A collection point
...and some of my own.
The Octopus Scanner Malware: Attacking the open source supply chain

Github Security Lab: On March 9, we received a message from a security researcher informing us about a set of GitHub-hosted repositories that were, presumably unintentionally, actively serving malware. After a deep-dive analysis of the malware itself, we uncovered something that we had not seen before on our platform: malware designed to enumerate and backdoor NetBeans projects, and which uses the build process and its resulting artifacts to spread itself. In the course of our investigation we uncovered 26 open source projects that were backdoored by this malware and that were actively serving backdoored code. The malware is capable of identifying the NetBeans project files and embedding malicious payload both in project files and build JAR files.

Below is a high-level description of the Octopus Scanner operation:

- Identify user's NetBeans directory
- Enumerate all projects in the NetBeans directory
- Copy malicious payload cache.dat to nbproject/cache.dat
- Modify the nbproject/build-impl.xml file to make sure the malicious payload is executed every time the NetBeans project is built
- If the malicious payload is an instance of the Octopus Scanner itself, the newly built JAR file is also infected

Even though the malware C2 servers didn't seem to be active at the time of analysis, the affected repositories still posed a risk to GitHub users that could potentially clone and build these projects. Unlike other GitHub platform abuse cases, the repository owners were most likely completely unaware of the malicious activity, and therefore swiftly blocking or banning the maintainers was not an option for GitHub’s Security Incident Response Team (SIRT). The malware would proceed to backdoor NetBeans project builds through the following mechanisms:
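The two on-disk indicators the write-up names (a dropped nbproject/cache.dat and a build-impl.xml that has been altered to run it) are easy to sweep a checkout for. The scanner below is an added example, not GitHub Security Lab's code or anything from the advisory: the "any mention of cache.dat inside build-impl.xml is abnormal" rule is this example's own heuristic (NetBeans never generates such a reference), the sample repository is constructed, and a clean result proves nothing about other infection paths.

```python
"""Heuristic sweep for Octopus-Scanner-style NetBeans backdoors.

Added example, not GitHub's or any project's code. It checks only the two
indicators described above: an nbproject/cache.dat payload and a modified
nbproject/build-impl.xml that references it. The regex is an assumption
(NetBeans does not generate any reference to cache.dat in build-impl.xml).
"""
import os
import re
from typing import Dict, List

PAYLOAD_NAME = "cache.dat"
BUILD_SCRIPT = "build-impl.xml"
CACHE_REF = re.compile(r"cache\.dat", re.IGNORECASE)


def scan_project_files(files: Dict[str, str]) -> List[str]:
    """Scan an in-memory view of a repository.

    `files` maps POSIX-style relative paths to text content (binary files may be
    passed as empty strings; only their presence is checked). Returns one
    human-readable finding per indicator hit, sorted for stable output.
    """
    findings = []
    for path, content in files.items():
        parts = path.split("/")
        if len(parts) < 2 or parts[-2] != "nbproject":
            continue
        project = "/".join(parts[:-2]) or "."
        if parts[-1] == PAYLOAD_NAME:
            findings.append(f"{project}: nbproject/{PAYLOAD_NAME} present (payload drop location)")
        elif parts[-1] == BUILD_SCRIPT and CACHE_REF.search(content):
            findings.append(f"{project}: nbproject/{BUILD_SCRIPT} references {PAYLOAD_NAME} (build hook)")
    return sorted(findings)


def scan_tree(root: str) -> List[str]:
    """Walk a checkout on disk and feed every nbproject/ directory to scan_project_files."""
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        if os.path.basename(dirpath) != "nbproject":
            continue
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name == BUILD_SCRIPT:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[rel] = fh.read()
            else:
                files[rel] = ""  # presence is enough for the payload check
    return scan_project_files(files)


# Constructed sample repository: one clean project, one carrying both indicators.
# The <java jar=...> hook is an illustration, not the real malware's edit.
SAMPLE_REPO = {
    "clean/nbproject/build-impl.xml": '<project name="clean-impl"><target name="jar"/></project>',
    "clean/nbproject/project.properties": "main.class=app.Main",
    "infected/nbproject/cache.dat": "",
    "infected/nbproject/build-impl.xml": (
        '<project name="infected-impl"><target name="-pre-jar">'
        '<java jar="nbproject/cache.dat" fork="true"/></target></project>'
    ),
}

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_project_files(SAMPLE_REPO)
    print("\n".join(hits) or "no indicators found")
```

Run it with a path argument to sweep a real checkout; without one it scans the constructed sample and reports both hits for the `infected` project and none for `clean`.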
OPENSSH WILL DEPRECATE SHA-1

By Dennis Fisher for Duo.com: In January, a pair of researchers published details of the first practical chosen prefix collision on SHA-1, showing that the aged hash algorithm, which had already far outlived its usefulness, was now all but useless. All of the major browsers had already abandoned SHA-1, as had most of the large certificate authorities, but it is still in use in many other places, including embedded systems and some cryptography systems. One of the more widely deployed applications that still supports SHA-1 is OpenSSH, the open source implementation of the SSH protocol that is included in a huge number of products, including Windows, macOS, many Unix systems, and several popular brands of network switches. On Wednesday, the OpenSSH developers said that a future version of the app will drop support for the use of the RSA public key algorithm, which uses SHA-1. “It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the "ssh-rsa" public key signature algorithm by default in a near-future release,” the OpenSSH developers said in the release notes for version 8.3 on Wednesday. “This algorithm is unfortunately still used widely despite the existence of better alternatives, being the only remaining public key signature algorithm specified by the original SSH RFCs.”

Boris Johnson to reduce Huawei’s role in national 5G network

Early this year, the UK Government agreed on the involvement of Huawei in the national 5G network, while the United States expressed its disappointment with the Johnson decision and threatened to limit intelligence sharing with the ally. “The Prime Minister plans to reduce Huawei’s involvement in Britain’s 5G network in the wake of the coronavirus outbreak, the Telegraph has learned.” reported The Telegraph.
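A caveat on the OpenSSH item above: what is being disabled is the ssh-rsa signature scheme (RSA signatures over SHA-1), not RSA keys. The same RSA key keeps working with the SHA-2 schemes rsa-sha2-256 and rsa-sha2-512, and the 8.3 release notes suggest testing a server with ssh -oHostKeyAlgorithms=-ssh-rsa user@host to see whether it still depends on the old scheme. The following is an added example, not OpenSSH code and not from the article: it decodes the SSH_MSG_KEXINIT message (RFC 4253 section 7.1), in which a server advertises its host-key signature schemes, and reports which of them sign over SHA-1. The sample KEXINIT is constructed, not captured from a real server.

```python
"""Parse an SSH_MSG_KEXINIT payload and flag SHA-1 host-key signature schemes.

Added example, not OpenSSH code. Wire layout per RFC 4253 section 7.1:
byte 20, 16-byte cookie, ten name-lists (uint32 length + comma-separated
names), boolean first_kex_packet_follows, uint32 reserved. Feed it the
decrypted KEXINIT payload from a capture; the sample below is constructed.
"""
import os
import struct
from typing import Dict, List, Optional

SSH_MSG_KEXINIT = 20

# Schemes whose signatures are computed over SHA-1 (plus their OpenSSH certificate
# forms). RSA keys themselves are fine with rsa-sha2-256 / rsa-sha2-512 (RFC 8332).
SHA1_SIGNATURE_SCHEMES = {
    "ssh-rsa", "ssh-dss",
    "ssh-rsa-cert-v01@openssh.com", "ssh-dss-cert-v01@openssh.com",
}

NAME_LIST_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]


def _name_list(names: List[str]) -> bytes:
    body = ",".join(names).encode("ascii")
    return struct.pack(">I", len(body)) + body


def build_kexinit(lists: Dict[str, List[str]], cookie: Optional[bytes] = None) -> bytes:
    """Encode a KEXINIT payload; lists not supplied are emitted empty."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAME_LIST_FIELDS:
        out += _name_list(lists.get(field, []))
    out += b"\x00"                # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)   # reserved
    return out


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Decode a KEXINIT payload into its ten name-lists; rejects truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 17  # 1 byte message type + 16-byte cookie
    lists: Dict[str, List[str]] = {}
    for field in NAME_LIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = raw.split(",") if raw else []
    if pos + 5 > len(payload):
        raise ValueError("missing trailer")
    return lists


def audit_host_key_algorithms(lists: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Split the offered host-key signature schemes into SHA-1 and non-SHA-1 sets."""
    offered = lists.get("server_host_key_algorithms", [])
    return {"sha1": [a for a in offered if a in SHA1_SIGNATURE_SCHEMES],
            "other": [a for a in offered if a not in SHA1_SIGNATURE_SCHEMES]}


# Constructed sample of what an older sshd advertises: ssh-rsa alongside the
# SHA-2 RSA schemes and ed25519. Zero cookie so the bytes are reproducible.
SAMPLE_SERVER_KEXINIT = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa", "ssh-ed25519"],
    "encryption_algorithms_client_to_server": ["chacha20-poly1305@openssh.com"],
    "encryption_algorithms_server_to_client": ["chacha20-poly1305@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
}, cookie=bytes(16))

if __name__ == "__main__":
    report = audit_host_key_algorithms(parse_kexinit(SAMPLE_SERVER_KEXINIT))
    print("SHA-1 signature schemes offered:", report["sha1"] or "none")
    print("other schemes offered:", report["other"])
```

A server that lists ssh-rsa is not necessarily using it: the scheme actually negotiated is the first entry in the client's preference list that the server also offers, so the finding means "still accepts SHA-1 signatures", which is what the deprecation will stop.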
“Boris Johnson has instructed officials to draw up plans that would see China’s involvement in the UK’s infrastructure scaled down to zero by 2023.”

New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps

Mohit Kumar: Norwegian cybersecurity researchers, last week, unveiled details of a new critical vulnerability (CVE-2020-0096) affecting the Android operating system that could allow attackers to carry out a much more sophisticated version of Strandhogg attack. Dubbed 'Strandhogg 2.0,' the new vulnerability affects all Android devices, except those running the latest version, Android Q / 10, of the mobile operating system—which, unfortunately, is running on only 15-20% of the total Android-powered devices, leaving billions of rest of the smartphones vulnerable to the attackers. StrandHogg 1.0 resided in the multitasking feature of Android, whereas the new Strandhogg 2.0 flaw is basically an elevation of privilege vulnerability that allows hackers to gain access to almost all apps.
"Utilising StrandHogg 2.0, attackers can, once a malicious app is installed on the device, gain access to private SMS messages and photos, steal victims' login credentials, track GPS movements, make and/or record phone conversations, and spy through a phone's camera and microphone," the researchers said. You can recognize an attack through the following actions on your phone:
Joomla team discloses data breach

The incident took place after a member of the Joomla Resources Directory (JRD) team left a full backup of the JRD site (resources.joomla.org) on an Amazon Web Services S3 bucket owned by their own company. The Joomla team said the backup file was not encrypted and contained details for roughly 2,700 users who registered and created profiles on the JRD website -- a portal where professionals advertise their Joomla site-making skills. Data includes:

- Full name
- Business address
- Business email address
- Business phone number
- Company URL
- Nature of business
- Encrypted password (hashed)
- IP address
- Newsletter subscription preferences

NTT warns its Singapore cloud was hacked, Japanese customer data compromised

NTT was infiltrated on May 7 via Active Directory services running in its Singapore operations. The intrusion was confirmed on May 11. The Active Directory deployment was accessed remotely and then used internally as a stepping stone to other systems. While a production server that ultimately came under attack was quickly triaged and the service provider quickly cut off its communications links, the hacker had managed to gain a toehold in an information management server, and reach into the company’s Japanese hosting and cloud services.

GE switches off light bulb business after almost 130 years

The lighting business is GE's oldest segment, dating all the way back to the company's founding through a series of mergers with Thomas Edison's companies in the late 1880s and early 1890s. The company became a conglomerate early, investing in a wide array of technology and communications businesses. It moved toward aviation and energy and away from consumer products through the 1980s and 1990s under CEO Jack Welch. That industrial mindset lasted into the 21st century, under CEO Jeff Immelt, from 2001 through 2017 and then Larry Culp.
"Today’s transaction is another important step in the transformation of GE into a more focused industrial company," Culp said in a written statement. "Together with Savant, GE Lighting will continue its legacy of innovation, while we at GE will continue to advance the infrastructure technologies that are core to our company and draw on the roots of our founder, Thomas Edison," even though GE has now spun off the last of Edison's original business.

Microsoft lays off journalists to replace them with AI

Business Insider first reported the layoffs on Friday, and says that around 50 jobs are affected in the US. The Microsoft News job losses are also affecting international teams, and The Guardian reports that around 27 are being let go in the UK after Microsoft decided to stop employing humans to curate articles on its homepages. Microsoft has been in the news business for more than 25 years, after launching MSN all the way back in 1995. At the launch of Microsoft News nearly two years ago, Microsoft revealed it had “more than 800 editors working from 50 locations around the world.” Microsoft has gradually been moving towards AI for its Microsoft News work in recent months, and has been encouraging publishers and journalists to make use of AI, too. Microsoft has been using AI to scan for content and then process and filter it and even suggest photos for human editors to pair it with. Microsoft had been using human editors to curate top stories from a variety of sources to display on Microsoft News, MSN, and Microsoft Edge.

EasyJet reveals cyber-attack exposed 9m customers' details

The Guardian: Of the 9 million people affected, 2,208 had credit card details stolen, easyJet told the stock market. No passport details were uncovered. Those customers whose credit card details were taken have been contacted, while everyone else affected will be contacted by 26 May.
EasyJet did not immediately give details of how the breach occurred, but said it had “closed off this unauthorized access” and reported the incident to the National Cyber Security Centre and the Information Commissioner’s Office (ICO), the data regulator.

AT&T tracked its own sales team using GPS and then secretly charged them for it, lawsuit claims

Daniel Gunther has sued the American telecom giant, and hopes to lead a class-action lawsuit against it in California, where he is based. He alleges the cellular network used the GPS in its cars to keep tabs on sales reps and then withheld an unagreed $85 to $135 a month from his payroll for use of the car as one of a fleet of "In-home experts". "In-home experts" make up to 33% of their pay in upselling existing cable and phone customers, but ATT has classed them as exempt sales reps. Although ATT didn't classify him as an employee, it may be hard to make a case that workers like Gunther are independent when they have to use its cars, are under constant surveillance and spend much of their time supporting existing sales. Given that Uber and Lyft just lost similar cases in Cali., we would not bet on ATT.

Criminal forum trading stolen data suffers ironic data breach

John Dunn: There is a certain irony when hackers' data gets hacked. It now appears that when the FBI seized WeLeakInfo.com .... another website called WeLeakData.com also went dark. Now it seems that some of the owner's data has been found for sale on the dark web. This data turns out to contain nuggets such as email addresses of account holders, their usernames, hashed passwords, and IP addresses – pretty much what would be part of any data breach. The haul also contained private messages between the criminal members. These details could be of big interest to law enforcement and rival criminals.
Illinois blames ‘glitch’ for exposure of Pandemic Unemployment Assistance (PUA) applicant Social Security numbers, private data

Charlie Osborne: The Illinois Department of Employment Security (IDES) has acknowledged a security lapse that exposed the private information of independent contractors and the self-employed. Names, Social Security numbers, and other data points -- including phone numbers and addresses -- related to unemployment claims were leaked through the scheme's website, which has been set up to give gig workers access to funds if they have lost their jobs due to the COVID-19 pandemic. Over 44,000 applicants opened a claim within the first 24 hours. IDES' data leak was uncovered by a business owner who applied for benefits and realized she was able to view information belonging to others.

Restriction on Chipmakers Deals Critical Blow to Huawei

AP: Huawei Technologies Ltd. is one of the biggest makers of smartphones and network equipment, but that $123 billion-a-year business is in jeopardy after Washington announced further restrictions on use of American technology by foreign companies that make its processor chips. The conflict is politically explosive because Huawei is more than just China’s most successful private company. It is a national champion among industries the ruling Communist Party is promoting in hopes of transforming China into a global competitor in profitable technologies. On Monday, China’s Ministry of Commerce warned it will protect “the legitimate rights and interests of Chinese enterprises,” but gave no details of potential retaliation. Beijing has threatened in the past to issue an “unreliable entities list” that might restrict operations of dozens of American companies in China.

Crypto-Miners Take Out Supercomputers Working on #COVID19

Supercomputers across Europe appear to have been targeted by cryptocurrency miners over the past few days, forcing offline key IT resources working on COVID-19 research.
One of the first to report problems was the University of Edinburgh’s Archer supercomputer, which was taken offline last Monday after “a security exploitation on the Archer login nodes.” Working with the National Cyber Security Centre (NCSC), the institution has been forced to rewrite all existing passwords and SSH keys. It was still down as of 2020-05-18.

Face masks prompt London police to consider pause in rollout of facial recognition cameras

The United Kingdom has been a keen adopter of surveillance technology including facial recognition cameras in recent years, despite concerns that widespread spying erodes citizen rights to privacy. In two recent Live Facial Recognition (LFR) deployments, in which over 13,000 faces were scanned, six individuals were stopped -- and five of the six were misidentified. Results like that did not stop the Metropolitan police, but it seems a pandemic may do so. The police force is reportedly considering a pause on the scheme as so many in the capital are now wearing face masks.

Woman stalked by sandwich server via her COVID-19 contact tracing info

A woman in Auckland, New Zealand, told the local news outlet Newshub that Subway required her to put her contact details on a contact-tracing form so as to place her food order. She didn’t think anything about it: we all want to stop the spread of the pandemic, after all. The form asked for her name, home address, email address and phone number, all of which she put down. Subsequently, she was contacted by a Subway employee on Facebook, Instagram, Messenger and via text. She complained and the worker has since been fired, but she has been left with a feeling of unease that she is having a hard time getting over.

Last Tuesday's Windows update ...patched 111 different things, with 16 rated as "Critical".

Australia wins AI 'Eurovision Song Contest'

Jane Wakefield for the BBC: An Australian team has won a competition to write a hit Eurovision song using artificial intelligence.
An editor for Dutch broadcaster VPRO had the idea, after the Netherlands won last year's Eurovision Song Contest. And it grew into an international effort after this year's contest was cancelled because of the coronavirus pandemic. The winning song, Beautiful the World, was inspired by nature's recovery from the bushfires earlier this year. A total of 13 teams took part, from the Netherlands, Australia, Sweden, Belgium, the UK, France, Germany and Switzerland. The Australian team, called Uncanny Valley in a nod to how humans and robots may one day merge, was made up of maths, computer-science and social-anthropology students, as well as music producers. The melody and lyrics were written by an AI system, trained with audio samples of koalas, kookaburras and Tasmanian devils.

Clearview AI won’t sell vast faceprint collection to private companies

Clearview AI – the web-scraping, faceprint-amassing biometrics company that’s being sued over collecting biometrics without informed consent – says it’s no longer going to sell access to its program to a) private entities or b) any entity whatsoever that’s located in Illinois. Clearview’s artificial intelligence (AI) program can identify someone by matching photos of unknown people to their online photos and the sites where they were posted. Clearview AI founder and CEO Hoan Ton-That has claimed that the results are 99.6% accurate. The company’s change of heart was revealed in court documents submitted during the course of a class action suit against Clearview that was filed in Illinois in January. It’s just one of multiple suits: Clearview’s also up against similar lawsuits in Vermont, New York and California.
The Illinois suit charges the company with breaking the nation’s strictest biometrics privacy law – Illinois’s Biometric Information Privacy Act (BIPA) – by scraping some 3 billion faceprints from the web to sell to law enforcement and to what’s turned out to be a motley collection of private entities, including Macy’s, Walmart, Bank of America, Target, and Major League Baseball team The Chicago Cubs. From a court declaration by their legal counsel last Wednesday: "Clearview is in the process of cancelling the accounts of every remaining user who was not either a law enforcement body or other federal, state, or local government department, office or agency. At the same time, Clearview is in the process of cancelling all user accounts belonging to any entity located in Illinois." However, that statement doesn't quite mesh with reports that Clearview had been aggressively pursuing clients outside of law enforcement, including in law, retail, banking, and gaming, and that the company had been trying to gain traction outside of the US and Canada by pushing into Europe, South America, Asia Pacific, and the Middle East.

More Chrome extensions removed by Google

Danny Bradbury: Google deleted 49 malicious Chrome extensions from the Chrome Web Store in mid-April after security researcher Harry Denley found them phishing cryptocurrency users. The extensions impersonate Chrome extensions for legitimate cryptocurrency wallets, but when installed they pilfer the users’ private keys and other secrets used to access digital wallets so that their authors can steal victims’ funds. Now Denley has found more. Talking to Naked Security, Denley explained that he finds new ones each day. He pointed us to this Pastebin entry showing the original 49 he reported in April, along with another 22. The new ones impersonated the Ledger, KeepKey, MetaMask, and Jaxx wallets. The IDs on the left are extension IDs, which show up at the end of an extension’s URL when viewed in the Chrome store.
Google had already taken down most of the offending wallets at the time of writing, and has been generally pretty responsive. How do you keep yourself safe?

- Install as few extensions as possible and, despite the above, only from official web stores.
- Check the reviews and feedback from others who’ve installed the extension.
- Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
- Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features.
- Be suspicious if the permissions change.

Black Hat USA and DEF CON Cancelled Due to #COVID19

Black Hat USA and DEF CON have become the latest victims of the COVID-19 pandemic, after organizers announced plans to cancel the cybersecurity conferences and replace them with virtual events. For DEF CON, the decision has turned a long-running joke on its head. For the past few years mischief-makers have taken to the internet to spread fake news about the event being cancelled. “The #DEFCONiscanceled meme has crossed over into real life, courtesy of #COVID19,” wrote the organizers on Twitter on Friday. “In early March we had hopes that things would be stable by August. That is no longer realistic.” DEF CON 28 Safe Mode will now run online from August 7-9, with 101 orientation Thursday. “Expect events like a new on-line Mystery Challenge, a DEF CON is Canceled music album, remote CTFs like Hack-a-Sat, Villages like the Packet Hacking Village, contests like the TeleChallenge, Ham Exams, and more. We are also planning a remote movie night and drink-up.”

Google Authenticator 2SV codes transferable across Android devices

In celebration of World Password Day (on the 7th of May), Google updated its Authenticator app to make it easier to transfer 2-Step Verification (2SV) codes from one Android device to another.
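The permission check in the extension advice above can be automated against the extension's manifest.json (unpack the .crx, or read the directory Chrome keeps under its profile's Extensions folder). The script below is an added example, not Google's code and not from the Naked Security article: it lists what a manifest asks for and diffs two versions so a quiet escalation on update stands out. The high-risk set is this example's own triage choice (permissions that let an extension read or alter every page, read the clipboard, or reach into other tabs), and the two "Wallet Helper" manifests are constructed to mimic the pattern described, not taken from any real extension.

```python
"""Triage a Chrome extension manifest's permissions and diff them across versions.

Added example, not Google's or Naked Security's code. HIGH_RISK is this
example's own triage list; WALLET_V1 / WALLET_V2 are constructed manifests.
"""
import json
from typing import Dict, List, Set

# Permissions that let an extension see or change content on every site, read
# what the user pastes, or watch other tabs. A wallet helper needs none of them.
HIGH_RISK = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "clipboardRead", "cookies", "history", "tabs", "nativeMessaging", "debugger",
}


def collect_permissions(manifest: dict) -> Set[str]:
    """Union of API permissions, host permissions and content-script match patterns.

    Manifest V2 lists host patterns under "permissions"; V3 moves them to
    "host_permissions". Content scripts injected via "matches" reach the same
    pages, so they count too.
    """
    perms: Set[str] = set()
    perms.update(manifest.get("permissions", []))
    perms.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms.update(script.get("matches", []))
    return perms


def risky_permissions(manifest: dict) -> List[str]:
    """Sorted list of the manifest's permissions that fall in HIGH_RISK."""
    return sorted(p for p in collect_permissions(manifest) if p in HIGH_RISK)


def permission_diff(old: dict, new: dict) -> Dict[str, List[str]]:
    """What an update added or dropped; 'escalated' is the added subset that is high-risk."""
    before, after = collect_permissions(old), collect_permissions(new)
    added = sorted(after - before)
    return {"added": added,
            "removed": sorted(before - after),
            "escalated": [p for p in added if p in HIGH_RISK]}


# Constructed manifests: v1 only touches the vendor's own site; v2 quietly asks
# for every site plus the clipboard, which is where seed phrases get pasted.
WALLET_V1 = json.loads("""{
  "manifest_version": 3, "name": "Wallet Helper", "version": "1.0",
  "permissions": ["storage"],
  "host_permissions": ["https://wallet.example/*"]
}""")
WALLET_V2 = json.loads("""{
  "manifest_version": 3, "name": "Wallet Helper", "version": "1.1",
  "permissions": ["storage", "clipboardRead", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}""")

if __name__ == "__main__":
    print("v1 risky:", risky_permissions(WALLET_V1))
    print("v2 risky:", risky_permissions(WALLET_V2))
    print("update diff:", permission_diff(WALLET_V1, WALLET_V2))
```

Point `json.load` at a real manifest.json in place of the constructed ones; a non-empty `escalated` list after an update is exactly the "permissions changed" signal the advice above tells you to treat with suspicion.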
Touting it as "one of the most anticipated features", the Chocolate Factory said the ability to port "2SV secrets, the data used to generate 2SV codes across devices" would be particularly useful "when upgrading from an old phone to a new phone"... but only if your new phone is an Android too. The feature is available in v5.10 of Google Authenticator.

MobiFriends data on 3.6 million users available for download online

Teri Robinson: The leaked personal data of more than 3.6 million users registered on dating site MobiFriends was made all the more vulnerable because the site used the notoriously weak MD5 hashing. The information posted online – including mobile numbers, usernames, birthdates and app activity – was taken during a January 2019 breach.

Thunderspy: More Thunderbolt Flaws Expose Millions of Computers to Attacks

The new attack method, dubbed Thunderspy, was discovered by Björn Ruytenberg of the Eindhoven University of Technology in the Netherlands. The researcher has discovered a total of 7 vulnerabilities related to improper firmware verification, weak device authentication, the use of unauthenticated device metadata, downgrade attacks, unauthenticated controller configurations, SPI flash interface issues, and the lack of Thunderbolt security when using Boot Camp, the tool that allows users to install Windows on Apple computers. Thunderbolt is the hardware interface created by Intel and Apple for connecting peripheral devices to a computer. Millions of laptops and desktop computers with a Thunderbolt port could be vulnerable to Thunderspy attacks.

NBA star loses Twitter account to rude hackers

Without any games to play, pro athletes are just as bored as the rest of us, and as they spend more time on social media, they are also more prone to having their accounts hijacked.
Such was the case with NBA star Giannis Antetokounmpo, whose account was taken over and used to make a series of profane and insulting tweets about, among other people, the late Kobe Bryant and his daughter. "With these kinds of attacks, it is often less of a typical compromise and more of a drive-by graffiti of these accounts."

Nintendo console details leak

Shaun Nichols: Fans of Nintendo were treated this week to a rare look at the most basic workings of some of the gaming giant's best-known consoles. An anonymous hacker leaked some 2TB worth of source code related to the Nintendo Wii, GameCube, and Nintendo 64 designs. This cache includes Verilog code for the hardware – essentially the coded blueprints for the various chips.

Malware miscreants hit German medical group

European hospital operator Fresenius has become the latest organization to fall victim to ransomware. The German company, said to be one of the largest operators of private hospitals in the region, is reportedly dealing with an infection from the Snake ransomware, a relatively new malware group that exclusively targets large businesses.

Cognizant counts cost of malware attack

IT services company Cognizant has put an eye-watering price tag on the damage from its April ransomware ordeal. CEO Brian Humphries told analysts tuned into the company's quarterly earnings call that the clean-up from the infection would be as high as $70m.

DigitalOcean Inadvertently Exposed Customer Data

Last week, the company started alerting customers that some of their data might have been accessed by third-parties after a document from 2018 was unintentionally made available via a public link.
“This document contained your email address and/or account name (the name you gave your account at sign-up) as well as some data about your account that may have included Droplet count, bandwidth usage, some support or sales communications notes, and the amount you paid during 2018.” The email alert also informed customers that the document had been accessed at least 15 times before the leak was noticed and plugged.

UK: Cyber-Attacks on Orgs Up 30% in Q1 2020

Michael Hill: New research from business ISP specialist Beaming has revealed that the volume of cyber-attacks on UK businesses increased by almost a third in the first three months of 2020. Beaming analysts identified 394,000 unique IP addresses used to attack UK businesses in the first quarter of 2020, discovering that companies with internet connections experienced 157,000 attacks each, on average – the equivalent of more than one a minute. This rate of attack was 30% higher than the same period in 2019 when UK businesses received 120,000 internet-borne attempts to breach their systems each.

Microsoft, Intel Introduce 'STAMINA' Approach to Malware Detection

We couldn't resist, in part due to the fascination as to why acronyms are so important to some elements of business and military: Referred to as STAtic Malware-as-Image Network Analysis (STAMINA), the research leverages Intel’s previous work on static malware classification through deep transfer learning and applies it to a real-world dataset from Microsoft to determine its practical value. The approach is based on the inspection of malware binaries plotted as grayscale images, which has revealed that there are textural and structural similarities between binaries from the same malware families, and differences between different families or between malware and benign software. The technique is good, but only seems to work in small scale models; however, the researchers have plans to increase their stamina (sampling). Sorry, we could not resist.
Got a TP-Link cloud camera? It might be time to patch.

TP-Link has released firmware updates to address several vulnerabilities in its NC series cloud cameras, including bugs that could lead to the remote execution of arbitrary commands. CVE-2020-12109, CVE-2020-12110 and CVE-2020-12111 all had fixes released on April 29 that protect you against having the cameras taken over with commands run in the root context. You also get protection against sensitive data access on your network from the compromised device. Users are advised to install them as soon as possible to ensure that they remain protected.

US: Trump signs new executive order to protect US power grid.

The U.S. government appears to be concerned that foreign adversaries could be trying to plant malicious or vulnerable equipment in the country’s power grid. That is why the latest executive order prohibits the acquisition of bulk-power system electric equipment that is designed, developed, manufactured or supplied by an entity that is “controlled by, or subject to the jurisdiction or direction of a foreign adversary.” After the executive order was signed, the U.S. Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) posted a tweet saying that “malicious actors have sought to leverage unauthorized access to the bulk power system against the U.S. for over a decade.”

Maximator: European signals intelligence cooperation, from a Dutch perspective

Bart Jacobs, 07 Apr 2020: The post-Second World War signals intelligence (SIGINT) cooperation between five Anglo-Saxon countries – Australia, Canada, the United Kingdom, New Zealand, and the United States – is well-documented. This alliance is often called Five Eyes and is based on the 1946 UKUSA Agreement. What is not publicly known so far is that there is a second, parallel, western signals intelligence alliance, namely in north-western Europe, also with five members. It has existed since 1976 and is called Maximator.
It comprises Denmark, France, Germany, Sweden, and the Netherlands and is still active today. Yes, the name comes from a Bavarian beer, and it dates from an earlier era of hardwired encryption equipment. Of interest also were the countries that were not allowed to join the alliance, namely Belgium and Italy, and the fact that the Maximator alliance told GCHQ how the Argentinian cypher worked but made them figure it out themselves, which gave the Brits the upper hand in the Falklands war.

Coronavirus pandemic coincides with spike in online puppy scams

The Better Business Bureau (BBB) last week raised the alarm on what it says is a spike in online puppy scams it’s seeing now that the pandemic has so many people stuck at home, wistfully imagining that it’s the perfect time to train and bond with a little fluff ball. According to the BBB, nearly 85% of people who post pictures of puppies online are just trying to scam you. The scammers have up until now charged victims for the fictitious pet, plus delivery fees, vaccines, cage fees, vet bills or all of the above. But now, they’re also trying to bilk people out of fees for “special” shipping costs, including for a made-up “COVID-19 permit” to send the pet. Business is booming due to the pandemic. Besides the BBB in the US, police have issued alerts in the UK and in Canada. How to protect yourself?

- Don’t pay in ways that can’t be traced.
- Search online for the sender’s email address or mobile phone number.
- Ask for copies of the pet’s inoculation history, breed paperwork and certification before agreeing to buy it.
- Buy your pet locally from someone you can meet in person. The ASPCA recommends that you never buy a puppy online: even if you actually get an animal, it could have been mistreated by a “puppy mill” breeder along the way.
- And lastly, don’t let the crooks intimidate you.

Uncle Sam to agencies: No encrypted DNS for you!
The Department of Homeland Security’s (DHS) Cybersecurity & Infrastructure Security Agency (CISA) published a memorandum on April 21 warning agency CIOs that they’re legally bound to use its internal EINSTEIN network security system when resolving DNS queries. That means that they can’t yet take advantage of technologies that stop people from snooping on or even hijacking their DNS queries. EINSTEIN began as an intrusion detection system designed by the DHS’s US-CERT. Version 1 allowed the Agency to monitor traffic across all government networks, while version 2 spotted suspicious traffic. Version 3 (Einstein 3 Accelerated, or Einstein 3A), went further, preventing unwanted intrusions by known bad actors. It offers useful DHS-specific services like sink-holing that override public DNS records by blocking access to destinations that the DHS knows to be malicious. It also lets the DHS examine all DNS requests made by government users, of course. Why is the DHS reminding federal government CIOs about this now? The advisory itself points to one likely reason: browser developers are introducing support for DNS over HTTPS (DoH). Mozilla announced last September that it would be a default feature in Firefox, and Google has also announced an “experiment” with DoH in Chrome. The two organisations approach this differently, with Firefox choosing a DoH resolver of its own (Cloudflare) and Google just using the protocol if the user’s existing resolver supports it.

Twitter turns off SMS-based tweeting in most countries

"We’ve always been big fans of trusty SMS messaging. In fact, sending a text was originally the only way users could tweet. This is why Tweets are 140 characters — they need to fit into a text message." But last week, Twitter said on its support account that it’s killed SMS tweeting in order to keep our accounts safe, referring to SMS-enabled vulnerabilities for which it didn’t give any details. "We want to continue to help keep your account safe.
We’ve seen vulnerabilities with SMS, so we’ve turned off our Twitter via SMS service, except for a few countries. Everyone will still have access to important SMS messages needed to log in to and manage their accounts."

Hackers are targeting UK universities to steal coronavirus research, NCSC warns

State-sponsored hackers from Russia, Iran, and China are suspected. Charlie Osborne: The coronavirus pandemic has prompted a surge in vaccine research, and whatever country makes the breakthrough will likely financially benefit due to global demand. As a result, the coronavirus research area has become competitive -- and not just for scientists. It is believed that state-sponsored groups hailing from Russia, Iran, and China have pivoted to this valuable data and are targeting British universities and research departments in increasing numbers. In April, Health Secretary Matt Hancock said the UK government was "throwing everything" at developing a COVID-19 vaccine, pledging over £40 million ($49m) to universities including the University of Oxford and Imperial College London, both of which are working to create a viable vaccine. The University of Oxford has begun human vaccine trials, and both Imperial College London and Bristol University are hoping to reach this milestone soon. Oxford University is aware of the hacking attempts -- of which it is not thought any information breaches have, so far, taken place -- and a spokesperson told the publication that "Oxford University is working closely with the NCSC to ensure our COVID-19 research has the best possible cybersecurity and protection."

Xiaomi phones at the center of tracking brouhaha

A Forbes report last week outlined how some Xiaomi Android phones track their owners' web browsing and online activities. It was claimed the handsets collect things like browsing history, search queries, and news feed activity, and send the data off to servers in China, even when using the bundled Xiaomi browser's private incognito mode.
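Going back to the EINSTEIN/DoH item above: what EINSTEIN's DNS sink-holing loses with DoH is visibility of the query itself, because the same DNS wire-format message now travels inside an HTTPS request to whichever resolver the browser chose. The following is an added example, not from the page and not Mozilla's or Google's code: it builds a DoH query per RFC 8484 in both HTTP forms and decodes a response. The resolver URL https://dns.example/dns-query and the response bytes are constructed for illustration; the GET encoding it produces for www.example.com matches the worked example in RFC 8484 itself.

```python
"""DNS-over-HTTPS (RFC 8484) message encoding, shown offline.

Added example, not part of the original page or of any resolver's code. The
resolver URL and SAMPLE_RESPONSE are constructed; nothing here touches the
network. Wire format per RFC 1035; DoH transport per RFC 8484.
"""
import base64
import struct
from typing import Dict, List, Tuple

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Labels as length-prefixed bytes, terminated by a zero-length label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query. RFC 8484 recommends ID 0 so identical queries are cacheable."""
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def doh_get_url(resolver: str, query: bytes) -> str:
    """GET form: the message base64url-encoded without padding in the `dns` parameter."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_post_request(resolver: str, query: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """POST form: the raw message as the body, tagged with the DoH media type."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message",
               "Content-Length": str(len(query))}
    return resolver, headers, query


def _read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, position after it)."""
    labels: List[str] = []
    jumped, end = False, pos
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = pos + 2
            pos = struct.unpack_from(">H", msg, pos)[0] & 0x3FFF
            jumped = True
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (end if jumped else pos)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def parse_a_records(msg: bytes) -> List[Tuple[str, int, str]]:
    """Return (owner, ttl, dotted IPv4) for each A record in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    pos = 12
    for _ in range(qd):                                  # skip the echoed question
        _, pos = _read_name(msg, pos)
        pos += 4
    records = []
    for _ in range(an):
        owner, pos = _read_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, pos)
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            records.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return records


# Constructed response: one A record for www.example.com whose owner name is a
# compression pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://dns.example/dns-query", q))
    print(parse_a_records(SAMPLE_RESPONSE))
```

On the wire an EINSTEIN sensor sees only a TLS session to the resolver; the query name is inside the `dns=` parameter or POST body, which is why a mandated resolver (or a browser policy that disables DoH) is the only way to keep the sink-holing effective.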
Xiaomi, in response, claimed it anonymizes the harvested data for performance monitoring, though it did admit that this "aggregated data collection" included URLs even in incognito mode using per-user unique ID numbers that do not frequently change. Today, the phone vendor issued an update for its Mi Browser, Mi Browser Pro on Google Play, and Mint Browser on Google Play to "include an option in incognito mode for all users of both browsers to switch on/off the aggregated data collection." Which should stop Xiaomi's software harvesting URLs and other details in private mode. Tokopedia Breach: 91 Million Records Asian e-commerce giant Tokopedia is investigating a potentially major data breach after researchers revealed that 91 million user records are up for sale on the dark web. The same actor was subsequently found to be selling a much larger data trove containing a purported 91 million records for just $5000. There appears to have been at least two buyers over the weekend. “This is really bad, make sure you change your passwords for other services in case you are re-using passwords,” advised those researching the data. India has made use of a COVID-19 contact-tracing app compulsory in some parts of the nation. The country yesterday extended its national lockdown for two weeks from today. But the extension is not total: regions that have experienced no new cases at all or none in the last 21 days will be designated “green zones”. Locales with known cases or insufficient data will become “red” or “orange” zones subject to ongoing stay-at-home orders and extensive restrictions on business activity. This new order may well be impossible to enforce because the app doesn’t run on feature phones, which comprise over half of India’s national phone fleet. 
However it’s not hard to see why India wants more installs: it’s had around 80 million to date, which is not just over six percent of the country’s population and not a particularly useful sample in a nation where mega-cities top the ten-million-resident mark. Additionally, the privacy policy promises data collected will only be used for anonymous heat maps and informing those who encounter COVID-19 sufferers. But the privacy policy also includes a clause saying “All personal information collected from you under Clause 1(a) at the time of registration will be retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force.” US: Spies Say Covid-19 Wasn't Man Made The Office of the Director of National Intelligence released a brief statement this week confirming that "the Covid-19 virus was not man made or genetically modified." It left open the possibility that it may have originated in a Chinese lab, but it did tamp down some of the rampant, unfounded speculation from certain conservative commentators and politicians. (The scientific community dismissed those rumors from the start, but it's nice that the spies have caught up.) The statement also comes as the White House has reportedly pressured the intelligence committee to find links between Covid-19 and China, a type of "conclusion shopping" that critics say may result in less reliable reports. EventBot Malware Steals Banking Info and Two-Factor Codes Stop us if you've heard this one: Android malware poses as a legitimate app, only to steal your credentials once installed. That's EventBot in a nutshell, according to new research from security firm Cybereason. One unfortunate added trick: EventBot also intercepts your two-factor authentication codes, meaning it can break into the accounts whose passwords it stole with relative ease. 
The good news is that EventBot appears not to have slipped into the Google Play Store yet, so as long as you stick to official channels you should be fine.

NSO Group Employee Reportedly Spied on a Love Interest

The NSO Group sells spyware to governments around the world and has been at the center of several controversies over how its software gets used. WhatsApp recently sued the company, alleging that its Pegasus malware had been used against journalists and human rights advocates. This week, Motherboard reports that several years ago an NSO Group employee used the company's powerful surveillance tools to look up a woman he knew personally. It's a jarring report and a reminder that companies too often don't put tight enough controls on who can access their most sensitive systems.

Israel Says Hackers Targeted SCADA Systems at Water Facilities

Eduard Kovacs: According to an alert published by Israel’s National Cyber Directorate, the attacks targeted supervisory control and data acquisition (SCADA) systems at wastewater treatment plants, pumping stations and sewage facilities. Organizations in the water and energy sectors have been advised to immediately change the passwords of internet-accessible control systems, reduce internet exposure, and ensure that all control system software is up to date. According to Israeli media reports, the attacks were launched on Friday and Saturday and they targeted facilities across the country. Representatives of Israel’s Water Authority claimed the attacks did not cause any operational damage.

Collection of South Korean, U.S. Payment Cards Emerges on Underground Market

Ionut Arghire: Uploaded on a popular darknet cardshop on April 9, this collection represents the largest sale of South Korean records on underground markets this year, the cyber-security company warns. It also shows the growing popularity of APAC-issued card dumps among cyber-criminals. The total number of records in the database is 397,365, and the dump has a total price of $1,985,835, at $5 per record. The dump has a 30-40% validity rate, infamous underground marketplace Joker’s Stash announced. The database mainly contains Track 2 information, such as bank identification number (BIN), account number, and expiration date, and may include the card verification value (CVV) as well. Such data is usually harvested from infected POS terminals, ATM skimmers, or breached payment systems. While the provenance of the data is still unknown, Group-IB discovered that 49.9% of the records in it were from South Korea (198,233 items valued at $991,165). Furthermore, 49.3% of the items were related to banks and financial organizations in the United States.

Nintendo Breach Affects 160,000 User Accounts

Last week we reported that many Nintendo accounts were being mysteriously compromised. This week Nintendo has begun restricting log-ins and resetting affected passwords after admitting that as many as 160,000 accounts may have been illegally accessed by hackers. The Japanese gaming giant said it was disabling access to accounts via the legacy Nintendo Network ID (NNID), which was associated with its now-defunct Nintendo 3DS handsets and Wii U consoles. That’s because, since the beginning of April, hackers have been using NNIDs “obtained illegally by some means other than our service” to access user accounts and buy digital items using stored cards. Unauthorized third parties may also have been able to view personal information including name, date of birth, gender, country/region and email address. Specialists speculate that a Nintendo login API for the deprecated gaming services is still functioning and is probably being hit with credential-stuffing attacks.

309 million Facebook users’ phone numbers found online

Last week researchers at cybersecurity intelligence firm Cyble came across a database with 267m Facebook user profiles being sold on the Dark Web. Looking to verify the records and add them to the firm’s breach notification service, the researchers bought it … for the grand total of £500. That works out to USD $540 — or about 0.0002 cents — per record. The records held Facebook users’ IDs, which are unique, public numbers associated with specific accounts that can be used to figure out an account’s username and other profile info. The records also included full names, email addresses, phone numbers, timestamps for last connection, relationship status and age. Fortunately, there were no passwords exposed, but the breach still forms a perfect tool kit for an email or text phishing campaign that looks like it’s coming from Facebook itself. If enough users get fooled into clicking on spearphishers’ rigged links, it could lead to the exposure of even more, and more valuable, data. How did the data get leaked? Probably via Facebook's developer API. The initial breach exposed 267,140,436 records of what were mostly Facebook users in the US and most of the records seemed to be valid. The same 267m records were exposed on a US Elasticsearch server in March 2020, but this time, the exposure included an additional 42 million records. Included were Facebook IDs, phone numbers, and usernames, gender, email address, birth date and other personal data. Want to turn access to your records off? In Facebook, go to “Settings & privacy”.
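The Group-IB card-dump item above describes records holding Track 2 data: BIN, account number, expiry date and possibly CVV-style values. Anyone triaging such a dump (a fraud team checking which of its own BINs appear, for instance) needs to parse that format without ever displaying full card numbers. The following Python is an added example, not code from the page or from Group-IB: it parses ISO/IEC 7813 Track 2 strings, extracts the BIN, runs the Luhn mod-10 check and masks the PAN for display. The sample track strings are constructed from publicly known test card numbers, not data from the dump, and the 6-digit BIN length is an assumption (issuers have been moving to 8).

```python
"""Parse ISO/IEC 7813 Track 2 strings and triage a list of them.

Added example; not code from the page or from Group-IB. SAMPLE_DUMP below is
constructed from published test card numbers, not data from any real dump.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Track 2 layout: optional ';' start sentinel, PAN (12-19 digits), '=' field
# separator, YYMM expiry, 3-digit service code, optional discretionary data
# (PVV, CVV-style values, issuer data), optional '?' end sentinel.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

BIN_LENGTH = 6  # assumption: classic 6-digit IIN/BIN; issuers are moving to 8


@dataclass(frozen=True)
class Track2:
    pan: str
    bin: str
    expiry_yy: int
    expiry_mm: int
    service_code: str
    discretionary: str
    luhn_ok: bool


def luhn_ok(number: str) -> bool:
    """Mod-10 check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split one track string into fields; raise ValueError on anything malformed."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a Track 2 string")
    pan, mm = m.group("pan"), int(m.group("mm"))
    if not 1 <= mm <= 12:
        raise ValueError("invalid expiry month")
    return Track2(
        pan=pan,
        bin=pan[:BIN_LENGTH],
        expiry_yy=int(m.group("yy")),
        expiry_mm=mm,
        service_code=m.group("svc"),
        discretionary=m.group("disc"),
        luhn_ok=luhn_ok(pan),
    )


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits, mask the rest (PCI DSS display rule)."""
    return pan[:BIN_LENGTH] + "*" * (len(pan) - BIN_LENGTH - 4) + pan[-4:]


def triage(dump: list[str]) -> dict:
    """Count parseable / Luhn-valid records, tally BINs, and return only masked PANs."""
    parsed, rejected = [], 0
    for line in dump:
        try:
            parsed.append(parse_track2(line))
        except ValueError:
            rejected += 1
    return {
        "parsed": len(parsed),
        "rejected": rejected,
        "luhn_ok": sum(1 for t in parsed if t.luhn_ok),
        "bins": dict(Counter(t.bin for t in parsed)),
        "masked": [mask_pan(t.pan) for t in parsed],
    }


# Constructed sample: two Luhn-valid test PANs, one Luhn-invalid PAN, one junk line.
SAMPLE_DUMP = [
    ";4111111111111111=2512101123456789?",
    "5500000000000004=2306201",
    ";4111111111111112=2512101?",
    "not-a-track",
]

if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

The Luhn check only catches records that are structurally wrong (typos, mangled skims); it says nothing about whether a card is still live, so a "30-40% validity rate" is something only the issuer can establish, and the parser's job is to let an analyst match BINs and report counts without the full PANs ever leaving the script.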
Facebook Users Beware: Here’s Why Messenger Rooms Is Not Actually Private

Kate O'Flaherty: Facebook has just launched Messenger Rooms, a video chat app with the ability to add up to 50 people in a virtual room. In a blog, the company has outlined the security and privacy it claims underpin the service, taking a clear swipe at rival app Zoom. But when Facebook talks about “privacy” in Rooms, it defines this as the ability to block or report people, as well as the option to “lock” a room to prevent uninvited guests from crashing your chat. So it’s not that private at all: Messenger Rooms uses the same data collection policies as Facebook, which includes sharing your information with third parties. “Privacy settings on Facebook don’t protect data from Facebook, or its partners’ exploitation of the data."

AU: Rabobank security cert expires and gives its Australian Android app a case of internet-blindness

“There was a recent issue which was caused by an expired security certificate within the bank’s mobile banking app. It only affected Android users causing the ‘connection error’ message when customers tried to log in to their app. This security certificate problem has since been fixed, with a new app update released which has resolved the issue for the majority of impacted customers.” However the fix didn’t work for all users. “The bank is assisting those still-impacted customers to provide a work-around solution (i.e. un-installing, reinstalling and re-registering the app), while we continue to work on the system fix required to resolve the problem.” Complicating matters is that customers need to chat to Rabobank’s contact centre to resolve the problem. However that “has recently experienced a higher volume of calls … as a function of the current market conditions, which is not unexpected given present circumstances.”

Chinese ‘Frontline’ COVID-19 Research Firm Reported Hacked: Data Now On Dark Web

Zak Doffman: It’s a controversial subject—the use of CT scans to diagnose coronavirus—but it’s an emerging field. And while the likes of the U.S. Centers for Disease Control and Prevention and the American College of Radiology have cautioned against it, one Chinese medical company has harnessed Intel’s technology and Huawei’s marketing channels to push Huiying Medical's solutions into frontline hospitals. Cyber researchers at Cyble now report that a threat actor they describe as “credible” has gained access to the medical company’s “COVID-19 detection technology source code and COVID-19 experimental data.” Huiying Medical has not yet responded to a request for comment sent the day before publication. According to Cyble, the threat actor “THE0TIME” is selling the data for 4 BTC, around $30,000. That data is said to include user information, technology source code, and reports on experiments. Cyble “reviewed the exclusive and non-public samples and verified the claim.” The team identified confidential images from the breached data, which they are not making public.

Signal Says It Will Leave the US Market If the EARN IT Act Passes Congress

The end-to-end encrypted messaging app Signal, which is respected and trusted for its transparent, open source design, says that it will be one of the immediate casualties should the controversial EARN IT Act pass Congress. Written by South Carolina Republican senator Lindsey Graham and Connecticut Democrat Richard Blumenthal and introduced in the Senate last month, the EARN IT Act claims to be a vehicle for improving how digital platforms reduce sexual exploitation and abuse of children online. But the law would really create leverage for the government to ask that tech companies undermine their encryption schemes to enable law enforcement access. Signal developer Joshua Lund said in a blog post on Wednesday that Signal is not cool with that! More specifically, he noted that Signal would face insurmountable financial burdens as a result of the law and would therefore be forced to leave the US market rather than undermine its encryption to stay. Given that Signal is recommended and used across the Department of Defense, Congress, and other parts of the US government, this would be a seemingly problematic outcome for everyone.

WhatsApp Takes New Steps to Stop the Spread of Misinformation on Its Platform

WhatsApp announced on Tuesday that it will restrict forwarding of highly forwarded messages, so users can only send them to one chat at a time. The idea is to make it much more difficult and tedious to bulk-forward a message. WhatsApp has put other restrictions on forwarding in the past. Last year it started labeling highly forwarded messages with a double-arrow icon, and it has been particularly focused on curbing the spread of misinformation in recent months, given the Covid-19 pandemic.

Travelex Paid $2.3 Million to Hackers After Being Hit by Ransomware

Hackers hit the currency exchange firm Travelex with ransomware at the beginning of January, crippling the company's operations. This turned out to be just the beginning of the company's problems and financial woes. The Wall Street Journal reports, though, that before it was embroiled in the drama of a major accounting scandal, Travelex paid its ransomware attackers a whopping $2.3 million in an attempt to get them to go away. Paying hackers their requested ransom is not illegal in the United Kingdom where Travelex is based, but it is frowned upon by the international law enforcement community and security experts.
Victims can't be sure that attackers will actually retreat after they receive the ransom, and paying emboldens hackers to attempt more ransomware schemes.

On Friday, Apple and Google announced a joint collaboration to make a Covid-19 "contact-tracing" framework available for legions of Android and iOS smartphones. Slated for release next month, the platform will give public health organizations the ability to track infections and use Bluetooth proximity analysis to warn people if they've come into contact with someone who has reported that they're infected. The service will be opt-in only and is designed to preserve privacy, the companies say. The pandemic has fueled debate about contact-tracing apps, but researchers say that it is possible to design encryption schemes for such services in a way that would successfully protect user privacy.

San Francisco International Airport Discloses Data Breach

The incident involved SFOConnect.com and SFOConstruction.com, two low-traffic websites designed to keep visitors informed on a variety of SFO-related topics, such as the COVID-19 crisis, alternate AirTrain routing, airfield operations, airport construction contracts, and the like. In March 2020, the websites were targeted by cyber-criminals who injected malicious code into them, aiming to steal the login credentials of visiting individuals. The hackers, SFO says, appear to have targeted the usernames and passwords that people use “to log on to those personal devices.” Basically, they were after the victims’ Windows login credentials. This data was stolen directly from the users’ browsers even before it reached SFO systems. Since this happened on the users’ devices, the website administrators would have had no visibility into it. “Attackers know that people tend to reuse passwords across different websites and take credentials collected from other sites, then try to use them to log into more valuable websites, such as banks. It is vital to ensure that people are taught about the dangers of reusing passwords across multiple websites and that people enable multi-factor authentication, such as a text message with a code or a code generated from an app on a smart phone, wherever possible.”

Apple and Google Team Up on Virus 'Contact Tracing' by Smartphone

The companies next month plan to release software interface technology to allow for interoperability -- so that an alert would work regardless of the operating system. Apple and Google contended that "privacy, transparency, and consent" were top priorities in the joint initiative, addressing concerns about systems which could disclose personal data on individuals. "Contact tracing can help slow the spread of COVID-19 and can be done without compromising user privacy," Apple chief executive Tim Cook said in a tweet. Technology-enabled or digital contact tracing has played a "conspicuously visible" part of the pandemic responses of South Korea, Singapore, Israel, and other nations, law professor and privacy researcher Ryan Calo said in Senate testimony this week. "I understand the intuition behind digital contact tracing," Calo said in prepared remarks. "But I see the gains in the fight against the virus as unproven and the potential for unintended consequences, misuse, and encroachment on privacy and civil liberties to be significant."

Drones Take Italians' Temperature and Issue Fines

Authorities in Italy are using drones equipped with heat sensors to take the temperature of citizens and send the information to a drone operator, who has a thermal map on his hand-held screen -- shining orange and purple blobs. The hovering drone emits a mechanical buzz reminiscent of a wasp and shouts down instructions in a tinny voice. "Attention! You are in a prohibited area. Get out immediately," commands the drone, about the size of a loaf of bread. "Violations of the regulations result in administrative and criminal penalties," the drone says.
"Once a person's temperature is read by the drone, you must still stop that person and measure their temperature with a normal thermometer," Matteo Copia, a police commander, said. Copia says the local police force has received new powers that allow it to check people's temperature without their knowledge or permission.

Thousands of Zoom credentials available on a Dark Web forum

“In a recent investigation of deep and dark web forums, IntSights researchers came across a cybercriminal who shared a database containing more than 2300 usernames and passwords to Zoom accounts. An analysis of the database revealed that aside from personal accounts, there were many corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors, amongst others. While some of the accounts “only” included an email and password, others included meeting IDs, names and host keys.”

Nine Amazon workers describe the daily risks they face in the pandemic

Louise Matsakis, Wired.com: As the novel coronavirus pandemic sweeps the globe, an otherwise marginalized class of workers is suddenly in the spotlight. Often undervalued and poorly paid, they are grocery store clerks, sanitation workers, medical professionals, and other employees who can’t stay home—even when the nation is on lockdown. In the United States, hundreds of thousands of these so-called essential workers are employed by or contract for Amazon, whose delivery network has emerged as a vital service for millions of Americans stuck inside their homes.

Warehouse worker, early forties, Texas: Since the virus came, for the last couple of weeks, we’ve taken advantage of the unpaid—not paid—time off. This next upcoming paycheck, I think I will be paid for six hours of work. I’m staying home because my mom, she had a pacemaker put in not too long ago, and she lives with me. We don’t want to go without money. In fact, I don’t know how we’re going to pay our bills this month. I’m down to about $200, and this stimulus check is probably not going to come for another month. When we walk through the main front doors, we hit these turnstiles to enter. Everyone has to touch them, and I have never, not one time in my life, seen anybody clean those things. I know that in my fulfillment center, we’ve got over 900 people who work there, and we have three entrances to choose from. All it’s going to take is one infected person. The day this interview was conducted, Amazon notified the worker about a confirmed case of Covid-19 at their workplace.

Food catering, early thirties, Ohio: It’s kind of impossible to socially distance with our jobs, because our storage room is so small. They had us take out at least 70 percent of the microwaves, in the hopes that things would be more spaced out in the break rooms. But the problem is now we have an overwhelming amount of employees trying to use way fewer microwaves. It’s a big job, there’s a lot to do. During peak, which is usually around Christmastime, we can be there up to 11, 12 hours a day. But it’s starting to be more like that now, as Amazon is hiring more and more people to keep up with demand for essential items. They just hired another 100 people today. I’m petrified. It’s just me and my 16-year-old son, and he’s a type 1 diabetic. After this interview was conducted, multiple confirmed cases of Covid-19 were reported at their workplace. They are now taking unpaid time off.

Warehouse worker, late thirties, Illinois: A couple of weeks ago, they started doing superficial stuff for the coronavirus. They put tape on the ground by the time clocks for social distancing, and they removed some of the time clocks. But then they hired more people, which made the crowding worse in some areas. Now, when you walk in the door, they scan your head for your temperature. If it’s high, they send you home. But the issue is if you come in late, nobody is there to scan your head. Also, none of the managers know how to use the scanners, which I don’t get. You pull the trigger, aim at the person’s temple, and done. So they were just waving people in anyway. Yesterday we got emails and text messages saying that there’s now several confirmed cases at our warehouse. I think they should at least close the warehouse down for cleaning. Once somebody in the building has got it, they’ve touched so much, and everybody else has touched it, too.

Warehouse worker, early sixties, California: One problem we’re encountering is that once we’re on the floor and we’re doing our work, they don’t mandate social distancing. People aren’t staying 6 feet away. Instead of going around me, workers cut right in front of me, they bump into me. We have no hand sanitizers. We have no wipes. They’re not providing face masks.

Grocery warehouse worker, late twenties, Washington: Cooler space and the freezer space are very compact. The suits were the final nail in the coffin for me. In the freezer, it’s around zero degrees Fahrenheit. Amazon has these big puffy bodysuits that you put on over your whole body, including your mouth, which you need to keep you insulated. You find one that fits you, you do your time in the freezer, then you come out and you take it off, and some other poor bastard uses it. Because of the coronavirus, I haven’t been going in. For me, it’s just not worth the risk. While they are taking basic precautions, the fact of the matter is there are over 200, maybe 300 people that come in and out of this warehouse every day. They can’t possibly sanitize every single surface every two hours.

New IRS Site Could Make it Easy for Thieves to Intercept Some Stimulus Payments

Brian Krebs: Each year, scam artists file phony tax refund requests on millions of Americans, regardless of whether or not the impersonated taxpayer is actually due a refund. In most cases, the victim only finds out when he or she goes to file their taxes and has the return rejected because it has already been filed by scammers. In this case, fraudsters would simply need to identify the personal information for a pool of Americans who don’t normally file tax returns, which may well include a large number of people who are disabled, poor or simply do not have easy access to a computer or the Internet. Armed with this information, the scammers need only provide the target’s name, address, date of birth and Social Security number, and then supply their own bank account information to claim at least $1,200 in electronic payments. Unfortunately, SSN and DOB data is not secret, nor is it hard to come by. As noted in countless stories here, there are multiple shops in the cybercrime underground that sell SSN and DOB data on tens of millions of Americans for a few dollars per record. A review of the Web site set up to accept bank account information for the stimulus payments reveals few other mandatory identity checks to complete the filing process. It appears that all applicants need to provide a mobile phone number and verify they can receive text messages at that number, but beyond that the rest of the identity checks seem to be optional. To check the filer’s identity, the site asks for a state-issued driver’s license ID number, and the ID’s issuance and expiration dates. However, the instructions say “if you don’t have a driver’s license or state issued ID, you can leave the following fields blank.” Alas, much may depend on how good the IRS is at spotting phony applications, and whether the IRS has access to and bothers to check state driver’s license records. But given the enormous pressure the agency is under to disburse these payments as rapidly as possible, it seems likely that at least some Americans will get scammed out of their stimulus payments.
Dutch authorities launch sudden strike against DDoS-for-hire operators, taking down 15 sites in a week

The Distributed Denial of Service or DDoS-for-hire websites, also known as DDoS booters or DDoS stressers, allowed users to sign up and launch DDoS attacks against websites and other internet infrastructure. Dutch authorities said the takedowns took place last week, and they received support from web hosting companies, domain registrars, Europol, Interpol, and the FBI. Authorities did not release the names of the 15 DDoS services.

CA: Rogers Data Breach Exposed Customer Info in Unsecured Database

Lawrence Abrams for Bleeping Computer: Canadian ISP Rogers Communications has begun to notify customers of a data breach that exposed their personal information due to an unsecured database. In a data breach notification posted to their site, Rogers states that they learned on February 26th, 2020 that a vendor database containing customer information was unsecured and publicly exposed to the Internet. The following customer information was exposed by this data breach: address, account number, email address, telephone number. "Some wireless account numbers were included in the vendor database. If a customer’s wireless account number was included, we added a block to their account (called port protection) to prevent their phone number from being transferred to another carrier without their authorization. Customers can call us if they wish to remove this block."

FR: France warns of new ransomware gang targeting local governments

Catalin Cimpanu for Zero Day: CERT-FR says the Pysa gang has moved to target French organizations, with the agency receiving reports of multiple infections. CERT-FR said there was evidence suggesting that the Pysa gang launched brute-force attacks against management consoles and Active Directory accounts. These brute-force attacks were followed by the exfiltration of a company's accounts & passwords database. Victim organizations also reported seeing unauthorized RDP connections to their domain controllers, and the deployment of Batch and PowerShell scripts.

Our Smartphone Data Can Predict How Coronavirus Will Spread

Rebecca Sadwick: In May of 2019, Facebook’s data science team introduced disease-prevention maps to help nonprofits and universities identify future outbreaks. They include movement maps chronicling how people travel, and population density maps leveraging satellite imagery and census data to include insights on demographics such as the ages of population. “We’re coming off years of intense criticism of these companies ... but at some point we need to rely on them,” said Michelle Richardson, director of the Privacy & Data Project at the Center for Democracy & Technology. “If people are scared because of past overreaches, this is an opportunity [for these companies] to rebuild trust.” Google spokesman Johnny Luu echoed the sentiment by stating that the company is “exploring ways that aggregate anonymized location information could help in the fight against COVID-19,” in a statement to The Washington Post. This could include determining the “impact of social distancing, similar to the way we show popular restaurant times and traffic patterns in Google Maps… and would not involve sharing data about any individual’s location, movement or contacts.” It remains to be seen which of these new trends and paradigm shifts endure once the imminent threat of the COVID-19 pandemic is behind us. By any account, increased cross-functional collaboration between teams with different perspectives and skill sets should continue to advance our collective human knowledge and ongoing fight against pandemics, which are projected to become more likely in the future.
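The CERT-FR Pysa item above describes a chain that leaves very ordinary traces: a burst of failed logons against management consoles and AD accounts, RDP sessions to domain controllers from places that never RDP to them, and script hosts launching Batch or PowerShell files on those DCs. As an added example, not CERT-FR's or the page's code, the Python below runs three detection heuristics over constructed Windows Security events (4625 failed logon, 4624 logon type 10, 4688 process creation). The event shape is a simplified JSON-like record modelled on the Windows fields, and the host names, addresses, thresholds and allow list are assumptions; nothing here is a Pysa-specific indicator, it is the generic chain the item reports.

```python
"""Three heuristics for the brute-force / DC RDP / script-deployment chain.

Added example; not CERT-FR's or the page's code. SAMPLE_EVENTS is constructed,
using a simplified shape modelled on Windows Security log fields (EventID,
TimeCreated, Computer, IpAddress, TargetUserName, LogonType, NewProcessName,
CommandLine). Field names, hosts, addresses and thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment facts: which hosts are domain controllers and which
# sources (e.g. a privileged-access workstation) may legitimately RDP to them.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
RDP_ALLOWED_SOURCES = {"10.0.5.10"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

BRUTE_FORCE_THRESHOLD = 20                 # failed logons from one source ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this window


def _when(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["TimeCreated"])


def detect_brute_force(events: list[dict]) -> dict[str, int]:
    """4625: {source_ip: failures} for sources whose densest window meets the threshold."""
    by_src: dict[str, list[datetime]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            by_src[ev["IpAddress"]].append(_when(ev))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > BRUTE_FORCE_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BRUTE_FORCE_THRESHOLD:
            hits[src] = best
    return hits


def detect_dc_rdp(events: list[dict]) -> list[tuple[str, str, str]]:
    """4624 with LogonType 10 (RemoteInteractive) on a DC from a non-allow-listed source."""
    return [
        (ev["Computer"], ev["IpAddress"], ev["TargetUserName"])
        for ev in events
        if ev["EventID"] == 4624
        and ev.get("LogonType") == 10
        and ev["Computer"] in DOMAIN_CONTROLLERS
        and ev["IpAddress"] not in RDP_ALLOWED_SOURCES
    ]


def detect_script_deployment(events: list[dict]) -> list[tuple[str, str, str]]:
    """4688 on a DC where a script host is launched with a .bat or .ps1 on its command line."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4688 or ev["Computer"] not in DOMAIN_CONTROLLERS:
            continue
        exe = ev["NewProcessName"].lower().rsplit("\\", 1)[-1]
        cmd = ev.get("CommandLine", "").lower()
        if exe in SCRIPT_HOSTS and (".bat" in cmd or ".ps1" in cmd):
            hits.append((ev["Computer"], ev["NewProcessName"], ev["CommandLine"]))
    return hits


def run_all(events: list[dict]) -> dict:
    return {
        "brute_force": detect_brute_force(events),
        "dc_rdp": detect_dc_rdp(events),
        "scripts": detect_script_deployment(events),
    }


# Constructed sample log: 25 failures in under 3 minutes from 203.0.113.7, then an RDP
# logon from that address to DC01 and a PowerShell script launch there; plus benign
# noise (three typos from the PAW, a PAW RDP session, a .bat on a workstation).
_T0 = datetime(2020, 3, 20, 2, 0, 0)


def _ev(event_id: int, seconds: int, **fields) -> dict:
    return {"EventID": event_id, "TimeCreated": (_T0 + timedelta(seconds=seconds)).isoformat(), **fields}


SAMPLE_EVENTS = (
    [_ev(4625, i * 6, Computer="DC01", IpAddress="203.0.113.7", TargetUserName=f"user{i:02d}") for i in range(25)]
    + [_ev(4625, 600 + i * 60, Computer="DC01", IpAddress="10.0.5.10", TargetUserName="alice") for i in range(3)]
    + [
        _ev(4624, 240, Computer="DC01", IpAddress="203.0.113.7", TargetUserName="svc_backup", LogonType=10),
        _ev(4624, 900, Computer="DC01", IpAddress="10.0.5.10", TargetUserName="da_alice", LogonType=10),
        _ev(4688, 300, Computer="DC01",
            NewProcessName=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            CommandLine=r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\deploy.ps1"),
        _ev(4688, 360, Computer="WS01", NewProcessName=r"C:\Windows\System32\cmd.exe",
            CommandLine=r"cmd.exe /c C:\build\build.bat"),
    ]
)

if __name__ == "__main__":
    print(run_all(SAMPLE_EVENTS))
```

Each heuristic is noisy on its own (admins do RDP to DCs; failed logons happen); the value is in correlating them by source address and host within a short span, which is why all three return the fields needed to join them. Tune the window and threshold to your own 4625 baseline before turning the brute-force rule into an alert, and remember that 4688 only carries the command line if process-creation auditing with command-line logging is enabled.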
UK: Military Secrets Exposed by Printing Company

Security researchers have warned that as many as 100,000 customers of a UK-based printing company, including military organizations, may have had sensitive personal and business documents exposed in another cloud leak. The data sat in a misconfigured Amazon Web Services S3 bucket, found on January 22, owned by Doxzoo, a British document printing and binding company with global clients. The 343GB database contained over 270,000 records from a range of clients, including “complete scripts and screenplays, full-length books, sought-after paid wellness plans and internal military handbooks. Additionally, Doxzoo seems to regularly request full scans of photo IDs (such as passports) to fulfill orders.”

UK: COVID-19 Vaccine Test Center Hit By Cyber Attack, Stolen Data Posted Online

Davey Winder: The latest victim is Hammersmith Medicines Research, a British company that previously tested the Ebola vaccine and is on standby to perform the medical trials on any COVID-19 vaccine. The cyber-attack, which took place on March 14, was spotted in progress, stopped, and systems restored without paying any ransom. The hackers sent Hammersmith Medicines Research sample files containing details of people who participated in testing trials between eight and 20 years previously and then published samples of data on the dark web in an attempt to extort payment.

USA: NY: New York's SHIELD Act could change companies’ security practices nationwide

The Stop Hacks and Improve Electronic Data Security Act, otherwise known as the SHIELD Act, is a New York State bill signed into law July 2019. One key provision in the legislation that could significantly change security practices across the country took effect March 21, possibly inducing companies big and small to change the way they secure and transmit not only New Yorkers' private data but all consumers' sensitive information. Technically an amendment to the state's data breach notification law, the SHIELD Act has as much of an impact on internet and tech companies' privacy and security practices as the more famous California Consumer Privacy Act (CCPA) or even the European Union's General Data Protection Regulation (GDPR). The bill substantially broadens the scope of consumer privacy and data security protection by:
- Expanding the range of information subject to the current data breach notification law to include biometric information and email addresses and their corresponding passwords or security questions and answers
- Broadening the definition of a data breach to include unauthorized access to private information
- Applying the notification requirement to any person or entity with private information of a New York resident, not just to those that conduct business in New York State
- Updating the notification procedures companies and state entities must follow when there has been a breach of private information
- Creating data security requirements tailored to the size of a business
The first four of these requirements took effect on October 23, 2019, while the last provision went into effect on March 21, 2020.

RU: Leaked Plans Reveal Mirai-Like Russian IoT Botnet

BBC Russia: Digital Revolution is well known for hacking organizations that do business with the Federal Security Service (FSB). Last week it published technical documents detailing a project known as “Fronton.” It proposes a scheme to compromise unsecured smart devices by cracking their factory default passwords. The resulting zombie devices would be formed into a botnet and used to launch DDoS attacks on FSB targets. Originally created in 2017-18, the 12 documents list the Fronton, Fronton-3D and Fronton 18 projects. They appear to be the work of Moscow-based FSB contractor, 0Day, which Digital Revolution claimed to have hacked back in April 2019.
CN: Hacker selling data of 538 million Weibo users
The personal details of more than 538 million users of Chinese social network Weibo are currently available for sale online, according to ads seen by ZDNet and corroborating reports from Chinese media. In ads posted on the dark web and other places, a hacker claims to have breached Weibo in mid-2019 and obtained a dump of the company's user database. Personal details include names, site usernames, gender, location, and -- for 172 million users -- phone numbers, but no passwords, hence the bargain sales price of only US$250.00. The hacker provided samples of the data, which Weibo users confirmed to be accurate.

UK: Unprotected Database Exposed 5 Billion Previously Leaked Records
An Elasticsearch instance containing over 5 billion records of data leaked in previous cybersecurity incidents was found exposed to anyone with an Internet connection. Keepnet Labs, a UK security firm, said that the data was “collected and correlated” for its customers only, to inform them if their accounts were part of previous breaches. “There is a certain irony in an exposed database of previously compromised data. While the data exposed in this breach appears to be collected from previously known sources, the fact that it was all readily available, indexed, and publicly exposed makes it a big concern.”

CovidLock coronavirus victim tracking app demands ransom payment from Android users
Graham Cluley: An Android app that pretends to warn users about those infected with the COVID-19 coronavirus in their vicinity. What actually happens is that the app locks users out of their devices and demands that a $100 worth of Bitcoin ransom payment is made within 48 hours. If payment is not made, the ransomware claims, the phone will be completely erased and pictures, videos, and social media accounts shared online. Be careful. This is a third-party (side-loaded) app that you really don't want to get involved with.
US Health Department Hacked Amid Coronavirus Pandemic
The intrusion occurred on Sunday night and is thought to have been motivated by a desire to slow the agency down and spread misinformation among the public. After compromising the department's system, attackers circulated a false claim that the American government planned to introduce a nationwide lockdown. The erroneous rumor that every American would be ordered to self-quarantine at home was quashed by the National Security Council. Just before midnight on Sunday, the NSC published the following statement on Twitter: “Text message rumors of a national #quarantine are FAKE. There is no national lockdown. @CDCgov has and will continue to post the latest guidance on #COVID19.” President Trump followed the next day with the declaration of a national emergency and a statement that people might want to self-isolate, but the two events were unrelated.

Europol busts up two SIM-swapping hacking rings
After a months-long, cross-border investigation, Europol announced on Friday that it has arrested more than two dozen people suspected of draining bank accounts by hijacking victims’ phone numbers via SIM-swap fraud. SIM swaps work because phone numbers are actually tied to the phone’s SIM card – in fact, SIM is short for subscriber identity module, a special system-on-a-chip card that securely stores the cryptographic secret that identifies your phone number to the network. Most mobile phone shops out there can issue and activate replacement SIM cards quickly, causing your old SIM to go dead and the new SIM card to take over your phone number… and your telephonic identity.
By stealing your phone number, the crooks start receiving your text messages along with your phone calls, and if you’ve set up SMS-based two-factor authentication (2FA), the crooks now have access to your 2FA codes – at least, until you notice that your phone has gone dead, and manage to convince your account providers that somebody else has hijacked your account. Investigators arrested the suspects in simultaneous raids throughout Romania. Europol says that this gang’s thefts targeted dozens of victims in Austria. The alleged crooks carried out the thefts through a series of SIM-swapping attacks in the spring of 2019 and stole over half a million euros, Europol says (£456,975, USD $558,350).

EU: Oops! Microsoft Teams goes down as Europe starts working from home
Remote not-working during the coronavirus pandemic. As millions of people across Europe choose to work remotely rather than head into the office in the wake of the coronavirus pandemic, a widely-used communication and collaboration tool that allows workers to have video meetings, chat, and share files has gone down. Microsoft Teams posted on its Twitter support account that it was aware that users were experiencing problems using the service: "We’re investigating messaging-related functionality problems within Microsoft Teams. Please refer to TM206544 in your admin center for further details."

WFH: Tips to remember if you move around with personal computers.
- Full-disk encryption ensures that even if the device falls into the wrong hands, the company’s data is not accessible.
- Log out when not in use – both at home and in public places. An inquisitive child accidentally sending an email to the boss or a customer is easily prevented, as is limiting the opportunity for someone to access the machine while your back is turned in the local coffee shop.
- Strong password policy – enforce passwords on boot, set inactivity timeouts, and ban sticky notes with passwords on them: people still do this!
- Never leave the device unattended or on public display. If it’s in the car, then it should be in the trunk.

US: Senate bill would ban TikTok from government phones
The bill comes from Senators Josh Hawley (R-MO) and Rick Scott (R-FLA). It would expand on current TikTok bans from the State Department, the Department of Homeland Security (DHS), the Department of Defense (DoD), and the Transportation Security Administration (TSA). "TikTok is owned by a Chinese company that includes Chinese Communist Party members on its board, and it is required by law to share user data with Beijing. The company even admitted it collects user data while their app is running in the background – including the messages people send, pictures they share, their keystrokes and location data, you name it. As many of our federal agencies have already recognized, TikTok is a major security risk to the United States, and it has no place on government devices."

UK: Telephone, TV and internet provider Virgin Media has suffered a data breach, or not, depending on whom you ask.
Paul Ducklin: "No, this was not a cyber-attack. […] No, our database was not hacked. […] Certain sources are referring to this as a data breach. The precise situation is that information stored on one of our databases has been accessed without permission. The incident did not occur due to a hack but as a result of the database being incorrectly configured." TurgenSec, an unassociated IT security company that alerted Virgin Media to the breached information, found the database where 900,000 users had their name, email address, home address, phone number and date of birth exposed. Since this is only a percentage of Virgin's total customer base, customers should expect one of two things: a real email from Virgin informing them of the breach, or a phishing email from someone trying to steal their details. So it's a lose-lose either way.
US: From last week you'll need a notarized document to get a .gov domain
Danny Bradbury: The US government tightened its rules around the registration of government web domains to stop fraudsters impersonating government sites. The General Services Administration (GSA) said: "Effective from March 10, 2020, the DotGov Program began requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain. This was a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain. This step helps maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations."

US: Phone carriers may soon be forced to adopt anti-robocall tech (and you will love the acronyms!)
US carriers haven’t been doing enough to block robocalls, according to the Federal Communications Commission (FCC), so its chairman, Ajit Pai, has proposed a set of rules that would force carriers to block robocalls. In November 2018, Pai asked the phone carriers to adopt a technology framework called SHAKEN/STIR to help solve the problem. STIR (Secure Telephone Identity Revisited) defines a set of protocols used on SIP networks for applying digital signatures to telephone numbers from calling parties. SHAKEN (Signature-based Handling of Asserted information using toKENs) is a framework for STIR, providing implementation guidelines for carriers to roll out STIR so that it is compatible with all their networks and operates in real time. A year later, the take-up had been minimal, but with the passage of the (wait for it) Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act last December it all became law. From June 30, 2021, the rules blocking robocalling become mandatory.
FBI arrests alleged owner of Deer.io, top market for stolen accounts
The FBI on Saturday arrested the alleged owner of Deer.io: a Russia-based marketplace for buying and selling credentials for hacked accounts siphoned off malware-infected computers, victims’ personally identifiable information (PII), as well as financial and corporate data. According to the arrest warrant, the suspect, Kirill Victorovich Firsov, was arrested at John F. Kennedy Airport in New York.

EU: Data of millions of eBay and Amazon shoppers exposed
Researchers have discovered another big database containing millions of European customer records left unsecured on Amazon Web Services (AWS) for anyone to find using a search engine. A total of eight million records were involved, collected via marketplace and payment system APIs belonging to companies including Amazon, eBay, Shopify, PayPal, and Stripe. The AWS instance containing the MongoDB database became visible on 3 February, where it remained indexable by search engines for five days. Data in the records included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and partially redacted credit cards.

US: EARN IT Act threatens end-to-end encryption
EARN IT was introduced by Republican Lindsey Graham, Democrat Richard Blumenthal and other legislators who’ve used the specter of online child exploitation to argue for the weakening of encryption. This comes as no surprise: in December 2019, while grilling Facebook and Apple, Graham and other senators threatened to regulate encryption unless the companies gave law enforcement access to encrypted user data, pointing to child abuse as one reason. What Graham threatened at the time: "You’re going to find a way to do this or we’re going to go do it for you... Period. End of discussion."
The bill would undercut Section 230 of the Communications Decency Act (CDA) for certain apps and companies so that they could be held responsible for user-uploaded content. The Electronic Frontier Foundation (EFF) frames the importance of Section 230: "Section 230 enforces the common-sense principle that if you say something illegal online, you should be the one held responsible, not the website or platform where you said it (with some important exceptions). The [senator] discusses weakening security and requiring government access to every aspect of Americans’ lives. That means the EARN IT Act would backfire for its core purpose, while violating the constitutional rights of online service providers and users alike."

US: Dept. of Homeland Security sued over secretive use of face recognition
The American Civil Liberties Union (ACLU) and the New York Civil Liberties Union are suing the Department of Homeland Security (DHS), US Customs and Border Protection (CBP), Immigration and Customs Enforcement (ICE), and the Transportation Security Administration (TSA) over their failure to provide details about the use of facial recognition at airports. "The public has a right to know when, where, and how the government is using face recognition, and what safeguards, if any, are in place to protect our rights. This unregulated surveillance technology threatens to fundamentally alter our free society and is in urgent need of democratic oversight," lawyers for the ACLU stated.

Confessions app Whisper spills almost a billion records
The Washington Post: Whisper offers a kind of anonymous social network service that allows people to post their innermost fears and desires, supposedly without risk. Its users post everything from dark family secrets to stories of infidelity. It gathers these up and uses them for articles on its website, including “Naughty Nannies Confess To Sleeping With The Fathers They Work For”, “Alcoholism Runs In My Family”, and “I Married The Wrong Person”.
The problem is that Whisper didn’t steward that data very well. Some 900 million records in a 5 TB database spanning 75 different servers, logged in the eight years between the app’s release in 2012 and the present day, were exposed. The data was stored in plain text on Elasticsearch servers and included 90 metadata points per account. The leak divulged stated age, gender, ethnicity, home town, nickname and ... wait for it... the exact geolocation of the user's most recent post.

Microsoft Edge Shares Privacy-destroying Telemetry
According to the analysis, from the School of Computer Science and Statistics at Trinity College in Ireland, Edge sends privacy-invasive telemetry, used to link requests (and the associated IP address/location) to Microsoft’s back-end servers — including “persistent” device identifiers and URLs typed into browsing pages. Edge sends hashed identifiers that are linked to device hardware, called hardware UUIDs (universally unique identifiers), to Microsoft, which are “strong and enduring identifier[s] that cannot be easily changed or deleted.” Worse, this behavior can’t be disabled by users. In addition, Edge features a search autocomplete functionality that shares details of web pages visited. Part of this functionality transmits web page information to servers unrelated to search autocomplete. Nice. So if you have any Microsoft boxes at home, stay away from the Edge!

NG: Rise and fall of ‘Dton’
Elizabeth Montalbano: Ever wonder who’s behind one of those Nigerian cybercrime email campaigns asking you to enter into a shady business deal, and how they’re enacted? Well, security researchers tracked him for years hoping to expose all his exploits and those of his accomplices. “By day, he is Dton, administrator of businesses and achiever of organizational goals,” researchers wrote in the report.
“But by night, he is Bill Henry, cybercriminal entrepreneur.” The first phase of Dton’s cybercriminal enterprise was to purchase stolen credit card details from Ferrum Shop, an online marketplace flogging more than 2.5 million stolen payment card credentials, then charge about $550 to each card he purchased. This netted him a tidy six-figure income that should have been enough for a lucrative side hustle from his day job. But, becoming a little more greedy, Dton began buying “leads,” or email addresses of potential marks, in bulk, and then launching campaigns of his own to steal user credentials, they wrote. With these leads, Dton escalated his cybercrime activity by sending a variety of malware, comprising infostealers, keyloggers and crypters, to the bulk email addresses he purchased, researchers said. These campaigns included the type of emails many people have already come across in their inboxes—the ones that include a formal greeting and request the potential victim to enter into a financial deal with the sender of the email based on the recommendation of a mutual contact. To engage in his newfound cybercrime activities, Dton bought and tested various malware—such as packers and crypters, infostealers and keyloggers, exploits and remote VMs. “Dton now disguises his custom-built malware into everyday email attachments, blasts them out to each of the email addresses on his lists, and harvests user credential details without the email owners ever knowing,” researchers wrote. Cybercriminal activities have similar structures to legitimate businesses, researchers revealed in their report. During his criminal activity, Dton also had partners in crime and even had to report to managers, with the same everyday headaches and disagreements with coworkers that people in legitimate jobs have to contend with.
These frustrations eventually led him to hire someone to create a customized RAT that he could use in his cybercriminal campaigns, rather than use malware he bought from other people. But Dton later turned on the developer of the RAT, using it to compromise the developer’s own machine, researchers said. Eventually Dton got busted, and he lost the hundreds of thousands he had stolen, but his 7-year side job did get him free room and board and a nice striped outfit to wear. As the coronavirus (COVID-19) takes hold, all else seems trivial, but things will go back to some form of normalcy. While you read these updates you can practice not touching your face...
Ironpie automatic vacuum with camera
According to Trifo, the Ironpie is “An AI-powered robot vacuum that vacuums up dirt, dust, crumbs – even sand – like no one’s business” and it claims that its “mission is to clean and protect your home, so you can do more important things. I keep your home safe from dirt, dust, crumbs, sand and more; and also use my advanced vision system to keep intruders out. I am always alert and never sleep on the job.” The Trifo can be connected to the internet via WiFi and controlled remotely for vacuuming, as well as for remote video stream viewing, since it incorporates a video camera. The security concerns of connecting video cameras to the internet should be obvious. So Checkmarx tested the device and found some really worrying deficiencies: insecure encryption, access to the video feed, and an insecure app update mechanism. They also contacted Trifo last December to let them know and have yet to receive a response. So if you have an Ironpie, pop it into the oven, set the temp to 400 and give it a good grilling. We are sure that cooking your Ironpie will resolve all the security issues associated with it, but it might not get your house quite as clean.

"Watch out!" Stripe customers.
A new scam involving anyone who has paid by Stripe has the baddies just copying the Stripe validation web interface and sending an email like this: "We don’t recognize the device that was just used to sign in to your Stripe account. If this was you, you don’t need to do anything. If you don’t recognize it, please update your password." Don't take the bait!

UK: Why Free WiFi isn't really free.
Jeremiah Fowler discovered in mid-February 2020 yet another unsecured database, with 146 million user data records, from a company that offers "free wifi" at UK train stations and airports. They collect things like names, email addresses, age ranges and device data of users of the service.
"In this case anyone with an internet connection could see what station the user was at, a time stamp, ads they may have seen, the postcode where they live and much more. Every little piece of information is essentially a puzzle piece that can be used to paint a bigger picture of the user."

GoodRx stops sharing personal medical data with Google, Facebook
GoodRx – a mobile app that saves US consumers money on prescription drugs – has apologized and sworn to do better after a Consumer Reports investigation found that it was sharing people’s data with 20 other internet-based companies. Consumer Reports had discovered that GoodRx was sharing the names of medications that people were using the app to research, including those of a highly sensitive, personal nature. For example, the consumer-focused nonprofit found it could use the app to look for discounts on Lexapro, an antidepressant; PrEP and Edurant, used to prevent and treat HIV, respectively; Cialis, for erectile dysfunction; Clomid, a medication used in fertility treatments; and Seroquel, an antipsychotic often prescribed to control schizophrenia and bipolar disorder. The details GoodRx was sharing could lead to companies being able to infer “highly intimate details” about users, Consumer Reports said: "With the information coming off our test phone and browser, a company could infer highly intimate details about GoodRx users suffering from serious chronic conditions, and make educated guesses about their sexual orientation."

Facebook: No, we are not killing Libra
Lisa Vaas: Late last Tuesday, multiple reports suggested that Facebook has decided not to support its Libra virtual currency in its own products and will instead offer users the ability to make payments with government-issued currencies, or that the platform and its partners are weighing whether they should recast it as mostly a payments network that could operate with multiple coins.
According to a report from The Information that cited three sources, Facebook has been mulling offering digital versions of currencies such as the US dollar and the euro, in addition to its proposed Libra token. The Information also reported that Facebook will still launch a digital wallet to enable users to make purchases and send and receive money, but that the rollout would be delayed by several months. A Facebook spokesperson sent this statement: "Reporting that Facebook does not intend to offer the Libra currency in its Calibra wallet is entirely incorrect. Facebook remains fully committed to the project."

Google launches FuzzBench service to benchmark fuzzing tools
Researchers integrate the fuzzer they want to test using an easy API and 50 lines of code. FuzzBench then throws real-world benchmarks and many trials at the tool until, after 24 hours, the results appear: based on data from this experiment, FuzzBench will produce a report comparing the performance of the fuzzer to others and give insights into the strengths and weaknesses of each fuzzer. Fuzzing software involves throwing large numbers of random, tweaked and permuted (fuzzed) input files at an application in the hope of triggering unexpected or hard-to-find bugs, thereby highlighting security vulnerabilities. Developers submit the fuzzer they want to test to the FuzzBench platform, which generates the report by running 20 trials of 24 benchmarks over a 24-hour period using 2,000 CPUs. The service also runs ten other popular fuzzers (including AFL, LibFuzzer, Honggfuzz, QSYM, Eclipser) to provide a comparison. Statistical tests are part of the suite to estimate how much of the difference between one fuzzer and another is down to chance, as well as providing the raw data so developers or pen-testers can make their own assessment. Crashes aren’t included as a metric but will be in future. You can see a sample report at fuzzbench(dot)com.
Zynga faces class action suit over massive Words With Friends hack
Lisa Vaas: Zynga – maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker – is facing a potential class action lawsuit over the September 2019 breach in which hackers got access to more than 218 million Words with Friends accounts. Zynga admitted to the breach at the time, saying that hackers got their hands on “certain player account information” but that, at least during the early stages of its investigation, it didn’t think any financial information was accessed. The game maker didn’t disclose how many accounts were affected, saying only that it would contact players with affected accounts. Have I Been Pwned confirmed in December 2019 that more than 173 million accounts were hit. Hacker News, which scrutinized a sample sent over by GnosticPlayers, said that the breached data included names, emails, login IDs, hashed passwords – “SHA1 with salt” – password reset tokens, Zynga account IDs, and connections to Facebook and other social media services. We don’t know exactly what “SHA1 with salt” means, but we do know that it isn’t bcrypt, scrypt, PBKDF2 or any other of the recognized password hashing functions you’d hope and expect to have been used.

HK: Cathay Pacific fined over crooks slurping its database for over 4 years
The UK’s Information Commissioner’s Office (ICO) said on Wednesday that it has fined Cathay Pacific Airways £500,000 (USD $647,015, €576,992) for failing to secure passengers’ personal details, leading to malware being installed on its server that harvested 9.4 million people’s names, passport and identity details, dates of birth, postal and email addresses, phone numbers and historical travel information over a period of 4 years.
The ICO found back-up files that weren’t password-protected, unpatched internet-facing servers, use of operating systems that were no longer supported by the developer, and inadequate anti-virus protection.

UK: Boots stops loyalty card payouts after 150K accounts get stuffed
The loyalty cards award shoppers four points for every £1 they spend. One point will get you one penny’s worth of spending power, so if your card has a balance of, say, 199 points, you could use it to buy something that costs £1.99 at a store or online at boots.com… which, of course, means that anybody who gets access to your account can do the same, regardless of where they’re located. That’s why Boots shut down the program, so nobody can shop with points either in stores or online. Boots suggests that the suspicious activity spotted in customers’ accounts is coming from baddies trying to get at their accounts by using credentials that were exposed in some other breach – credentials that those customers have used, reused, re-reused and refused to let go of. It’s called credential stuffing. Sticking (reused!) passwords into every online place you can think of is a simple way to get into somebody else’s account without permission: just go online and look for lists of breached credentials, often available for sale or for free, then try them out until you get lucky.

5 Tips From Homeland Security To Help You Avoid COVID-19 Scams
Lee Mathews:
- Use trusted sources.
- Avoid clicking on links in unsolicited emails, IMs, or texts.
- Avoid opening attachments in unsolicited emails.
- Do not reveal personal or financial information in email, IMs, or texts.
- And finally: verify a charity’s authenticity before making donations.

New Android ‘Dangerous’ Download Warning: 61,669 Malicious Apps Hiding On App Store
China features front and center in the RiskIQ report: with 40% of app spending, “China remains the largest app market,” an ecosystem that goes way beyond the official stores.
“The top-three most prolific app stores in 2019 were Chinese, ahead of both Google and Apple.” In fact, China’s leading app store, ApkGK, accounted for more than twice the number of new apps as the Play Store. Putting all that together, it’s little surprise that the four most dangerous app stores (by concentration of malicious apps) are all Chinese: 9Game, VmallApps, Xiaomi and Zhushou. And 9Game leads the way overall—RiskIQ warns that it is the most dangerous of all the app stores, with a staggering 61,669 blacklisted apps.

Microsoft Confirms ‘Really, Really High’ Hacking Risk For Millions Of Users: Here’s What You Do Now.
The company warns that 1.2 million accounts were compromised in January, almost all of which were preventable by one simple security measure... multi-factor authentication, or MFA. A truly alarming 80% of those compromised enterprise accounts, which if you do the quick math is almost 1 million hacked accounts in January alone, were hit by either “password spray” or “replay” attacks.

A list of security conferences canceled or postponed due to coronavirus concerns.
These are just security conferences. Gatherings like the Geneva auto show or Baselworld have been cancelled too...
- Wild West Hackin' Fest - March 10 to March 13, San Diego - Current status: Virtual.
- Red Team Summit - March 11 to March 12, Menlo Park - Current status: Postponed to June 11-12.
- Women in Cybersecurity - March 12 to March 14, Aurora (Colorado) - Current status: Canceled.
- ISC West (trade show) - March 17 to March 20, Las Vegas - Current status: Postponed to July, new date to be announced.
- Pwn2Own CanSecWest (hacking contest) - March 18 to March 20, Vancouver - Current status: Optional remote participation. Hackers participating in the Pwn2Own contest can attend, but they can also ask contest organizers to execute exploits on their behalf.
- InsomniHack - March 19 to March 20, Geneva - Current status: Postponed to June 4 - June 5.
- Black Hat Asia - March 31 to April 3, Singapore - Current status: Postponed to September 29 - October 2.
- BSidesCharm - April 4 to April 5, Baltimore - Current status: Proceeding under adjusted rules. Remote speakers will be given the option to use video conferencing and avoid traveling to the conference.
- BountyCon - April 4 to April 5, Singapore - Current status: Postponed to August 31.
- Kaspersky's Security Analyst Summit - April 6 to April 9, Barcelona - Current status: Postponed to September. Exact date to be announced later.
- DEF CON China - April 17 to April 19, Beijing - Current status: Postponed, new date to be announced.
- Internet Freedom Festival - April 20 to April 24, Valencia - Current status: Canceled.
- Area41 - June 11 to June 12, Zurich - Current status: Postponed to June 2021, next year.

Chinese Security Firm Attributes Attacks to the CIA
It's maybe not surprising that the CIA actually uses its trove of Vault 7 hacking tools—and more—to sneak past the defenses of US adversaries. But it's certainly rare to see the agency get publicly called out, as Chinese security firm Qihoo 360 did this week. US security firms regularly attribute, or at least strongly imply, attacks to Chinese hacking groups like APT10. Regardless of whether Qihoo 360 actually has the goods, it'll be interesting to see if other countries feel similarly emboldened to start calling out US hackers, especially when the US itself has become more aggressive with its own "naming and shaming" campaigns.

An Unfixable Flaw Exposes 5 Years of Intel Chips
Ever since the speculative execution bugs Spectre and Meltdown upended security for the majority of computers a little over two years ago, newly discovered hardware flaws seem to bedevil Intel every few months. This time it's a flaw in the mask ROM of Intel's Converged Security and Management Engine, a particularly nasty spot for a bug because it can't be patched with a firmware update.
"Because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole," wrote security firm Positive Technologies in a blog post announcing the issue. Intel argues that pulling off an attack would require local access, specialized gear, and a high level of skill, making it relatively impractical in the real world. Given the potential impact, though, it's still a concerning flaw—one that affects every Intel CPU and chipset released in the last five years.

Virgin Media Exposes Database of Nearly 1 Million Customers
Leaving a database exposed on the internet is bad enough as it is. It's worse when that database includes personally identifiable information, like home addresses and emails. And worse still when someone outside the company actually finds and accesses those details. Virgin Media has checked all three, with a database of 900,000 customers left vulnerable. Data breaches happen all the time, but that by no means excuses them. There are some steps you can take to protect yourself when they happen, but the onus is on corporations to make sure they don't in the first place.

Someone Accessed Thousands of J. Crew Online Accounts
Oh, hello again. Nearly a year ago, J. Crew suffered a so-called credential stuffing attack that impacted the online accounts of fewer than 10,000 customers. It did, though, include some payment information, like the type of credit or debit card used and the last four digits of the card numbers, plus expiration dates and associated addresses. Not ideal! Regulators may raise an eyebrow at how long it took J. Crew to come forward with this one.

Hackers can clone millions of Toyota, Hyundai, and Kia keys
Over the past few years, owners of cars with keyless start systems have learned to worry about so-called relay attacks, in which hackers exploit radio-enabled keys to steal vehicles without leaving a trace.
Now it turns out that many millions of other cars that use chip-enabled mechanical keys are also vulnerable to high-tech theft. A few cryptographic flaws combined with a little old-fashioned hot-wiring—or even a well-placed screwdriver—let hackers clone those keys and drive away in seconds. Researchers from KU Leuven in Belgium and the University of Birmingham in the UK earlier this week revealed new vulnerabilities they found in the encryption systems used by immobilizers, the radio-enabled devices inside of cars that communicate at close range with a key fob to unlock the car's ignition and allow it to start. Specifically, they found problems in how Toyota, Hyundai, and Kia implement a Texas Instruments encryption system called DST80. A hacker who swipes a relatively inexpensive Proxmark RFID reader/transmitter device near the key fob of any car with DST80 inside can gain enough information to derive its secret cryptographic value. That, in turn, would allow the attacker to use the same Proxmark device to impersonate the key inside the car, disabling the immobilizer and letting them start the engine. The researchers say the affected car models include the Toyota Camry, Corolla, and RAV4; the Kia Optima, Soul, and Rio; and the Hyundai I10, I20, and I40.

EARN IT??
The Register.co.uk: On Thursday, a bipartisan group of US senators introduced legislation with the ostensible purpose of combating child sexual abuse material (CSAM) online – at the apparent cost of encryption. The law bill is called the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act, which folds up into the indignant acronym EARN IT. (See also the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, aka the USA PATRIOT Act.)
Backed by senators Lindsey Graham (R-SC), Richard Blumenthal (D-CT), Josh Hawley (R-MO) and Dianne Feinstein (D-CA), the proposed law intends to make technology companies "earn" their exemption from liability allowed under Section 230 of the US Communications Decency Act by requiring internet companies to follow a set of best practices to keep CSAM off their networks. For the uninitiated, Section 230 gives internet platforms blanket legal protections: simply put, websites can't be held liable for any bad stuff shared by users, plus or minus some minor caveats. Critics say today's rules are too broad, and let technology giants off the hook too easily.

7 Cloud Attack Techniques
Credential Exposure Leading to Account Hijack: The exposure of API credentials leading to an account hijack is a high-severity, high-likelihood attack kill chain in the cloud.
Misconfiguration Mishaps: "Just about anyone can get an S3 bucket and do whatever they want with it." Attacks linked to misconfiguration still happen because organizations so frequently fail to protect their information in the public cloud.
Major Cloud Services Are Hot Targets: As organizations move to the cloud, cybercriminals continue to do the same. This is evident in phishing attacks mimicking the login pages of popular cloud services, like Office 365. Cybercriminals are after credentials that will give them the keys to cloud services. "Unfortunately, a lot of people still use weak credentials."
Cryptomining: When they do get into the cloud, many intruders continue to engage in cryptomining: a low-severity, high-likelihood attack that most businesses face. An attacker who obtains credentials with permission to launch resources (RunInstances, a virtual machine, or a container) can run a large instance or virtual machine, inject a cryptominer and connect it to a mining network, and exfiltrate the results.
Server-Side Request Forgery: Server-side request forgery (SSRF) is a dangerous attack method and growing issue in cloud environments.
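The cloud-specific danger in SSRF is the instance metadata service: on AWS, GCP and Azure it answers at the link-local address 169.254.169.254 (not named in the article, but a well-known fact), is reachable only from the instance itself, and hands out the instance's credentials, so an application that fetches user-supplied URLs becomes a proxy to it. The code below is an added example, not from the article or the vendors it quotes: the vulnerable fetcher beside a hardened one that resolves the target host, refuses link-local, private and loopback answers, and pins the connection to the vetted address; the hostnames and DNS answers are constructed so it runs offline.

```python
"""SSRF hardening for an outbound URL fetcher (added example, not from the article)."""
import ipaddress
import socket
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Address blocks an outbound fetcher should never be allowed to reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",  # IPv4 link-local, includes the 169.254.169.254 metadata service
    "127.0.0.0/8",     # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private ranges
    "100.64.0.0/10",   # shared address space used inside some cloud fabrics
    "0.0.0.0/8",       # "this network", treated as local by many socket stacks
    "::1/128", "fe80::/10", "fc00::/7",  # IPv6 loopback, link-local, unique-local
)]


def fetch_unvetted(url: str) -> bytes:
    """The vulnerable pattern: fetch whatever URL the user supplied.

    Running on a cloud instance, a request for http://169.254.169.254/... is
    answered by the metadata API and the response leaks instance credentials.
    """
    with urllib.request.urlopen(url, timeout=5) as resp:  # deliberately unsafe
        return resp.read()


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked(ip_text: str) -> bool:
    """True if ip_text lies in a blocked range; unwraps IPv4-mapped IPv6 first."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # [::ffff:169.254.169.254] is still the metadata host
    return any(ip in net for net in BLOCKED_NETWORKS)


def vet_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Decide whether url may be fetched.

    Returns (allowed, detail). When allowed, detail is the single IP the HTTP
    client must connect to (sending the original Host header), so a second DNS
    lookup cannot swap in a blocked address after the check. A literal IP is
    checked directly; a hostname is resolved once and refused if ANY answer is
    blocked.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets stripped, lower-cased
    if not host:
        return False, "missing host"
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:  # not an IP literal, so resolve it
        try:
            candidates = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            return False, f"resolution failed: {exc}"
        if not candidates:
            return False, f"no address for {host}"
    for ip_text in candidates:
        if is_blocked(ip_text):
            return False, f"{host} -> {ip_text} is in a blocked range"
    return True, candidates[0]


# Constructed DNS answers so the demo runs offline; 203.0.113.0/24 is
# documentation space standing in for ordinary public hosts.
FAKE_DNS: Dict[str, List[str]] = {
    "api.partner.example": ["203.0.113.10"],
    "metadata.attacker.example": ["169.254.169.254"],  # hostname fronting the metadata API
    "dual.attacker.example": ["203.0.113.20", "10.0.0.5"],  # one public, one internal answer
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver, backed by the constructed table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://api.partner.example/v1/report",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://metadata.attacker.example/latest/meta-data/",
        "http://dual.attacker.example/",
        "file:///etc/passwd",
    ):
        allowed, detail = vet_url(candidate, fake_resolver)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {candidate}  ({detail})")
```

The check has to be repeated on every redirect hop, so the fetcher should disable automatic redirects and re-vet each Location header: a vetted public host can still answer with a 302 to the metadata address.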
SSRF is a threat due to the use of the metadata API, which lets applications access configurations, logs, credentials, and other information in the underlying cloud infrastructure. The metadata API can only be accessed locally; however, an SSRF vulnerability makes it accessible from the Internet.
Gaps in the Cloud Supply Chain: "A lot of the services we consume, applications we use ... it's never just from one company."
Brute Force and Access-as-a-Service: Brute-force attacks are top-of-mind for Trend Micro's Clay, who says attackers have begun to craft phishing emails with links to malicious pages tied to cloud infrastructure and accounts. Pop-ups may prompt victims to enter their usernames and passwords into fake login pages for Office 365 and other cloud applications. "They're all looking for credentials."

Venezuela offline
A power outage and fluctuations in supply across Venezuela on 1 March 2020 knocked out approximately 35% of the country’s telecommunications infrastructure.

Smart speakers mistakenly eavesdrop up to 19 times a day
Virtual assistants like Siri and Alexa are programmed not to listen to your conversation constantly. Instead, they listen for a ‘wake phrase’. When they hear it, it’s their cue to listen to what you subsequently say, which could be an instruction or a request. Google Assistant responds to “OK Google”, Apple’s Siri perks up when you say “Hey Siri” and Microsoft’s Cortana pricks up its digital ears when you say “Hey Cortana”. The problem is that just like humans, virtual assistants often mishear things. Siri might think that “Seriously” sounds enough like its wake word to start listening to what you’re saying, but that’s just one of a range of sounds that might trigger it. That’s why it’s been reported recording everything from sex to criminal deals. Until now, we haven’t known just how (in)accurate these voice assistants are at listening for wake phrases.
Thanks to research by academics at Northeastern University and Imperial College London, now we do. It turns out they’re not that accurate at all. With the devices set up in front of playing videos, the researchers found that they would activate up to 19 times each day on average. The HomePod device was the worst, with an over-enthusiastic Siri switching on for lots of phrases. Speech that triggered it started with “Hi” or “Hey” followed by something starting with something sounding like an “S” and a vowel, or something that sounds like “ri”. Examples of speech that set it off included “He clearly”, “Hey sorry” or “I’m sorry”, and “Okay, yeah”, so watch who you’re apologising to or agreeing with. Even “historians” would set it off. When the devices did wake up, they’d often do so for relatively long periods. The HomePod and the Echos would wake up for at least six seconds more than half the time. The second-generation Echo Dot and the Harman Kardon speaker had the longest activations, earwigging for between 20 and 43 seconds.

EU Commission to staff: Switch to Signal messaging app
The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications. The instruction appeared on internal messaging boards in early February, notifying employees that "Signal has been selected as the recommended application for public instant messaging." The app is favored by privacy activists because of its end-to-end encryption and open-source technology. "It's like Facebook's WhatsApp and Apple's iMessage but it's based on an encryption protocol that's very innovative," said Bart Preneel, cryptography expert at the University of Leuven. "Because it's open-source, you can check what's happening under the hood," he added. Signal was developed in 2013 by privacy activists.
It is supported by a nonprofit foundation that has the backing of WhatsApp founder Brian Acton, who had left the company in 2017 after clashing with Facebook's leadership.

Taking someone else's GPS tracker off your car isn’t ‘theft,’ court rules
A suspected meth dealer is off the hook for at least one of the charges he’s facing: that he “stole” the GPS device that police stuck on his car to track his movements. That’s what the supreme court in the US state of Indiana ruled last week. On Thursday, Chief Justice Loretta Rush handed down an opinion with which four justices concurred: that the affidavit accompanying the warrants had failed to establish probable cause that the suspect – Derek Heuring – had stolen the tracking device placed on his SUV by police who suspected he was dealing methamphetamine. The tracker had been streaming out Heuring’s location data for six days. Then, it abruptly stopped. For 10 days, police couldn’t track their target’s movements. Because the GPS device was a critical element in discovering subsequent offenses (an unregistered gun, drugs, drug paraphernalia), it may turn out that none of the evidence can be used against the dealer. The case continues....

Brave beats other browsers in privacy study
Douglas Leith, professor of computer systems at Trinity University, examined six browsers: Chrome, Firefox, Safari, Brave, Edge, and Yandex. The study used several tests to deduce whether the browser can track the user’s IP address over time, and whether it leaks details of web page visits. To do this, it looked at the data shared on startup after a fresh install, on a restart, and after both pasting and typing a URL into the address bar. It also explored what the browser did when it was idle. Even though Mozilla makes a talking point of privacy in Firefox, it was Brave, developed by Mozilla’s founder (and creator of JavaScript) Brendan Eich, that won out.
Brave, which has accused Google of privacy violations, is “by far the most private of the browsers studied” when used with its out of the box settings, according to the paper. Worst was Yandex. Yandex didn’t respond to the paper’s allegations that its browser, popular among Russian speakers, sends user browsing data to Yandex servers as part of its autocomplete API, along with the text of web pages to its translation service. It also sends the SHA-1 hashed MAC address of a machine to Yandex, along with browser identifiers, enabling them to be tied together, Leith’s paper said.

Clearview AI loses entire database of faceprint-buying clients to hackers
Clearview AI, the controversial facial recognition startup that’s gobbled up more than three billion of our photos by scraping social media sites and any other publicly accessible nook and cranny it can find, has lost its entire list of clients to hackers – including details about its many law enforcement clients. The company told its customers that an intruder “gained unauthorized access” to its list of customers, to the number of user accounts they’ve set up, and to the number of searches they’ve run. If you’re a law-enforcement agency, it’s a big deal, because you depend on Clearview as a service provider to have good security, and it seems like they don’t. "Clearview continues to give us a clear view of why biometric surveillance is an unsalvageable trash fire."

UK: Lawmakers Warned of “Persistent” Hacking Threat
Parliamentary email holders were sent nearly 21 million spam messages in the 2018-19 financial year, but internal security systems blocked them before they reached the inboxes of MPs, Lords and their staffers. Spam can also come from unexpected places: in 2016 the speaker John Bercow was forced to intervene after MPs complained of being bombarded by emails from Donald Trump’s election team.
UK: Home Office Admits 100 GDPR Breaches in EU Scheme
The Home Office breached the GDPR 100 times in its handling of EU citizens’ data in the space of just five months, an inspector’s report has revealed. Between March 30 and August 31 2019 the government department admitted a catalog of errors including misplaced passports, documents sent to the wrong recipient’s address and unauthorized disclosure, according to the Independent Chief Inspectorate of Borders and Immigration (ICIBI). “Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.

US: Congress passed legislation offering $1 billion to help telecom carriers “rip and replace” equipment from Chinese giants Huawei and ZTE.
On Thursday, US lawmakers passed legislation that plans to give $1 billion to telecom carriers to “rip and replace” equipment from Chinese tech giants Huawei and ZTE. The measure approved by the Senate is now passed to the White House for the final signature from President Donald Trump. “Telecommunications equipment from certain foreign adversaries poses a significant threat to our national security, economic prosperity, and the future of US leadership in advanced wireless technology,” said Senator Roger Wicker. “By establishing a ‘rip and replace’ program, this legislation will provide meaningful safeguards for our communications networks and more secure connections for Americans.” A few weeks ago, the Wall Street Journal reported that U.S. officials say Huawei can covertly access telecom networks where its equipment is installed.

China cracks down on 'sexual innuendo' and 'celebrity gossip' in new censorship rules
Sweeping new internet censorship rules have gone into effect in China, prompting concerns that authorities will further control information and online debate as the country reels from the coronavirus outbreak.
China’s cybersecurity administration has since Saturday implemented a set of new regulations on the governance of the “online information content ecosystem” that encourage “positive” content while barring material deemed “negative” or illegal. The regulations, released last year, come as Chinese internet users have become increasingly critical of censorship because of the removal of news and comments about the government’s handling of the coronavirus outbreak. Volunteers have been preserving removed content while internet users have been trying new ways to evade censors.

Walgreens' mobile app leaked users' personal data
"Our investigation determined that an internal application error allowed certain personal messages from Walgreens that are stored in a database to be viewable by other customers using the Walgreens mobile app," the company said. The mobile app error allowed users to view other users' personal data and drug prescription details between Thursday, January 9, and Wednesday, January 15, 2020, and exposed first and last name, prescription number and drug name, store number, and shipping address. If you are one of the 12.5 million people with the app on your phone and you used it to have a prescription filled, it's just another few bits of your personal details leaked.

US: Intuit’s $7 billion deal to buy Credit Karma is a test for antitrust regulators.
According to Intuit CEO Sasan Goodarzi, the merger will benefit not just the companies, but also consumers. “What you’re now able to bring together with the two companies is the customers’ complete financial identity so they can get the best loan and insurance products for them,” he said in a conference call announcing the merger Monday, as reported by American Banker. By combining the two companies’ datasets, in other words, Intuit will be able to build more richly detailed dossiers of the financial backgrounds for millions of people.
That, in turn, will allow lenders—and Intuit itself—to target offers even more efficiently. (When reached for comment, a spokesperson for Intuit pointed me to smartmoneydecisions.com, a website the companies created about their deal.) Does this sound familiar? It should. It’s the entire value proposition behind the ad-supported Internet. Facebook and Google, two of the most profitable companies in the world, make their billions by monitoring as much of our online (and, increasingly, offline) behavior as possible and selling ads against that data. They, and other websites and apps like them, justify the surveillance by arguing that consumers appreciate having ads that are more relevant to them. Read a privacy policy, and it will probably mention something about “sharing your data with advertising partners” in order to “present offers that might interest you.” It’s not about extracting more money out of us, the story goes; it’s about helping us find what we really want. And companies don’t just seek out people with good scores or lots of money. In fact, people with weaker credit scores can in some ways be more lucrative customers for credit products. “Being weaker is not bad to the industry,” said Martha Poon, a sociologist who studies credit scoring technology. “The weaker you are, the higher the interest rate they can charge you. That, for them, is good.” In the modern credit industry, she added, “what’s at stake is not selecting borrowers who are so-called ‘worthy’ of credit. It’s extending as much credit as possible in a way that allows the lender to have an economically viable business.”

Samsung Reveals Galaxy S20 Security Surprise
Davey Winder: The all-new and S3K250AF-based "Secure Element" security solution, which will first feature in the Galaxy S20, brings the concept of standalone and isolated sensitive data storage to Samsung smartphones for the first time.
Google has the Titan M in its Pixel devices, and Apple has the T2 chip-powered secure enclave in iPhones.

This Is Huawei’s Alarming New Surprise For Google: Here’s Why You Should Be Concerned
Zak Doffman: Huawei "Search" is on its way, and will soon launch “as part of the Huawei ecosystem.” Not only does this represent a further business risk to Google from the ongoing technology split, east versus west, but it also raises some significant questions around who curates and filters our news. Huawei is the second largest supplier of smartphones worldwide, and its global audience stretches way beyond China’s borders. This isn’t a mapping app, it’s not a new front-end for our email or a payment processing engine. This is a potential filter that sits atop the World Wide Web, serving up content for hundreds of millions of users worldwide. Whether or not you believe the U.S. allegations that Huawei is controlled by the Chinese state, that it is subsidised and subject to Beijing’s national security laws, it is unarguably a company based in the most highly censored country on the planet. There is also the fact that search related data would be captured from the search history of those users.

The NSA’s $100 Million Call Records Surveillance Program Only Led to a Single Investigation
The NSA’s vast phone metadata collection, authorized under Section 215 of the Patriot Act, has been one of the most controversial practices in the intelligence agency’s history since it was exposed in 2013 by the leaks of Edward Snowden. But only now, a year after the program was officially ended, has the public learned not only the sweeping scope of that surveillance but also how expensive it was—and how ineffective. A declassified study by the intelligence community’s Privacy and Civil Liberties Oversight Board shared with Congress this week revealed that the metadata program cost $100 million, and only on two occasions produced information that the FBI didn’t already possess.
On one of those occasions, the investigation was dropped after the FBI looked into the lead. In another case, the NSA’s findings led to an actual foreign intelligence investigation. For that one case, the report doesn't reveal the nature of the investigation or what may have resulted. Hopefully whatever happened, it was worth $100 million of taxpayer funds—and an enormous controversy that has tarnished the NSA’s reputation for years.

US: Schools Are Using Radio Frequency Scanners to Track Students
CNET took a close look this week at Inpixon, a company that provides technology that allows schools to keep track of students' locations accurate down to a meter. The company touts its safety benefit, but raises obvious surveillance concerns, especially given that the affected group is definitionally minors. Its scanners pick up Wi-Fi, Bluetooth, and cellular signals from student smartphones, smartwatches, tablets, and more. And while it technically anonymizes data, it's easy enough to pair it with ubiquitous in-school camera systems to tie the individual to the activity.

Alleged White Supremacist Arrested in Connection With Swatting Attacks
The Justice Department this week announced the arrest of John Cameron Denton, an alleged former leader of the white supremacist group Atomwaffen Division, in connection with a series of swatting events between November 2018 and April 2019. (Swatting is the practice of calling 911 to report a serious crime at an address where none is occurring to get a heavily armed SWAT team to show up; it has gotten people killed, though not in the instances Denton is alleged to have participated in.) If convicted, Denton faces up to five years in prison.

US Defense Agency Notifies Users of Serious Breach.
A US government agency that provides secure communications to the White House has notified individuals of a data breach that may have compromised their personal information.
The Defense Information Systems Agency (DISA), which provides IT support for the President, Vice-President, US Secret Service, Joint Chiefs of Staff and others, employs around 8,000 military and civilian staff. It’s also unclear whether the incident affected just DISA employees or a wider base of users of its services. Some reports have speculated that as many as 200,000 could be involved.

FBI recommends using passphrases instead of complex passwords
“Instead of using a short, complex password that is hard to remember, consider using a longer passphrase. This involves combining multiple words into a long string of at least 15 characters. The extra length of a passphrase makes it harder to crack while also making it easier for you to remember.”

Ring makes 2FA mandatory to keep hackers out of your doorbell account
Last week, Google announced that it would soon begin forcing users of its Nest gadgets to use 2FA, and this week, security came knocking for Amazon’s Ring video doorbells. On Tuesday, Ring president Leila Rouhi said in a blog post that starting immediately, the once-optional authentication is going to be mandatory for all users when they log in to their Ring accounts. That will prevent unauthorized users from getting into Ring accounts, even if they have your username and password.

US and UK call out Russian hackers for Georgia attacks
The US and UK governments have both accused Russia of launching a cyber attack against the Georgian government last year. The attacks, mounted on 28 October 2019, came from Russia’s notorious GRU military intelligence unit, according to announcements from the US State Department and the UK’s National Cyber Security Centre. "This action contradicts Russia’s attempts to claim it is a responsible actor in cyberspace and demonstrates a continuing pattern of reckless Russian GRU cyber operations against a number of countries. These operations aim to sow division, create insecurity, and undermine democratic institutions.
The Russian government has a clear choice: continue this aggressive pattern of behavior against other countries, or become a responsible partner which respects international law."

Data of 10.6m MGM hotel guests posted for sale on Dark Web forum
The personal data of 10,683,188 MGM hotel guests that leaked sometime in or before 2017 was posted for sale on the Dark Web this week, ZDNet reports. Those affected included Twitter CEO Jack Dorsey, pop star Justin Bieber, and government officials from the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA). The dump included full names, addresses, phone numbers, emails and birthdays.

Over 120 Million US Consumers Exposed
Security company UpGuard found the misconfigured Amazon S3 bucket on February 3 this year, eventually tracing it back to market analysis company Tetrad. The result was a database of 120 million Americans including full name, gender, address and “type” of consumer. It’s unclear how long it was exposed for, although Tetrad is said to have finally closed access a week after first being notified. “As a result, data that was collected by multiple entities, and affecting with varying degrees of intensity every household in the US, was made available not just to businesses and other intended audiences, but to anyone at all.”

Slickwraps says customer trust was ‘violated’ in data breach caused by glaring security holes
Slickwraps is an online store that offers skins for a variety of smartphones, tablets, gaming consoles, and laptops. Slickwraps' "abysmal cybersecurity" permitted anyone to upload a file to root, leading to remote code execution (RCE) attacks and the ability to execute shell commands. A single upload.php file was at fault. In total, 857,611 customer accounts were compromised.
Hackers Are Hammering The Financial Sector With Login Attacks
Forbes: Over a two-year period ending in November of last year, Akamai Technologies tracked more than 85.4 billion malicious login attempts. In one example, a financial firm faced 55 million malicious login attempts in a single day. Over the past few years cybercriminals have increasingly turned their attention to API (application programming interface) endpoints.

Apple Just Demanded Santander And A $50 Billion US Intelligence Contractor Reveal How They Use iPhone Hacking Tech
Thomas Brewster, Forbes Staff: In a move that’s sure to raise eyebrows, Apple has subpoenaed Santander Bank and the $50 billion-valued intelligence contractor L3Harris Technologies for information on their use of Corellium, Forbes has learned. In both subpoenas, which are not yet publicly available, Apple demands L3Harris subsidiary Azimuth Security and Santander provide data including: all communications between the companies and Corellium, details on how they use the iPhone-virtualizing technology, all internal communications about the use of the tech, all contracts, and all information they have on the startup’s cofounder Chris Wade.

Hackers Trick a Tesla Into Going 50 MPH Over the Limit
Researchers at McAfee have demonstrated a new spin on an old trick. By subtly tampering with a speed limit sign—in this case, literally adding a two-inch strip of black tape—they were able to trick the Mobileye EyeQ3 camera on a 2016 Tesla Model X and Model S into feeding bad information to the vehicles' autonomous driving features, sending both cars into a rapid acceleration. The good news is that the problem doesn't affect 2020 Teslas, which no longer use Mobileye technology.

Ransomware Disrupted a Natural Gas Facility for Two Days
The hackers appear not to have targeted industrial control system components specifically. They got lucky with a phishing email, and were only able to impact the Windows-based portions of the victim's network.
Google Kicks Out 600 Android Apps With 4.5 Billion Downloads From the App Store
Adware is like gnats: everywhere, annoying, impossible to get rid of but relatively harmless. But you still have to try, which Google did this past week by expelling nearly 600 apps both from the Play Store and its ad networks. That includes 45 apps from a single developer, China-based Cheetah Mobile. Google cited "disruptive ads" as the reason for the removal, framing it as part of a broader crackdown on fraudulent behavior. “Pending the restoration of Google collaboration,” Cheetah said, “the Company expects its ability to attract new users and generate revenue from Google may be materially adversely affected.” The company reported revenue of $258 million from “mobile entertainment” in FY2018.

WhatsApp Users Beware: Here’s How Chats Are Available To Anyone Via Google
Basically, the "Invite to Group via Link" feature “allows groups to be indexed by Google” and “they are generally available across the internet.” In other words, Wildon explained: “Any group link that is shared outside of secure, private messaging can relatively easily be found and joined.” Renowned ethical hacker Jane Manchun Wong confirmed this in a tweet, adding that 470,000 search results can be found on Google for the term “chat.whatsapp.com”–a section of the URL used for WhatsApp group invites. Facebook admitted it was “surprised” that the links are indexed by Google, and said it cannot control what Google indexes. After a slew of data scandals, privacy issues and breaches, many people don’t trust Facebook, so it might make sense to try something else. ESET’s Moore recommends using Signal or Telegram chat apps which, he says, “focus more heavily on user security and privacy.”
The CISA Google Chrome 80 ‘update again’ advice
The United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued a notification that "encourages" users and administrators to update the Google Chrome web browser to version 80.0.3987.116. The new release for Windows, Mac and Linux users addresses several high-rated vulnerabilities that could, the CISA warns, be exploited by an attacker to take control of the affected system. While it is unusual for a web browser to be updated so quickly after a major release, it is not unknown. In January, CISA issued similar update advice for users of Mozilla Firefox within days of the version 72 release. Not a lot is known, publicly at least, about the vulnerabilities concerned.

Russia Doesn't Want Bernie Sanders. It Wants Chaos
Wired: The point of Kremlin interference has always been to find democracy’s loose seams, and pull. As The Washington Post first reported Friday, US officials warned Bernie Sanders that Russia is “attempting to help” his presidential campaign. It also shouldn’t be read as any kind of endorsement.

Lawsuit Claims Google Collects Minors’ Locations, Browsing History
“Google Education is now used by more than 80 million educators and students in the United States… essentially giving Google sole and exclusive access to millions of students’ digital lives and their personal data,” according to the lawsuit, filed on Thursday. “More valuable still, Google has captured generations of future customers who are trained to use Google’s platform as early as kindergarten.” The lawsuit claims that when students log into their Chromebook, the Chrome Sync function – which is used by Google to sync apps, auto-fill information, and more – is turned on by default. The feature then automatically starts uploading Chrome usage data to Google servers, including online browsing habits, web searches and passwords.
If true, this level of data collection would be a blatant violation of the Children’s Online Privacy Protection Act (COPPA), which requires parental consent for the collection and use of that personal data if a user is under the age of 13. It would also violate the Family Educational Rights and Privacy Act (FERPA), a federal law that governs the access to educational information and records by public entities.

US troops deploying to the Middle East told to leave the phone at home
Amid growing tensions with Iran, the US deployed emergency troops to the Middle East a couple of weeks back. But before being sent overseas, paratroopers from the US Army 82nd Airborne Division were told to leave personal devices like smartphones, tablets, and laptops at home, according to CNN Pentagon correspondent Barbara Starr, citing US Army Maj. Gen. James Mingus. The primary concern was that poor operational security (OpSec) practices might put soldiers in danger and expose military operations, US Army 82nd Airborne Division officials told the Army Times last Monday.

Citrix Admins Urged to Act as PoC Exploits Surface
Phil Muncaster: IT administrators are being urged to put in place mitigations for a serious Citrix vulnerability which the vendor says won’t be patched until next week at the earliest, after proof-of-concept (PoC) exploits were published. The tech giant revealed the CVE-2019-19781 vulnerability in its Citrix Application Delivery Controller (ADC) and Citrix Gateway back in mid-December last year. If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution, the firm warned, strongly advising customers to apply the relevant mitigations and update the firmware when a new version becomes available. However, in a new blog post, Citrix revealed that these fixes would not be available until January 20 at the earliest, with version 10.5 not receiving one until January 31.
PoCs have started to emerge on GitHub over the past few days which could allow attackers to gain full control over affected devices. Mursch, chief research officer at Bad Packets, warned that he had detected multiple exploit attempts from a host in Poland over the weekend. Current status? Tripwire researcher Craig Young claimed that 39,378 of the 58,620 IP addresses he detected as likely NetScaler or ADC VPN portals did not have mitigations enabled.

UK: National Lottery Hacker Jailed for Nine Months
Michael Hill: Following a National Crime Agency (NCA) investigation, Anwar Batson, 29, of Notting Hill, London, was sentenced at Southwark Crown Court on 10 January. He admitted four offenses under the Computer Misuse Act 1990 and one fraud charge. The NCA was notified of the attack against National Lottery accounts in November 2016. The customer database affected contained around nine million records. The NCA stated that Batson was responsible for using a widely available hacking tool – Sentry MBA – to create a file that launched the attack, telling others they could make quick cash by using the tool against Camelot (which runs the National Lottery).

EU: Hundreds of Millions of Haunted Broadcom Modems.
Discovered by three researchers from security consultancy Lyrebirds and an independent, the so-called “Cable Haunt” bug (CVE-2019-19494) is described as a buffer overflow, “which allows a remote attacker to execute arbitrary code at the kernel level via JavaScript run in a victim's browser.” Specifically, the flaw is found in the Broadcom chip’s spectrum analyzer component, which is designed to identify problems with the modem cable connection. If attackers can first trick the user into opening a web page containing malicious JavaScript, possibly via a phishing email, then they can trigger the buffer overflow, giving them access to the modem. The scale of the problem is potentially immense — affecting many more devices than the 200 million estimated in Europe.
“The reason for this is that the vulnerability originated in reference software, which has seemingly been copied by different cable modem manufacturers when creating their cable modem firmware,” the researchers warned. “This means that we have not been able to track the exact spread of the vulnerability and that it might present itself in slightly different ways for different manufacturers.” ISPs were contacted by the team with a fix prior to disclosure, but the quartet claimed only to have had “limited success” with this approach. Models from Netgear, Sagemcom, Technicolor and Compal are among the 10 identified as affected.

Facebook bans deepfakes, but not cheapfakes or shallowfakes.
Last week, Facebook banned some doctored videos, but only those made with artificial intelligence (AI), in a way that an average person wouldn’t easily spot. What the policy doesn’t cover are videos made with simple video-editing software, or what disinformation researchers call “cheapfakes” or “shallowfakes.” Facebook will be using its own staff, as well as independent fact-checkers, to judge a video’s authenticity.

Facebook Says Encrypting Messenger by Default Will Take Years
In March of last year, Mark Zuckerberg made a dramatic pledge: Facebook would apply end-to-end encryption to user communications across all of its platforms by default. The move would grant strong new protections to well over a billion users. It's also not happening anytime soon. What Zuckerberg didn't spell out at the time is just how difficult that transition would be to pull off, and not just in terms of political hurdles from encryption-averse law enforcement or a shift in Facebook's business model. That was the message from Jon Millican, Facebook's software engineer for Messenger privacy, in a talk Friday at the Real World Crypto conference in New York. Millican readily admitted that this means Facebook users shouldn't expect to see a default encryption rollout for several years.
That also likely means the company's planned integration of WhatsApp, Facebook, and Instagram messaging will take at least as long, given that all three would likely need to be end-to-end encrypted to avoid undermining the existing default protections in WhatsApp.

A Facebook Bug Exposed Anonymous Admins of Pages
A bug that was live last Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one. All software has flaws, and Facebook quickly pushed a fix for this one—but not before word got around on message boards like 4chan, where people posted screenshots that doxed the accounts behind prominent pages. All it took to exploit the bug was opening a target page and checking the edit history of a post. Facebook mistakenly displayed the account or accounts that made edits to each post, rather than just the edits themselves. "We quickly fixed an issue where someone could see who edited or published a post on behalf of a Page when looking at its edit history," Facebook said in a statement.

Using Firefox? Update it now, according to the U.S. Department of Homeland Security
On Friday the U.S. Department of Homeland Security issued an alert about a “critical vulnerability” affecting Mozilla’s Firefox browser. The DHS advised all Firefox users to update their browser software immediately. The vulnerability was due to a flaw in the “IonMonkey JIT compiler”, which could “lead to a type confusion”... essentially a bug in the part of Firefox that helps to render JavaScript in your browser, which could allow an attacker to run malicious code on your computer. Typically, this type of attack is targeted at a limited number of people and would be done by luring you to a specific website.
Most Firefox installs have auto-update turned on by default, so most users should be safe, but you can check the status of Firefox by looking in the menu bar under Firefox/About Firefox for version 71.0.1.

BR: Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan: Banco Bradesco, S.A., a prominent Brazilian financial institution, has for the past year been working with IBM Research to apply a technique called homomorphic encryption to banking data. The pilot showed it was possible to apply machine learning algorithms to encrypted data without decrypting it, creating a new level of privacy that could be applied to other industries. The idea behind homomorphic encryption (HE), now emerging in real-life applications like this one, is to keep data encrypted while it's being processed. This type of cryptography was first proposed in the 1970s; it wasn't until 2009 that IBM scientist Craig Gentry created the first fully homomorphic encryption system. HE is based on the mathematics of lattices and, researchers say, protects the confidentiality of data from complex attacks – even by quantum computers. "In the past, we've used encryption for transmitting data," says Flavio Bergamaschi, IBM researcher and lead author of this project. When you shop online and enter your credit card number, it's encrypted to transfer but must be decrypted to do anything with it. The number is encrypted when stored on a disk, but it must be decrypted to act on it. With HE, these machines can perform computations while the data remains encrypted. As a result, the entity can act on data without gathering or storing any sensitive information. HE won't prevent data breaches but will prevent data thieves from grabbing usable information. They claim the tech has reached an "inflection point" at which it's ready for practical use. The bank experiment used AI to determine the likelihood of a loan application within the coming 90 days.
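To make the property the HE item describes concrete (a party computes on data it cannot read), here is an added example that is not from the article, from IBM or from Bradesco. It uses the Paillier cryptosystem, which is additively homomorphic and number-theoretic rather than lattice-based like IBM's scheme, so it supports only additions and multiplication by plaintext constants, enough for a weighted score. The key primes, feature values and model weights are constructed demo values; a real deployment would use much larger primes.

```python
"""Additively homomorphic encryption demo using the Paillier cryptosystem.

The 'server' computes a weighted loan score over encrypted features with no
access to the private key; only the data owner can decrypt the result.
"""
import math
import secrets

# Constructed demo primes (two known Mersenne primes). Real keys use far larger primes.
P = 2**61 - 1
Q = 2**89 - 1


def keygen(p=P, q=Q):
    """Return (public_key, private_key) for Paillier with modulus n = p*q."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                           # standard choice of generator
    mu = pow(lam, -1, n)                                # lam^-1 mod n; valid as gcd(lam, n) == 1
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with fresh random r coprime to n."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    x = pow(c, lam, n * n)
    return ((x - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 is an encryption of m1 + m2."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Enc(m)^k mod n^2 is an encryption of k * m (k a non-negative plaintext)."""
    n, _ = pub
    return pow(c, k, n * n)


def encrypted_score(pub, enc_features, weights):
    """Server side: sum_i w_i * x_i computed entirely on ciphertexts."""
    acc = encrypt(pub, 0)
    for c, w in zip(enc_features, weights):
        acc = add_encrypted(pub, acc, scale_encrypted(pub, c, w))
    return acc


def plaintext_score(features, weights):
    """Reference computation the data owner can run on the cleartext."""
    return sum(f * w for f, w in zip(features, weights))


def run_demo():
    """Return (decrypted server result, plaintext reference); they must match."""
    pub, priv = keygen()
    features = [72, 48, 3]     # constructed: income (k$), months employed, open accounts
    weights = [5, 2, 7]        # constructed model weights (non-negative integers)
    enc = [encrypt(pub, f) for f in features]        # data owner encrypts
    c = encrypted_score(pub, enc, weights)           # server never sees features
    return decrypt(pub, priv, c), plaintext_score(features, weights)


if __name__ == "__main__":
    print(run_demo())
```

Each ciphertext is randomised, so encrypting the same feature twice yields different values, yet the server's product of powers still decrypts to the exact weighted sum. Negative weights would need the usual mod-n wraparound handling, which the demo omits.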
IBM claimed the same prediction accuracy rate with encrypted data as with unencrypted data. We were hoping for a little bit more from this research. HE rolls on, but it may not be ready for prime time for quite a while yet.

CN: Intrusion Truth is back
The anonymous group known in the cybersecurity world for publishing detailed blog posts about suspected nation-state hackers released new information Thursday alleging that Chinese technology companies are providing the infrastructure for attackers working on Beijing’s behalf. By identifying job postings seeking offensive cybersecurity skills, Intrusion Truth found a number of companies in Hainan, a province in South China, all using the same language in their advertisements. Some of those companies have only a small web presence outside the job ads seeking offensive-minded computer specialists, suggesting that employers actually are trying to recruit hackers for advanced persistent threat groups.

US: Amid Senate scrutiny, Ring responds
Ring has answered questions about its data protection policies following a string of security incidents in which hackers breached the company’s cameras to view customers' footage. In a letter to five Senate Democrats this week, Ring said it was promoting two-factor authentication with users and scouring the web for credentials sucked up in third-party breaches. For at least one lawmaker, however, the company needs to do more. “There are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers,” Sen. Ron Wyden, D-Ore., said in a statement.

Scant details about that Vegas incident
Las Vegas officials said that the city experienced a network security incident that may result in “brief interruptions of service” to its residents and visitors, though there are few details about the event. A post from the city’s official Twitter account referred to the incident as a “cyber compromise” that was initially detected about 4:30 a.m.
on Tuesday, and quickly addressed by the city’s Department of Information Technologies. A spokesman said the incident was likely set off by a malicious email, and that like many other large local-government organizations, Las Vegas is on the receiving end of hundreds of thousands of breach attempts every month.

UK: A tech retailer was lucky to be breached when it was
Malicious software lurking inside point-of-sale systems at Dixons Carphone stores from July 2017 through April 2018 collected payment card data of 5.6 million people. Attackers accessed personal information including names, email addresses and details about failed credit checks on some 14 million thanks to weaknesses in the $10.5 billion retailer’s networks. The U.K.’s Information Commissioner’s Office fined the company £500,000 ($653,000) for the incident, the highest penalty authorized under the U.K.’s 1988 Data Protection Act. The incident occurred just before the EU started enforcing the General Data Protection Regulation and, the ICO’s top investigator openly suggested, the penalty would have hurt much more if they could have used that landmark data protection law.

US: Blockchain Developer Gets Busted After Talk in North Korea
Tim B Lee: The prominent hacker and Ethereum developer Virgil Griffith was arrested by the US government Friday after he spoke at an April conference on blockchain technologies in North Korea. The US government considers his presentation to be a transfer of technology—and therefore a violation of US sanctions. In a charging document, an FBI agent wrote that Griffith "discussed how blockchain and cryptocurrency technology could be used by the DPRK to launder money and evade sanctions, and how the DPRK could use these technologies to achieve independence from the global banking system." Griffith made little effort to hide his travel plans. He tweeted out a photo of his travel documents and voluntarily talked to the FBI after his trip.
He even allowed the authorities to inspect his cell phone. The Feds say Griffith's electronic communications show a clear intention to violate US sanctions laws.

US: Tens of Millions Exposed by SMS Data Leak
VPN Mentor Website: Tens of millions of Americans may have been caught in another data leak after business SMS provider TrueDialog left a massive database exposed online, according to researchers. TrueDialog is based in Austin, Texas USA, and has been around for more than 10 years. It specializes in creating SMS solutions for large and small businesses. There are several different SMS programs including mass text messaging, marketing SMS options, urgent alerts, an Education SMS solution, and more. Currently, TrueDialog works with over 990 cell phone operators and reaches more than 5 billion subscribers around the world. The TrueDialog database was hosted by Microsoft Azure and runs on the Oracle Marketing Cloud in the USA. When we last looked at the database it included 604 GB of data. This included nearly 1 billion entries of highly sensitive data apparently left wide open, exposing all 604GB — one billion entries — of that sensitive information. “It’s difficult to put the size of this data leak into context. Tens of millions of people were potentially exposed in a number of ways. It’s rare for one database to contain such a huge volume of information that’s also incredibly varied." The leak exposed the full names, email addresses and phone numbers of SMS recipients as well as the content of messages, plus clear-text and easily decodable base64-encoded account log-ins for TrueDialog clients.

Reveton ransomware schemer stripped of six years of freedom, £270,000, and a Rolex
Charlie Osborne: UK prosecutors say 25-year-old computer science student needs to pay up or face more time behind bars.
On Monday, the UK's National Crime Agency (NCA) said Zain Qaiser, a resident of Essex and a computer science student, admitted to being a member of the cybercriminal gang and was jailed in April following a long-term investigation by law enforcement. Over the course of six years, the 25-year-old was tied to what is believed to be the Russian Lurk group, in which 50 suspected members and associates were arrested back in 2016. The student's role was to pose as legitimate companies to buy advertising space from pornographic and adult websites; these spaces would actually be used for malvertising purposes. Victims were accounted for in over 20 countries and millions of PCs were infected with malware including Reveton. Financial accounts linked to Qaiser were eventually discovered, including a cryptocurrency account stored overseas, which contained over £100,000. Law enforcement has now demanded that Qaiser pay back £270,000 ($355,000), together with the sale of a £5000 Rolex, "based on an assessment of his available assets."

US Probe Finds Cambridge Analytica Misled Facebook Users on Data
US regulators concluded Friday that British consultancy Cambridge Analytica -- at the center of a massive scandal on hijacking of Facebook data -- deceived users of the social network about how it collected and handled their personal information. The Federal Trade Commission said its investigation launched in March 2018 concluded that the political consulting firm "engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting." The FTC said the British firm, which worked on Donald Trump's 2016 presidential campaign, made "false and misleading" claims when it offered Facebook users a "personality quiz" -- stating it would not download names or any personally identifiable information.
The personality prediction app was downloaded by 270,000 people but also scooped up data from their friends, and fed into an effort by the firm to predict the behavior of US voters. Facebook's own investigation found that some data from 87 million users in the US and elsewhere had been compromised by the firm, and claimed the practices violated the social network's terms of service. Facebook, which did not immediately respond to a query on the FTC decision, paid a record $5 billion penalty early this year in a settlement with the regulator over mishandling users' private data.

CN: The “Great Cannon” has been deployed again.
ATT: The Great Cannon is a distributed denial of service tool (“DDoS”) that operates by injecting malicious Javascript into pages served from behind the Great Firewall. These scripts, potentially served to millions of users across the internet, hijack the users’ connections to make multiple requests against the targeted site. These requests consume all the resources of the targeted site, making it unavailable. The Great Cannon was the subject of intense research after it was used to disrupt access to the website Github.com in 2015. Little has been seen of the Great Cannon since 2015. However, we’ve recently observed new attacks, which are detailed below. The Great Cannon is currently attempting to take the website LIHKG offline. LIHKG has been used to organize protests in Hong Kong. Using a simple script that uses data from UrlScan.io, we identified new attacks likely starting Monday November 25th, 2019. Websites are indirectly serving a malicious javascript file from either:
http://push.zhanzhang.baidu.com/push.js; or
http://js.passport.qihucdn.com/11.0.1.js
Normally these URLs serve standard analytics tracking scripts.
However, for a certain percentage of requests, the Great Cannon swaps these on the fly with malicious code: the code attempts to repeatedly request the following resources, in order to overwhelm websites and prevent them from being accessible. It is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US based services.

Timeline of historical Great Cannon incidents
Below we have described previous Great Cannon attacks, including previous attacks against LIHKG in September 2019.

2015: GreatFire and GitHub: During the 2015 attacks, DDoS scripts were sent in response to requests sent to a number of domains, for both Javascript and HTML pages served over HTTP from behind the Great Firewall. A number of distinct stages and targets were identified:
March 3 to March 6, 2015: Initial, limited test firing of the Great Cannon starts.
March 10: Real attacks start against a Chinese-language news site (Sinasjs.cn).
March 13: New attacks against an organization that monitors censorship (GreatFire.org).
March 25: Attacks against GitHub.com start, targeting content hosted from the site GreatFire.org and a Chinese edition of the New York Times. This resulted in a global outage of the GitHub service.
March 26: Attacks began using code hidden with the Javascript obfuscator “packer”.
Research by CitizenLab identified multiple likely points where the malicious code is injected. The Great Cannon operated probabilistically, injecting return packets to a certain percentage of requests for Javascript from certain IP addresses. As noted by commentators at the time, the same functionality could also be used to insert exploitation code to enable “Man-on-the-side” attacks to compromise key targets.

2017 and onward: attacks against Mingjingnews: In August 2017, Great Cannon attacks against a Chinese-language news website (Mingjingnews.com) were identified by a user on Stack Overflow.
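The attack above works because a script fetched over plain HTTP can have its body swapped in transit while the URL stays the same. The check below is an added defensive example, not code from the write-up the item quotes: it computes a Subresource Integrity (SRI) value for the script body a page expects and refuses a swapped body, and it refuses to pin an http:// URL at all, since SRI only helps when the fetch itself is not tamperable. The two script bodies and the URL are constructed stand-ins, not the real analytics scripts named above.

```python
"""Subresource Integrity (SRI) pinning for third-party scripts."""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")   # the only digests SRI permits


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return an SRI integrity value such as 'sha384-<base64 digest>'."""
    if alg not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not permit {alg}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """True only if the fetched body matches the pinned integrity value."""
    alg, sep, _ = integrity.partition("-")
    if not sep:
        return False
    try:
        return hmac.compare_digest(sri_hash(content, alg), integrity)
    except ValueError:        # unsupported algorithm in the pinned value
        return False


def script_tag(url: str, pinned_body: bytes) -> str:
    """Emit a <script> tag the browser will refuse to execute if the body changes."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to pin a script fetched over {scheme!r}; use https")
    return (f'<script src="{url}" integrity="{sri_hash(pinned_body)}" '
            'crossorigin="anonymous"></script>')


# Constructed: the body the analytics endpoint normally serves ...
GOOD_BODY = b"(function(){window._analytics={track:function(e){}};})();\n"
# ... and a constructed stand-in for a body swapped in transit (any change at all).
SWAPPED_BODY = b"(function(){window._analytics={track:function(e){},v:2};})();\n"

PINNED = sri_hash(GOOD_BODY)     # what the embedding page ships in its integrity attribute


def check_fetched(body: bytes) -> str:
    """Decision a page (or a monitoring fetcher) would take for a received body."""
    return "execute" if verify_sri(body, PINNED) else "block: body differs from pinned script"


if __name__ == "__main__":
    print(script_tag("https://example.test/analytics.js", GOOD_BODY))   # constructed URL
    print(check_fetched(GOOD_BODY))
    print(check_fetched(SWAPPED_BODY))
```

A monitoring job can reuse `verify_sri` from the server side: fetch the script periodically from several vantage points and alert when the digest drifts from the pinned value, which is the same signal the page-level swap produces.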
The code in the 2017 attack is significantly re-written and is largely unchanged in the attacks seen in 2019. We have continued to see attacks against Mingjingnews in the last year.

2019: Attacks against Hong Kong democracy movement: On August 31, 2019, the Great Cannon initiated an attack against a website (lihkg.com) used by members of the Hong Kong democracy movement to plan protests. The Javascript code is very similar to the packer code used in the attacks against Mingjingnews observed in 2017 and onward, and the code was served from at least two locations:
http://push.zhanzhang.baidu.com/push.js
http://js.passport.qihucdn.com/11.0.1.js
Initial versions targeted a single page on lihkg.com. Later versions targeted multiple pages and attempted (unsuccessfully) to bypass DDoS mitigations that the website owners had implemented.

BMW and Hyundai hacked by Vietnamese hackers, report claims
German media is reporting that hackers suspected to have ties to the Vietnamese government have breached the networks of two car manufacturers, namely BMW and Hyundai. The report, coming from Bayerischer Rundfunk (BR) and Tagesschau (TS), claims that hackers breached the network of a BMW branch sometime this spring. The attackers allegedly installed a penetration testing toolkit named Cobalt Strike on infected hosts, which they used as a backdoor into the compromised network. BMW had supposedly allowed the hackers to persist on its network, and followed their every move, cutting off their access the last weekend in November.

Amazon Battles Leaky S3 Buckets with a New Security Tool
From the AWS Announcement last Tuesday: Access Analyzer for S3 is a new feature that monitors your access policies, ensuring that the policies provide only the intended access to your S3 resources. Access Analyzer for S3 evaluates your bucket access policies and enables you to discover and swiftly remediate buckets with potentially unintended access.
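The two questions Access Analyzer asks of a bucket (is it open to anyone on the internet, and is it shared with another account?) can be asked of a policy document directly. Below is an added example, not AWS code and not how Access Analyzer itself is implemented: it classifies each Allow statement's Principal, checks ACL grants for the public grantee groups, and suppresses findings for buckets listed as intentionally public, which is the workflow the announcement describes. The account ID, bucket names, role ARN and both policies are constructed; the "before" policy is the unintended-access case and the "after" policy is its corrected form.

```python
"""Find S3 bucket policies and ACLs that grant public or cross-account access."""
import json

OWN_ACCOUNT = "111111111111"                       # constructed account ID
INTENTIONALLY_PUBLIC = {"example-static-site"}     # buckets allowed to be public

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_scope(principal):
    """Classify a Principal as 'public', 'cross-account' or 'own'.

    Service principals (e.g. {"Service": ...}) are treated as 'own' here.
    """
    if principal == "*":
        return "public"
    if isinstance(principal, dict):
        ids = _as_list(principal.get("AWS"))
        if "*" in ids:
            return "public"
        if any(OWN_ACCOUNT not in str(i) for i in ids):
            return "cross-account"
    return "own"


def analyze_policy(bucket, policy_json):
    """Return findings for every Allow statement that reaches outside the account."""
    findings = []
    for st in _as_list(json.loads(policy_json).get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        scope = principal_scope(st.get("Principal", {}))
        if scope == "own" or (scope == "public" and bucket in INTENTIONALLY_PUBLIC):
            continue
        findings.append({"bucket": bucket, "source": "policy", "scope": scope,
                         "actions": _as_list(st.get("Action")),
                         "conditional": "Condition" in st})   # conditions narrow, not remove, exposure
    return findings


def analyze_acl(bucket, grants):
    """Return findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for g in grants:
        if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS) \
                and bucket not in INTENTIONALLY_PUBLIC:
            findings.append({"bucket": bucket, "source": "acl", "scope": "public",
                             "actions": [g["Permission"]], "conditional": False})
    return findings


# Constructed "before": customer exports readable by anyone (unintended).
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-customer-exports/*"}]})

# Constructed "after": only a named role in the owning account may read.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/export-reader"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-customer-exports/*"}]})

# Constructed ACL with a public READ grant.
PUBLIC_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]


def run_demo():
    return (analyze_policy("example-customer-exports", WEAK_POLICY)
            + analyze_acl("example-customer-exports", PUBLIC_ACL)
            + analyze_policy("example-customer-exports", FIXED_POLICY))


if __name__ == "__main__":
    for f in run_demo():
        print(f)
```

Findings from a conditioned public statement (for example one restricted by a source-IP condition) are kept but flagged `conditional`, so a reviewer can decide whether the condition really makes the access intended rather than having the tool silently drop it.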
Access Analyzer for S3 alerts you when you have a bucket that is configured to allow access to anyone on the internet or that is shared with other AWS accounts. You receive insights or ‘findings’ into the source and level of public or shared access. For example, Access Analyzer for S3 will proactively inform you if read or write access were unintendedly provided through an access control list (ACL) or bucket policy. With these insights, you can immediately set or restore the intended access policy. In short, the new feature is supposed to help avoid accidental misconfigurations that could result in sensitive data being exposed, and subsequently damaging a company's brand and even - potentially - putting its customers at risk. If the Access Analyzer tool discovers that a bucket is misconfigured you can respond to the alert by making a single click to "Block All Public Access," and then use the tool's report to understand the nature of the problem so you can fully address it. Of course, it's perfectly possible that there is data on your AWS cloud servers which is supposed to be shared on the general internet (webpages, for instance), and these can be marked as intentionally public to avoid repeat warnings. Aside from Amazon S3 buckets, IAM Access Analyzer can also analyse the permissions granted using policies for your AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions.

Why the iPhone 11 Tracks Your Location Even When You Tell It Not To
Wired: Last week started with a minor mystery. Security journalist Brian Krebs noted that the iPhone 11 and 11 Plus check in on your location even when you turn off all location-related settings. That doesn't happen on older iPhones, and more importantly, goes against Apple's privacy policy and general gestalt. Rather than clearing the issue up at the time, Apple brushed off Krebs, giving no explanation other than that it was expected behavior. Well! A few days later, the company finally gave a real answer.
It turns out to be related to the new ultra wide band technology enabled by the U1 chip inside of Apple's latest phones. “Ultra Wideband technology is an industry standard technology and is subject to international regulatory requirements that require it to be turned off in certain locations,” Apple's statement reads. The location pings are there to make sure you're not in one of those locations, and the info never leaves the phone itself. All of which sounds reasonable enough, although it's still extremely unclear why Apple couldn't have just said all of that in the first place.

Hackers Steal VC Seed Money With Classic Man-in-the-Middle Attack
There's nothing especially fancy about the way hackers parted a Chinese venture capital company from its million-dollar investment in an Israeli startup, but it's an impressive example of the genre. The attackers noticed an email telegraphing the upcoming money transfer, and created fake domains that looked like the two companies respectively. By sending emails to each organization pretending to be from the other, the hackers were able to intercept every step of the ensuing correspondence, altering details along the way—like banking details. It's all very clever! Highly illegal, of course, and morally wrong. But clever! How they did it: A few months before the transaction was scheduled to happen, the attackers noticed an email thread containing information about a multimillion-dollar seeding fund from the Chinese VC. Rather than simply monitoring the thread and having emails forwarded to them, the attackers registered two domains. One of the domains was a look-alike of the Chinese investment company's domain; the other was a spoof of the Israeli firm's domain. In both instances, the threat actors simply added an "s" to the end of the original domain name. The next phase of the scam involved the attackers sending two emails with the same subject header as the original email thread about the planned seed funding.
The attackers used the Israeli firm's look-alike domain to send an email to the Chinese VC firm that appeared to be from the startup's CEO. They also used the Chinese firm's look-alike domain to send an email to the Israeli company that purported to be from the email account of the manager in charge of the transaction at the investment firm. "This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack." Thus, all email communication that both sides carried out in response to those two initial emails was being sent directly to the attackers first. The threat actors would review each email, make whatever changes they felt they needed to make, and then forward the messages from the look-alike domains to the original destination. In total, the attacker sent 14 emails to the Israeli side and 18 to the Chinese VC firm using the look-alike domains. Over the course of these communications, the attackers managed to change the bank account information for the VC firm and replace it with their own, so any money that the VC firm sent to the Israeli firm would end up with the attackers instead. The attackers were so brazen they even managed to cancel a scheduled meeting in Shanghai between the CEO of the Israeli company and the Chinese VC firm. They basically sent emails with different excuses to both sides using the rogue domains. The goal in thwarting the meeting apparently was to minimize the risk of the bank account number switch being discovered. "This operation was unique because the threat actor successfully spoofed both sides of the transaction and was able to disrupt physical meetings between the parties involved," says Tim Otis, team leader, incident response operations at Check Point Security.

Some VPNs Vulnerable to Traffic Hijacking
A virtual private network ostensibly keeps your internet browsing safe from prying eyes.
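The seed-money item above turned on domains one character away from each party's real domain. A mail gateway can catch that class of message by comparing the sender domain of every message in a thread against the domains of known counterparties, and by flagging a Reply-To that diverges from the From address. The code below is an added example, not from the article or from Check Point; the partner domains, addresses and headers are constructed.

```python
"""Flag look-alike sender domains in correspondence with known counterparties."""
from email.utils import parseaddr

# Constructed partner domains a mail filter would be configured with.
TRUSTED_DOMAINS = {"example-vc.com", "example-startup.io"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if not domain or domain in trusted:
        return None
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


def check_message(headers: dict, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for one message's headers."""
    findings = []
    from_domain = domain_of(headers.get("From", ""))
    target = lookalike_of(from_domain, trusted)
    if target:
        findings.append(f"From domain {from_domain} imitates trusted domain {target}")
    reply_to = headers.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")
    return findings


# Constructed messages: a genuine one, and one sent from a domain with an added "s".
LEGIT = {"From": "CEO <ceo@example-startup.io>", "Subject": "Re: Seed round wire details"}
SPOOFED = {"From": "CEO <ceo@example-startups.io>", "Subject": "Re: Seed round wire details"}
DIVERTED = {"From": "Deal Manager <deals@example-vc.com>",
            "Reply-To": "deals@example-vcs.com", "Subject": "Re: Seed round wire details"}


if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoofed", SPOOFED), ("diverted", DIVERTED)):
        print(name, check_message(msg))
```

A distance threshold of 1 catches the added-character trick without matching unrelated domains; raising it to 2 widens coverage to transpositions and double edits at the cost of more review work, which is the usual tuning choice for this rule.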
But a newly disclosed vulnerability in Unix-based operating systems—that's everything from Linux to macOS—leaves those VPN connections at risk of sniffing or even hijacking. The good news is that it's a tricky exploit to pull off, so you're probably not at risk unless a particularly talented hacker has eyes on you. The bad news? VPNs were already hard enough to trust.

Reddit Ties UK Document Dump to Russian Campaign
On October 21, documents hit the internet that purported to show sensitive details about UK trade talks with the US. On Monday, Reuters reported that the release had the hallmarks of a coordinated Russian disinformation campaign. Friday afternoon, Reddit itself confirmed as much. Remember, friends! Russian intelligence operations haven't slowed down since 2016, and they're not going to.

Data of 21 million Mixcloud users put up for sale: Emails, usernames, and strong-hashed passwords sold for just $2,000.
The breach appears to have taken place on or before November 13, which is the registration date for the last user profile included in the data dump. Tech news sites TechCrunch and Motherboard verified the data authenticity by contacting newly registered applicants. The company said that most users had signed up through Facebook, and did not have a password associated with their account. For those that did, Mixcloud said that passwords should be safe, as each one was salted and passed through a strong hashing function (SHA256 algorithm, according to the sample we received), making it currently impossible to reverse back to its cleartext form. This means that the data advertised on the dark web right now is just a long list of email addresses and uncrackable passwords.

California DMV Makes $50 Million a Year Selling Driver Info
Insert your own joke about yet another reason to hate the DMV here. Motherboard reports that California’s Department of Motor Vehicles has made anywhere from $41 million to $52 million each year by selling names, addresses, and car registration info of drivers. The customers include insurance companies and car companies. California’s not the only state to do this, but the number alone is eye-popping, as is the fact that most people don’t realize that the simple act of registering their car or getting their license puts their personal info in a third party’s hands.

Vistaprint Leaves Customer Calls and Chats Exposed Online
Another week, another unsecured database. This time it's online printing company Vistaprint’s turn. Security researcher Oliver Hough found a database with information related to 51,000 customer service interactions, which included some personally identifiable information and full online chats. As is often the case, it’s unclear if anyone other than Hough accessed the database before it was secured, but either way, it’s an inexcusable lapse.

It's the end of the year and time for the top 25 list.
This time of year we typically look back over the top movies, top stars or top songs of the past year, but this being security matters, we thought, with the help of the US Department of Homeland Security, we would reveal the top 25 list of cyber weaknesses.

Rank  ID       Name                                                                                        Score
[1]   CWE-119  Improper Restriction of Operations within the Bounds of a Memory Buffer                     75.56
[2]   CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')        45.69
[3]   CWE-20   Improper Input Validation                                                                   43.61
[4]   CWE-200  Information Exposure                                                                        32.12
[5]   CWE-125  Out-of-bounds Read                                                                          26.53
[6]   CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')        24.54
[7]   CWE-416  Use After Free                                                                              17.94
[8]   CWE-190  Integer Overflow or Wraparound                                                              17.35
[9]   CWE-352  Cross-Site Request Forgery (CSRF)                                                           15.54
[10]  CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')              14.10
[11]  CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')  11.47
[12]  CWE-787  Out-of-bounds Write                                                                         11.08
[13]  CWE-287  Improper Authentication                                                                     10.78
[14]  CWE-476  NULL Pointer Dereference                                                                     9.74
[15]  CWE-732  Incorrect Permission Assignment for Critical Resource                                        6.33
[16]  CWE-434  Unrestricted Upload of File with Dangerous Type                                              5.50
[17]  CWE-611  Improper Restriction of XML External Entity Reference                                        5.48
[18]  CWE-94   Improper Control of Generation of Code ('Code Injection')                                    5.36
[19]  CWE-798  Use of Hard-coded Credentials                                                                5.12
[20]  CWE-400  Uncontrolled Resource Consumption                                                            5.04
[21]  CWE-772  Missing Release of Resource after Effective Lifetime                                         5.04
[22]  CWE-426  Untrusted Search Path                                                                        4.40
[23]  CWE-502  Deserialization of Untrusted Data                                                            4.30
[24]  CWE-269  Improper Privilege Management                                                                4.23
[25]  CWE-295  Improper Certificate Validation                                                              4.06

Happy holidays! And now the top 5 worst states in the US for Cybercrime.
This list was created by payments platform CardConnect and is based on data from the FBI. By analyzing four of the most prominent types of online crime - credit card fraud, identity theft, personal data breaches, and phishing - they have built a Risk Index to identify the states which may be most at risk of suffering cybercrime.
1. Alaska (Risk Index: 195 out of 200)
2. Nevada (Risk Index: 194 out of 200)
3. Arizona (Risk Index: 181 out of 200)
4. Colorado (Risk Index: 180 out of 200)
5. Virginia (Risk Index: 179 out of 200)
For those in the Tri-state area: NJ was 10th, Connecticut was 18th and New York was 22nd. Apparently the safest state in the US has a low population and is famous for corn: Iowa.

Third-Party Vendor Exposes Data of Palo Alto Employees
American cybersecurity firm Palo Alto Networks has suffered a data breach after a third-party vendor accidentally published personal data regarding the firm's employees online. The breach took place in February. Details included names, dates of birth, and Social Security numbers. Absent from the press reports on the incident are exact details of how the breach came to occur, but it affected only a very small subset of the company's employees.

Netflix and chill: account freeze is a scam.
If you got this wonderfully worded email last week: "This is a notice to remind you that you have an invoice due on 27/11/2019. We tried to bill you automatically but you local bank being held a transaction." The domain used in this attack was only registered on 2019-11-17, and the web certificate was created 2019-11-28, so the site was probably set up specially for this scam, perhaps along with a bunch of others. If you deleted the original email without clicking anything, you did the right thing. The crooks have tried and failed, so you win. If you clicked through to the fake login page but bailed out without entering anything, you’re also safe. If you went as far as trying to log in on the bogus site, the crooks know your password.
Get yourself to the genuine Netflix login page as soon as you can and change your password. If you gave away your credit card details, the crooks know those too. Call your bank as soon as you can to cancel your card. (Look on the back of your actual card for the number to call, for safety’s sake!) If you think your card was compromised, keep a close eye on your statements. You should keep your eye on your financial records anyway, but you might as well step up your scrutiny after a security scare of this sort.

Amazon Plans Ring Facial Recognition-Based ‘Watch List’, Report
Lindsey O'Donnell: Amazon’s Ring Planned Neighborhood “Watch Lists” Built on Facial Recognition
Sam Biddle at The Intercept: Ring, Amazon’s crime-fighting surveillance camera division, has crafted plans to use facial recognition software and its ever-expanding network of home security cameras to create AI-enabled neighborhood “watch lists,” according to internal documents reviewed by The Intercept. The planning materials envision a seamless system whereby a Ring owner would be automatically alerted when an individual deemed “suspicious” was captured in their camera’s frame, something described as a “suspicious activity prompt.” It’s unclear who would have access to these neighborhood watch lists, if implemented, or how exactly they would be compiled, but the documents refer repeatedly to law enforcement, and Ring has forged partnerships with police departments throughout the U.S., raising the possibility that the lists could be used to aid local authorities. The documents indicate that the lists would be available in Ring’s Neighbors app, through which Ring camera owners discuss potential porch and garage security threats with others nearby. Once known only for its line of internet-connected doorbell cameras marketed to the geekily cautious, Ring has quickly turned into an icon of unsettling privatized surveillance.
The Los Angeles company, now owned by Amazon, has been buffeted this year by reports of lax internal security, problematic law enforcement partnerships, and an overall blurring of the boundaries between public policing and private-sector engineering. Earlier this year, The Intercept published video of a special online portal Ring built so that police could access customer footage, as well as internal company emails about what Ring’s CEO described as the company’s war on “dirtbag criminals that steal our packages and rob our houses.” A “proactive” approach to information sharing could mean flagging someone who happens to cross into a Ring video camera’s frame based on some cross-referenced list of “suspects,” however defined. Paired with the reference to a facial recognition watch list and Ring’s generally cozy relationship with local police departments across the country, it’s easy to imagine a system in which individuals are arbitrarily profiled, tracked, and silently reported upon based on a system owned and operated solely by Amazon, without legal recourse or any semblance of due process. Here, says Tajsar, “Ring appears to be contemplating a future where police departments can commandeer the technology of private consumers to match ‘suspect’ profiles of individuals captured by private cameras with those cops have identified as suspect — in fact, exponentially expanding their surveillance capabilities without spending a dime.” Researchers and legal scholars have for years warned that facial recognition and self-teaching machine learning technologies are susceptible to racial biases, and in many cases, can amplify and propagate such biases further — of particular concern in a law enforcement or security context, where racial prejudice is already systemic. 
A February review of the Neighbors app by Motherboard found that out of “100 user-submitted posts in the Neighbors app between December 6 and February 5, the majority of people reported as ‘suspicious’ were people of color.” In an interview with The Intercept, Liz O’Sullivan, a privacy policy advocate and technology director at the Surveillance Technology Oversight Project, described Ring’s planned “proactive suspect matching” feature as “the most dangerous implementation of the word ‘proactive’ I’ve ever heard,” and questioned the underlying science behind any such feature. “All the AI attempts I’ve seen that try to detect suspicious behavior with video surveillance are absolute snake oil,” said O’Sullivan, who earlier this year publicly resigned from Clarifai, an AI image-analysis firm, over its work for the Department of Defense. Ring’s spokesperson declined to answer a list of specific questions about the planned features, including what the company’s institutional definition of “suspicious” is, whether someone on a Ring “watch list” would ever be informed of this fact, or what someone would have to be “suspected” of in order to be labeled a “suspect” in Ring’s systems.

Adobe’s Magento Marketplace suffers data breach
John E Dunn: The company hasn’t said when the breach happened, merely that its security team discovered a vulnerability on 21 November 2019 that had allowed an “unauthorized third party” to access account information. Data compromised includes names, email addresses, MageID, billing and shipping addresses and phone numbers, plus limited commercial information such as “percentages for payments to developers.” No passwords or payment data was compromised, and none of Magento’s core products or services (i.e. software hosted on the site) were affected, the statement added. The two missing pieces of important information are how many accounts were affected and how long the breach lay undiscovered.
Pressure mounts for federal privacy law with second bill
Danny Bradbury: Pressure is gathering for a federal privacy law in the US with the introduction of a second bill that would protect consumer data. The Consumer Online Privacy Rights Act from Washington Senator Maria Cantwell not only outlines strict privacy and security rules, but also establishes a dedicated FTC office to enforce them. Cantwell also pointed out in her bill announcement that it defines privacy as a right in federal law. The proposed law would prevent companies from mishandling data to cause individuals harm. They’d also have to hand over a copy of the data to the individual owning it at their request and name any third party that they’d given it to. They’d also have to delete it when asked. The text of the bill doesn’t specify the FTC’s penalties but it does allow for an award of up to $1,000 per violation per day in individual civil suits, which could run into billions of dollars. This isn’t the only federal law on the hustings. In October, Oregon Senator Ron Wyden announced the Mind Your Own Business Act (formerly the Consumer Data Protection Act), which would impose fines and jail sentences of up to 20 years on senior executives that flouted strict privacy rules.

Master Go player retires citing AI supremacy
AI just won another battle in the war for supremacy against humans. Master Go player Lee Se-dol has handed in his stones after deciding that there’s just no way to beat a machine when playing the ancient Chinese board game. The ninth dan South Korean player reportedly submitted his retirement letter to the Korea Baduk Association (KBA), which governs the professional Go community there. Se-dol, 36, who began his career at 12, told the Korean Yonhap News Agency about his retirement in an interview on Monday 25 November, explaining: "With the debut of AI in Go games, I’ve realized that I’m not at the top even if I become the number one through frantic efforts.
Even if I become the number one, there is an entity that cannot be defeated." He’s referring to AI, and in particular to AlphaGo, the computerised Go player from Google’s AI subsidiary DeepMind. The two squared off in a five-game match in 2016, where AlphaGo beat him four times after he had predicted his own “landslide” win. Programming an AI algorithm to play Go is no mean feat. The 2,500-year-old game is more complex than chess, featuring a 19 x 19 grid as a board with a broader array of alternative moves than chess on average. AlphaGo’s programmers used neural networks to teach the computer about millions of past Go matches, and also enabled it to play against itself. This isn’t the first time that AI creations have competed with humans in gaming tournaments. IBM’s Deep Blue won in a series of chess games against world champion Garry Kasparov in 1997. Some 14 years later, the company’s Watson machine defeated two reigning champions over three episodes of the general knowledge game show Jeopardy, winning 69% more prize money than the humans combined.

Security Giant Prosegur Struck by Ransomware
The Spanish firm — which produces building alarms, and offers physical security services including cash transit vans — has over 60,000 employees around the globe and declared profits of €118m ($130m) for the first nine months of 2019. Prosegur posted a statement to its Twitter account on Wednesday claiming the company had been struck by the Ryuk variant. It added that it had “enabled maximum security measures” to prevent the spread of malware, including the “restriction of all communications.” That reassurance didn't, however, silence the customers complaining that their alarm systems had stopped working.

Data Breaches Batter Stock Prices at Public Companies, For Months
Much has been made of the fallout that companies face after a data breach. But for public companies, shaken investor confidence adds a whole new dimension to recovery concerns.
A recent study from Comparitech shows that share prices for large breached companies will hit a low point approximately 14 market days after an incident becomes public. Share prices fall 7.27 percent on average to reach that low, and they underperform the NASDAQ by -4.18 percent. Further, the firm found that finance and payment companies saw the largest drop in share price performance following a breach, while healthcare companies were least affected. And unsurprisingly, breaches that exposed credit-card and Social Security numbers saw larger drops in share price on average than companies that leaked less-sensitive data. The study analyzed stock performance for 28 very large companies listed on the New York Stock Exchange that have 33 well-known data breaches between them: Apple, Adobe, Anthem, Capital One, Community Health Systems, Dun & Bradstreet, Facebook, First American Financial, eBay, Equifax, Global Payments, Home Depot, Health Net, Heartland Payment Systems, JP Morgan Chase, LinkedIn, Marriott International, Monster, T-Mobile, Sony, Staples, Target, TJ Maxx, Under Armour, Vodafone and Yahoo. All of them resulted in at least 1 million records leaked, and some (Capital One, Equifax, Target, Yahoo) are among the largest breaches in American history. In analyzing their closing share prices prior to and after the data breach incidents, Comparitech found that after about a month, share prices actually tended to rebound and catch up to NASDAQ performance on average. However, in the longer term, breached companies went on to underperform the market. This effect perhaps stems from more details on the incidents coming to light, or due to ongoing media attention or the impact of fines, according to researchers.

Joker's Stash Puts $130M Price Tag on Credit Card Database
Payment card data is among the most widely distributed information on the Dark Web.
The breadth of data for sale in underground marketplaces can prove helpful to security teams, who can analyze this information and combine it with other threat data to learn their potential exposure and mitigate the impact of an incident, Flashpoint researchers advise in a new report. The ecosystem for stolen payment card data ranges from low-level markets selling cards recycled from past breaches, to top-tier sellers with unused card data directly pulled from a new breach. Joker's Stash is one of the most prominent payment card retailers on the Dark Web, where it has been selling credit cards from online and physical transactions since 2014. In 2015, it began to also sell personally identifiable information including Social Security numbers. A recent update on Joker's Stash arrived on Oct. 29, when it added data pertaining to more than 1.3 million credit and debit cards reportedly taken from banking customers in India. The data dump released was one of the largest in Joker's Stash's history, researchers report, with pricing information valued at $100 per card, which put the total for the database at $131 million.

Retailer Orvis.com Leaked Hundreds of Internal Passwords on Pastebin
Brian Krebs: Based in Sunderland, VT, and founded in 1856, privately-held Orvis is the oldest mail-order retailer in the United States. The company has approximately 1,700 employees, 69 retail stores and 10 outlets in the US, and 18 retail stores in the UK. In late October, this author received a tip from Wisconsin-based security firm Hold Security that a file containing a staggering number of internal usernames and passwords for Orvis had been posted to Pastebin. Reached for comment about the source of the document, Orvis spokesperson Tucker Kimball said it was only available for a day before the company had it removed from Pastebin.
“The file contains old credentials, so many of the devices associated with the credentials are decommissioned and we took steps to address the remaining ones,” Kimball said. “We are leveraging our existing security tools to conduct an investigation to determine how this occurred.” However, according to Hold Security founder Alex Holden, this enormous passwords file was actually posted to Pastebin on two separate occasions last month, the first being on Oct. 4, and the second Oct. 22. That finding was corroborated by 4iq.com, a company that aggregates information from leaked databases online. Orvis did not respond to follow-up requests for comment via phone and email; the last two email messages sent by KrebsOnSecurity to Orvis were returned simply as “blocked.” It’s not unusual for employees or contractors to post bits of sensitive data to public sites like Pastebin and Github, but the credentials file apparently published by someone working at or for Orvis is by far the most extreme example I’ve ever witnessed. For instance, included in the Pastebin files from Orvis were plaintext usernames and passwords for just about every kind of online service or security product the company has used, including:
- Antivirus engines
- Data backup services
- Multiple firewall products
- Linux servers
- Cisco routers
- Netflow data
- Call recording services
- DNS controls
- Orvis wireless networks (public and private)
- Employee wireless phone services
- Oracle database servers
- Microsoft 365 services
- Microsoft Active Directory accounts and passwords
- Battery backup systems
- Security cameras
- Encryption certificates
- Mobile payment services
- Door and alarm codes
- FTP credentials
- Apple ID credentials
- Door controllers
By all accounts, this was a comprehensive goof: the Orvis credentials file even contained the combination to a locked safe in the company’s server room.
Texas Health Agency Fined $1.6m for Data Breach
A fine of $1.6m has been meted out to the Texas Health and Human Services Commission for unintentionally exposing the personal health information of thousands of vulnerable people online. The Texan commission inadvertently made the names, addresses, Social Security numbers, and treatment information of 6,617 people visible on the internet between 2013 and 2017. The breach occurred when an internal application was moved from a private server to a public server. A flaw in the app's software then made the sensitive information visible to the public without any need for access credentials to be entered. An investigation into the breach by the OCR found the audit controls in place at the Health and Human Services Commission to be inadequate. Because of this, the federal agency was unable to come up with an exact number for how many unauthorized people had viewed the private information. A further determination of the OCR investigation was that the Texas health agency failed to conduct a risk analysis and implement access and audit controls on its information systems as required by the Health Insurance Portability and Accountability Act, commonly known as HIPAA.

NSA won’t collect phone location data, promises US government
The last 18 months have seen significant changes to the US’s collection of phone location data. Since 1994, law enforcement agencies in the US had been able to access call records thanks to an amendment to the 1996 Stored Communications Act. Under this legislation, a judge could give prosecutors access if they could justify that call records were relevant and material to an ongoing investigation. That all changed in a lawsuit brought by Tim Carpenter, who was convicted in 2011 after federal prosecutors trawled cell phone location data, tying his phone to the time and location of several robberies. Carpenter sued in appeals court, claiming that the trawling violated his Fourth Amendment rights.
He lost on appeal, but then the case went to the Supreme Court, which ruled in his favor in a 5-4 vote. That decision stopped the warrantless collection of phone location data by police and federal law enforcement. However, since the request to terminate the Call Detail Records (CDR) program, the National Security Agency (NSA) has asked to maintain its right to reintroduce the program.

GitHub launches Security Lab to boost Open Source Security
When it comes to open source software security, nobody could accuse Microsoft-owned development platform GitHub of not thinking big when it came up with the idea for Security Lab. Launched last week at its GitHub Universe developer conference, the idea sounds simple enough – create a global platform for reporting and fixing security vulnerabilities in open source projects before they do serious damage. It sounds so obvious that it’s surprising that nobody’s thought of it before. That might have something to do with the size of the job, admitted GitHub’s vice president of security product management in Security Lab’s launch blog: securing the world’s open source software is a daunting task. The JavaScript ecosystem alone encompasses more than a million projects, not helped by the 500:1 ratio of developers to security experts with the knowledge of how to fix things. To boost credibility, GitHub has already signed up big companies – namely Google, Oracle, Mozilla, Intel, Uber, VMware, J.P. Morgan, F5, NCC Group, IOActive, Trail of Bits, HackerOne, as well as Microsoft and LinkedIn. These partnerships have already borne fruit, with these companies collectively finding more than 100 CVE-level security vulnerabilities in open source code. Anyone who joins them will qualify for bug bounties of up to $3,000, GitHub said. Security Lab is also making available a free-to-use analysis engine, CodeQL, which GitHub acquired when it bought Semmle in September.
So if you know of a coding mistake that caused a vulnerability, you can write a query to find all variants of that code, eradicating a whole class of vulnerabilities forever. Perhaps the simplest innovation of all is that Security Lab will operate as a CVE Numbering Authority (CNA) – a critical piece of security architecture for a project that aims to shine a wider light on security problems in open source projects. Currently, GitHub says at least 40% of security flaws affecting open source don’t receive a CVE when they’re announced, which means they are excluded from public databases that tell customers they have something to patch. Security Lab will sort this with security advisories for users of affected projects, backed by automated security updates when patches are available and a Security Advisory API to integrate the flaw database into third-party tools. GitHub also announced its Archive Code Vault: a cold storage vault for open source code located in an underground Arctic bunker. Just like lifeforms, it turns out that code can go extinct too. If developers can’t find every flaw today, at least in years to come they’ll know where to look.

Two men busted for hijacking victims’ phones and email accounts
Police busted two alleged SIM-jackers in Massachusetts on Thursday and charged them with draining fat cryptocurrency wallets and hijacking social media accounts. An 11-count indictment charges the two men – Eric Meiggs, 21, of Brockton, Massachusetts, and Declan Harrington, 20, of Rockport, Massachusetts – with wire fraud, conspiracy, computer fraud and abuse, and aggravated identity theft for their alleged crime spree, which stretched from November 2017 to May 2018 and stripped $550,000 worth of crypto coins from at least 10 victims in the US.
Undercover reporter tells all after working for a Polish troll farm
Investigative journalist Katarzyna Pruszkiewicz spent six months working undercover, creating fake social media accounts and sending them out to troll on either side of the political spectrum, for Cat@Net – a troll farm in Wroclaw, Poland that calls itself an “ePR firm.” Together with her troll colleagues, the undercover journalist managed almost 200 fake accounts on Facebook, Twitter and Instagram, wrote thousands of messages and comments, promoted her clients’ products, trolled their competitors, and ran hidden support campaigns for, and smear campaigns against, politicians. Some of what Pruszkiewicz, working with Polish journalism NGO Fundacja Reporterów (Reporters Foundation), discovered:
- Cat@Net employs a mere 14 people to run 170 troll accounts on social media. Don’t let that small workforce fool you, though: Pruszkiewicz says that this constitutes a “powerful army,” as many of those accounts have thousands of followers, and they work hard to make sure their posts are viewed as much as possible – sometimes up to tens of thousands of times.
- The farm has both left- and right-wing troll accounts. That makes their smear and support campaigns more believable: instead of just taking one position for a client, it sends trolls to work both sides, blowing hot air into a discussion, generating conflict and traffic and thereby creating the impression that people actually care about things when they really don’t – including, for example, about the candidacy of a recently elected member of the Polish parliament.
- Cat@Net’s customers include “large and small companies […] as well as other entities, including public administration institutions and private individuals.”
- The firm was unaware that Pruszkiewicz was an investigative journalist, since she had a “clean” online record, with no profile to identify her as such.
Some of the things her fake account accordingly posted about:

April is the time of a nationwide teachers’ strike in Poland; they demand higher pay. The ruling party and their public radio and TV propaganda portray teachers as parasites, losers and sly dogs. My fictitious account chooses the #notsupportingteachersstrike hashtag. I write that teachers are holding students hostage; they are selfish and that their demands are unjustified. In the coming weeks I lash out at the LGBT movement. I say that I fell asleep while watching ‘Tell No One’, a documentary about child sex abuse in Poland’s Roman Catholic Church. Two men kissing on Eurovision? That’s outrageous! How can you expose children to such content? Pride parade? – more like #PervertsParade

Those kinds of posts impressed her bosses. By June 2019, after her 3-month troll trial, Pruszkiewicz had become a trusted troll. She was invited to a private Cat@Net Slack channel called “Kulawa Rebelia” – which translates as “Lame Rebellion” or “Rebellion on Crutches.” The name has to do with the fact that most of Cat@Net’s employees are believed to be disabled, which enables the company to get public subsidies from Poland’s National Disabled Rehabilitation Fund. According to the Reporters Foundation, the company has received about 1.5 million zloty (USD $388,044) from the fund since November 2015. The Guardian details one such campaign, which sought to influence what kind of fighter jet the Polish government spent its zloty on:

The accounts were used to undermine public support for the Polish government’s decision to place a major order with the American contractor Lockheed Martin for the F-35 fighter jet, promoting instead the Eurofighter Typhoon. […] Cat@Net employees were reminded by their managers that “the F-35 is our enemy number one” but “don’t be too pushy with the Eurofighter, otherwise they will know they are being trolled”.

Political favors, corruption, money: these are hard to disentangle.
They’re all part of the same ball of wax. All those motivations well might also be at play in the fake-news industry that fake-news writers are part of.

Office 365 Admins Singled Out in Phishing Campaign
“Office 365 admins have administrative control over all email accounts on a domain. Depending on the current configuration of the Office 365 instance, a compromised admin account may enable retrieval of user emails, or complete takeover of other email accounts on the domain. In addition, Office 365 admins often have elevated privileges on other systems within an organization, potentially allowing further compromises to take place via password reset attempts or abusing single-sign-on systems.” Once an administrator is phished the attackers are able to set up new accounts within the compromised organization, which are then used to send out more legitimate-seeming phishing emails. “This is beneficial for attackers because many email filtering solutions leverage the reputation of a sender domain as a major component of determining whether to block an email,” said PhishLabs. “Well established domains with a track record of sending benign messages are less likely to be quickly blocked by these systems. This increases the deliverability and efficiency of phishing lures.” By setting up new accounts to carry out this phishing activity, the hackers are also more likely to stay under the radar. The phishing lures themselves are spoofed to appear as if sent by Microsoft — for example, a message asking the recipient to sign in to the Office 365 Admin center to update payment information. Apparently over 1.5 million malicious and spam emails were sent from thousands of compromised accounts in the space of just one month earlier this year.
Attackers using WhatsApp MP4 video files vulnerability can remotely execute code
Last week, Facebook said in a security advisory that the WhatsApp bug, tracked as CVE-2019-11931, is a stack-based buffer overflow issue which can be triggered by attackers sending crafted .MP4 video files to victims. While there are not many details available, the technology giant said that the problem was caused by how the encrypted messaging app parses .MP4 elementary stream metadata. If exploited, the vulnerability can lead to denial-of-service (DoS) or remote code execution (RCE) attacks.

Zero-Day Exploits Earn Hackers Over $500K at Chinese Competition
White hat hackers have earned $545,000 for successfully demonstrating zero-day exploits targeting products from VMware, Microsoft, Google, Apple, D-Link, and Adobe at the 2019 Tianfu Cup hacking competition that took place over the weekend in Chengdu, the capital of China's Sichuan province. The highest single reward, $200,000, was received by the team named 360Vulcan for a VMware exploit that allows an attacker to escape from the guest virtual machine to the host. VMware representatives were present at the event and confirmed that the exploit was successful against its VMware vSphere ESXi product. The company says it’s investigating the security flaws that made the attack possible and is working on addressing them. After last year’s Tianfu Cup, it took VMware only a few days to patch a vulnerability worth $100,000 disclosed at the contest. The 360Vulcan team also demonstrated attacks against Microsoft Office, Microsoft Edge, Adobe Reader, and qemu-kvm on Ubuntu. The qemu-kvm vulnerabilities earned them $80,000, Edge vulnerabilities earned them $55,000, and for the Office exploit they received $40,000.

Here's How Scammers Tried to Dupe Trend Micro Customers
Unlucky Trend Micro customers ensnared in the insider hack at the antivirus company are being bombarded with fake tech support calls seeking access to their computers.
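The WhatsApp item above describes a stack-based overflow while parsing MP4 metadata. As an added illustration, not code from WhatsApp, Facebook or the advisory, the following C parser walks the MP4 "box" structure (4-byte big-endian size, 4-byte type, payload) and shows the bounds checks a defensive parser needs before copying a metadata payload into a fixed-size stack buffer; the sample files, the `META_MAX` limit and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* One parsed MP4 box (ISO base media file format). A box is
   size(4, big-endian) || type(4) || payload. size == 1 means a
   64-bit "largesize" follows the type; size == 0 means the box
   runs to the end of the data. */
typedef struct {
    char           type[5];      /* four-character code, NUL-terminated */
    uint64_t       payload_len;
    const uint8_t *payload;
} mp4_box;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p)
{
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Parse the box starting at buf[*off]. Returns 1 and advances *off on
   success, 0 if the header is truncated or the declared size does not
   fit in the remaining data. Every length is checked against buf_len
   before any pointer is derived from it. */
int mp4_next_box(const uint8_t *buf, size_t buf_len, size_t *off, mp4_box *out)
{
    size_t pos = *off;
    if (pos > buf_len || buf_len - pos < 8)          /* header must fit */
        return 0;
    uint64_t size = be32(buf + pos);
    size_t   hdr  = 8;
    if (size == 1) {                                 /* 64-bit largesize */
        if (buf_len - pos < 16)
            return 0;
        size = be64(buf + pos + 8);
        hdr  = 16;
    } else if (size == 0) {                          /* box extends to EOF */
        size = buf_len - pos;
    }
    if (size < hdr)                                  /* size smaller than its header */
        return 0;
    if (size > buf_len - pos)                        /* declared size exceeds data */
        return 0;
    memcpy(out->type, buf + pos + 4, 4);
    out->type[4]     = '\0';
    out->payload     = buf + pos + hdr;
    out->payload_len = size - hdr;
    *off             = pos + (size_t)size;
    return 1;
}

/* The unsafe pattern behind this bug class is memcpy(stack_buf, payload,
   payload_len) with payload_len taken straight from the file. Here the
   attacker-controlled length is compared with the destination size first,
   and an oversized payload is rejected instead of truncated silently. */
#define META_MAX 64
int mp4_copy_metadata(const mp4_box *box, char *dst, size_t dst_len)
{
    if (dst_len == 0 || box->payload_len >= dst_len)
        return 0;
    memcpy(dst, box->payload, (size_t)box->payload_len);
    dst[box->payload_len] = '\0';
    return 1;
}

/* Walk all top-level boxes; returns the count, or -1 at the first malformed box. */
int mp4_count_boxes(const uint8_t *buf, size_t buf_len)
{
    size_t  off = 0;
    int     n   = 0;
    mp4_box b;
    while (off < buf_len) {
        if (!mp4_next_box(buf, buf_len, &off, &b))
            return -1;
        n++;
    }
    return n;
}

/* Constructed sample: a valid 16-byte 'ftyp' box followed by an empty 'free' box. */
static const uint8_t good_file[] = {
    0, 0, 0, 16, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 2, 0,
    0, 0, 0, 8,  'f', 'r', 'e', 'e'
};
/* Constructed malformed sample: a box claiming 0x7FFFFFFF bytes with only 12 present. */
static const uint8_t bad_file[] = {
    0x7F, 0xFF, 0xFF, 0xFF, 'e', 's', 'd', 's', 1, 2, 3, 4
};

int main(void)
{
    char meta[META_MAX];
    size_t off = 0;
    mp4_box b;
    printf("good_file boxes: %d\n", mp4_count_boxes(good_file, sizeof good_file));
    printf("bad_file boxes:  %d (negative = rejected)\n", mp4_count_boxes(bad_file, sizeof bad_file));
    if (mp4_next_box(good_file, sizeof good_file, &off, &b) && mp4_copy_metadata(&b, meta, sizeof meta))
        printf("first box '%s', %llu payload bytes copied safely\n", b.type, (unsigned long long)b.payload_len);
    return 0;
}
```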
"The first call seemed very legitimate to me, I almost fell for it." Rona, who requested her last name be withheld, was among the estimated 68,000 Trend Micro users who had their names, email addresses, phone numbers, and customer support ticket numbers exposed in the breach. Since August, Trend Micro has been investigating why customers were receiving fake tech support calls and sourced it back to a rogue employee who was selling customer information to an unknown third party. Rona, who is based in Alberta, Canada, said she tried to warn Trend Micro about the potential hack in early October when she received a mysterious call on her cell phone from the scammers. The man, who had an "Indian or Pakistani accent," said he was contacting her on behalf of Trend Micro to report a problem with the company's antivirus software, which she's used for the past decade. The mysterious man knew Rona's name, as well as how she had recently called Trend Micro's help line to install the company's antivirus software on her mother's computer. He then asked Rona to open an email he had sent, which outlined the steps she needed to take to fix the problem. "I asked why they were not sending the fix through normal downloads. They said the servers were also infected and that is why they needed to do the fix via email," Rona said. "Since I was at work we decided that they would call me on Saturday, when I would be at my laptop." If Rona had been at her laptop when the scammer had called, she might have simply followed the man's instructions, assuming the request to be legit. But after the call, she thought the whole story of an infected Trend Micro server was suspicious. "So I phoned Trend Micro (the real company) and they told me it was a scam," she said, which caused her to promptly delete the email the mysterious man had sent.
Two more calls followed and then scammers tried another tactic: bombarding her phone number with robocalls—sometimes three times a day—claiming Trend Micro was going to charge or credit her bank account, and that she needed to respond. In all cases, the calls came from different numbers, making them unblockable. Users feel let down: "It was really hypocritical of them. They put announcements on their web page about different companies having security problems, but they don't talk about their own," she said. "It feels like they are trying to hide it. There are people like my mother who could have easily fallen for this."

Understanding the Ripple Effect: Large Enterprise Data Breaches Threaten Everyone
Tara Seals: “Breaches against large enterprises are becoming more frequent. There are several reasons for this – notably, breaches are no longer standalone incidents, they are part of larger organized cybercrime networks. The second reason is that the price of data is skyrocketing: beyond data tied to financial institutions being an attractive target, so is data tied to healthcare, education, infrastructure, elections and national security.” Even though we live in a “breach-of-the-week” era, where data-thieving and inadvertent information exposures have become an expected part of the landscape, large enterprises can’t afford to see data stewardship as anything other than a critical risk, experts warn. “Fortune 500 companies have a much larger attack surface,” he said. “It’s more difficult to promote an effective security culture across a base of tens of thousands of employees than for a company with only a handful. Add in the fact that people tend to reuse passwords for different services and often mix personal and corporate use of email and mobile devices, and the attack surface becomes even wider. Someone using company email on an insecure personal device represents an easy path to the corporate jewels.”
“In most cases, carefully planned attacks can find data that is pertinent in a smaller company that is a subsidiary or a contractor to a larger enterprise. In this case the smaller company proves to be the weakest link to attain the same data.” “Large enterprises and Fortune 500s tend to have a unique risk profile in many aspects. These enterprises tend to have a lot of assets, end users and employees, making them a much more lucrative target than a small organization – in a world where most data breaches are financially motivated, and selling loads of compromised personal data on the Dark Web can make a fortune.” Also, consider suppliers and partners, which can be caught in the crosshairs. IT systems consulting behemoth Wipro Ltd. in April, for instance, said that its network was hacked using stolen and phished credentials, and used for mounting attacks on its customers. Globally, participants consistently identified the same solutions as having the most positive impact on their organization’s ability to prevent a breach. Vulnerability management and security software took the lead (slightly above 16 percent). Employee training was third (14 percent), followed by response plans and security hardware (both slightly above 12 percent). While the survey found that regulatory compliance is the main driver for most cybersecurity programs, the loss of sensitive data is what keeps senior executives awake at night, not fear of compliance fines. Bugcrowd breaks its weekly bounty payout record For the first time in Bugcrowd’s seven-year history it paid out more than $500,000 in bounty fees to its white hats in a one-week period. For all of October more than 550 white-hat hackers working with Bugcrowd earned $1.6 million, with the top recipient taking home $40,000. “As those on the Bugcrowd platform know, and often look forward to, we pay out for valid findings on a weekly basis.
We’re extremely excited to announce that we’ve hit a milestone: last week, we paid out over a half million dollars, straight to our hackers’ pockets,” said Bugcrowd’s David Baker. Lessons from the Final Season of Mr. Robot Sensitive data often resides in very mundane and easily accessible places – Some data-loss prevention (DLP) providers have estimated that nearly 90 percent of an organization’s intellectual property may reside in email. It is very hard to defend against an insider exercising legitimate privilege – It stands to reason that any user would have access to their own inbox, and it is not uncommon for users to create email archives as backups. Once the data is stolen, it can’t be “recovered”. “Ambient computing” can be a significant threat to privacy and safety – The ubiquity of transmitters in all of our devices enables everything from individual user tracking to monitoring beacons from laptops to identify a car worth breaking into. Windows users, look out! New Buran ransomware-as-a-service tempts criminals with discount licenses The VegaLocker malware strain has provided the base for the new ransomware-as-a-service (RaaS) Buran, which is taking on competitors through discounted rates. First announced on a Russian forum, Buran operators appear to be focusing on establishing personal relationships with criminal customers. In total, 25 percent of illicit earnings made through successful infections are taken by the authors -- a substantial discount on the 30 to 40 percent usually required by RaaS operators. The rate, too, can be negotiated "with anyone who can guarantee an impressive level of infection with Buran," the researchers say. Buran is described in the advert as a stable strain of malware that uses an offline crypto-locker, 24/7 support, global and session keys, and no third-party dependencies such as libraries.
The malware is also able to scan local drives and network paths and contains optional features including the encryption of files without changing extensions; removing recovery points and clearing logs; backup catalog deletion; and the means to self-delete. Buran operators claim the ransomware is compatible with all versions of the Microsoft Windows operating system, but McAfee found during its investigation that some older versions, including Windows XP, are immune. The malware will check to see if the victim machine is registered in Russia, Belarus or Ukraine, and if these checks come back positive, Buran will exit. After making sure the malware is able to create files and store them in temporary folders, Buran will create registry keys to maintain persistence, assign the victim an ID, encrypt files, and post a ransom note. Apple Mail stores parts of encrypted emails in plaintext DB Apple expert Bob Gendler discovered that the Apple Mail app available on macOS leaves a portion of users’ encrypted emails in plaintext in a database called snippets.db. The issue affects all macOS versions, including the latest, Catalina. The issue is yet to be fixed, and even if Apple plans to address it, the company did not provide a timeline. “But if you send encrypted emails from Apple Mail, there’s currently a way to read some of the text of those emails as if they were unencrypted — and allegedly, Apple’s known about this vulnerability for months without offering a fix.” reads a post published by The Verge. “Apple says it’s aware of the issue and says it will address it in a future software update. The company also says that only portions of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they’re explicitly supposed to be encrypted, obviously isn’t good.” The expert discovered the issue while he was investigating how macOS and Siri suggest contacts and information to the user.
“This led me to the process called , run by the system level LaunchAgent apple, and the Suggestions folder in the user-level Library folder, which contains multiple files and some potentially important database files ( files).” reads a post published by Gendler on Medium. “These are databases with information from Apple Mail and other Apple applications that enable and Siri to become better at suggesting information.” Gendler explained that Siri uses a process named “suggestd” to collect contact information from various apps. Data collected by the process is stored in the snippets.db file. The expert discovered that if Apple Mail is used to send and receive encrypted email, Siri will collect a plaintext version of the emails, storing them in the database. “Let me say that again… The snippets.db database is storing encrypted Apple Mail messages…completely, totally, fully — UNENCRYPTED — readable, even with Siri disabled, without requiring the private key.” Unfortunately, disabling Siri will not solve the issue because the ‘suggestd’ process will continue to scrape emails. The expert proposed the following three ways to disable these processes from scraping messages from Apple Mail:
Gendler also suggests manually removing the snippets.db file that is located in “/Users/(username)/Library/Suggestions/”. Twitter Spy Case Highlights Risks for Big Tech Platforms Companies should be required to inform victims if their data has been compromised "so they can take measures to protect themselves." The allegations of spying by former Twitter employees for Saudi Arabia underscore the risks for Silicon Valley firms holding sensitive data, which make the platforms ripe for espionage. The two Saudis and one US citizen allegedly worked together to unmask the ownership details behind dissident Twitter accounts on behalf of the Riyadh government and royal family, according to a federal indictment. Analysts say the incident shows how massive databases held by Silicon Valley giants can be juicy targets for intelligence agencies, which can often apply pressure to company insiders. "For companies collecting massive amounts of data, the challenge is how to keep it secure not only from hackers, but from rogue employees." Platforms such as Twitter and Facebook remain important tools for human rights activists; however, users should be aware of the potential for data leaks -- both in their countries, and from insiders. It's been alarming to see how governments use tactics that exploit the inherent weaknesses of the internet to go after people expressing dissent. Bruce Schneier, a security researcher and fellow at Harvard University's Berkman Klein Center for Internet & Society, said it is not surprising to see governments targeting databases of tech platforms. "We all assume it happens a lot. But this (prosecution) rarely comes up," Schneier said. Schneier said there have long been fears about Chinese or Russian insiders pressured to introduce vulnerabilities in major software platforms, and that companies may be ill-equipped to thwart those efforts. "The government of Russia versus Twitter is not a fair fight," he said. "It's hard to blame the tech companies."
According to an indictment unsealed Wednesday, US citizen Ahmad Abouammo and Saudi national Ali Alzabarah were recruited in 2014-2015 to use their positions in Twitter to gain access to private information related to accounts of critics of Riyadh. Ahmed Almutairi, a marketing official with ties to the royal family, was a critical go-between who arranged contacts, prosecutors said. "Most employers do cursory background checks for the most obvious stuff such as criminal records or bankruptcy," he said. "None of them does any semblance of a background check on nation-state threats." "There's a case for collecting the bare minimum of data from users and allowing users to opt out" of certain kinds of data collection. Experts believe Artificial intelligence (AI) and 5G will introduce new cybersecurity concerns Kayla Matthews: Information Risk Management (IRM) recently published its 2019 Risky Business Report. The report also brings up how cybercriminals will use AI to carry out attacks, and clarifies that at least one such incident has occurred already. The report also notes that increased deployment of distributed network data centers would increase the size of the attack surface associated with the 5G network. Moreover, the presence of new and third-party applications once 5G arrives will increase the possibility of threats. A good sign is that 93% of the people who gave answers for the report said they had incident management plans in place. The study cautioned that the 7% of organizations that don’t should never assume they’re not targets for hackers. It brought up the example of a Missouri radio station that had its audio files compromised. These new rules were meant to protect our privacy. They don’t work Stephanie Hare: The GDPR was billed as the gold standard of data protection, offering the strongest data rights in the world. It has forced companies everywhere to modify their operating models, often at great cost.
It inspired the state of California to pass a similar law and where California leads, the rest of the US often follows; there have been calls for a federal version of the GDPR. Before it came into effect last year, we faced an onslaught of emails from organisations asking if we were happy to continue a relationship most of us never knew we were in, or if we wanted them to delete our data and unsubscribe us from their data gathering. Most websites nudge us into clicking “I consent” by making it harder for us not to. Those that do offer an “I do not consent” option force us to navigate a complicated menu of privacy settings, all of which offer only the veneer of privacy. They know that no one has the time or inclination to do this for every website and they are betting that most of us will choose convenience over data protection. And so we click “I consent” to cookies and other web trackers that follow us around, creating an ever-growing digital self that is monitored, used, bought and sold. Under the GDPR, we gained the right to find out what data is held on us and to request its deletion. Again, this puts the onus on us, not the companies or the government, to do the work. Again, most of us don’t. Yet the GDPR could have solved this easily by making privacy the default and requiring us to opt in if we want to have our data collected. But this would hurt the ability of governments and companies to know about us and predict and manipulate our behaviour, as Shoshana Zuboff demonstrated powerfully in her book, The Age of Surveillance Capitalism. It grows harder to shrug this off when our own parliamentary joint committee on human rights (JCHR) warned last week that data is already being used to discriminate in housing and job ads online. It notes that it is “difficult, if not nearly impossible, for people – even tech experts – to find out who their data has been shared with, to stop it being shared or to delete inaccurate information about themselves”. 
And the JCHR says that it is “completely inappropriate to use consent when processing children’s data”, noting that children aged 13 and older are, under the current legal framework, considered old enough to consent to their data being used. The collection of biometric data, which occurs with facial recognition technology, is prohibited under the GDPR unless citizens give their explicit consent. Yet there are exceptions when it is in the public interest, such as fighting crime. This is how an exception becomes the rule. After all, who doesn’t want to fight crime? And since the security services and police can use it, many companies and property owners use it too. Amid signs of a growing backlash, the GDPR offers little help and even less consistency. In August, Sweden’s data regulator fined a high school for using facial recognition to register student attendance, but did not rule it illegal. France’s regulator ruled last month that it is illegal to use facial recognition in secondary schools, but it has not challenged the government’s plan to use facial recognition for a compulsory national digital identity programme. A UK court upheld the use of facial recognition by South Wales police this autumn, but the main data regulator, the Information Commissioner’s Office (ICO), warned last month that this should not be taken as a blanket permission for the police to use the technology. In Permanent Record, Edward Snowden explains that it was his close study of the US constitution, specifically the Bill of Rights, which persuaded him that Americans’ civil liberties were being violated by the US government’s mass surveillance activities, which were carried out with and without the active participation of US technology companies. And even though non-US citizens are not protected by the Bill of Rights, Snowden believed that the US government was violating their human rights. This is what drove him to blow the whistle in 2013. 
Last week, Snowden said that the GDPR is “a good first effort… but it’s not a solution”. He thinks that legislation should address the collection of our data, not its protection after it is collected. Huge Data Leak Doxes Members of Notorious Neo-Nazi Forum The IronMarch forum was one of the internet's worst places until it shut down in November 2017, a breeding ground and online meeting place for neo-nazi groups. This week, someone dropped a 1GB SQL database filled with information like usernames, IP addresses, private messages, public posts, and the emails people used to register accounts. In sum, it amounts to a major doxing of extremist hate group members from just a few years ago. The independent journalists at Bellingcat have put together a guide to searching through and interpreting the data—and have raised the possibility that several IronMarch members were active US military personnel. Facebook Reveals Yet Another Data Exposure Stop us if you've heard this one: Facebook said this week that it had granted around 100 developers access to more data than they should have, specifically related to Groups. At least 11 of those developers actually accessed that data, and Facebook has asked them to delete it. It's not as comprehensive or devastating as the Cambridge Analytica fiasco, but making your name and profile picture available to unauthorized developers clearly isn't ideal. At a certain point, it's easy to become numb to these missteps. Try not to; you and your data are worth more than that. Alphabet's Chronicle Is Fading Fast According to a report this week from Motherboard, Chronicle—a touted cybersecurity company within Google parent-company Alphabet—has been beset by staff departures and a "lack of clarity about Chronicle’s future." It's still a functioning operation, but seemingly diminished from the grand visions with which it launched almost two years ago. 
Major US hosting provider hit by a ransomware attack, impacting hundreds of thousands of customers. SmarterASP.NET claims to operate three ‘world-class’ data centers “delivering the reliability and flexibility necessary to support your mission-critical Internet operations.” However, the websites of its 440,000+ customers, as well as its own, went offline yesterday following the attack. “Your hosting account was under attack and hackers have encrypted all your data. We are now working with security experts to try to decrypt your data and also to make sure this would never happen again,” SmarterASP.NET said in a notice dated 11/11/2019. It’s unclear whether the firm has been able to decrypt the locked files, either by paying up or via a third-party key, or is restoring from backups. I Accidentally Uncovered a Nationwide Scam on Airbnb Allie Conti: Kris and Becky’s unit looked identical, save for a coffee table that was rectangular instead of round. Alex and Brittany had an additional armchair in their living room. Rachel and Pete’s place showed the most variation, but was still eerily similar to the rest of the bunch. When I finally plugged the original address of the place that I’d booked from Becky and Andrew into Google Street View, I felt like I was losing my mind. Becky and Andrew’s photos had no floor-to-ceiling windows, but the building on Street View at the same address clearly did. It seemed as if one person or group might have created numerous phony accounts to run a much larger Airbnb operation. If that proved true, it meant whoever ran the five accounts I’d located was controlling at least 94 properties in eight different cities. How many other people had been scammed out of money like me? Feeling as if I was entering a Pynchonian nightmare, I sent a message to Airbnb alerting them to what increasingly seemed like an elaborate scam.
The specific details of Airbnb nightmares aside, those of us who’ve fallen for a crappy or nonexistent listing may well wonder how in the world a company that’s been around for 11 years – one that’s due to go public and is estimated to be worth $35 billion – could fail to have the technologies and processes in place to weed out the fraudsters who find it so easy to take advantage of the platform. Well, it hasn’t had those abilities. Nor has it apparently prioritized putting them into place. But Airbnb, which plans to go public next year, seemed to have little interest in rooting out the rot from within its own platform. When I didn’t hear back from the company after a few days, and saw that the suspicious accounts were still active, I took it upon myself to figure out who exactly had ruined my vacation. Airbnb’s refund policy is based on a complicated rubric that doesn’t say guests need written evidence in order to obtain a full refund but does note the company has “final say in all disputes.” It’s easy enough to see how a scammer might exploit the policies as laid out. If a guest stays even one night in a rental, for example, it is difficult to obtain a full refund, according to Airbnb’s rules. If a host asks a guest to stay at a property that’s different from the one they rented, Airbnb advises the guest to request a cancellation if they’re “not okay with the switch.” In both cases, the rules favor a would-be scammer and place the onus on guests who have just parachuted into an unfamiliar locale with their luggage and have nowhere else to stay that night. The issue with leaving a scammer a bad review is that they will do the same to you and if you are a regular traveller, using AirBnB, that could be fatal to your ability to ever book anything nice ever again. Airbnb’s Community Standards state that no host should “provide inaccurate information,” but Airbnb does not rigorously police the request, according to the report. 
“In spite of the fact that Becky and Andrew received a verified ID badge on their profile page, we have no way of knowing if they had any role in the properties other than having their photo taken,” the report stated. “This case also undermines one of the cornerstones of AirBnB’s business model, namely that the company’s ratings and identity verification system are a viable means by which travelers can vet their prospective hosts.” Of the six other accounts I'd connected to the scheme, five are still active weeks later. Only one has disappeared from the site. Update: 11/01/2019, the morning after the article was published, the FBI made contact about the claims made above. A week after that, Airbnb chief executive Brian Chesky said that starting next month – on 15 December – the new Airbnb Guest Guarantee will ensure that guests who stay in listings that don’t meet Airbnb’s “accuracy standards” will either be rebooked into someplace that’s “just as nice” or, failing that, they’ll get a 100% refund. Airbnb says that it will verify each and every Airbnb listing and host by December 2020. Chesky didn’t say how. What we do know is that there are an awful lot of listings to scrub: according to one property management site, the platform currently has more than 650,000 hosts and over 6 million listings worldwide. Until that happens, make sure you take photographs of every little shard of beer bottle or dirty sheet, and suggest to all your friends they do the same. UK: Facebook Won’t Ban Political Ads, Despite Controversy Phil Muncaster: Facebook will not remove political advertising from its platform ahead of the UK’s upcoming General Election, despite complaints that the ruling Conservative Party is already trying to influence users with misleading information.
The social network has been under pressure to ban such advertising completely, after Twitter announced plans to do so earlier this month and the Mozilla Foundation and several rights groups signed an open letter urging it and Google to follow suit. The UK Electoral Commission, Information Commissioner’s Office (ICO) and the cross-party DCMS Select Committee have all called for urgent legislation to regulate political advertising. However, in an update late last week, Facebook argued that it was not in the business of censoring politicians. Although such ads will be pulled if they incite violence, share previously debunked content or spread misinformation about where, when and how to vote, they won’t be fact-checked like other content, explained head of UK public policy, Rebecca Stimson. After months of worry, BlueKeep vulnerability is now being exploited in mass-hacking campaign British researcher Kevin Beaumont raised the alarm this past weekend, after discovering that BlueKeep honeypots he had set up (to act as an early alarm that the vulnerability was being exploited) began to crash and reboot themselves. "I built a worldwide honeypot network to spot exploitation, which I called BluePot. Since then it has been remarkably quiet. I’ve been keeping in contact with people at threat intelligence and anti-malware companies and, essentially, the protection built has been eerily quiet. That isn’t to say exploitation hasn’t happened — of course, advanced threat actors would absolutely look to leverage this — but there’s been a complete lack of data to suggest any kind of widespread exploitation. That changed on October 23rd — one of the BlueKeep honeypots crashed and rebooted. Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity." The good news is that the current attack appears to be flawed – crashing the computers it is attempting to infect rather than successfully installing the hackers’ code. 
News first broke of the BlueKeep vulnerability earlier this year, when Microsoft took the unusual step of issuing patches for old versions of Windows which it no longer officially supports, and publishing reminders on its blog for users to take action. At the time, it was reported that almost one million vulnerable PCs were connected to the internet, and potentially open to exploitation. The threat was considered serious enough that the likes of the NSA urged administrators and users to patch vulnerable legacy Windows computers. US: Licenses to Sell to Huawei Coming Soon The US government will soon partially relax its block on Huawei by allowing domestic tech firms to sell it components, according to the Commerce Department. Although Donald Trump in June signaled a softening of Washington’s hardline approach to the Chinese giant, when he said he’d allow some US firms to start supplying the company again, the all-important licenses have still not appeared. Commerce secretary Wilbur Ross said on Sunday that these “will be forthcoming very shortly,” according to Bloomberg. This will help US firms which have seen rival companies in Asia pick up lucrative contracts to sell Huawei various components, after Trump approved a decision to put the Shenzhen firm and 70 affiliates on an “entity list.” The Commerce Department has already received 260 requests from US firms for licenses to circumvent Huawei’s blacklisting. US grounds Chinese-made drones as part of security review Adding to the growing chorus of concern about Chinese technology and potential espionage, the US Department of the Interior (DOI) announced on Wednesday that it’s grounding all Chinese-made drones or drones with Chinese-made parts as it reviews its drone program. According to a 2018 use report, the department owned 531 drones and had conducted 10,342 flights across 42 states and US territories – a 108% increase over 2017.
That number apparently jumped yet again: according to the Wall Street Journal, the department now has more than 800 drones. A person familiar with the matter told the WSJ that all of the devices are either made in China or have Chinese parts. Secretary Bernhardt is reviewing the Department of the Interior’s drone program. Until this review is completed, the Secretary has directed that drones manufactured in China or made from Chinese components be grounded unless they are currently being utilized for emergency purposes, such as fighting wildfires, search and rescue, and dealing with natural disasters that may threaten life or property. As the WSJ reports, the DOI’s concerns include that the drones could be used to transmit data, including photography and video, of sensitive US infrastructure that may be the subject of future cyberattacks. This is the latest move the US government has taken to push away China, which security experts have pointed to as the most active nation-state when it comes to cyber-espionage against the US government, its corporations and its allies. What you need to know about the US CLOUD Act and the UK COPOA Act Dan Swingde: The UK and US governments have signed a new data sharing agreement that allows law enforcement officials quicker and easier access to data held by digital service providers in their counterpart countries. While this law doesn’t allow law enforcement to request data directly from companies on the other side of the Atlantic, data companies store in the cloud could be more easily accessed by foreign agencies. Brought about partly due to difficulties the FBI faced in forcing Microsoft to hand over data stored on servers in Ireland, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was signed into law in 2018. Under the act, US law enforcement can compel US technology companies to hand over data stored on servers, whether the data is stored in the US or on foreign soil.
It also allows bilateral agreements with foreign governments to request electronic data from the US in exchange for reciprocal arrangements. US Department of Justice push for encryption backdoors might run afoul of First Amendment By Cynthia Brumfield: Running counter to the now decades-long on-again and off-again pursuit by the Justice Department and law enforcement for a backdoor that would allow access to encrypted communications, Baker wrote that encryption “is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China. This is true even though encryption will impose costs on society, especially victims of other types of crime.” What triggered Baker to write the piece is the recently renewed push by the Justice Department under William Barr to raise again the idea that law enforcement is “going dark” thanks to the rise of end-to-end. Nikkei Hit in $29m BEC Scam Media giant Nikkei has become the latest firm to suffer a humiliating Business Email Compromise (BEC), after it admitted losing $29m to scammers following human error. The Tokyo-headquartered firm, which owns the Financial Times, revealed in a brief statement that an employee of its US subsidiary made the crucial mistake. “In late September 2019, an employee of Nikkei America, Inc. … transferred approximately $29m Nikkei America funds based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei,” it noted. Global Registrar Web.com Suffers Major Breach US-based Web.com, and subsidiaries Network Solutions and Register.com, discovered on October 16 that they were hit by an attack late in August. “Our investigation indicates that account information for current and former Web.com customers may have been accessed,” the firm said in a statement. 
“This information includes contact details such as name, address, phone numbers, email address and information about the services that we offer to a given account holder. We encrypt credit card numbers and no credit card data was compromised as a result of this incident.” “We are notifying affected customers through email and via our website, and as an additional precaution are requiring all users to reset their account passwords,” it added. NCR Barred Mint and QuickBooks from Banking Platform During Account Takeover Storm Brian Krebs: Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions. That ban, which came in response to a series of bank account takeovers in which cybercriminals used aggregation sites to surveil and drain consumer accounts, has since been rescinded. But the incident raises fresh questions about the proper role of digital banking platforms in fighting password abuse. “The weird part is sometimes the attackers are getting the multi-factor challenge, and sometimes they aren’t,” said the source, who added that he suspected a breach at Mint and/or QuickBooks because NCR had just blocked the two companies from accessing bank Web sites on its platform. NCR wouldn’t say what methods were used, but it seems clear the hacked accounts were tied to customers re-using their online banking passwords at other sites that got hacked. Please remember that if you bank online and choose weak or re-used passwords, there’s a decent chance your account could be compromised by cyber-thieves. Proton Technologies makes the code of ProtonMail iOS App open source Pierluigi Paganini: Recently the cybersecurity firm SEC Consult reviewed the source code of the ProtonMail iOS App and found seven low-risk vulnerabilities in the popular mobile mail client.
“During the initial code review, SEC Consult found seven low-risk vulnerabilities in the reviewed source code and the mobile app.” reads the report published by SEC Consult. “Although issues with certificate validation have been identified within the encrypted communication between the mobile application and the backend system, the inner layer of end-to-end encryption could not be broken.” The company explained that developers are free to implement and build upon the methods that it has documented and published. The contribution of the cyber security community could help the company solve real-world privacy challenges, making popular privacy-focused applications safer and more robust.

Government Officials in More Than 20 Countries Targeted via WhatsApp Hacking
Last May, WhatsApp revealed that hackers at NSO Group had been exploiting a vulnerability in its software that allowed them to compromise a phone simply by targeting it with a voice call that planted malware on the device capable of silently stealing a victim's messages. Now, in the same week when WhatsApp revealed that NSO Group had in fact targeted 1,400 of its users, Reuters reports that government officials in more than 20 countries have also been targeted via WhatsApp hacking. Reuters didn't name the countries, nor did it explicitly confirm that hacking was carried out by NSO or using the company's tools, but the newswire's story seems to suggest a link to the notorious hacker-for-hire firm. WhatsApp this week already confirmed that, based on an investigation carried out by the nonprofit cybersecurity research group Citizen Lab, NSO targeted more than 100 members of civil society, including journalists, human rights defenders, lawyers, and activists. If NSO has in fact aided in the compromise of government officials, that would represent yet more evidence that its tools and targeting haven't been limited to criminals and terrorists, as the company has long portrayed its work.
Counter-Strike's Gaming Marketplace Disabled Over Rampant Fraud, Money Laundering
The multiplayer game Counter-Strike: Global Offensive made a matter-of-fact announcement last Monday: It would no longer allow its "container keys"—digital items that players can buy and sell to open containers that contain valuable digital items in the game—to be sold or traded on the marketplace of Steam, the online platform run by the game's owner, Valve. That's because, according to the company, the large majority of those trades and sales were being carried out by criminals seeking to launder money through those keys, using them as an unregulated currency. "Worldwide fraud networks have recently shifted to using CS:GO keys to liquidate their gains," the company wrote in a statement. "At this point, nearly all key purchases that end up being traded or sold on the marketplace are believed to be fraud-sourced."

Canada Credit Union Data Breach Bigger Than First Thought: Desjardins
AFP: A massive data breach last year at Desjardins credit union has turned out to be bigger than originally thought, affecting all 4.2 million of its customers, Canada's largest banking co-operative said Friday. Quebec provincial police "informed us that this breach of personal information concerns a greater number than that which was communicated in June," Desjardins president and chief executive Guy Cormier told a news conference. "It is 4.2 million, so all of our individual members, who are affected," he said. Originally the number was announced as 2.9 million...

Wi-Fi signals let researchers ID people through walls from their gait
11 months ago, a team of researchers led by Yasamin Mostofi at the University of California Santa Barbara demonstrated, using a streamlined set of technologies – just a smartphone and some clever computation – how to see through walls and successfully track people in 11 real-world locations, with accuracy rates of between 82% and 89%. XModal-ID is a novel video-WiFi cross-modal gait-based person identification system: it establishes a unique pattern of movement for each individual with as little as a couple of WiFi transmitters and a phone. Consider a smart home, where each resident has personal preferences (e.g., lighting, music, and temperature). The home WiFi network can use XModal-ID and one-time video samples of the residents to identify a person walking in an area of the house and activate his/her preferences, without the need to collect wireless/video data of each resident for training purposes. New residents can also be easily identified without a need for retraining. Now consider surveillance: match video with each individual's unique movements and you can track and ID them even in areas where there is no CCTV. Scary.

Iranian Hackers Targeted a US Presidential Candidate
Friday, Microsoft sounded an alarm that serves as a timely reminder that Russia doesn't have a monopoly on election hacking. In an aggressive new email phishing push, the company says, Iranian hackers targeted a US presidential campaign. "Due to the success of the Russians in the 2016 US election, their model is being emulated across the globe," says Jeff Bardin, chief intelligence officer of the cybersecurity intelligence firm Treadstone 71, which monitors Iranian hacking activity. "In terms of who Iran might target in the US, you would have to ask yourself what candidate or candidates would best suit Iranian needs as a president of the United States.
And the interesting thing with that is that Iran's effort would likely be counter to the efforts of Russian cyber-operations and those of other countries. So what you end up having is the potential for numerous massive attempts to manipulate the American voter that may turn to absolute noise and contradictory data." Microsoft wouldn't say which candidate's operations the Iranian assailants hit, but Reuters reported on Friday that the target was President Donald Trump's re-election campaign, which is known to use Outlook as its email provider. Microsoft noted that the attacks on the campaign did not succeed. In a 30-day stretch during August and September, Microsoft saw hackers launch 2,700 attempts to identify specific target email accounts, including those belonging to current and former US government officials, journalists, and Iranians living outside Iran. They ultimately attacked 241 of those and successfully compromised four—none of which were associated with the US presidential candidate or government officials. Microsoft has notified the victims.

Political Operatives Are Faking Voter Outrage With Millions Of Made-Up Comments To Benefit The Rich And Powerful
Jeremy Singer-Vine & Kevin Collier at Buzzfeed: Sarah Reeves sat on her couch in Eugene, Oregon, staring at her laptop screen in furious disbelief. She was reading the website of a government agency, where her mother appeared to have posted a comment weighing in on a bitter policy battle for control of the internet. Something was very wrong. Her mother, a soft-spoken advocate for free speech, died a year before the comment was posted. “Net neutrality” was designed to protect the open web by requiring internet providers to treat traffic from all sites equally — and under Trump, the FCC was planning to scrap it.
Conservatives had long branded the regulation as an assault on free enterprise, but advocates warned that its repeal would allow the broadband giants to manipulate traffic in favor of the highest-paying platforms, crowding out competition and stifling free speech. The stakes were high, and the public comment period attracted a staggering 22 million submissions. The problem was, many of the comments were fake. Despite polling showing substantial support for net neutrality, Americans appeared to be flocking online to defend the rights of the telecom giants. Almost immediately, observers started sounding alarms. The tech publication ZDNet found that “anti-net neutrality spammers are flooding FCC's pages with fake comments” and that several people whose names appeared as commenters said they had not posted a word. Reporters at Gizmodo and the Verge found similar examples. In a key part of the puzzle, two little-known firms, Media Bridge and LCX Digital, working on behalf of industry group Broadband for America, were shown to have misappropriated names and personal information as part of a bid to submit more than 1.5 million statements favorable to their cause. The New York attorney general opened an investigation and has since issued subpoenas to more than a dozen entities — estimating that “as many as 9.6 million comments may have used stolen identities.” But the FCC went ahead and scrapped the net neutrality rule in a massive victory for the broadband industry and a huge blow, consumer advocates said, for users. Some suspicious comments have been tracked back to particular political operatives. But the question of how millions of identities were marshaled without consent had largely remained a mystery.

Social media manipulation as a political tool is spreading
According to Oxford University’s Computational Propaganda Research Project, the use of algorithms, automation, and big data to shape public opinion – i.e.
computational propaganda – is becoming “a pervasive and ubiquitous part of everyday life.” For its third annual report, the project examined what it calls “cyber troop” activity in 70 countries. Cyber troops is the collective term for government or political party actors that use social media to manipulate public opinion, harass dissidents, attack political opponents or spread polarizing messages meant to divide societies, among other things. Over the past two years, there’s been a 150% increase in the number of countries using social media to launch manipulation campaigns, the project found.
80% of countries use bot accounts
11% of countries use cyborg accounts
7% of countries use hacked/stolen accounts
71% of these accounts spread pro-government or pro-party propaganda
89% attack the opposition or mount smear campaigns
34% spread polarizing messages designed to drive divisions within society
75% of countries used disinformation and media manipulation to mislead users
68% of countries use state-sponsored trolling to target political dissidents, the opposition or journalists
73% amplify messages and content by flooding hashtags

ESET sounds alarm over Casabaneiro attack
The research team at ESET has detailed a bank hacking operation that is hitting both fiat and cryptocurrency operations in Mexico and Brazil. Known as Casabaneiro, the attack uses fake pop-up windows to trick users into entering their account details, which are then sent by the malware to a command and control server. What is particularly unique about this attack, says ESET, is the way it runs its command and control system. Infected machines do not go directly to the command server, but rather a YouTube page where a link to the C&C machine is embedded in the video description. The infected machines access the page then follow the link, making it appear to admins as if the user is just watching a video.
"What makes this technique dangerous is that it does not raise much suspicion without context," ESET explains.

Incognito mode for Google Maps will start rolling out later this month, first on Android, with the iOS version following soon after. Incognito mode in Maps is going to keep your device from recording your Maps activity on that device. For example, the places you search for won’t be saved to your Google Account, nor will they be used to personalize your Maps experience. It’s easy to turn on and off, Google says: you just select it from the menu that appears when you tap your profile photo. Make no mistake, Incognito mode won’t make you a silent, trackless online ghost. If you want to leave everyone guessing, the only game in town is the Tor browser. Maps is a standalone app that isn’t affected by (or even able to read) your browser cookies. It keeps its own stash of data, locally and remotely, about what you have searched for, where you have been, and so on. Google is very keen for you to access its maps via the app and not your browser – every time you visit maps.google.com on your phone you’ll get a popup urging you to try the app instead. (The app has many more features than you get in a mobile browser, and is indeed more useful as a result, but it does get to collect its own data that doesn’t get cleared along with browser cookies.)

Feds to boost scrutiny of airliner cybersecurity vulnerabilities
Doug Olenick: The Wall Street Journal is reporting a new program to run tests on actual airplanes to probe for weaknesses, much as was done several years ago when an older Boeing 757 was put to the test by researchers who found the plane could be penetrated using its radio communications setup.

Chrome cripples movie studio Mac Pros
Danny Bradbury: It’s not often that a single software bug can bring an entire industry to a virtual standstill, but it happened last week – and experts finally found an unlikely culprit.
The problem began on Monday 22 September when reports emerged of a problem with Macs running Avid software. Avid is an editing suite that production companies use to put movies and TV programs together. A few days ago, movie editors started reporting that Mac Pros running Avid software were crashing. If users tried to restart their machines, they wouldn’t reboot. Imagine how you’d be feeling if you were working on something with a deadline of hours, like a news segment. According to a Google post explaining the incident, Chrome damaged the file system on macOS. Chrome removed a symbolic link (symlink), which is a shortcut to a linked object; the system treats the symlink as the linked object. Keystone, Chrome's updater, removed the /var symlink, which threw the affected Macs into disarray. If your computer is on OS X 10.11 or later and you haven’t taken steps to disable SIP, this issue cannot affect you. If it is affected, you will have to reinstall macOS from macOS Recovery.

Vimeo sued for storing face-prints of people without their say-so
Lisa Vaas: You didn’t tell me that you’re collecting and storing my faceprint, you didn’t tell me why or for how long, you didn’t get my written OK to do it, and you haven’t told us how long you’re retaining our biometrics or how we can get you to nuke them, another Illinois resident has said in yet another proposed facial recognition class action lawsuit based on the state’s we’re-not-kidding-around biometrics law. This one’s against the video-sharing, face-tagging website Vimeo. The complaint was filed on 20 September on behalf of potentially thousands of plaintiffs under the Illinois Biometric Information Privacy Act (BIPA). Illinois resident Bradley Acaley is lead plaintiff.
The suit takes aim at Vimeo’s Magisto application: a short-form video creation platform purchased by Vimeo in April 2019 that uses facial recognition to automatically index the faces (along with the gender, age, race, and location) of people in videos so they can be face-tagged. Facebook is facing a similar class-action suit, Patel v. Facebook, first filed in 2015 for violating Illinois privacy laws by “secretly” amassing users’ biometric data without getting consent in what Facebook has claimed is the largest privately held database of facial recognition data in the world.

Google wins landmark case: Right To Be Forgotten (RTBF) only applies in EU
Since 2015, Google and the French data privacy regulator, CNIL, have been wrestling over how wide a net that implies. Does the amnesia only include results returned to Europeans? Or does it pertain to Google’s worldwide list of domains? Last Tuesday, the European Court of Justice (ECJ) ruled in Google’s favor: RTBF is EU-only, it decreed. Google was inundated with RTBF requests after launching its RTBF form in May 2018. One man who tried to kill his family wanted a link to a news article about it taken down. Other requests came in from a politician with a murky past and a convicted pedophile. By the end of the first day, 12,000 Europeans had submitted the form. For a while, the rate hummed along at 10,000 requests per day. Nearly a third of the requests related to a fraud or scam, one-fifth concerned serious crime, and 12% were connected to arrests having to do with child abuse imagery. By May 2018, the initial flood had ebbed. Google was refusing a majority of them anyway: it was accepting between 42% and 44% of the requests per year. According to its most recent transparency report, as of 7 Sept. 2019, it had cumulatively granted 45% of RTBF search requests, or about 846,000 links.
Microsoft rushes out fix for Internet Explorer zero-day
The zero-day (CVE-2019-1367) was reported to Microsoft by Clément Lecigne of Google’s Threat Analysis Group. It’s a remote code execution (RCE) flaw in the browser’s scripting engine that could allow an attacker to install programs; view, change, or delete data or create new accounts with full user rights. No further details have been made public in the advisory, but as with most browser vulnerabilities, exploitation would involve luring unpatched users to a malicious website on a Windows machine where IE is set as the default browser. Microsoft’s own security chief told everyone back in February of this year to stop using IE and move on to a more modern browser; a better security solution is just to uninstall IE in the first place in W10: Settings > Apps > Optional features.

Apps Selling for Hundreds of Dollars on Google Play Store
Giulio Saggin: Android apps are being sold by unscrupulous developers who are abusing a loophole in the policy that allows users to download and use apps at no cost for a short trial period. If the user doesn't want to use the app beyond the trial period, they need to uninstall the app and inform the developer they no longer wish to use the app. If this isn't done, the app developer charges the user. Usually this is a few dollars. The loophole lies in 'charging the user'. Deceitful developers start by making users sign up with payment information before they can use the app. Many users don't read the fine print which tells them that, in order to fully stop using the app, they have to explicitly tell the developer they are cancelling the trial period. When users fail to do this, the exorbitant charges start. In the case of one app, the developer charges users €104.99 (US$115) after 72 hours, while the makers of another app go even further and charge users €214.99 (US$235) when the trial ends.
Airbus Suppliers Hit in State-Sponsored Attack
Paris (AFP): There have been four major attacks on Airbus in the last 12 months, according to two security sources involved in investigating the hacking. The group has long been considered a tempting target because of the cutting-edge technologies that have made it one of the world's biggest commercial plane manufacturers, as well as a strategic military supplier. In January, it admitted to a security incident that "resulted in unauthorized access to data", but people with knowledge of the attacks outlined a concerted and far bigger operation over the last year. Hackers targeted British engine-maker Rolls-Royce and the French technology consultancy and supplier Expleo, as well as two other French contractors working for Airbus. "Very large companies are very well protected, it's hard to pirate them, so smaller companies are a better target," said Rhomain Bottan of BoostAerospace. How did they do it? "The sophisticated attack targeted the VPN which connected the company to Airbus," the source said. Airbus suppliers sometimes operate in a VPN linking them with colleagues at the plane-maker. What were they after? A particular nation state has been repeatedly failing certification of a couple of commercial passenger aircraft it was/is developing, and "At the time of the intrusions, a state-owned aerospace company was working to develop a comparable engine."

Has the "like" button had its last "thumbs up"?
With a mounting body of research pointing to the number of content Likes – or lack thereof – negatively influencing some users’ self-esteem, it may be time to question whether the "like" button might have turned out to be a force for bad. Recent studies have linked increased depression, poor sleeping habits, and unhealthy body image in children and teens with higher use of social media and digital devices.
Facebook and Instagram are currently running tests in Canada, Australia, Brazil, Ireland, Italy, Japan and New Zealand to determine the fate of the "like" button. Extinction may be on the horizon.

Marriott hotels data breach: post mortem
Josh Fruhlinger: On September 8, 2018, an internal security tool flagged as suspicious an attempt to access the internal guest reservation database for Marriott's Starwood brands, which include the Westin, Sheraton, St. Regis, and W hotels. This prompted an internal investigation that determined, through a forensics process that Marriott has not discussed in detail, that the Starwood network had been compromised sometime in 2014 — back when Starwood had been a separate company. Marriott purchased Starwood in 2016, but nearly two years later, the former Starwood hotels hadn't been migrated to Marriott's own reservation system and were still using IT infrastructure inherited from Starwood. In their investigation, Marriott found data that the attackers had encrypted and attempted (probably successfully) to remove from the Starwood systems. By November, they had managed to decrypt that data and discovered that it included information from up to 500 million guest records, though those undoubtedly include duplicate records or multiple records pertaining to individual guests. Many of the records include extremely sensitive information like credit card and passport numbers. Now aware of the severity of the breach, Marriott released a statement on November 30, 2018. Marriott first became aware that they'd been hacked when a security tool flagged an unusual database query. (The tool was actually monitored by Accenture, who had been running IT and infosecurity for Starwood before the merger and continued to do so for the legacy network afterwards.)
The database query was made by a user with administrator privileges, but analysis quickly revealed that the person to whom that account was assigned was not the one who made the query; someone else had managed to take control of the account. A Remote Access Trojan (RAT), along with Mimikatz, a tool for sniffing out username/password combos, were found in system memory. Together, these two tools could have given the attackers control of the administrator account. It's not clear how the RAT was placed onto the Starwood server, but such Trojans are often downloaded from phishing emails. Cultural and business factors might be labelled the root cause of the breach. What stands out here is not the attack's success in breaching Starwood's systems — most security experts today believe it's almost impossible to keep all attackers at bay all the time — but rather that the attack went undetected for four years, because after Marriott acquired Starwood in September 2016, most of Starwood's corporate staff, including those managing information technology and security, were laid off. Hundreds of millions of people had their passport and credit card numbers stolen. Credit card numbers were stored in encrypted form, but the encryption keys were stored on the same server, and were also taken in the breach. As for the passport numbers, while some were encrypted, the majority were simply saved in the clear. Who did it? Techniques used point to a nation state looking for details on high profile business people. And now you know.

Data of Nearly 5 Million DoorDash Users, Dashers, Merchants is Breached
In early September the company became aware of unusual activity by a third-party service provider and launched an investigation, engaging the services of external security experts to assess what happened. From this, it was determined the third party had accessed some DoorDash user data on May 4 this year.
DoorDash said in a statement that "users who joined after April 5, 2018 are not affected ... and the data accessed includes names, email addresses, delivery addresses, phone numbers and hashed, salted passwords." Some consumers had the last four digits of their payment cards exposed, but not the full card number or CVV. Similarly, some Dashers and merchants had the last four digits of their bank account number exposed but not the full account information. Around 100,000 Dashers had their driver’s license numbers accessed.

Cybercriminals shop for admin access to healthcare portals
When people think about hackers and their targets, most assume cybercriminals are after bank account numbers or financial institutions. But a new study from cybersecurity firm IntSights shows hackers are now homing in on healthcare institutions for lucrative information to steal. IntSights' new research report "Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry" looks at what methods cybercriminals are using and what healthcare organizations can do to protect themselves. "If you would have told me 15 years ago, 'Hey let's go target the database manager for this insurance company,' I wouldn't even know where to begin," said IntSights chief security officer Etay Maor. "But today, I go online, and there's websites and free software which will map it out and give you an organizational chart from CEO to secretary, all based on Linkedin information and other things. Working out spear-phishing attacks then becomes easy at that point. The infrastructure is not as advanced as other places, and healthcare data is extremely valuable. There's so much info that can be used for all kinds of things," Maor said. "If I'm a cybercriminal, and I steal a credit card, great, maybe I can use it or not. If I steal a patient's data? I can do insurance fraud, I can do account takeover, or financial fraud. I can create static IDs or order drugs.
That's why credit cards on the dark web go for $1, and healthcare information or patient data goes for $50."

What Are Zero-Knowledge Proofs?
Lily Hay Newman: Zero-knowledge techniques are mathematical methods used to verify things without sharing or revealing underlying data. Think of a payment app checking whether you have enough money in your bank account to complete a transaction without finding out anything else about your balance. Or an app confirming a password's validity without needing to directly process it. In this way, zero-knowledge proofs can help broker all sorts of sensitive agreements, transactions, and interactions in a more private and secure way. Zero-knowledge protocols are probabilistic assessments, which means they don't prove something with the complete certainty that simply revealing it would. Instead, they provide small pieces of unlinkable information that can accumulate to show that the validity of an assertion is overwhelmingly probable. Researchers at MIT first started developing the concept of a zero-knowledge proof in the 1980s. A classic example of the utility of zero-knowledge proofs describes two millionaires, Alice and Bob, who want to know which of them has more money without revealing how much wealth they each have. The techniques have come into prominence over the past decade in a more concrete way thanks in part to their usefulness in blockchain applications like cryptocurrencies. For example, zero-knowledge proofs can be used to validate cryptocurrency transactions managed on a blockchain and combat fraud without revealing data about which wallet a payment came from, where it was sent, or how much currency changed hands. By contrast, digital currency that doesn't incorporate zero-knowledge proofs, like Bitcoin, reveals all of that information. As is unfortunately often the case, the enormous potential of zero-knowledge proofs can sometimes lead the phrase to be over-used.
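To make the "probabilistic, accumulating" point above concrete, here is an added example (not code from the article or from any product it mentions) of a small interactive proof of knowledge of a discrete logarithm: an honest prover always convinces the verifier, a prover who does not know the secret passes each one-bit round only by a coin-flip guess, and a simulator fabricates accepting transcripts without the secret, which is what makes the proof zero-knowledge. The group parameters P, Q, G and the secrets are constructed toy values.

```python
"""Interactive zero-knowledge proof of knowledge of a discrete logarithm.

Added illustrative example; not code from the article or from any product
it mentions.  P, Q, G and the secrets below are constructed toy values;
real deployments use 2048-bit-plus groups or elliptic curves.
"""
import secrets

# Constructed toy group: P is a safe prime (P = 2*Q + 1 with Q prime) and G
# generates the subgroup of prime order Q.  4 = 2^2 is a quadratic residue,
# so its order divides Q; since 4 != 1 its order is exactly Q.
P = 1019
Q = 509
G = 4
assert pow(G, Q, P) == 1 and G != 1


class HonestProver:
    """Knows the secret x behind the public value y = G^x mod P."""

    def __init__(self, x):
        self.x = x % Q
        self.y = pow(G, self.x, P)

    def commit(self):
        # Fresh randomness every round: reusing r across rounds would leak x.
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)

    def respond(self, c):
        # s = r + c*x mod Q.  r masks x, so s alone reveals nothing about x.
        return (self.r + c * self.x) % Q


class CheatingProver:
    """Does not know x.  Guesses the challenge bit before committing."""

    def __init__(self, y):
        self.y = y

    def commit(self):
        self.guess = secrets.randbelow(2)
        self.r = secrets.randbelow(Q)
        t = pow(G, self.r, P)
        if self.guess == 1:
            # Rig t so that G^r == t * y holds if the challenge turns out to be 1.
            t = t * pow(self.y, -1, P) % P
        return t

    def respond(self, c):
        return self.r  # satisfies the check only when guess == c


def verify_round(y, t, c, s):
    """Verifier check for one round: G^s == t * y^c (mod P)."""
    return pow(G, s, P) == t * pow(y, c, P) % P


def run_protocol(prover, y, rounds):
    """Verifier side.  Every round draws a fresh 1-bit challenge, so a prover
    without x survives one round with probability 1/2 and all of them with
    probability 2**-rounds: confidence accumulates but is never absolute."""
    for _ in range(rounds):
        t = prover.commit()
        c = secrets.randbelow(2)
        s = prover.respond(c)
        if not verify_round(y, t, c, s):
            return False
    return True


def cheat_success_rate(rounds, trials=2000):
    """Fraction of trials in which a cheating prover convinces the verifier."""
    y = pow(G, 7, P)  # constructed public value; the cheater never sees x = 7
    wins = sum(run_protocol(CheatingProver(y), y, rounds) for _ in range(trials))
    return wins / trials


def simulate_transcript(y):
    """Zero-knowledge property: an accepting (t, c, s) transcript can be
    fabricated WITHOUT x by picking c and s first and solving for t.  Fake
    transcripts are distributed exactly like real ones, so a real transcript
    cannot leak x to anyone who sees it."""
    c = secrets.randbelow(2)
    s = secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, -c, P) % P
    return t, c, s


if __name__ == "__main__":
    alice = HonestProver(123)  # constructed secret
    print("honest prover, 40 rounds:", run_protocol(alice, alice.y, 40))
    for k in (1, 5, 10):
        print(f"cheater success rate over {k} round(s):", cheat_success_rate(k))
    t, c, s = simulate_transcript(alice.y)
    print("simulated transcript verifies:", verify_round(alice.y, t, c, s))
```

Each extra round halves the cheater's odds, which is the accumulating-confidence behaviour the article describes; the simulator shows why the verifier learns nothing beyond the fact that the prover knows x.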
"Zero-knowledge is one of the most misused terms," says Jean-Philippe Aumasson, CEO of the Swiss IoT encryption company Teserakt AG. "It's sometimes used to refer to user encryption when the server has 'zero knowledge' of the data. And there's also 'zero-knowledge architecture,' but these don't necessarily have much to do with zero-knowledge proofs." "Zero-knowledge is probably the most useful technology we've got, and we've barely begun to use it."

iPhone iOS 13 Lockscreen Bypass Flaw Exposes Contacts
Lindsey O'Donnell: The hack was first discovered by researcher Jose Rodriguez, an Apple enthusiast based in Spain who has found a slew of previous iPhone bypasses. This latest one could enable someone with physical access to a vulnerable iPhone to bypass the passcode authorization screen, and exists in the beta version of Apple’s soon-to-be-released mobile operating system, iOS 13. iOS 13 won’t be released to the masses until Sept. 19, but Rodriguez confirmed that the flaw works on the Gold Master (GM) version of iOS 13, which has been shipped out to developers (although it does appear to be fixed in beta versions of iOS 13.1, which is slated to be released on Sept. 30, Rodriguez said). Once the victim’s phone receives the FaceTime call, instead of answering, the attacker clicks the “custom” option and then responds with a text message. From there, the user must use Apple’s voice-over feature — which allows users to make requests to Siri using voice commands — to request to change the “to” field of the text message, and the “to” field then pulls up the phone’s contact list. That allows a user to look through the victim’s address book and siphon contacts, phone numbers and email addresses. The attack has been tested and confirmed by various news outlets in the iOS 13 GM running on an iPhone X. So, if you are worried about your contacts being exposed this way, it might be worth waiting for 13.1 at the end of the month.
National Security Is in Trump's Hands
Matt Laslo for Wired: The week began with revelations, first reported by CNN, that US intelligence agencies had pulled a high-level spy who gained the trust of senior officials inside the Kremlin, over fears the asset could be compromised. Then on Tuesday, the president jettisoned yet another national security advisor even as global conflicts, from Afghanistan and Iran to Venezuela, continue to simmer. It's not comforting to know that while most presidents had just a single national security advisor during their whole presidential stay, Trump is on his fourth.

Telegram fixes ‘unsend message’ bug that held on to your pictures
by Danny Bradbury: Imagine this: you’re at a party one Saturday night and, at 1 a.m., decide to send your best pal a picture of yourself doing a headstand wearing nothing but a pink tutu, slamming a liter of Smithwick’s finest from a beer bong. Unfortunately, your best pal’s name is Sue, which also happens to be your boss’s name, and you selected the wrong contact. Telegram introduced its ‘unsend message’ feature in version 3.16 back in 2017. It’s another feature in an app that has attracted privacy advocates everywhere for its ability to cloak communications, but security researcher Dhiraj Mishra has uncovered a flaw. The Android version of Telegram stores any images received in the /Telegram/Telegram Images/ folder. When deleting a message, you’d expect it to delete the image as well. In fact, it left the picture intact in the folder. The recipient would have to know to look there, of course, but if they checked, they’d be able to see you in all your tutu-sporting, beer-bonging glory. Bang goes your promotion. The company fixed the bug in version 5.11, so once again it is safe to don your dancing apparel.
Facebook says location data in iOS 13, Android 10 may be "confusing"
The post explains how Facebook’s app collects and uses background location data from smartphones: “background,” as in, when you’re not actually using the app. iOS 13 will show users a map of where apps have been tracking you when requesting permission. The notifications show a map of the specific location data a given app has tracked, displaying the snail-slime trails that we all leave behind in our daily travels and which so many apps are eager to sniff at for marketing purposes. iOS 13 will also give users reports on what apps are up to if you do choose to grant them the ability to continually monitor your location in the background. Android 10 also addresses apps that snoop on location data using other means, including by looking at Wi-Fi access points or checking folders for location data left by other apps. Android 10 requires specific fine location permissions for apps accessing selected Wi-Fi, telephony, and Bluetooth functions. It also has a new feature called scoped storage, which restricts an app’s access to files on external storage, only giving it access to its specific directory and media types. Make no mistake: Facebook thinks it’s better with location data: "It powers features like check-ins and makes planning events easier. It helps improve ads and keep you and the Facebook community safe. Features like Find Wi-Fi and Nearby Friends use precise location even when you’re not using the app to make sure that alerts and tools are accurate and personalized for you."

Massive email fraud bust snares 281 suspects
by Lisa Vaas: Operation reWired – a globe-spanning, four-month-long crackdown on email fraud involving law enforcement agencies in 10 countries – has resulted in the arrest of 281 people suspected of running BEC (business email compromise) scams.
The US Department of Justice (DOJ) on Tuesday announced that the operation, which kicked off in May 2019, led to the seizure of nearly $3.7 million in assets and repatriations. Out of the 281 arrests, 167 were in Nigeria, 74 in the US, 18 in Turkey, and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the UK. Chief Don Fort, with the US Internal Revenue Service’s (IRS’s) Criminal Investigation unit, said in the DOJ’s release that the criminal network was complex, and that it had a lot more going on besides talking businesses into making bogus wire transfers. Investigators discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in tax refunds, he said. What’s a BEC (business email compromise) scam? These scams typically involve legitimate business email accounts that have been hijacked, be it through social engineering or hacking, to initiate unauthorized transfers. The scammers often target employees who hold the purse strings, businesses that work with foreign suppliers, and/or businesses that are in the habit of executing wire transfer payments. As the DOJ explained in its announcement, the criminal networks that run BEC scams also go after individuals, including people buying real estate, the elderly, and others, by convincing them to make wire transfers to bank accounts that the crooks control. We saw an example of a real estate scam earlier this year when we learned about a woman getting swindled out of $150,000 from the overseas sale of her house in Australia. Sometimes the fraudsters will impersonate a key employee or business partner after they’ve seized control of that person’s email account. Sometimes, they’ll find their victims through romance and lottery scams. And sometimes, they’ll use dating sites to recruit money mules to help them launder the ill-gotten booty.
Last month, the FBI said that this recruitment of money mules on dating sites is on the rise. BEC scammers aren’t fussy: besides fraudulent wire transfers, they’ll sometimes go after fraudulent requests for checks, or sensitive personally identifiable information (PII), or employee tax records, or any/all of the above.

Google experiments with DNS-over-HTTPS in Chrome: Following hot on Mozilla’s trail, Google officially announced its own DNS-over-HTTPS (DoH) experiment in Chrome this week. Mozilla recently announced that it would turn on DoH by default for users of the Firefox browser’s desktop version in the US. This provides some privacy protections compared with regular DNS queries. Nevertheless, Google clearly doesn’t want to be outdone. It published a blog post on Tuesday providing more detail on the DoH functionality that it will include in Chrome 78. Google is taking a slightly different approach from Mozilla, though. For one thing, it won’t change the user’s DNS provider. When Chrome makes a web request, it will check to see if the user's existing provider is on a list of DoH-capable DNS services which Google says it has vetted for strong security and privacy. Only if it is on that list will Chrome switch to DoH. This brings a significant benefit, according to the search and advertising giant: "By keeping the DNS provider as-is and only upgrading to the provider’s equivalent DoH service, the user experience would remain the same. For instance, malware protection or parental control features offered by the DNS provider will continue to work." Right now, there are six providers on that list: Google itself plus CleanBrowsing, Cloudflare (which is Mozilla’s DoH provider of choice), DNS.SB, OpenDNS, and IBM’s Quad9. Google is making the service available on all Chrome-supported platforms with the exception of Linux and iOS.
For now, the experiment will roll out to “a fraction” of Chrome users, although Google didn’t respond to questions about how they will be selected or where they are. If you’re one of them, you will be able to opt out by disabling the flag, accessible in Chrome 78 by typing the following into your address bar: chrome://flags/#dns-over-https. Chrome 78 will enter beta sometime between 19 and 26 September 2019, and is due for a stable release on 22 October 2019.

Cyber-security incident at US power grid entity linked to unpatched firewalls: A cyber-security incident that impacted a US power grid entity earlier this year was not as dangerous as initially thought, the North American Electric Reliability Corporation (NERC) said last week. In a report highlighting the "lessons learned" from a past incident, NERC said hackers repeatedly caused firewalls to reboot for about ten hours on March 5, 2019. The incident impacted firewalls deployed at multiple power generation sites operated by a "low-impact" operator and did not cause any disruption in the electric power supply. The affected devices were network perimeter firewalls, which, on March 5, were mysteriously going down for periods of up to five minutes. The firewall reboots continued for hours, prompting the power grid operator to start an investigation. "Subsequent analysis determined that the reboots were initiated by an external entity exploiting a known firewall vulnerability," NERC's report said. The power grid operator eventually discovered that they had failed to apply firmware updates for the firewalls that were under attack. The reboots stopped after the operator deployed the proper patches.
Parts of Wikipedia Offline After 'Malicious' Attack: The servers of the Wikimedia Foundation, which hosts the site, suffered a "massive" Distributed Denial of Service (DDoS) attack. DDoS attacks involve legions of zombie computers – machines infected with viruses and commanded to simultaneously visit a website. Such a massive onslaught of demand can overwhelm website servers, slowing service or knocking them offline, as it did in this case. Wikimedia condemned the attack on its servers, saying it threatened "everyone's fundamental rights to freely access and share information."

Chinese Group Built Advanced Trojan by Reverse Engineering NSA Attack Tool: APT3 quietly monitored an NSA attack on its systems and used the information to build a weapon of its own. Chinese threat actor APT3 quietly monitored the US National Security Agency's use of a highly sophisticated cyber attack tool and then reverse engineered the code to build an advanced Trojan of its own called Bemstour. That conclusion is based on analysis of Bemstour after attacks on targets in multiple countries, including Belgium, Hong Kong and the Philippines. APT3 developed the exploit by reverse-engineering the NSA's EternalRomance, but then tweaked it so it could be used to target more systems. APT3's Bemstour leveraged the same Windows zero-day as the one used in EternalRomance (CVE-2017-0143). In addition, the group also created an exploit for another Windows zero-day (CVE-2019-0703). Both flaws have been patched. "The main takeaway is that we see evidence for the first time of a nation-state collecting and reusing foreign attack tools to recreate their own. We heard of that happening in theory; but now we have evidence to support it."
Police Use of Facial Recognition is OK, Say Americans: According to the Pew Research Center, 56 percent of Americans said that they trusted police and government officials to use facial recognition technology responsibly, including in situations where no consent is given. Around 50 percent said it is OK for law enforcement to use facial recognition tools to assess security threats in public spaces. But when asked about other types of organizations using the technology, survey respondents were much less enthusiastic, with 36 percent saying they could trust technology companies, and a far less enthusiastic 18 percent saying they trusted advertisers to use facial recognition responsibly. Note that there are age and racial skews in this data, with Caucasian respondents reporting the highest trust ratings and Black and Hispanic respondents far lower. Age-wise, younger respondents trusted less, while older demographics seemed to be more trusting of the police using this technology.

Apple: Your iPhone Is Secure, Google Is Just 'Stoking Fear', Michael Kan: Apple is pushing back on reports that iOS has a security problem. Apple said Friday that an iPhone hack disclosed last week by Google was targeting members of the Uighur Muslim community—not the public at large, as some had feared. "Google's post, issued six months after iOS patches were released, creates the false impression of 'mass exploitation' to 'monitor the private activities of entire populations in real time,' stoking fear among all iPhone users that their devices had been compromised. This was never the case," Apple said in a statement. "Second, all evidence indicates that these website attacks were only operational for a brief period, roughly two months, not 'two years' as Google implies," Apple added. Google researchers uncovered 14 previously unknown vulnerabilities in iOS that were being used by a mysterious group to deliver spyware to iPhones.
"Splintering" Makes Hacking Passwords 14 Million Percent Harder, Kevin Townsend: The Australian Tide Foundation has announced details of a distributed ledger technology (DLT) password protection system that uses 'splintering' to deliver password security it says is massively greater than that of the traditional central hashed database. This is a component of a wider project to develop a marketplace for a new personal data economy. The Tide Protocol will use distributed ledger (blockchain and encryption) technology to create a secure but open marketplace where PII can be safe, but sold. The infrastructure creates a secure vault for personal data where only the user has a key to his/her own data. This ensures that only the user can agree to the sale of that data. In its own words, Tide is creating "an open-source framework that operates on a decentralized blockchain-based architecture. The Tide cryptocurrency (Tide Settlement Tokens) will power the economy, managing both access permissions and remuneration across the ecosystem." The Tide Protocol runs on an EOS-based DLT, using EOS's asynchronous Byzantine Fault Tolerance Delegated Proof of Stake (aBFT-DPoS). This has already achieved more than 4,000 transactions per second (TPS), whereas the Bitcoin network handles 7 TPS and Ethereum handles 15 TPS. As the first stage of launching its full vision of a new personal data economy, Tide has announced its 'splintering' encryption technology for the secure storage of passwords. Rather than the traditional method of storing user passwords as hashed and salted entries in a single centralized database, splintering breaks the password into tiny sections, hashes and salts each of them individually, and then stores them in the vaults of a distributed ledger. "This technique," says Tide, "makes it tremendously more difficult to reconstruct one complete password, let alone all the passwords, using either reverse engineering or common brute force attack methods."
Tide's announcement mentions that breaches "like those suffered by Capital One, Equifax and Marriott cost companies in many ways, including large fines, legal problems and PR crises, not to mention loss of customer trust." The splintering technology was tested against the 60 million passwords stolen and leaked from LinkedIn. Tide's engineers found that splintering reduced the odds of a successful dictionary attack from 100% to 0.00072%; that is, a 14 million percent improvement.

Scams and Ransomware Cost Kiwis $6.5m in 3 Months, Sarah Coble: A report published Thursday by the government's national Computer Emergency Response Team (CERT NZ) revealed that $6.5 million in direct financial losses were reported nationwide in the second quarter of 2019. CERT NZ's findings show a marked increase in the number of cybersecurity attacks inflicted on businesses and individuals across NZ between quarters one and two of this year: Q2 showed a 21% increase over Q1. Out of all the cybercrime reported in quarter two, 23% involved some type of financial loss. "Scams and Fraud" was the highest reported category in quarter two, making up 38% of all reports; 19% were related to buying and selling goods online.

Hackers who hit Texas with ransomware attack demanded $2.5 million and got zip: In the early morning hours of Friday, August 16th, 2019, hackers managed to infiltrate the networks of 22 local government organizations in Texas via a third-party services provider, planting ransomware that encrypted data and disrupted business-critical services. The hackers’ demand? $2.5 million for the decryption keys to unlock the data. But Texas decided to do something different from the other states hit by ransomware: they didn’t pay up. Within hours of receiving notice of the event, state and federal teams were executing the response plan and were in the field at the most critically impacted sites to begin eradicating the malware and assessing the impact to systems.
By day four, response teams had visited all impacted sites and state response work had been completed at more than 25% of those sites. One week after the attack began, all sites were cleared for remediation and recovery. This is all very impressive, of course, but chances are that the clean-up and recovery – combined with the disruption to normal services – has actually cost more money than it would have cost to pay the cybercriminals who were holding the data to ransom. And that cost is likely to be passed on to taxpayers ultimately, but at least it is a step in the right direction, discouraging ransom attacks.

Caught in a bad romance: Feds indict 80 alleged members of romance scam ring: Federal prosecutors today unsealed a 252-count indictment against 80 individuals – mostly Nigerian nationals – who allegedly conspired to bilk at least $46 million from victims via romance scams, business email compromises and other online fraud schemes. The grand jury indictment was filed in the Central District of California back in October 2018 and unsealed only after the arrest this morning of 14 defendants in the U.S. – 11 in the Los Angeles area, the apparent epicenter of the scam. Two others were placed in federal custody prior to the law enforcement crackdown, and another was arrested earlier this week. The remaining 63 individuals are believed to be abroad, with most in Nigeria.

Hong Kong protesters warn of Telegram feature that can disclose their identities: For the past few months, Hong Kong citizens have been protesting against an extradition bill proposed by the government of Hong Kong, which would make it easier to send Hong Kong residents to mainland China to face legal charges put forward by the Chinese state. Massive protests with over a million attendees have been taking place almost daily, due to what locals see as a massive intrusion of the Chinese state into their daily lives.
In all of these protests, the Telegram instant messaging app has played a major role in helping residents organize their gatherings. For example, Telegram played a central role in a protest that took place today, with protesters forming a human chain across the city on the 30th anniversary of the Baltic Chain demonstration of 1989. The app is loved because it supports encrypted anonymous communications, and its group chatting feature has helped users organize protests and pass instructions to all attendees. A state law enforcement agency, or intelligence service, can then force local mobile telcos to disclose the names of the persons behind the phone numbers the feature exposes. In the case of the Hong Kong protests, Chinese officials could get a list of people who organized or coordinated protests via Telegram. "We have suspected that some government-sponsored attackers have exploited this bug and used it to target Hong Kong protesters, in some cases posing immediate dangers to the life of the protestors."

Lenovo High-Severity Bug Found in Pre-Installed Software: Another flaw has been found in Lenovo’s decommissioned Lenovo Solution Centre software, preinstalled on millions of older-model PCs made by the world’s leading computer maker. The vulnerability is a privilege escalation flaw that can be used to execute arbitrary code on a targeted system, giving an adversary Administrator or SYSTEM-level privileges. “The bug itself is a DACL (discretionary access control list) overwrite, which means that a high-privileged Lenovo process indiscriminately overwrites the privileges of a file that a low-privileged user is able to control.”

Did Denmark Make the Wrong Call on Location Data? Danish authorities are reviewing 10,700 court cases over concerns that cellphone location-tracking data given as evidence may have been flawed.
On Monday, Denmark's director of public prosecutions, Jan Reckendorff, announced a two-month ban on the use of cellphone data in criminal cases while the large-scale review of verdicts is carried out. Speaking to the country's state broadcaster, Reckendorff said: “We cannot live with incorrect information sending people to prison.” Concerns were raised after police discovered a glitch in an IT system used to convert data supplied by phone companies into evidence that can be used to place a suspect at a crime scene. The identified error was fixed in March, but a second problem emerged that could potentially place an innocent person at the scene of a crime: it transpired that some cellphone tracking data had linked phones to the wrong cellphone towers.

$1.1 million Bitcoin stash will compensate victims: Grant West was arrested in September 2017 and pleaded guilty three months later, in December. Earlier this year, a UK court sentenced West to 10 years and eight months in prison for multiple hacking and drug-related crimes. And his stash? Well, West didn't want to give up his Bitcoin willingly, so the judge told him he'd spend an additional four years in prison if he didn't, according to a report from The Guardian. We understand he changed his mind. Although earmarked as compensation for the victims, it will probably end up covering legal fees.

Hostinger resets customer passwords after security incident: Hostinger, one of the biggest web hosting providers on the internet, has disclosed today a security incident that impacted its platform and users. The company said the hacker made API calls against a database storing the personal information of about 14 million customers, such as Hostinger usernames, customers' IP addresses, first and last names, and contact information such as phone numbers, emails, and home addresses. The database also stored information about user passwords in a hashed format.
As a result, the web hosting provider said it decided to forcibly reset passwords for all impacted accounts, as it discovers affected customers.

New Zealand Dept of Conservation's mission to save the kakapo: The kakapo, native to New Zealand, is one of the world's rarest birds and is at risk of being wiped out by pests and habitat destruction. Up until last year, the New Zealand Department of Conservation relied solely on spreading toxins on the ground and placing physical traps across over 8 million hectares of land in New Zealand to keep the biggest predators of the kakapo – rats, possums, and stoats – at bay. But it was not working, so, in the department's words: "We built a new database last year for us to manage the digital twin of every one of these birds. We've been able to share this externally. It made the life of every ranger looking after the kakapo a lot easier; since building the database we have had the most successful [kakapo] breeding season ever, growing from 137 birds to 200 birds."

Mastercard says German Priceless Specials loyalty program breached: The data breach revealed information such as names, payment card numbers, email addresses, home addresses, phone numbers, gender and dates of birth from 90,000 mostly German customers, said the Belgian Data Protection Authority, which “is working closely with its German counterpart and the other competent authorities to defend the interests of the persons affected by this incident.”

Judge Orders Woman in Capital One Case to Remain in Custody: Paige Thompson, aka Erratic, has been ordered to remain in custody pending trial because she is a flight risk and poses a physical danger to herself and others. U.S. Magistrate Judge Michelle Peterson said Thompson’s “bizarre and erratic” behavior makes her a risk. The judge also said Thompson has no stable employment, residence or ties to the community and has stated that she wanted to die.
Thompson got caught earlier this year with PII from 106 million Capital One credit card holders and data from 30 other companies. At least 40 lawsuits have been filed in the U.S. against Capital One following the breach (8 more have been filed in Canada).

Astronaut accused of identity theft, accessing estranged wife’s bank account from International Space Station: Lt. Colonel Anne McClain, who recently made headlines when a scheduled historic all-female spacewalk was scrapped because her spacesuit didn’t fit, has been accused of identity theft and unauthorized access of financial records after she accessed the bank account of Summer Worden, using Worden’s login information, via a NASA computer on the ISS. After Worden discovered the intrusion, which she contended was motivated by McClain’s desire to get custody of Worden’s son, she reported it to the Federal Trade Commission (FTC) and to NASA, according to a report by the New York Times.

More on that “New Encryption Technology”: Crown Sterling, a Newport Beach, California-based biz that calls itself "a leading digital cryptographic firm," is suing UBM, the UK-based owner of the Black Hat USA conference, in America for allegedly violating its sponsorship agreement. The complaint, filed late last week in a New York district court, blames the conference organizers for allowing Black Hat attendees to disrupt Crown Sterling's talk about supposedly disruptive cryptographic technology – a presentation Crown Sterling paid $115,000 to present to hackers. The talk was described as "snake oil crypto", and the heckling spilled online. One Black Hat attendee said Crown Sterling was trying to "mix mysticism and magic into science" and that "none of it made any sense. The kinds of things they were discussing can't be found in the realm of reality," he said. The paper, published without peer review on the preprint server arXiv, garnered these comments: "At best, it's badly worded stuff. At worst, there's a fundamental misunderstanding of algebra."
61 impacted versions of Apache Struts left off security advisories: 61 unique versions of Struts were affected by at least one previously disclosed vulnerability but were not reported, or were reported incorrectly, and were left off the security advisories for those vulnerabilities. The analysis was done by the Black Duck Security Research (BDSR) team, which investigated 115 distinct releases of Apache Struts and correlated those releases against the existing Apache Struts Security Advisories.

Brooklyn man sentenced to just under 5 years for $1M in fraud: Between 2008 and last year, Elcock and co-conspirator Shoshana Marie McGill bought stolen financial and identity data on tens of thousands of businesses and individuals, according to the Department of Justice. They also obtained this material by hacking victims’ email accounts, bank accounts and password vaults. The duo then monetized the stolen data by buying goods online with victims’ card data, which they resold; opening new lines of credit in other people’s names; transferring money out of victim bank accounts; creating and cashing fraudulent checks in victims’ names; and selling the data and check-making kit to other fraudsters in return for a cut of their earnings.

UK teen gets 2 years: 19-year-old Elliot Gunton, of Norwich, was sentenced at Norwich Crown Court on Friday after pleading guilty to multiple offenses: money laundering, hacking Australian Instagram accounts, and breach of a Sexual Harm Prevention Order. Specifically, Gunton offered to supply stolen personal information to those that hired him. This information, which could include personally identifiable information (PII) such as names, addresses, and online account details, could then be used to commit fraud and SIM-swapping attacks. Payments were made in cryptocurrency, including Bitcoin (BTC), in an attempt to mask his activities. Business was booming for Gunton, it seems, considering that he must pay back over £400,000 ($484,000).
Class action facial recognition lawsuit given the go-ahead to pursue Facebook: Yes, yet another US court has reaffirmed that Facebook users can indeed sue the company over its use of facial recognition technology. Though a stream of courts has refused to let Facebook wiggle out of this lawsuit – and boy oh boy, has it tried – this is the first decision of an American appellate court that directly addresses what the American Civil Liberties Union (ACLU) calls the “unique privacy harms” of the ever-more ubiquitous facial recognition technology, which is increasingly being used without our knowledge or consent. Judge Sandra Segal Ikuta wrote that the court concludes that Facebook’s development of a “face template” using facial recognition, allegedly without consent, could well invade an individual’s privacy rights: "The facial-recognition technology at issue here can obtain information that is ‘detailed, encyclopedic, and effortlessly compiled,’ which would be almost impossible without such technology." The lawsuit was originally raised in Illinois, whose Biometric Information Privacy Act (BIPA) bans collecting and storing biometric data without explicit consent, including “faceprints,” before being moved to California.

‘NULL’ license plate gets security researcher $12K in tickets: A vanity plate reading “NULL” sounded good to security researcher/hacker “Droogie,” at least in theory: maybe it would make his plate invisible to Automatic License Plate Reader (ALPR) systems?! Maybe entering the characters – NULL is the marker used in Structured Query Language (SQL) databases to indicate that a data value doesn’t exist – would just return error messages when his plate was spotted during one of his traffic violations? That’s not what happened, he told an audience at the recent Defcon security conference. Instead, $12,000 in traffic violation fines happened. "I thought, ‘I’m gonna be invisible.’ Instead, I got all the tickets."
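The data-handling failure behind the NULL plate story, as an added example that is not from the article or from any real ticketing system: a small sqlite3 model in which a hypothetical import step coerces a missing plate to the text "NULL", so every plate-less ticket is attributed to the driver whose plate really reads NULL, beside the hardened version that keeps a missing plate as SQL NULL, which never compares equal to any plate text.

```python
"""Why a vanity plate spelling "NULL" collides with "no plate on record".

Added example, not code from the article. The ticket records below are
constructed, and the flawed import step is hypothetical: it stands in
for any pipeline that stringifies a missing value into the text 'NULL'.
"""
import sqlite3
from typing import Optional

# Constructed sample of plate-reader tickets: (plate as read, fine in USD).
# None means the camera or officer recorded no valid plate at all.
READINGS = [
    ("NULL", 50),     # the researcher's real vanity plate
    (None, 200),      # a car with no valid plate
    (None, 350),      # another car with no valid plate
    ("ABC123", 75),   # an unrelated plate
]


def serialise_plate_badly(plate: Optional[str]) -> str:
    """Flawed import step (hypothetical): a str()-style coercion turns a
    missing plate into the four letters 'NULL', indistinguishable from a
    real plate that happens to spell NULL."""
    return "NULL" if plate is None else plate


def build_db(keep_missing_as_null: bool) -> sqlite3.Connection:
    """Load READINGS into an in-memory table, either preserving SQL NULL
    (hardened) or coercing it to the text 'NULL' (flawed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (plate TEXT, fine INTEGER NOT NULL)")
    for plate, fine in READINGS:
        stored = plate if keep_missing_as_null else serialise_plate_badly(plate)
        # sqlite3 binds Python None as SQL NULL, so the hardened path never
        # stores a placeholder string that could match a real plate.
        conn.execute("INSERT INTO tickets (plate, fine) VALUES (?, ?)", (stored, fine))
    conn.commit()
    return conn


def fines_for_plate(conn: sqlite3.Connection, plate: str) -> int:
    """Total fines the system would attribute to one registered plate."""
    row = conn.execute(
        "SELECT COALESCE(SUM(fine), 0) FROM tickets WHERE plate = ?", (plate,)
    ).fetchone()
    return row[0]


def unattributed_fines(conn: sqlite3.Connection) -> int:
    """Fines with no plate on record. SQL NULL never compares equal to
    anything, so these rows are only reachable through IS NULL and can
    never be matched to a driver by plate text."""
    row = conn.execute(
        "SELECT COALESCE(SUM(fine), 0) FROM tickets WHERE plate IS NULL"
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    flawed = build_db(keep_missing_as_null=False)
    hardened = build_db(keep_missing_as_null=True)
    print("flawed   : NULL plate owes", fines_for_plate(flawed, "NULL"))    # 600
    print("hardened : NULL plate owes", fines_for_plate(hardened, "NULL"))  # 50
    print("hardened : plate-less tickets", unattributed_fines(hardened))    # 550
```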
Every single speeding ticket earned by cars that lacked valid license plates wound up getting assigned to Droogie’s car – turning it into a veritable NULL bucket. Fortunately for Droogie, the $12,000 worth of fines for the NULL plate to date were scrapped by police, but apparently he's still getting tickets. Poor Droogie.

No more secret recordings from your Nest Cam: The setting that enabled users to turn off the status light is being removed on all new cameras. When the cameras’ live video is streamed from the Nest app, the status light will blink. The update will be done over the air for all Nest cams; Google’s update notice said that the company was rolling out the changes as of Wednesday, 14 August 2019, in furtherance of Google’s newest commitment to privacy.

UK: Police catch braggart DDoS-er: A UK man who DDoS-ed police websites was caught and imprisoned after he jeered at police about the attacks on social media. Liam Reece Watts, 20, targeted the Greater Manchester Police (GMP) website in August 2018 and then the Cheshire Police site in March 2019, according to ITV News. Both public-facing websites were disabled for about a day, The Register reported. According to news outlets and Watts’s Twitter posts, the distributed denial-of-service (DDoS) attacks were done in retaliation for Watts having been convicted of calling in bomb hoaxes just days after the 2017 Manchester Arena suicide attack left 22 people dead and 500 injured. Watts, who was 19 at the time of the DDoS attacks, was caught after he taunted police through Twitter, where he used the handle Synic. Last Monday, he was sentenced to 16 months in a young offenders’ institution, was given a five-year restraining order to stop him from deleting his browsing history, and had to hand over his computers for destruction. (One assumes the restraining order pertains to whatever computer(s) he buys to replace the demolished ones.) Watts was also handed a victim surcharge of £140 (USD $169).
“Sorry”, Microsoft won’t shift on AI recordings policy: Microsoft recently admitted that humans sometimes hear your sensitive voice conversations, but that doesn’t mean it’s going to stop. Rather than abandoning the use of human contractors to improve its AI accuracy, the company has simply decided to be more transparent about it. Earlier this month, Microsoft was found to be sharing users' conversations from its Skype Translator product, an AI-powered system that translates in near real-time between 10 languages, with contractors. It also let contractors listen to audio from user conversations with its Cortana voice assistant. Whereas other companies have made a cursory effort to suspend the sharing of voice recordings from AI technology, Microsoft has instead just updated its privacy policy.

US: Galaxy S10 is the first US DoD-approved 5G phone: “Samsung Electronics America, Inc., announces that its flagship products continue to obtain federal certification with the recent approval of the Samsung Galaxy S10 series. Note9 and Galaxy S9 join the Galaxy S8/S8+ and Note8 in receiving the Security Technical Implementation Guide (STIG) approval necessary for deployment within the Department of Defense (DoD),” reads the official announcement published by Samsung. “With the full S10 series approved, including the S10 5G, this marks the first 5G device to receive STIG approval for the US federal government that will allow the federal workforce to take advantage of 5G-enabled environments.”

Uganda, Zambia Deny Huawei Helped Spy on Political Opponents: The Wall Street Journal (WSJ) reported last week that Huawei technicians helped the two African governments intercept communications and social media activity of their opponents, while also tracking their movements. The article also reported that Huawei operated a video and cyber surveillance system in Algeria, which the company denied. (Algeria's foreign ministry did not respond to requests for comment.)
In Uganda, the WSJ reported that Huawei technicians helped Ugandan authorities use spyware to monitor pop star turned opposition icon Bobi Wine. Wine, whose real name is Robert Kyagulanyi, became a lawmaker in 2017 and is preparing to challenge President Yoweri Museveni in Uganda's 2021 presidential election. According to The Wall Street Journal, Huawei's assistance enabled Ugandan authorities to disrupt Wine's plans for concerts they feared would turn into political rallies.

Ransomware attack hits local Texas government: A wide-ranging ransomware attack has hit 23 government entities in Texas, most of them “smaller, local governments.” "At this time, the evidence gathered indicates the attacks came from one single threat actor," the Texas Department of Information Resources (DIR) confirmed Saturday. The attack took place on Friday morning, August 16, US time, when several smaller local Texas governments reported problems with accessing their data to the DIR.

Point-of-sale breach hits Hy-Vee locations: Iowa-based Hy-Vee, one of the biggest employee-owned supermarket chains in the US with over 250 stores, is warning customers that card transactions made at Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (Market Grilles, Market Grille Expresses, and Wahlburgers) may have been recorded by hackers. Customers who believe they might have had their card data compromised should check credit card statements regularly for suspicious transactions. "If you see an unauthorized charge, immediately notify the financial institution that issued the card because cardholders are not generally responsible for unauthorized charges reported in a timely manner."

Chrome add-on notifies users of a leaked password in use, but only 26% change it on warning.
In March this year, after Google released a Chrome extension called Password Checkup to check whether people's username and password combinations had been stolen or leaked from website databases, computer scientists at Stanford University gathered anonymous telemetry from 670,000 people who installed the add-on. In the data from 21M logins, they found that only 1.5% used exposed credentials. "Our results highlight how surfacing actionable security information can help mitigate the risk of account hijacking." The risk, to which the title of the paper alludes, is credential stuffing (which we covered in last week's SMU).

4.1B Records Exposed in Breaches in First Half of 2019
Tara Seals: Across the board, email addresses and passwords remain prized targets, with email addresses exposed in approximately 70 percent of reported breaches and passwords exposed in approximately 65 percent of reported breaches. Troves of username and password combinations continue to become available on forums and file-sharing sites, according to the report, while phishing for access credentials — a perennially popular method for gaining access to systems and services – is surging. Businesses accounted for 67 percent of reported breaches and 84.6 percent of records exposed. This was followed by medical (14 percent), government (12 percent) and education (7 percent).

UK ICO Investigates Facial Recognition Technology in King's Cross
The UK Information Commissioner's Office (ICO) has launched an investigation into the use of facial recognition technology in London's King's Cross station area, calling the technology "a potential threat to privacy that should concern us all." The announcement followed news of the technology's use at Granary Square, a large, private development nearby. Granary Square is a 67-acre development comprising 50 buildings. Press reports detailing the use of facial recognition in security cameras at the site first surfaced on Monday.
According to the Guardian, its developers, Argent, Hermes Investment Management and AustralianSuper, admitted to using facial recognition technology "in the interest of public safety and to ensure that everyone who visits has the best possible experience."

CafePress Slammed After Major Breach Affecting 23 Million
Online merchandise store CafePress has been criticized for poor incident response and cybersecurity after it emerged that over 23 million customers had their personal data stolen. Breach notification site HaveIBeenPwned? was apparently the first many customers heard about the incident, which it said occurred in February this year. “The exposed data included 23 million unique email addresses with some records also containing names, physical addresses, phone numbers and passwords stored as SHA-1 hashes,” it said in a brief note. The site appears to have been notified about the incident by security researcher Jim Scott. There still doesn’t appear to be any kind of notification on the official CafePress website or Twitter feed. In fact, according to some customers who logged in to their accounts, the firm is forcing users to change their credentials, but merely as part of a claimed ‘update’ to its password policy. “The bad habit of user password reuse means that while CafePress logins may be protected by the forced password reset, any re-use of passwords may lead to consequences for users. Sadly withholding this information is a very bad practice.”

Credential stuffing - What is it?
Credential stuffing attacks are becoming a frequent threat, as companies such as PCM, Sky, Dunkin’ Donuts, State Farm and, last week, Transport for London (TFL) learned with their Oyster cards. So what are they?
Wikipedia says, "Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. The attacker automates the logins for thousands to millions of previously discovered credential pairs using standard web automation tools like Selenium, cURL, PhantomJS or tools designed specifically for these types of attacks like Sentry MBA".

What can you do to prevent becoming a victim of this type of attack? Figure out a system for yourself where you have a different password for every website you visit. "What? I could never remember all that" ... you won't need to. Let me explain.

First: consider creating a unique e-mail address not containing your username ... and a unique password that can be used with each account.

Next: start with a new Gmail account. As an example, I might create an account called [email protected] and use it as a name at various sites with the website name or the first 3 letters of the site name appended to the end. For AWS it becomes [email protected]. Gmail drops anything after the + so it's still [email protected], and any mail going to that account can be forwarded from that account to my primary account, but it's unique as a username. (Just remember that Google tracks purchases by reading your e-mails, as covered in a previous weekly update.)

Next, consider a similar scheme for your passwords. These can be tracked in something as simple as a password manager or an encrypted spreadsheet. Put 2-factor/multi-factor authentication in place for every website that supports it. Even SMS beats just a password, and authenticator apps like Google Authenticator, Authy or the new open source andOTP are better options.
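Credential stuffing as defined above has a recognisable server-side shape: one source trying many different usernames roughly once each, mostly failing, with the odd success marking an account whose reused password worked. That is distinct from classic password guessing against a single account. The following is an added example (not from the original post); it uses a constructed log format and illustrative thresholds, parses login attempts, flags both patterns per source IP, and lists the accounts that succeeded inside a stuffing burst, since those are the ones that need a forced reset.

```python
"""Spot credential-stuffing bursts in web login logs.

Added example; not code from the original page. The log line format is
constructed for this example: one attempt per line, space-separated
key=value fields, e.g.
    ts=2019-08-20T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    verdict: str            # "credential_stuffing" or "password_guessing"
    attempts: int
    distinct_users: int
    failures: int
    compromised: List[str]  # accounts that logged in OK inside the burst


def parse_line(line: str) -> Optional[Attempt]:
    """Parse one log line; return None for lines lacking required fields."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return Attempt(
            ts=datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            ip=kv["ip"],
            user=kv["user"].lower(),
            ok=kv["result"] == "OK",
        )
    except (KeyError, ValueError):
        return None


def analyze(lines, window=timedelta(minutes=10), min_attempts=6,
            min_users=5, min_fail_ratio=0.7) -> Dict[str, Finding]:
    """Return one Finding per source IP whose largest `window` of attempts
    matches a stuffing or guessing pattern. Thresholds are illustrative."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for line in lines:
        a = parse_line(line)
        if a:
            by_ip[a.ip].append(a)

    findings: Dict[str, Finding] = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        j = 0
        for i in range(len(attempts)):
            # Grow [i, j) to cover every attempt within `window` of attempts[i];
            # j only moves forward because the list is time-sorted.
            while j < len(attempts) and attempts[j].ts - attempts[i].ts <= window:
                j += 1
            burst = attempts[i:j]
            if len(burst) < min_attempts:
                continue
            failures = sum(1 for a in burst if not a.ok)
            if failures / len(burst) < min_fail_ratio:
                continue
            users = {a.user for a in burst}
            if len(users) >= min_users:
                verdict = "credential_stuffing"   # many accounts, ~1 try each
            elif len(users) == 1:
                verdict = "password_guessing"     # one account, many tries
            else:
                continue
            ok_users = sorted({a.user for a in burst if a.ok})
            f = Finding(verdict, len(burst), len(users), failures, ok_users)
            prev = findings.get(ip)
            if prev is None or f.attempts > prev.attempts:
                findings[ip] = f  # keep the largest matching burst per source
    return findings


# Constructed sample: one stuffing source (with a single success), one
# single-account guesser, one ordinary user, one junk line.
SAMPLE_LOG = """\
ts=2019-08-20T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
ts=2019-08-20T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
ts=2019-08-20T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
ts=2019-08-20T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
ts=2019-08-20T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
ts=2019-08-20T10:00:05Z ip=203.0.113.5 user=frank@example.com result=FAIL
ts=2019-08-20T10:00:06Z ip=203.0.113.5 user=grace@example.com result=FAIL
ts=2019-08-20T10:00:07Z ip=203.0.113.5 user=heidi@example.com result=FAIL
ts=2019-08-20T10:01:00Z ip=198.51.100.7 user=victor@example.com result=FAIL
ts=2019-08-20T10:01:05Z ip=198.51.100.7 user=victor@example.com result=FAIL
ts=2019-08-20T10:01:10Z ip=198.51.100.7 user=victor@example.com result=FAIL
ts=2019-08-20T10:01:15Z ip=198.51.100.7 user=victor@example.com result=FAIL
ts=2019-08-20T10:01:20Z ip=198.51.100.7 user=victor@example.com result=FAIL
ts=2019-08-20T10:01:25Z ip=198.51.100.7 user=victor@example.com result=FAIL
ts=2019-08-20T09:30:00Z ip=192.0.2.44 user=ivan@example.com result=FAIL
ts=2019-08-20T09:30:20Z ip=192.0.2.44 user=ivan@example.com result=OK
garbage line without fields
"""

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f.verdict}, {f.attempts} attempts, "
              f"{f.distinct_users} users, compromised={f.compromised}")
```

Real deployments would also key on device fingerprint or ASN, since stuffing tools rotate source addresses, but the per-account versus per-source shape shown here is the signal that survives that rotation.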
When a website is compromised (plan on that happening these days), you won't have to worry about your other accounts being compromised too!

iPads to steer destroyers?
The Navy destroyer USS John S. McCain crashed into a chemical tanker in a shipping lane off Singapore in August 2017. The investigation found multiple causes, but among them was confusion created when throttle and steering functions were split between two different iPad consoles. Control of the port and starboard throttles was split between two helm stations, so when a helmsman thought he was slowing both throttles he was in fact only slowing one, causing a sharp turn into the tanker. Another issue raised was ships' AIS (Automatic Identification System) receivers. These are currently based on laptops relying on a cable connection to other systems. Sailors complained that the laptops were often stuck behind other equipment and hard to access.

South Wales Police Slammed for New Facial Recog App
South Wales Police in the UK are set to begin a trial of controversial facial recognition technology this month, even as rights groups challenge its legality in the courts. The police force is reported to be using hardware from NEC and an in-house developed software UI to provide it with a second set of eyes to scan crowds of people and identify those that may be on a watch list. The app-based automatic facial recognition (AFR) system measures the distance between individuals’ facial features to match those on the list with people in a crowd. However, it has been heavily criticized: a report from Big Brother Watch last year claimed that false positives in a trial by the Metropolitan Police reached 98%, while South Wales Police stored images of 2400 innocent people incorrectly matched by AFR for a year without their knowledge.

DEF CON 2019: Picture Perfect Hack of a Canon EOS 80D DSLR
This one had me giggling: crypto malware on your digital SLR. "All your pictures have been encrypted".
Security researcher Eyal Itkin discovered several security vulnerabilities in the firmware of Canon cameras that can be exploited over both USB and WiFi, allowing attackers to compromise and take over the camera and its features. All these vulnerabilities reside in the way Canon implements Picture Transfer Protocol (PTP) in its firmware, a standard protocol that modern DSLR cameras use to transfer files between the camera and a computer or mobile device over USB or WiFi.

NSA program trains high school students in work study program
The National Security Agency (NSA) is tapping high school students, as part of a work study program, to polish their cyber skills and lure them into careers in intelligence. “Once they’re here they get that sense of purpose from what they’re doing every day and they see that they can do things here that they can’t do anywhere else,” a CNN report cited an NSA recruiter as saying. “We want to get them in and get them interested early to the mission so they can have a long career here. There’s more emphasis now on student programs than I think there’s ever been to try to get them when they’re young.” Participants in the program, which is 150 students strong, must obtain top secret security clearance to handle ultra-sensitive information.

Over 40 Drivers Could Let Hackers Install Persistent Backdoor On Windows PCs
A team of security researchers has discovered high-risk security vulnerabilities in more than 40 drivers from at least 20 different vendors that could allow attackers to gain the most privileged permissions on the system and hide malware in a way that remains undetected over time, sometimes for years. For sophisticated attackers, maintaining persistence after compromising a system is one of the most important tasks, and to achieve this, existing hardware vulnerabilities sometimes play an important role. Worse, all the vulnerable drivers, covering kit from the vendors listed below, have been certified by Microsoft.
American Megatrends International (AMI), ASRock, ASUSTeK Computer, ATI Technologies (AMD), Biostar, EVGA, Getac, GIGABYTE, Huawei, Insyde, Intel, Micro-Star International (MSI), NVIDIA, Phoenix Technologies, Realtek Semiconductor, SuperMicro, Toshiba and 3 more that could not be divulged due to security concerns.

Should Facebook have a “quiet period” of no algorithm changes before a major election?
Jennifer Grygiel: Several Facebook News Feed updates leading up to the 2016 U.S. election disadvantaged traditional news sources and favored less reliable information shared by your uncle. Should regulation keep the playing field static? In mid-2015, Facebook introduced a major algorithm change that pivoted readers away from journalism and news, to deliver more updates from their friends and family. The change was couched in friendly language suggesting Facebook was trying to make sure users didn’t miss stories from friends. But social media data shows that one effect of the change was to reduce the number of interactions Facebook users had with credible news outlets. A few months before the 2016 election, an even bigger algorithm change toward friends and family posts took a second toll on publisher traffic. A wide range of news publishers found that their content was significantly less visible to Facebook users. In my research, I looked at Facebook engagement for mainstream news outlets surrounding the 2016 election. My findings support others’ conclusions that Facebook’s algorithm greatly suppressed public engagement with these publishers. Voter interest in the presidential election was higher in 2016 than in the previous two decades, and misinformation was rampant. Facebook’s changes meant that key news organizations across the political spectrum had a harder time getting the word out about credible election news and reporting.
Just after the election, reporter Craig Silverman’s research at BuzzFeed showed that fake election news had outperformed “real news.” In late 2018, Facebook’s own company statement revealed issues with how its algorithm rewarded “borderline content” that was sensational and provocative, like much of the hyperpartisan news that trended in advance of the election. More recent research by Harvard’s Shorenstein Center shows that Facebook traffic continued to decrease significantly for publishers after a further Facebook algorithm change in January 2018. In the financial industry, “quiet periods” in advance of major corporate announcements seek to prevent marketing and public relations efforts from artificially influencing stock prices. Similar protections for algorithms against corporate manipulation could help ensure that politically active, power-seeking Facebook executives — or any other company with significant control over users’ access to information — can’t use their systems to shape public opinion or voting behavior.

Hack of High-End Hotel Smart Locks Shows IoT Security Fail
The name of the hotel group has been withheld over security concerns, but here is how the compromise works: first, using Android devices, white hat hackers enabled debug mode and activated the HCI snoop log, while on iOS devices they installed the Apple Bluetooth Debug Certificate on the device. Then, to actually monitor the traffic, they used wireless sniffers, packet analyzers that specifically capture data on wireless networks, such as Wireshark (live view) or the Adafruit Bluefruit LE Sniffer (though the researchers created their own tool for a more reliable attack). After monitoring the traffic and specifically inspecting the credential packet, the hackers found the mobile key system to be vulnerable to a key stealing attack, which would allow them to circumvent the vendor’s method of replay protection.
They then developed an exploit that allowed them to perform an array of malicious functions. There are some drawbacks: an attacker would need to be local and would need to identify the lock’s MAC address in advance. However, with these requirements, researchers were able to break into a hotel room. Update issues: after discovering the vulnerabilities, the white hat hackers first notified the lock vendor on April 18. In May, the vendor acknowledged the vulnerability, and on June 28, the vendor discussed update plans – however, the system remains unpatched as of last Thursday.

And from Black Hat
Phony Phones: These phones look great, but they're actually low-cost fakes from China. Each costs about $50 and comes preloaded with malware for no extra charge! The bogus iPhone is particularly impressive. It runs a highly modified version of Android that's a dead ringer for iOS.

Heavy dependence on GPS? GPS is great; it helps you get where you need to go and you don't have to keep a musty atlas in your car anymore. But Global Navigation Satellite Systems (GNSS) like GPS are easily spoofed, and that's a problem if you're designing an autonomous vehicle that relies too heavily on GNSS. A fundamental problem with GNSS systems, Murray said, is they lack integrity mechanisms. That means there's no way for the receiving antenna to know if the signal it sees is legitimate. GNSS signals are also very low power, meaning it's easy to drown out legitimate GNSS broadcasts with malicious ones. Murray put it in blunt terms: "All of our receivers are susceptible to spoofing." In the demo, the team changed the velocity data to make it appear that the car was going faster, causing it to miss its turn and drive itself off the road. In another example, the team sent bogus signals indicating that the car was stopped as it slowed to approach an intersection. In a video showing the attack, the car starts to turn and lurch erratically. "As soon as it stops it becomes unstable," said Murray.
"It has no feedback and doesn't know where to turn."

Pwned by Text
Every now and again you'll see a story about a security company or a government that has a super-secret iPhone vulnerability it's using for some such nefarious activity. One Google security researcher wondered if such things could really exist, and found 10 bugs in the process. In the end, she and her colleague were able to extract files and partially seize control of an iPhone just by sending it text messages.

APT41 Is Not Your Usual Chinese Hacker Group
APT41 is 'highly agile and persistent.' In one instance, the group deployed over 150 unique pieces of malware in a year-long campaign against a single target. But what makes APT41 unique are the efforts it has allegedly taken to enrich itself. Security firm FireEye identified two forum users trading under the names "Zhang Xuguang" and "Wolfzhi" who advertised their hacking skills. The hours of operation of these accounts match the hours when APT41 is actively attacking video game targets, suggesting APT41 is taking jobs on the side — "moonlighting." In order to bring in revenue, "APT41 has manipulated virtual currencies and even attempted to deploy ransomware," writes FireEye. APT41 has allegedly targeted developers, breaking into their networks and stealing digital certificates in order to sign malicious code. Properly signed, this malware is accepted as legitimate, allowing it to be distributed to targets. FireEye describes this as a "supply chain" attack, and says it's a hallmark of APT41's operations. APT41 has enjoyed much success, but its best trick appears to be its pursuit of profit. "APT41's links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enable it to conduct its own for-profit activities, or authorities are willing to overlook them," writes FireEye. "It is also possible that APT41 has simply evaded scrutiny from Chinese authorities."
5G is better, but there are weaknesses
At the heart of the attacks demonstrated at Black Hat is a mechanism modems use to communicate with cellular base stations and the core network to which those base stations are connected. Each modem has a little list inside of it that outlines what the modem is allowed to do. These are called capabilities, Shaik explained, and are set by the companies that build the modems. For example, a phone will have a voice calling capability enabled, while a smart fridge will probably have the voice calling capability disabled. There are "thousands of optional features defined for the modem," and they all get passed in clear text before the encrypted communication begins. This allows network mapping of device type, manufacturer and use. Bidding down means a rogue interceptor can reset the communication speed low enough to wreak havoc (for up to 7 days), and the last attack is forcing a device out of power-save mode, causing it to run down in a fraction of its intended lifespan.

And that Boeing 787 hack. Well, it turns out that Ruben Santamarta, who made the discovery, has a fear of flying; his research tells you why, but because he won't go on a plane it remains largely untested. Boeing says, "Nothing to worry about," but peers see it differently. He has deconstructed the firmware and found that all navigation (IDN), entertainment (CDN) and inflight radio (ODN) come together into one cabinet. First suggestion? Triggering a firmware update while in flight. Boeing isn't talking, but expect more on this topic over the coming months.

Amazon's New 'Prime Air' Drone Can Morph From Helicopter to Plane
The redesigned Prime Air drone is a 'hybrid' craft, which can take off and land like a helicopter, but also glide through the air like a plane. The FAA on Wednesday also gave the company a special certificate to run R&D-related flights with the drone.
"Through the use of computer-vision techniques we've invented, our drones can recognize and avoid wires as they descend into, and ascend out of, a customer's yard," Amazon said. The goal of "Prime Air" is to create a fully electric machine capable of flying up to 15 miles that can also deliver a package under five pounds within 30 minutes.

US military purchased $32.8m worth of electronics with known security risks
These acquisitions were made by Army and Air Force employees using payment cards issued by the government for micro-purchases of under $10,000. As a result of these purchases, the Department of Defense (DOD)'s Inspector General (IG) believes the Army and Air Force are introducing vulnerable equipment into their networks that may be exploited by US adversaries. The report specifically listed Lexmark printers, GoPro cameras, and Lenovo computers as examples of problematic products. Purchasing printers from Lexmark was a big mistake, auditors said, citing a 2018 Congressional report on supply chain vulnerabilities that warned against using Lexmark devices, claiming the China-based company had connections to the Chinese military, and the country's nuclear and cyberespionage programs. In addition, the DODIG also pointed out that Lexmark printers have been impacted by more than 20 vulnerabilities in the past, "including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer." Furthermore, the Army and Air Force also bought 117 GoPro action cameras worth nearly $98,000. "However, the cameras have vulnerabilities that could allow a remote attacker access to the stored network credentials and live video streams," auditors said. In 2006, the State Department banned the use of Lenovo computers on their classified networks after reports that Lenovo computers were manufactured with hidden hardware or software used for cyberespionage.
The DHS issued a similar warning in 2015 about Lenovo computers containing pre-installed spyware, along with various critical vulnerabilities. The DODIG report blamed these purchases on DOD management errors. Auditors said the DOD failed to establish a department to develop a strategy for managing cybersecurity risks and which could put together a list of approved products that DOD staffers could consult before making purchases. And because the DoD is having such a tough time sorting out its shopping lists, two senators introduced... wait for it... the MICROCHIPS Act, short for Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property and Supply (MICROCHIPS), in an attempt to get the US government to pass a law for the creation of a state agency for testing hardware and software that goes into the supply chain of the US military and other federal agencies. Honestly, I couldn't make this up.

E3 Website Accidentally Doxed Contact Info for 2,000 Journalists
For some reason, E3's public website featured a link to a spreadsheet containing the sensitive information, which includes email addresses, addresses and phone numbers for media members who attended the annual gaming show. The "doxing" from the E3 leak risks unleashing a new wave of harassment on the gaming media when many gaming journalists already face personal attacks from online trolls who disagree with their reviews and viewpoints. The danger was underscored in 2014 during the Gamergate controversy when an online harassment campaign targeted several women in the gaming industry, and resulted in death and rape threats against them.

My browser, the spy: How extensions slurped up browsing histories from 4M users
Dan Goodin, for Ars Technica: DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google's account, had as many as 4.1 million users.
These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.” As the founder of Internet hosting service Host Duplex, Sam Jadali first looked into Nacho Analytics late last year after it published a series of links that listed one of his client domains. Jadali said he was concerned because those URLs led to private forum conversations—and only the senders and recipients of the links would have known of the URLs or would have the credentials needed to access the discussion. So how had they ended up on Nacho Analytics? He forensically tested more than 200 different extensions, including one called "Hover Zoom"—and found several that uploaded a user's browsing behavior to developer-designated servers. But none of the extensions sent the specific links that would later be published by Nacho Analytics. He correlated time stamps posted by Nacho Analytics with the time stamps in his own server logs, which were monitoring the client’s domain. That’s when Jadali got the first indication he was on to something; two of his three users told him they had viewed the leaked forum pages with a browser that used Hover Zoom. He set up a fresh installation of Windows and Chrome, then used the Burp Suite security tool and the FoxyProxy Chrome extension to observe how Hover Zoom behaved. This time, though, he found no initial sign of data collection, so he remained patient. Then, he said, after more than three weeks of lying dormant, the extension uploaded its first batch of visited URLs. Within a couple of hours, he said, the visited links, which referenced domains controlled by Jadali, were published on Nacho Analytics. 
More testing revealed that these extensions were also compromising user data:
Fairshare Unlock, a Chrome extension for accessing premium content for free. (A Firefox version of the extension, available here, collects the same browsing data.)
SpeakIt!, a text-to-speech extension for Chrome.
Hover Zoom, a Chrome extension for enlarging images.
PanelMeasurement, a Chrome extension for finding market research surveys.
Super Zoom, another image extension for both Chrome and Firefox. Google and Mozilla removed Super Zoom from their add-ons stores in February or March, after Jadali reported its data collection behavior. Even after that removal, the extension continued to collect browsing behavior on the researcher’s lab computer weeks later.
SaveFrom.net Helper, a Firefox extension that promises to make Internet downloading easier. Jadali observed the data collection only in an extension version downloaded from the developer. He did not observe the behavior in the version that was previously available from Mozilla’s add-ons store.
Branded Surveys, which offers chances to receive cash and other prizes in return for completing online surveys.
Panel Community Surveys, another app that offers rewards for answering online surveys.
Principals with both Nacho Analytics and the browser extensions say that any data collection is strictly "opt in." They also insist that links are anonymized and scrubbed of sensitive data before being published. Ars, however, saw numerous cases where names, locations, and other sensitive data appeared directly in URLs, in page titles, or by clicking on the links.

Class-action lawsuit filed in California against Capital One and GitHub
Capital One and GitHub have been sued this week as part of a class-action lawsuit filed in California on allegations of failing to secure or prevent a security breach during which the personal details of more than 106 million users were stolen by a hacker.
While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted details about the hack on the code-sharing site. The lawsuit claims that "decisions by GitHub's management [...] allowed the hacked data to be posted, displayed, used, and/or otherwise available." According to the lawsuit, details about the Capital One hack were available from April 21, 2019, to mid-July before they were taken down. "GitHub knew or should have known that obviously hacked data had been posted to GitHub.com," the lawsuit claims. The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act.

Satellites and planes are not enough, now the US Gov't will use balloons to track activity on the ground below
Government contractor Sierra Nevada Corporation – the aerospace company, not the brewery – has released balloons that will drift over a large area in the United States' Midwest: South Dakota, Iowa, Minnesota, Wisconsin, Missouri, and Illinois, to form a network capable of monitoring and tracking activity on the ground over massive distances. The Pentagon-ordered tests, involving 25 balloons cruising at 65,000-odd feet, will run from July 12 to September 1. It is understood the craft are carrying radar equipment to track the movement of vehicles far below. The Guardian newspaper noted that Sierra Nevada's other contracts with the US government are for small aircraft that have been equipped with cameras and sensors and used to provide images and surveillance in Mexico, Central America, and the Caribbean.

Poshmark Tells Users to Reset Passwords After Data Breach
Hackers have breached Poshmark, a popular online marketplace for used clothing, and stolen customer information. The looted data includes customers' full names, genders, cities, email addresses, linked social media profiles, and account passwords—but in a hashed cryptographic form.
The breach only ensnared the US-based constituents of its 40 million members.

Hey, Apple! 'Opt Out' Is Not Good Enough. Let People Opt In
Brian Barrett: Like Google and Amazon before it, Apple has been caught sending voice assistant recordings to contractors, who listen to snippets of your requests and conversations, without telling anyone. In response to the privacy concerns that raises, Apple says it will eventually give users control over whether their Siri data gets sent to third-party eavesdroppers, but it's unclear whether that consent will be opt-in or opt-out. Google and Amazon offer the latter. And it's not nearly good enough.

Woot Woot Amazon Prime day - stay safe!
Prime days are already here. Cybercriminals never miss an opportunity, and that even applies to Amazon sale days. Never click on e-mail promotional links for Amazon, as they are more likely than not to be fake. Set 2FA/MFA on your Amazon account... you can use anything from Authy and Google Authenticator to SMS texts (and frankly even that is better than just a password).

In memoriam – Corby Corbató, MIT computer science pioneer, dies at 93
July 11 2019. Fernando José Corbató, better known simply as Corby. Corby won the 1990 Alan Turing Award – the equivalent of a Nobel Prize in Computer Science: for his pioneering work organizing the concepts and leading the development of the general-purpose, large-scale, time-sharing and resource-sharing computer systems, CTSS and Multics. Most people who use Linux know that the name is a sort-of pun on Unix, the operating system that Linux most resembles. But nowhere near as many people realize that the name Unix was originally Unics, and was itself a pun on Multics, the ground-breaking multiuser operating system that gave rise to the Unix project itself. Multics, in turn, was essentially Version 2 of a Massachusetts Institute of Technology (MIT) operating system called CTSS, short for Compatible Time-Sharing System. CTSS offered a whole new way of organizing computation, one that we take for granted these days on our laptops, servers and phones. You could run programs in the background as batch jobs, or in the foreground as interactive sessions, and that was “you (plural)”, because several users could be running interactive sessions at the same time.

Police in the UK, backed by the government, are testing a facial-recognition system that is 20 percent accurate
Adam Smith: Britain has a close relationship with security cameras. London alone has one of the highest ratios of surveillance cameras per citizen in the developed world.
Estimates from 2002 put the number of surveillance cameras in Greater London at more than 500,000; around 110 are used by the City of London Police, according to data obtained through a 2018 Freedom of Information request. Being recorded apparently is not enough; London's Metropolitan Police Service has been testing the use of facial-recognition cameras, and the effort has the support of Home Secretary Sajid Javid—who oversees immigration, citizenship, the police force, and the security service. "I think it's right they look at that," he said, according to the BBC.

What Is Doxxing?
Doxxing is revealing and publishing someone’s personal information. This information is collected through various means and is combined together to create a complete profile of personal data. It's not just social media; there is a lot more on the internet about us that we might not share ourselves, like property registration details, dates of birth of children, school and workplace details of family members, phone numbers, location details, and other data. These details are not vulnerable on their own, as each is just a piece of information with no background, but if they are combined together and arranged in a proper manner, these minor details may become problematic. The primary victims of doxxing are celebrities. (So, you, of course.) Most often doxxing is used as a means to attack opponents; to defame public figures and influential personalities. To limit this threat: control your use of social media; if you own a blog, opt for WHOis protection (WHOis protection, or domain privacy, is the ability to mask the information you used to register your domain name; when you purchase a domain from a registrar like GoDaddy, Google, or any other registrar for that matter, they are required to report specific bits of information about the consumer for public record); delete past records (comments and posts); use a VPN when web surfing; and use different e-mails for different activities.

More than 180,000 routers in Brazil had their DNS settings changed in Q1 2019
Catalin Cimpanu: Most of the Brazilian home routers were hacked while visiting sports, movie streaming sites, or adult portals. On these sites, malvertising runs special code inside users' browsers to search for and detect the IP address of their home router, and its brand and model. When they detect the router's IP and type, the adware uses a list of default usernames and passwords to log into users' devices, without their knowledge. If the attacks are successful, additional code modifies the default DNS settings on the victims' routers, replacing the DNS server IP addresses routers receive from the upstream ISPs with the IP addresses of DNS servers managed by the hackers. The next time the users' smartphone or computer connects to the router, it will receive the alternate DNS server IP addresses, and in this way funnel all DNS requests through the attacker's servers, allowing them to hijack and redirect traffic to malicious clone sites, stealing account login details and passwords. Three different attack variants have evolved, the last of which is based on Sonar.js, a tool typically used for penetration testing of network components. The big question is why this activity so far has been concentrated only in Brazil. Expect it to make its way to a network near you soon. In the meantime, use complex router admin passwords (i.e. change the default), keep your router patched and verify your DNS settings.
Premera Blue Cross to pay $10 million to 30 states over data breach
Premera Blue Cross has consented to pay $10 million as compensation for a nearly year-long (May 5, 2014 through March 6, 2015) data breach that impacted more than 10.4 million health patients, Washington state Attorney General Bob Ferguson announced on July 11, 2019. Of those funds, $5.4 million will go to Washington, with the remaining $4.6 million split among the other 29 states. Premera has also been ordered to hire a Chief Information Security Officer (CISO) and a Chief Compliance Officer (CCO), provide data security reports to the Attorney General (AG), and create a training program for employees.