A collection point
...and some of my own.
Meetup Critical Flaws Allow ‘Group’ Takeover, Payment Theft

A popular online social service, Meetup, has fixed several critical flaws in its website. If exploited, the flaws could have enabled attackers to hijack any Meetup “group,” access the group’s member details and even redirect Meetup payments to an attacker-owned PayPal account. Meetup is a service with a user base of over 35 million users, used to organize online groups with events for people with similar interests. These events are either for free, or participants can register for a fee using PayPal. While events are typically in person, in light of the ongoing pandemic, many events have moved to virtual settings.

“Checkmarx found several ‘more-common’ API security issues like lack of resources and rate-limiting and excessive data exposure, as well as some serious cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on Meetup.com that could put users at risk,” said researchers with Checkmarx, in research disclosed last week at Black Hat USA 2020.

Zoom Just Made A Major China Move Amid TikTok Ban Fears

Kate O'Flaherty: Video conferencing platform Zoom has confirmed it will suspend all direct sales to mainland China from August 23 as it looks to distance itself from the country amid growing scrutiny of firms such as TikTok in the U.S. Zoom made the announcement today (August 3) that it would move to a partner-only model in China in an email seen by Reuters. Bizconf Communications, Suiri Zhumu Video Conference, and Systec Umeet were listed as the partners that can offer Zoom’s commercial services to customers in China.

Zoom has already pulled back in China. In May it confirmed there would be no new free user registrations in the country and enterprise customers would be restricted to those signing up through authorized sales reps. In June, Zoom was criticized after banning three users organizing memorials to mark the Tiananmen Square massacre at the request of Beijing. It’s reversed the decision, but Forbes’ Thomas Brewster reported how the firm was still going to help China block accounts of users in the country. It had also been in trouble when researchers found Zoom routed data through China—although the video conferencing firm quickly made changes to address this.

Also in June, Justice Department Assistant Attorney General John Demers, Hawley and Blumenthal said in a letter that they were “extremely concerned” Zoom and TikTok had potentially disclosed private American information to the Chinese Communist Party (CCP) and censored content on the CCP’s behalf. “As tens of millions of Americans turn to Zoom and TikTok during the COVID-19 pandemic, few know that the privacy of their data and their freedom of expression is under threat due to the relationship of these companies to the Chinese government,” the senators wrote. “Of particular concern, both Zoom and TikTok have sought to conceal and distract from their meaningful ties to China, holding themselves out as American companies.”

But the two companies are very different. TikTok (which is earmarked for a sale to Microsoft) is currently owned by a Chinese company with its HQ in Beijing, ByteDance. Meanwhile, Zoom is based in Silicon Valley, and while its CEO Eric Yuan was born in China, he is now a U.S. citizen. Even so, the senators were also concerned about a Citizen Lab report which alleged that Zoom “appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software.”

The issue is of course political, as Ian Thornton-Trump, former Canadian forces intelligence operator and CISO for threat intelligence firm Cyjax, says. “In recent congressional testimony several witnesses attested to China's continued aggressive innovation and intellectual property theft. My view is this, in part is political pandering and all linked to the deteriorating relationship between China and the U.S.”

So, a sensible move by Zoom, but will it help prevent growing scrutiny in the U.S., where the focus is growing on all firms perceived to have a link—however tenuous—with China?

Havenly Breach Hits Over 1.3 Million Accounts

Phil Muncaster: Havenly has become the latest online firm to suffer a serious breach of customer data after hackers published the information for free on the dark web. Notorious dark web trader ShinyHunters was spotted last week posting the data of nearly 1.4 million accounts online. They’re said to be part of a much bigger 386 million record trove including data from customers of Dave, Promo and HomeChef, which has been previously disclosed.

According to breach notification site HaveIBeenPwned, the data from Havenly customers includes email addresses, names, phone numbers, geographic locations and passwords stored as SHA-1 hashes. However, an email to customers from the interior design company last week failed to mention the compromise of personal data at all, instead focusing on the fact that no financial details were disclosed.

Promo Data Breach Hits 14.6 Million User Accounts

An Israeli marketing video firm this week announced a major breach of user data which appears to have impacted over 14 million accounts. Promo, which describes itself as “the world’s #1 marketing video maker,” revealed in an online notice that a vulnerability in a third-party service was to blame for the incident, which also affected customers of its Slidely business.

“The exposed data includes first name, last name, email address, IP address, approximated user location based on the IP address, gender, as well as encrypted, hashed and salted password to the Promo or Slidely account,” said Promo. “Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded.” In fact, this does seem to be the case, after dark web traders were spotted selling the haul, including 1.4 million cracked passwords.

Finland: The Data that Remains: Testing Android Phones after Factory Resets

Juho Pörhönen: One of the hazards of giving a mobile phone a second life is that data from the previous user could be discoverable by later owners.

