The average cost of a data breach is $3.86 million, according to a study by IBM Security and Ponemon Institute. But the cost of “mega breaches,” where 1 million to 50 million records are lost, can run from $40 million to $350 million.
IBM Security and Ponemon conducted interviews with nearly 500 companies that experienced data breaches, and they collected information on hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory requirements, cost of lost business, and loss of reputation.
The incidents affected millions, just as Black Friday, Cyber Monday and the holiday shopping season kicked off.
The annual holiday buying bonanza has officially kicked off for 2018, and, as if on cue, a pair of security incidents at two of the most-used services this time of year – the U.S. Postal Service and Amazon – showed up to remind us of the dangers of shopping season. Both hinged on improper API use – and point to an oft-overlooked weakness that is all too common in network security strategies.
The data exposures come as holiday attacks are set to worsen. According to Carbon Black’s Holiday Threat Report, released Monday, seasonal cyberattacks are on pace to increase by 60 percent from last year, spiking on “Cyber Monday” and remaining at elevated levels throughout the holiday season.
A full 60 million U.S. cards were compromised in the past 12 months. While 93 percent of those were EMV chip-enabled, merchants continued to use mag stripes.
Chip-and-PIN technology has become the de-facto standard for in-person credit- and debit-card transactions in the U.S. – but a lack of merchant compliance means that cards are still being compromised in the millions.
Chip cards, which contain an embedded microprocessor that encrypts the card data, are a more secure alternative to magnetic stripe cards, in theory. They also implement the EMV standard, which stands for Europay, MasterCard and Visa, and is a global standard for chip cards’ compatibility with point of sale (PoS) terminals. They became the default type of card when the four major U.S. credit card issuers – Visa, MasterCard, American Express and Discover – decided to shift payment-card fraud liability to merchants in 2015, if they do not have an EMV payment system. The only exception to this is gas stations, which have until 2020 to make the switch (owing to the expense related to swapping out gas pumps).
Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn.
Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology, led by some leapfrog advances in facial recognition systems.
Now facial recognition appears to be on the verge of blossoming commercially, with security use-cases paving the way.
The results could start a wave of major damages for companies that collect and sell consumer information.
Equifax, Experian and Oracle are among a slate of companies whose business is consumer information, that could soon face billions of dollars in fines for improper data handling.
Amazon Web Services (AWS) provides numerous benefits to customers, allowing companies to be more responsive, available, and cost-efficient. It also provides a number of security capabilities, including strong identity and access management, granular activity logs, and strong policy enforcement.
However, that doesn’t mean you shouldn’t worry about security in your AWS environment. Simply speaking, AWS provides enough flexibility for you to shoot yourself in the foot if you aren’t careful. Gartner estimates that through 2022, at least 95 percent of cloud security failures will be the customer’s fault. Of course, AWS invented the now-famous shared responsibility model to educate customers on these risks and their role in protecting their workloads.
Users of BitPay’s Copay desktop and mobile wallet apps are affected. An update has been released earlier today that doesn’t contain the malicious code.
XLoader and FakeSpy are two of the most prevalent malware families that emerged from the mobile threat landscape recently. We first reported about XLoader in April 2018 when it used Domain Name System (DNS) cache poisoning/DNS spoofing to victimize users with malicious Android apps that steal PII and financial data and install additional apps. Meanwhile, we released our findings on FakeSpy in June after it infected Android users via SMS phishing or SMiShing to launch info-stealing attacks.
We have recently observed an ongoing phishing campaign targeting the French industry. Among these targets are organizations involved in chemical manufacturing, aviation, automotive, banking, industry software providers, and IT service providers. Beginning October 2018, we have seen multiple phishing emails which follow a similar pattern, similar indicators, and obfuscation with quick evolution over the course of the campaign. This post will give a quick look into how the campaign has evolved, what it is about, and how you can detect it.
Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.
Two recently disclosed Linux kernel vulnerabilities that remain unpatched could be exploited for local denial-of-service (DoS).
Tracked as CVE-2018-19406, the first issue was discovered in a Linux kernel function called kvm_pv_send_ipi, which is defined in arch/x86/kvm/lapic.c. The flaw is triggered when the Advanced Programmable Interrupt Controller (APIC) map does not initialize correctly.
To exploit the security flaw, a local attacker can use crafted system calls to reach a situation where the apic map is uninitialized.
The second vulnerability, which has been assigned CVE number CVE-2018-19407, impacts the vcpu_scan_ioapic function that is defined in arch/x86/kvm/x86.c. The bug is triggered when I/O Advanced Programmable Interrupt Controller (I/O APIC) does not initialize correctly.
A local user looking to exploit the security flaw can use crafted system calls that reach a situation where ioapic is uninitialized.
Patches for these two bugs were made available in the unofficial Linux Kernel Mailing List (LKML) archive, but haven’t been pushed
Google is rolling out new tools to ensure Europeans receive the information they need for next year’s Parliamentary elections in the European Union (EU).
Up to 350 million voters across the EU are expected to take to the polls in May 2019, to elect 705 Members of European Parliament (MEPs). With threat actors already meddling in the elections process in various countries, including in the United States, interference is expected in next year’s European process as well.
Britain’s parliament has seized confidential Facebook documents from the developer of a now-defunct bikini photo searching app as it turns up the heat on the social media company over its data protection policies.
The United States Postal Service (USPS) has fixed an API flaw that potentially exposed data on 60 million customers. A researcher reported the flaw to USPS more than a year ago; but it wasn’t until security blogger Brian Krebs contacted the organization this month that it took any action.
The same researcher contacted Krebs. Krebs verified the flaw and contacted USPS, who this time “promptly addressed the issue”.
The problem was an API with inadequate authentication.
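The USPS excerpt above (and the Amazon/USPS item earlier, which says both incidents "hinged on improper API use") describes an API whose weakness was that it did not adequately tie the data it served to the caller. The following is an added example, not code from the page, from USPS or from Krebs: a constructed record-lookup API that authenticates the caller but then serves whatever record id it is asked for, beside a hardened version that binds the lookup to the authenticated account, plus a small check over constructed access-log lines that flags sessions requesting ids that are not their own. The customer records, tokens, and log entries are all constructed for the demonstration and do not describe the real USPS system.

```python
"""Added example (not from the page, USPS or Krebs): a record-lookup API that
authenticates the caller but serves any record id requested, beside a hardened
version that ties the lookup to the authenticated account, plus a detection
pass over access-log lines. All records, tokens and log lines are constructed."""

from collections import defaultdict

# Constructed customer records keyed by account id.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.test"},
    1002: {"name": "Bob Example", "email": "bob@example.test"},
    1003: {"name": "Carol Example", "email": "carol@example.test"},
}

# Constructed session store: bearer token -> account id the token was issued to.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


class AuthError(Exception):
    """Caller presented no usable credential."""


class Forbidden(Exception):
    """Caller is authenticated but may not see the requested record."""


def authenticate(token):
    """Resolve a bearer token to the account it was issued to, or raise."""
    account = SESSIONS.get(token)
    if account is None:
        raise AuthError("invalid or missing token")
    return account


def get_customer_vulnerable(token, requested_id):
    """Weak pattern: the caller is authenticated, but the record returned is
    whatever id the caller names, so one valid session can read every record."""
    authenticate(token)
    return CUSTOMERS[requested_id]


def get_customer_hardened(token, requested_id):
    """Hardened pattern: the record must belong to the authenticated account.
    The object-level check runs before any data is read."""
    caller = authenticate(token)
    if requested_id != caller:
        raise Forbidden(f"account {caller} may not read record {requested_id}")
    return CUSTOMERS[requested_id]


def lookup_outcome(handler, token, requested_id):
    """Classify a handler call as 'ok', 'auth_error' or 'forbidden'."""
    try:
        handler(token, requested_id)
        return "ok"
    except AuthError:
        return "auth_error"
    except Forbidden:
        return "forbidden"


# Constructed API access log: (token, requested_id, http_status) per request.
ACCESS_LOG = [
    ("tok-alice", 1001, 200),
    ("tok-bob", 1002, 200),
    ("tok-bob", 1001, 200),
    ("tok-bob", 1003, 200),
    ("tok-bob", 1004, 404),
]


def find_enumerating_sessions(log, max_distinct_ids=1):
    """Detection: with the hardened handler each session only ever touches its
    own id, so a token requesting more distinct ids than allowed indicates
    enumeration (or that the weak handler is still deployed).
    Returns {token: sorted distinct ids requested} for flagged tokens."""
    seen = defaultdict(set)
    for token, requested_id, _status in log:
        seen[token].add(requested_id)
    return {t: sorted(ids) for t, ids in seen.items() if len(ids) > max_distinct_ids}


if __name__ == "__main__":
    print(get_customer_vulnerable("tok-bob", 1001))  # Bob reads Alice's record
    print(lookup_outcome(get_customer_hardened, "tok-bob", 1001))  # forbidden
    print(find_enumerating_sessions(ACCESS_LOG))
```

The detection pass is deliberately simple: it counts distinct ids per session rather than request volume, because a session legitimately reloading its own record many times should not trip it, while a session touching even a handful of other ids is the behaviour the hardened handler is meant to make impossible.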
Yoshitaka Sakurada, the minister for cybersecurity who recently confessed that he does not use computers, has now told a Diet committee that he is not very familiar with cybersecurity issues.
“My biggest job (as Cabinet minister) is to read out written replies (prepared by bureaucrats) without making any mistakes,” he said.
“I use a smartphone many times a day because it’s very useful,” said Sakurada.
When users have been installing Sennheiser’s HeadSetup software, little did they know that the software was also installing a root certificate into the Trusted Root CA Certificate store. To make matters worse, the software was also installing an encrypted version of the certificate’s private key that was not as secure as the developers may have thought.
558 Comments
Tomi Engdahl says:
Old Printer Vulnerabilities Die Hard
https://threatpost.com/old-printer-vulnerabilities-die-hard/139318/
New research on an old problem reveals despite efforts, the InfoSec professionals still have a way to go when it comes to securing printers.
Despite copious warnings and efforts by the security community to harden the defenses of printers, they continue to represent a ripe target for attackers.
Just this past summer researchers at Check Point found a vulnerability that allowed an attacker to compromise a multi-function printer with fax capabilities simply by sending a fax. In July, Positive Technology shared a proof-of-concept attack that shows how attackers can compromise a corporate network via installing a customized Xerox printer firmware on a targeted printer. In August, HP Inc. patched hundreds of inkjet models vulnerable to two remote code execution flaws (CVE-2018-5924, CVE-2018-5925).
Tomi Engdahl says:
Security agencies warn of foreign espionage threat to company networks
RCMP warns of ‘supply chain vulnerability’ — a back-door tactic to infiltrate systems
https://www.cbc.ca/news/politics/security-agencies-warn-espionage-networks-1.4919962
Canadian companies should watch out when they use technology supplied by state-owned companies from countries that want to steal corporate secrets, the country’s security agencies have warned.
The RCMP organized two workshops last March — one in Calgary, the other in Toronto — to raise awareness about threats to critical systems, including espionage and foreign interference, cyberattacks, terrorism and sabotage, newly disclosed documents show.
Tomi Engdahl says:
With DigitalOcean, Jigsaw’s Private VPN Gives a Line Out to Journalists
https://blog.digitalocean.com/digitalocean-outline-jigsaw-vpn/
Imagine you’re a journalist covering an uprising against a military regime. You film a riot on your phone, then quickly send it to your server over the virtual private network (VPN) you found in the Android app store that promised high security. That night, when you finally make it back to your hotel room and boot up your laptop to write the story, you realize the video is nowhere to be found.
Unbeknownst to you, this government forced your VPN provider to give them access to all the data streaming through their VPN as a condition for operating in their country.
Tomi Engdahl says:
Black Friday special by Emotet: Filling inboxes with infected XML macros
Emotet starts another massive spam campaign just as Black Friday begins to pick up steam
https://www.welivesecurity.com/2018/11/23/black-friday-special-emotet-filling-inboxes-infected-xml-macros/
Tomi Engdahl says:
Chief of Russia’s Military Intelligence Agency Dies
https://www.securityweek.com/chief-russias-military-intelligence-agency-dies
Igor Korobov, 62, had headed the defence ministry’s Main Intelligence Directorate (GRU) since 2016 and was the target of US sanctions.
Under his tenure the GRU has become a byword for Russian meddling in Western affairs.
The ministry said he died on Wednesday after a “long and serious illness,” with analysts suggesting it was a code word for cancer.
Tomi Engdahl says:
VMware Patches Workstation Flaw Disclosed at Hacking Contest
https://www.securityweek.com/vmware-patches-workstation-flaw-disclosed-hacking-contest
The security hole, tracked as CVE-2018-6983, was demonstrated last week by Tianwen Tang of Qihoo 360’s Vulcan Team at the Tianfu Cup PWN competition. The white hat hacker earned $100,000 for his work.
Tomi Engdahl says:
North Korean Hackers Hit Latin American Banks
https://www.securityweek.com/north-korean-hackers-hit-latin-american-banks
The North Korean hacking group known as Lazarus recently targeted financial institutions in Latin America, Trend Micro security researchers have discovered.
The notorious threat actor, believed to be backed by the North Korean government, is known to have been involved in a series of high-profile attacks, including the devastating attack against Sony Pictures in late 2014 and the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank.
Also referred to as Hidden Cobra, the group is believed to be the most serious threat against banks and also started targeting individuals last year. Recently, the group was said to have stolen millions from ATMs across Asia and Africa.
Tomi Engdahl says:
Attackers Exploit Recently Patched Popular WordPress Plugin
https://www.securityweek.com/attackers-exploit-recently-patched-popular-wordpress-plugin
Recently patched vulnerabilities in the popular AMP for WP plugin are being targeted in an active Cross-Site Scripting (XSS) campaign, Wordfence reports.
With over 100,000 installs, the plugin adds Accelerated Mobile Pages (Google AMP Project) functionality to websites, which makes them faster for mobile users.
Tomi Engdahl says:
HR Software Firm PageUp Finds No Evidence of Data Theft
https://www.securityweek.com/hr-software-firm-pageup-finds-no-evidence-data-theft
Australia-based HR software provider PageUp recently shared another update on the data breach disclosed earlier this year. The company says it has found no evidence that the attackers have actually stolen any data from its systems.
Tomi Engdahl says:
US Urging Allies to Shun Huawei: WSJ
https://www.securityweek.com/us-urging-allies-shun-huawei-wsj
The United States is trying to persuade wireless companies and internet providers in allied countries to shun equipment made by Chinese telecoms giant Huawei, citing cyber security risks, The Wall Street Journal reported Friday.
The lobbying campaign, also targeting government officials, is taking place in allied countries where Huawei equipment is widely in use such as Germany, Italy and Japan, the Journal reported, quoting people familiar with the situation.
U.S. Push on Huawei Ripples Through Markets
Washington has asked foreign allies to avoid telecommunications equipment from China’s Huawei
https://www.wsj.com/articles/u-s-push-on-huawei-ripples-through-markets-1542981918
ZTE Corp. shares fell sharply Friday and Chinese stocks retreated more broadly as news that the U.S. was discouraging sales of Chinese telecoms gear abroad exacerbated trade concerns.
Tomi Engdahl says:
Thai Minister Defends Controversial Cybersecurity Bill
https://www.securityweek.com/thai-minister-defends-controversial-cybersecurity-bill
A Thai government official on Wednesday defended a sweeping cybersecurity bill which experts have decried for allowing the wholesale seizure of private computers and property, saying that “every country has a need” to protect itself.
The proposed bill has drawn widespread criticism for authorizing a newly created committee to access and seize computers and hard drives of individuals and private companies without a court order in cases of “reasonable suspicion” and “emergency”.
“Every country has a need to set a legal system whereby we can protect our society… because every sector is now using some kind of computer,” Pichet said.
Tomi Engdahl says:
Scammers are changing the contact details for banks on Google Maps to defraud people (GOOG) – Tech
https://uschnews.com/scammers-are-changing-the-contact-details-for-banks-on-google-maps-to-defraud-people-goog-tech/
Scammers are using Google Maps to trick people into giving up their bank details.
The app lets users edit and update listings, so the fraudsters are changing banks’ phone numbers to their own.
Victims then call them up and give up their details without ever realising something’s gone wrong.
Tomi Engdahl says:
Hacker takes over Drake’s Fortnite account to yell racial slurs
https://www.hackread.com/drake-fortnite-account-hacked/
The official Fortnite account of the Canadian rapper Drake going by the handle of “Duddus647” was hacked in an attack on Thanksgiving weekend.
Tomi Engdahl says:
US Postal Service Addresses Vulnerability That Exposed 60 Million Users Data For Over A Year
https://www.yourdigitalmind.com/news/us-postal-service-addresses-vulnerability-that-exposed-60-million-users-data-for-over-a-year/
Tomi Engdahl says:
Swedish ISP punishes Elsevier for forcing it to block Sci-Hub by also blocking Elsevier
https://boingboing.net/2018/11/03/balkanizing-the-balkanizers.html
Tomi Engdahl says:
Kate Conger / New York Times:
For a NYT tech reporter, apps like Signal help minimize and secure the digital footprint from meetings with sources, but in-person ones remain the most secure
You Don’t Have to Be a Journalist to Want to Keep Chats Private
https://www.nytimes.com/2018/11/21/technology/personaltech/you-dont-have-to-be-a-journalist-to-want-to-keep-chats-private.html
It’s easy to leave behind digital evidence when talking to sources — or to friends. Here’s how Kate Conger, a tech reporter, reduces that exposure.
Tomi Engdahl says:
Five Year Old Bug Spawns Router Botnet Monster
https://hackaday.com/2018/11/23/five-year-old-bug-spawns-router-botnet-monster/
In the news has been yet another router botnet. [Hui Wang] and [RootKiter] of 360Netlab announced their discovery of what they call the “BCMUPnP_Hunter” rootkit. They estimate this botnet to be running on over 100,000 routers worldwide.
BCMPUPnP_Hunter: A 100k Botnet Turns Home Routers to Email Spammers
http://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/
Tomi Engdahl says:
Lazarus Hackers Group Attack Financial Organizations using a Powerful Backdoor
https://gbhackers.com/lazarus-hackers-financial-organizations/
The widely active cybercriminal group Lazarus is targeting financial organizations across Latin America by installing a backdoor into the targeted systems.
The same hacking group has already targeted various financial organizations around the world using various advanced tools and techniques.
Recent activity by this Lazarus APT group hit cryptocurrency exchanges using a fake installer and macOS malware with various sophisticated techniques.
Tomi Engdahl says:
Chinese Threat Actor TEMP.Periscope Targets UK-Based Engineering Company Using Russian APT Techniques
https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/
Employees of a U.K.-based engineering company were among the targeted victims of a spearphishing campaign in early July 2018. The campaign also targeted an email address possibly belonging to a freelance journalist based in Cambodia who covers Cambodian politics, human rights, and Chinese development. We believe both attacks used the same infrastructure as a reported campaign by Chinese threat actor TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections. Crucially, TEMP.Periscope’s interest in the U.K. engineering company they targeted dates back to attempted intrusions in May 2017.
Tomi Engdahl says:
Implant Files
https://www.icij.org/investigations/implant-files/
Health authorities across the globe have failed to protect millions of patients from poorly tested implants, the first-ever global examination of the medical device industry reveals.
A global investigation reveals the rising human toll of lax controls and testing standards pushed by a booming industry.
Tomi Engdahl says:
https://www.icij.org/investigations/implant-files/new-database-tracks-faulty-medical-devices-across-the-globe/
The International Medical Devices Database empowers patients, doctors and regulators with unprecedented knowledge.
Tomi Engdahl says:
https://www.internetgovernance.org/2018/11/25/whois-privacy-reform-hits-its-first-milestone/
On the day before the American Thanksgiving holiday, ICANN released the initial report of the policy development process that is trying to reform Whois.
Whois-Privacy Reform Hits its First Milestone
Posted on November 25, 2018 by Milton Mueller in Privacy & Surveillance
On the day before the American Thanksgiving holiday, ICANN released the initial report of the policy development process that is trying to reform Whois. Jokes about turkeys were probably inevitable, but to the EPDP members who have spent months of practically non-stop work on it (including two IGP partners), that sign of progress was something to be thankful for.
The initial report is now open for public comment. The report accurately reflects where there is agreement, and where there is a lack of consensus in the group. Public comment, especially from those with expertise in data protection law, may help resolve some of those conflicts.
At 130 pages, the report may seem overwhelming, but all one really needs to review is the 24-page Executive Summary, which lays out the EPDP’s 22 recommendations and the 11 questions the group wants the public to comment upon.
If you want to see the privacy rights of domain name registrants respected, you need to weigh in. And if you don’t weigh in, you can be sure that Facebook, the MPAA, the trademark interests, cybersecurity firms who monetize Whois data, and other anti-privacy rights interests will be out in force.
Tomi Engdahl says:
Craig Silverman / BuzzFeed News:
Investigation: 8 apps with a total of 2B+ downloads from Google Play, including 7 from Cheetah mobile, exploit user permissions in an ongoing ad fraud scheme — Eight apps with a total of more than 2 billion downloads in the Google Play store have been exploiting user permissions as part …
These Hugely Popular Android Apps Have Been Committing Ad Fraud Behind Users’ Backs
https://www.buzzfeednews.com/article/craigsilverman/android-apps-cheetah-mobile-kika-kochava-ad-fraud
“Why isn’t Google immediately dropping such apps from the Play store and advising users to uninstall them?” one analyst asked.
Seven of the apps Kochava found engaging in this behavior are owned by Cheetah Mobile, a Chinese company listed on the New York Stock Exchange that last year was accused of fraudulent business practices by a short-seller investment firm — a charge that Cheetah vigorously denied.
The allegations are the latest shock to a vast digital ad tech industry that remains dogged by a multibillion-dollar fraud problem and a mobile ecosystem rife with malicious ads and fraudulent practices.
While the most immediate victims are brands who lose ad dollars to bots and other schemes, ad fraud also diverts revenue away from legitimate publishers and developers.
“This is theft — no other way to say it,” Grant Simmons, the head of client analytics for Kochava, told BuzzFeed News. He said this example is notable because Cheetah Mobile and Kika Tech are large app developers that built these practices into their apps.
“These are real companies doing it — at scale — not some random person in their basement,” he said.
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Hacker gains access to the repo of Event-Stream, a JS library with 2M+ weekly downloads on npm, to inject BitPay’s wallet apps with code that steals funds — Users of BitPay’s Copay desktop and mobile wallet apps are affected. An update was released earlier today that doesn’t contain the malicious code.
Hacker backdoors popular JavaScript library to steal Bitcoin funds
https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/
Users of BitPay’s Copay desktop and mobile wallet apps are affected. An update was released earlier today that doesn’t contain the malicious code.
Tomi Engdahl says:
Brazil’s largest professional association suffers massive data leak
https://www.zdnet.com/article/brazils-largest-professional-association-suffers-massive-data-leak/
Industrial group FIESP is dealing with the exposure of millions of personal data records.
Tomi Engdahl says:
IBM security study: Mega data breaches cost $40 million to $350 million
https://venturebeat.com/2018/07/10/ibm-security-study-mega-data-breaches-cost-40-million-to-350-million/
The average cost of a data breach is $3.86 million, according to a study by IBM Security and Ponemon Institute. But the cost of “mega breaches,” where 1 million to 50 million records are lost, can run from $40 million to $350 million.
IBM Security and Ponemon conducted interviews with nearly 500 companies that experienced data breaches, and they collected information on hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory requirements, cost of lost business, and loss of reputation.
Tomi Engdahl says:
USPS, Amazon Data Leaks Showcase API Weaknesses
https://threatpost.com/usps-amazon-data-leaks-showcase-api-weaknesses/139362/
The incidents affected millions, just as Black Friday, Cyber Monday and the holiday shopping season kicked off.
The annual holiday buying bonanza has officially kicked off for 2018, and, as if on cue, a pair of security incidents at two of the most-used services this time of year – the U.S. Postal Service and Amazon – showed up to remind us of the dangers of shopping season. Both hinged on improper API use – and point out an oft-overlooked weakness that is all too common in network security strategies.
The data exposures come as holiday attacks are set to worsen. According to Carbon Black’s Holiday Threat Report, released Monday, seasonal cyberattacks are on pace to increase by 60 percent from last year, spiking on “Cyber Monday” and remaining at elevated levels throughout the holiday season.
Tomi Engdahl says:
Emotet Campaign Ramps Up with Mass Email Harvesting Module
https://threatpost.com/emotet-campaign-ramps-up-with-mass-email-harvesting-module/139041/
Tomi Engdahl says:
U.S. Chip Cards Are Being Compromised in the Millions
https://threatpost.com/u-s-chip-cards-are-being-compromised-in-the-millions/139028/
A full 60 million U.S. cards were compromised in the past 12 months. While 93 percent of those were EMV chip-enabled, merchants continued to use mag stripes.
Chip-and-PIN technology has become the de-facto standard for in-person credit- and debit-card transactions in the U.S. – but a lack of merchant compliance means that cards are still being compromised in the millions.
Chip cards, which contain an embedded microprocessor that encrypts the card data, are a more secure alternative to magnetic stripe cards, in theory. They also implement the EMV standard, which stands for Europay, MasterCard and Visa, and is a global standard for chip cards’ compatibility with point of sale (PoS) terminals. They became the default type of card when the four major U.S. credit card issuers – Visa, MasterCard, American Express and Discover – decided to shift payment-card fraud liability to merchants in 2015, if they do not have an EMV payment system. The only exception to this is gas stations, which have until 2020 to make the switch (owing to the expense related to swapping out gas pumps).
Tomi Engdahl says:
New Boom in Facial Recognition Tech Prompts Privacy Alarms
https://threatpost.com/new-boom-in-facial-recognition-tech-prompts-privacy-alarms/138979/
Tech advances are accelerating the use of facial recognition as a reliable and ubiquitous mass surveillance tool, privacy advocates warn.
Somewhat quietly over the past couple of years there has been a flurry of breakthroughs in biometric technology, led by some leapfrog advances in facial recognition systems.
Now facial recognition appears to be on the verge of blossoming commercially, with security use-cases paving the way.
Tomi Engdahl says:
Lawsuits Aim Billions in Fines at Equifax and Ad-Targeting Companies
https://threatpost.com/lawsuits-aim-billions-in-fines-at-equifax-and-ad-targeting-companies/139001/
The results could start a wave of major damages for companies that collect and sell consumer information.
Equifax, Experian and Oracle are among a slate of companies whose business is consumer information and that could soon face billions of dollars in fines for improper data handling.
Tomi Engdahl says:
A new way to think about security in AWS
https://blogs.cisco.com/security/a-new-way-to-think-about-security-in-aws
Amazon Web Services (AWS) provides numerous benefits to customers, allowing companies to be more responsive, available, and cost-efficient. It also provides a number of security capabilities, including strong identity and access management, granular activity logs, and strong policy enforcement.
However, that doesn’t mean you shouldn’t worry about security in your AWS environment. Simply speaking, AWS provides enough flexibility for you to shoot yourself in the foot if you aren’t careful. Gartner estimates that through 2022, at least 95 percent of cloud security failures will be the customer’s fault. Of course, AWS invented the now-famous shared responsibility model to educate customers on these risks and their role in protecting their workloads.
Tomi Engdahl says:
Many free mobile VPN apps are based in China or have Chinese ownership
https://www.zdnet.com/article/many-free-mobile-vpn-apps-are-based-in-china-or-have-chinese-ownership/
Chinese affiliation raises a sign of alarm in light of China’s recent clampdown on “unauthorized” VPN services.
Tomi Engdahl says:
Germany proposes router security guidelines
https://www.zdnet.com/article/germany-proposes-router-security-guidelines/
The German government would like to regulate what kind of routers are sold and installed across the country.
Tomi Engdahl says:
A Look into the Connection Between XLoader and FakeSpy, and Their Possible Ties With the Yanbian Gang
https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/
XLoader and FakeSpy are two of the most prevalent malware families that emerged from the mobile threat landscape recently. We first reported about XLoader in April 2018 when it used Domain Name System (DNS) cache poisoning/DNS spoofing to victimize users with malicious Android apps that steal PII and financial data and install additional apps. Meanwhile, we released our findings on FakeSpy in June after it infected Android users via SMS phishing or SMiShing to launch info-stealing attacks.
Tomi Engdahl says:
How Surveillance Inhibits Freedom of Expression
https://www.schneier.com/blog/archives/2018/11/how_surveillanc_1.html
Tomi Engdahl says:
https://labsblog.f-secure.com/2018/11/26/phishing-campaign-targeting-french-industry/
We have recently observed an ongoing phishing campaign targeting the French industry. Among these targets are organizations involved in chemical manufacturing, aviation, automotive, banking, industry software providers, and IT service providers. Beginning in October 2018, we have seen multiple phishing emails which follow a similar pattern, similar indicators, and obfuscation with quick evolution over the course of the campaign. This post will give a quick look into how the campaign has evolved, what it is about, and how you can detect it.
Tomi Engdahl says:
Half of all Phishing Sites Now Have the Padlock
https://krebsonsecurity.com/2018/11/half-of-all-phishing-sites-now-have-the-padlock/
Maybe you were once advised to “look for the padlock” as a means of telling legitimate e-commerce sites from phishing or malware traps. Unfortunately, this has never been more useless advice. New research indicates that half of all phishing scams are now hosted on Web sites whose Internet address includes the padlock and begins with “https://”.
Tomi Engdahl says:
DoS Vulnerabilities Impact Linux Kernel
https://www.securityweek.com/dos-vulnerabilities-impact-linux-kernel
Two recently disclosed Linux kernel vulnerabilities that remain unpatched could be exploited for local denial-of-service (DoS).
Tracked as CVE-2018-19406, the first issue was discovered in a Linux kernel function called kvm_pv_send_ipi, which is defined in arch/x86/kvm/lapic.c. The flaw is triggered when the Advanced Programmable Interrupt Controller (APIC) map does not initialize correctly.
To exploit the security flaw, a local attacker can use crafted system calls to reach a situation where the APIC map is uninitialized.
The second vulnerability, which has been assigned CVE number CVE-2018-19407, impacts the vcpu_scan_ioapic function that is defined in arch/x86/kvm/x86.c. The bug is triggered when I/O Advanced Programmable Interrupt Controller (I/O APIC) does not initialize correctly.
A local user looking to exploit the security flaw can use crafted system calls that reach a situation where ioapic is uninitialized.
Patches for these two bugs were made available in the unofficial Linux Kernel Mailing List (LKML) archive, but haven’t been pushed upstream.
Tomi Engdahl says:
Google Wants to Ensure Integrity of EU Parliamentary Elections
https://www.securityweek.com/google-wants-ensure-integrity-eu-parliamentary-elections
Google is rolling out new tools to ensure Europeans receive the information they need for next year’s Parliamentary elections in the European Union (EU).
Up to 350 million voters across the EU are expected to take to the polls in May 2019, to elect 705 Members of European Parliament (MEPs). With threat actors already meddling in the elections process in various countries, including in the United States, interference is expected in next year’s European process as well.
Tomi Engdahl says:
UK Parliament Seizes Confidential Facebook Documents
https://www.securityweek.com/uk-parliament-seizes-confidential-facebook-documents
Britain’s parliament has seized confidential Facebook documents from the developer of a now-defunct bikini photo searching app as it turns up the heat on the social media company over its data protection policies.
Tomi Engdahl says:
U.S. Postal Service API Flaw Exposes Data of 60 Million Customers
https://www.securityweek.com/us-postal-service-api-flaw-exposes-data-60-million-customers
The United States Postal Service (USPS) has fixed an API flaw that potentially exposed data on 60 million customers. A researcher reported the flaw to USPS more than a year ago, but it wasn’t until security blogger Brian Krebs contacted the organization this month that it took any action.
The same researcher contacted Krebs. Krebs verified the flaw and contacted USPS, who this time “promptly addressed the issue”.
The problem was an API with inadequate authentication.
https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/
Tomi Engdahl says:
Gov Committee Raises Concerns Over UK Critical Infrastructure Security
https://www.securityweek.com/gov-committee-raises-concerns-over-uk-critical-infrastructure-security
Tomi Engdahl says:
https://www.zdnet.com/article/rowhammer-attacks-can-now-bypass-ecc-memory-protections/
Tomi Engdahl says:
Japan cybersecurity minister who doesn’t use computers says he’s also not familiar with cybersecurity
https://www.japantimes.co.jp/news/2018/11/23/national/politics-diplomacy/japan-cybersecurity-minister-doesnt-use-computers-says-hes-not-familiar-cybersecurity/#.W_18IlPks0P
Yoshitaka Sakurada, the minister for cybersecurity who recently confessed that he does not use computers, has now told a Diet committee that he is not very familiar with cybersecurity issues.
“My biggest job (as Cabinet minister) is to read out written replies (prepared by bureaucrats) without making any mistakes,” he said.
“I use a smartphone many times a day because it’s very useful,” said Sakurada.
Tomi Engdahl says:
Spying on HDMI on my mobile TEMPEST / van Eck setup
https://m.youtube.com/watch?feature=youtu.be&v=BpNP9b3aIfY
Tomi Engdahl says:
The Intel Microcode Boot Loader Protects Older CPUs From Spectre
https://www.bleepingcomputer.com/news/security/the-intel-microcode-boot-loader-protects-older-cpus-from-spectre/
Tomi Engdahl says:
https://andrewmohawk.com/2016/02/05/bypassing-rolling-code-systems/
Tomi Engdahl says:
Sennheiser Headset Software Could Allow Man-in-the-Middle SSL Attacks
https://www.bleepingcomputer.com/news/security/sennheiser-headset-software-could-allow-man-in-the-middle-ssl-attacks/
When users installed Sennheiser’s HeadSetup software, little did they know that the software was also installing a root certificate into the Trusted Root CA Certificate store. To make matters worse, the software was also installing an encrypted version of the certificate’s private key that was not as secure as the developers may have thought.
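A defender-side check that follows from the HeadSetup item above: compare the Windows Trusted Root stores against a known-good list of thumbprints and report every root that was not there on a clean build, flagging any whose private key is present on the host. This is an added example, not code from the article or from Sennheiser; the baseline thumbprints are assumed to come from your own export of a clean reference machine.

```powershell
# Added example: report root CA certificates that are absent from a known-good baseline.
# $Baseline is a list of SHA-1 thumbprints exported from a clean reference build
# (an assumption of this example; see the usage lines at the bottom).
function Get-UnexpectedRootCAs {
    param(
        [Parameter(Mandatory)] [string[]]$Baseline,
        [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    $known = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($t in $Baseline) { [void]$known.Add($t.Trim()) }

    foreach ($store in $Stores) {
        Get-ChildItem -Path $store |
            Where-Object { -not $known.Contains($_.Thumbprint) } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Issuer        = $_.Issuer
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    # A trust anchor whose private key lives on this host is the
                    # HeadSetup condition: whoever holds that key can issue certificates
                    # this machine will accept for any site.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Usage: export the baseline once from a clean build ...
#   Get-ChildItem Cert:\LocalMachine\Root |
#       Select-Object -ExpandProperty Thumbprint | Set-Content .\root-baseline.txt
# ... then compare on any host and review the additions:
#   Get-UnexpectedRootCAs -Baseline (Get-Content .\root-baseline.txt) | Format-Table -AutoSize
# A confirmed rogue root is removed with:
#   Remove-Item -Path "Cert:\LocalMachine\Root\<thumbprint>"
```

Software installers that add their own trust anchor will also show up here, so review each addition rather than treating the list as purely malicious.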