silicon Valley, and while its CEO Eric Yuan was born in China, he is now a U.S. citizen.
Even so, the senators were also concerned about a Citizen Lab report which alleged that Zoom “appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software.” The issue is of course political, as Ian Thornton-Trump, former Canadian forces intelligence operator and CISO for threat intelligence firm Cyjax, says. “In recent congressional testimony several witnesses attested to China's continued aggressive innovation and intellectual property theft. My view is this, in part is political pandering and all linked to the deteriorating relationship between China and the U.S.” So, a sensible move by Zoom, but will it help prevent growing scrutiny in the U.S., where the focus is growing on all firms perceived to have a link—however tenuous—with China?

Havenly Breach Hits Over 1.3 Million Accounts

Phil Muncaster: Havenly has become the latest online firm to suffer a serious breach of customer data after hackers published the information for free on the dark web. Notorious dark web trader ShinyHunters was spotted last week posting the data of nearly 1.4 million accounts online. They’re said to be part of a much bigger 386 million record trove including data from customers of Dave, Promo and HomeChef, which has been previously disclosed. According to breach notification site HaveIBeenPwned, the data from Havenly customers includes email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes. However, an email to customers from the interior design company last week failed to mention the compromise of personal data at all, instead focusing on the fact that no financial details were disclosed.

Promo Data Breach Hits 14.6 Million User Accounts

An Israeli marketing video firm this week announced a major breach of user data which appears to have impacted over 14 million accounts.
Promo, which describes itself as “the world’s #1 marketing video maker,” revealed in an online notice that a vulnerability in a third-party service was to blame for the incident, which also affected customers of its Slidely business. “The exposed data includes first name, last name, email address, IP address, approximated user location based on the IP address, gender, as well as encrypted, hashed and salted password to the Promo or Slidely account,” said Promo. “Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded.” In fact, this does seem to be the case, after dark web traders were spotted selling the haul, including 1.4 million cracked passwords.

Finland: The Data that Remains: Testing Android Phones after Factory Resets

Juho Pörhönen: One of the hazards of giving a mobile phone a second life is that data from the previous user could be discoverable by later owners. Second-hand Android devices hold onto data after a factory reset. During a test of 100 Android devices, data was recovered from 19 percent of the sample (19/100), with ten of those phones containing non-critical data (SMS and call logs from the carrier). More concerning, however, was that on eight phones we recovered critical personal data. One phone had critical corporate data.

“Analysis of Data Remanence After Factory Reset, and Sophisticated Attacks on Memory Chips”

For our next analysis, we wanted to expand a recognized Cambridge study on Android’s factory reset performance. Using a sample of 68 phones, we focused again on the most popular models circulating on the European market. The idea was to simulate the user’s real experience using our own test data and accounts, populating the device with multimedia files, SMS, contacts, email accounts, social media, etc. After that, we performed a factory reset, then a memory extraction via forensic tools. We then analyzed the results.
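Stepping back to the two password breaches above: Havenly's passwords were stored as unsalted SHA-1, and Promo's were "hashed and salted" yet 1.4 million of them were still cracked. The block below is an added example written for this page, not either company's code; the four accounts, the six-word list and the salts are constructed here. It shows why an unsalted SHA-1 dump falls to a single precomputed table, why a salt alone only buys a linear factor against a fast hash, and how a deliberately slow KDF changes the cost of every guess. A real cracker tries billions of candidates per second on GPUs; the tiny wordlist only keeps the run instant.

```python
"""Why 'hashed' does not mean 'safe': unsalted SHA-1, salted SHA-1, slow KDF (added example).

Constructed data: ACCOUNTS and WORDLIST are invented for this demonstration.
"""
import hashlib
import hmac
import os
import time

WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome1", "dragon"]
ACCOUNTS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3", "dave": "password"}
FAST_ITERS = 100_000       # iteration count used in the cracking comparison below
STORAGE_ITERS = 600_000    # OWASP's current PBKDF2-HMAC-SHA256 recommendation for storage


def sha1_hex(pw: str, salt: bytes = b"") -> str:
    return hashlib.sha1(salt + pw.encode()).hexdigest()


def pbkdf2_hex(pw: str, salt: bytes, iterations: int = FAST_ITERS) -> str:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def dump(hash_fn, salted: bool) -> dict:
    """Build a breach dump: user -> (salt, digest). Unsalted schemes get an empty salt."""
    out = {}
    for user, pw in ACCOUNTS.items():
        salt = os.urandom(16) if salted else b""
        out[user] = (salt, hash_fn(pw, salt))
    return out


def crack_unsalted(records: dict) -> tuple:
    """One hash per candidate, computed once, unmasks every account sharing that
    password (alice and dave fall together). Returns (cracked, hash invocations)."""
    table = {sha1_hex(w): w for w in WORDLIST}   # precomputable, reusable across dumps
    cracked = {u: table[d] for u, (_, d) in records.items() if d in table}
    return cracked, len(WORDLIST)


def crack_salted(records: dict, hash_fn, per_guess_cost: int = 1) -> tuple:
    """A salt forces one guess per (candidate, account) pair, and a slow KDF
    multiplies every guess by its iteration count. Returns (cracked, total cost
    in underlying hash invocations). Accounts with weak passwords still fall."""
    cracked, guesses = {}, 0
    for user, (salt, digest) in records.items():
        for w in WORDLIST:
            guesses += 1
            if hash_fn(w, salt) == digest:
                cracked[user] = w
                break
    return cracked, guesses * per_guess_cost


def hash_for_storage(pw: str) -> bytes:
    """What to store instead: salt || PBKDF2-HMAC-SHA256 at a deliberately slow cost."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, STORAGE_ITERS)


def verify_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, STORAGE_ITERS)
    return hmac.compare_digest(digest, candidate)


if __name__ == "__main__":
    for label, fn, salted, cost in [("unsalted SHA-1", sha1_hex, False, 1),
                                    ("salted SHA-1", sha1_hex, True, 1),
                                    ("salted PBKDF2", pbkdf2_hex, True, FAST_ITERS)]:
        records = dump(fn, salted)
        t0 = time.perf_counter()
        cracked, work = crack_unsalted(records) if not salted else crack_salted(records, fn, cost)
        print(f"{label:15} cracked={sorted(cracked)} hash-invocations={work:,} "
              f"wall={time.perf_counter() - t0:.3f}s")
```

All three schemes give up alice, bob and dave, because their passwords are in the wordlist; salting changes the cost from 6 hash computations to 12, and PBKDF2 at 100,000 iterations to 1.2 million. Only carol's password survives, and only because it is not in the list. That is the whole lesson of the Promo notice: salting plus a slow KDF is the correct design, but it protects accounts in proportion to password strength, which is why Have I Been Pwned keeps hammering on re-use.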
In the end, we were able to recover data on 14 phones (20 percent of the sample). In conclusion, our first study suggests that many IT asset disposal facilities can fail to successfully sanitize a significant percentage of Android devices. Despite claims of phones going through data sanitization processes, previously owned devices still stored user data. This did not seem to depend on the OS version, as data was found up to Android OS 6.0.

Moral of this story? Ensure your phone is fully encrypted. Then wipe it, and if you want absolute certainty ... use a hammer on it, although NIST SP 800-88 media sanitization guidelines now point out that with components getting smaller and smaller, even breaking them into small pieces may leave recoverable data.

US: Foreign Threats Loom Ahead of US Presidential Election

AP: Intelligence officials confirmed in recent days that foreign actors are actively seeking to compromise the private communications of “U.S. political campaigns, candidates and other political targets” while working to compromise the nation’s election infrastructure. Foreign entities are also aggressively spreading disinformation intended to sow voter confusion heading into the fall. There is no evidence that America’s enemies have yet succeeded in penetrating campaigns or state election systems, but Democrat Joe Biden’s presidential campaign confirmed this week that it has faced multiple related threats. The former vice president’s team was reluctant to reveal specifics for fear of giving adversaries useful intelligence.

Bitcoin Transactions Led FBI to Twitter Hackers

Eduard Kovacs: Court documents made public last week by U.S. authorities following the announcement of charges against three individuals allegedly involved in the recent Twitter attack revealed how some of the hackers were identified by investigators.
News of the charges came shortly after Twitter revealed that the attackers gained access to its internal systems and tools, which they later used to take control of dozens of high-profile accounts, by using phone spear-phishing. The hackers targeted 130 accounts, but reset the passwords for only 45 of them, many of which were used to post tweets that were part of a bitcoin scam. The U.S. Department of Justice announced on Friday that it charged 22-year-old Nima Fazeli (aka Rolex, Rolex#0373, and Nim F) of Orlando, Florida, 19-year-old Mason John Sheppard (aka Chaewon and “ever so anxious#0001”) of the United Kingdom, and 17-year-old Graham Ivan Clark (aka Kirk#5270), of Tampa, Florida. Clark is believed to be the mastermind of the operation — he is the one who allegedly broke into Twitter’s systems. Fazeli and Sheppard are believed to have helped him sell access to Twitter accounts.

According to court documents, a user with the online moniker Kirk#5270 on the chat service Discord claimed to work for Twitter and offered to provide access to any user account. That is how he met Rolex and Chaewon, who helped him sell access to Twitter accounts, including on the OGUsers.com hacking forum, which specializes in the trading of social media and other online accounts. In the case of Fazeli, the FBI found information on his OGUsers account in a database that was leaked earlier this year after the hacker website was breached. The FBI reached out to cryptocurrency exchange Coinbase to obtain information on a bitcoin address shared by Rolex on the OGUsers forum. Coinbase records showed that the address received funds from a user named Nim F, which had been registered with an email address that was also used to register the Rolex account on OGUsers. In order to register the Nim F account on Coinbase, the user had to provide an ID for verification, and they provided a driver’s license with the name Nima Fazeli.
One of the Coinbase accounts registered by Fazeli had made roughly 1,900 transactions totaling approximately 21 bitcoin (worth $230,000). The investigation showed that Fazeli apparently accessed the Discord and Coinbase accounts using the same IP addresses, which pointed to locations in Florida.

In the case of Sheppard, who also allegedly helped Clark sell access to Twitter accounts, he used the online monikers Chaewon and Mas on OGUsers and “ever so anxious#0001” on Discord. An analysis of the leaked OGUsers records led to the discovery of an email address that was also associated with a Coinbase account. Information obtained from Coinbase showed that the account belonged to one Mason Sheppard, an account that had been verified using a driver’s license in the name Mason John Sheppard from the United Kingdom. The driver’s license listed Sheppard’s address and date of birth.

A judge set Clark’s bail at $725,000 on Saturday. David Anderson, U.S. Attorney for the Northern District of California, said Sheppard faces 45 years in prison for the charges brought against him, while Fazeli faces a statutory maximum penalty of 5 years in prison.