Second-Hand Android Devices Hold Onto Data After Factory Reset

During a test of 100 Android devices, 19 percent of the sample (19/100) still held data, with ten of those phones containing non-critical data (SMS and call logs from the carrier). More concerning, however, was that on eight phones, we recovered critical personal data. One phone had critical corporate data.

“Analysis of Data Remanence After Factory Reset, and Sophisticated Attacks on Memory Chips”

For our next analysis, we wanted to expand a recognized Cambridge study on Android’s factory reset performance. Using a sample of 68 phones, we focused again on the most popular models circulating on the European market. The idea was to simulate the user’s real experience using our own test data and accounts, populating the device with multimedia files, SMS, contacts, email accounts, social media, etc. After that, we performed a factory reset, then a memory extraction via forensic tools. We then analyzed the results. In the end, we were able to recover data on 14 phones (20 percent of the sample).

In conclusion, our first study suggests that many IT asset disposal facilities can fail to successfully sanitize a significant percentage of Android devices. Despite claims of phones going through data sanitization processes, previously owned devices still stored user data. This did not seem to depend on the OS version, as data was found up to Android OS 6.0.

Moral of this story? Ensure your phone is fully encrypted. Then wipe it and if you want that absolute certainty ... use a hammer on it, although NIST SP 800-88 media sanitation guidelines now point out that with components getting smaller and smaller, even breaking them into small pieces may leave recoverable data.

US: Foreign Threats Loom Ahead of US Presidential Election

AP: Intelligence officials confirmed in recent days that foreign actors are actively seeking to compromise the private communications of “U.S. political campaigns, candidates and other political targets” while working to compromise the nation’s election infrastructure. Foreign entities are also aggressively spreading disinformation intended to sow voter confusion heading into the fall. There is no evidence that America’s enemies have yet succeeded in penetrating campaigns or state election systems, but Democrat Joe Biden’s presidential campaign confirmed this week that it has faced multiple related threats. The former vice president’s team was reluctant to reveal specifics for fear of giving adversaries useful intelligence.

Bitcoin Transactions Led FBI to Twitter Hackers

By Eduard Kovacs: Court documents made public last week by U.S. authorities following the announcement of charges against three individuals allegedly involved in the recent Twitter attack revealed how some of the hackers were identified by investigators. News of the charges came shortly after Twitter revealed that the attackers gained access to its internal systems and tools, which they later used to take control of tens of high-profile accounts, by using phone spear-phishing. The hackers targeted 130 accounts, but reset the passwords for only 45 of them, many of which were used to post tweets that were part of a bitcoin scam.

The U.S. Department of Justice announced on Friday that it charged 22-year-old Nima Fazeli (aka Rolex, Rolex#0373, and Nim F) of Orlando, Florida, 19-year-old Mason John Sheppard (aka Chaewon and “ever so anxious#001”) of the United Kingdom, and 17-year-old Graham Ivan Clark (aka Kirk#5270), of Tampa, Florida. Clark is believed to be the mastermind of the operation — he is the one who allegedly broke into Twitter’s systems. Fazeli and Sheppard are believed to have helped him sell access to Twitter accounts.

According to court documents, a user with the online moniker Kirk#5270 on the chat service Discord claimed to work for Twitter and offered to provide access to any user account. That is how he met Rolex and Chaewon, who helped him sell access to Twitter accounts, including on the OGUsers.com hacking forum, which specializes in the trading of social media and other online accounts.

In the case of Fazeli, the FBI found information on his OGUsers account in a database that was leaked earlier this year after the hacker website was breached. The FBI reached out to cryptocurrency exchange Coinbase to obtain information on a bitcoin address shared by Rolex on the OGUsers forum. Coinbase records showed that the address received funds from a user named Nim F, which had been registered with an email address that was also used to register the Rolex account on OGUsers. In order to register the Nim F account on Coinbase, the user had to provide an ID for verification, and they provided a driver’s license with the name Nima Fazeli. One of the Coinbase accounts registered by Fazeli had made roughly 1,900 transactions totaling approximately 21 bitcoin (worth $230,000). The investigation showed that Fazeli apparently accessed the Discord and Coinbase accounts using the same IP addresses, which pointed to locations in Florida.

In the case of Sheppard, who also allegedly helped Clark sell access to Twitter accounts, he used the online monikers Chaewon and Mas on OGUsers and “ever so anxious#0001” on Discord. An analysis of the leaked OGUser records led to the discovery of an email address that was also associated with a Coinbase account. Information obtained from Coinbase showed that the account belonged to one Mason Sheppard, an account that had been verified using a driver’s license in the name Mason John Sheppard from the United Kingdom. The driver’s license listed Sheppard’s address and date of birth.

A judge set Clark’s bail at $725,000 on Saturday. David Anderson, U.S. Attorney for the Northern District of California, said Sheppard faces 45 years in prison for the charges brought against him, while Fazeli faces a statutory maximum penalty of 5 years in prison.