WhatsApp chat groups are being used to spread illegal child pornography, cloaked by the app’s end-to-end encryption. Without the necessary number of human moderators, the disturbing content is slipping by WhatsApp’s automated systems.
This week a plan for a future Facebook app feature was revealed in a patent for “Office Trajectories” by the USPTO. In this patent, Facebook detailed a method for determining the current location of an individual – even when their phone is turned off and/or their GPS is deactivated. How might Facebook achieve this, you might scream? They’ll just use all the information you’ve already given them, jam it all in a computer with Machine Learning, and spit out the most likely location – it’s easy, really!
We can go right on ahead and file the fact that this exists under our “We’re Being Tracked” file. Yes, Uncle Jimmy, you are being tracked, just like you always thought you were – but not by the government. You’re being tracked by the companies you use to share and communicate with friends and family.
Facebook filed a patent, titled “Offline Trajectories,” last week in which it proposes predicting users’ “location trajectories” – in other words, where we’re likely headed. Knowing when we’re about to hurtle into a no-WiFi-connection limbo means Facebook can “prefill” our phones with content and ads.
Flaws could allow an attacker to stop or start a home charging station, or even change the current in order to start a fire.
Given that creating proof-of-concept (PoC) cyberattacks for the Internet of Things (IoT) is essentially like shooting fish in a barrel these days, perhaps it’s not exactly surprising that a new niche category has proven to present a fresh attack surface: electric vehicle (EV) charging stations.
The danger is physical in this case: Research demonstrates that a savvy attacker could hack into the station and prevent a car from charging – or, in a much worse scenario, could even start a fire.
Digital security depends on the difficulty of factoring large numbers. A new proof shows why one method for breaking digital encryption won’t work.
Does this mean RSA encryption is in trouble? Actually, no. The reason for this has to do with the new proof about polynomials. The mathematicians Emmanuel Breuillard and Péter Varjú of the University of Cambridge proved that as polynomials with only 0 and 1 as coefficients get longer, they’re less and less likely to be factorable at all. And if a polynomial can’t be factored, it can’t be used to identify the prime factors of the number it’s based on.
It makes it simple for attackers to find devices to take over and add to botnets.
A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not – without ever connecting to them.
CVE-2018-7900 exists in the router panel and allows credential information to leak, so attackers can simply perform a ZoomEye or Shodan IoT search to find a list of the devices that have default passwords, with no need for brute-forcing and no risk of running into a generic honeypot.
Lawmakers are again unhappy with Facebook after the latest big story again portraying Facebook’s failure to protect the private data of its users.
Yesterday, the New York Times reported that the company had special relationships with a handful of major tech companies, including Amazon, Microsoft and Spotify.
Ever broken your phone screen? Had your computer fritz? Ever taken a device to a repair shop? Ever been asked for your password when you hand it over? Ever wonder whether the shop workers lift the lid to rifle through your little treasure chest of personal data?
At first glance of Amazon’s new patent application, one would be tempted to think it no more than a built-in “smart” security system.
But no, this facial recognition surveillance doorbell does a lot more than record would-be thieves.
Amazon is dreaming of a dangerous future, with its technology at the center of a massive decentralized surveillance network, running real-time facial recognition on members of the public using cameras installed in people’s doorbells. –Jacob Snow, ACLU
PoC for ThinkPHP security flaw sparks furious scans for vulnerable sites, most of which are based in China.
The attacks have targeted websites built with ThinkPHP, a Chinese-made PHP framework that is very popular among the local web development scene.
All attacks started after Chinese cyber-security firm VulnSpy posted a proof-of-concept exploit for ThinkPHP on ExploitDB, a website popular for hosting free exploit code.
ATTACKS STARTED WITHIN A DAY
“The PoC was published on December 11, and we saw internet-wide scans less than 24 hours later,” Troy Mursch, co-founder of Bad Packets LLC told ZDNet today.
Four other security firms (F5 Labs, GreyNoise, NewSky Security, and Trend Micro) have also reported similar scans
Less than a week after mystery drones grounded flights at the U.K.’s second largest airport, wreaking havoc on as many as 140,000 people’s travel plans for the Christmas period, police have admitted that there may in fact not have been any drones at all.
“always a possibility that there may not have been any genuine drone activity in the first place.”
Indeed, the police are reliant on eyewitness accounts — 67 of them
Law enforcement’s new partnership with genetic genealogy made 2018 a year of profound impact in how years-old cold case murders and rapes are investigated and solved.
Detectives across the country said they were able to locate suspects in 28 cold cases this year after uploading crime scene DNA to GEDmatch.com, a public genealogy website, obtaining a match and then letting a genealogist create family trees through painstaking research that ultimately led to a suspect.
If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts.
In all, it usually only adds a few extra seconds to your day.
Does turning off SSID Broadcast improve your home network security?
Most broadband routers and other wireless access points (APs) automatically transmit their network name (SSID) into the open air every few seconds. You can choose to disable this feature on your Wi-Fi network but before you do, be aware of the pros and cons.
While it’s technically a better decision to keep your SSID hidden away, it’s not a fool-proof security measure. A hacker with the right tools and enough time can sniff out the traffic coming from your network, find the SSID and continue on their hacking way.
Should You Disable SSID Broadcast On Your Home Network?
Home networks don’t require the use of a visible SSID unless it’s using multiple access points that devices are roaming between.
If your network uses a single router, deciding whether to turn off this feature boils down to a trade-off between the potential security benefits and a loss of convenience in setting up new home network clients.
Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.
You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. But unlike your Social Security number, you’re far less likely to keep your cell phone number a secret — otherwise nobody can contact you!
Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc to your online life.
An airport worker at Gatwick — London’s second international airport — sees something fly past in the gloom above the floodlights. The weather and darkness make it difficult to see what the object was, but the report is phoned in to security. What was it?
Thousands of people across the site are put on alert, watching for the drone. And of course, the drone reports roll in, and the story takes on a life of its own. People who have no idea what a drone looks like in the air are now expecting to see one
There follows three days of airport closure drama. No photos emerge despite almost every one of the many thousands of people on the site having a camera phone from which they are Tweeting about the queues in the terminal. There is a grainy video, but it is indistinct, and crucially it doesn’t have anything in it that is identifiable as Gatwick. Meanwhile the police are frustrated in their search for the drone operators, who like their drone, prove difficult to pinpoint
You might imagine that this was the fictional plot of a thriller novel, but sadly not. All of the above is a tale of the last few days of events in the British news
There are reports of drone wreckage, but since readers with long memories will recall UK police once identified RepRap parts as a 3D printed gun we’ll wait until we see it before we call it that.
When a Drone Report Comes In, We Need a Reliable Way to Evaluate It
Competent Police Investigations and Responsible Journalism on Drone Reports
Once an incident has started and news of it emerges there is a consequent effect upon members of our community. Legitimate drone fliers away from the airport will find themselves under more scrutiny
Raymond Zhong / New York Times:
As Huawei comes under government scrutiny worldwide, a look at the company’s aggressive culture that encouraged employees to bend the rules, up to a point — SHENZHEN, China — Earthquakes, terrorist attacks and low oxygen levels on Mount Everest could not hold them back.
As the Chinese tech giant Huawei expanded around the globe, supplying equipment to bring mobile phone and data service to the planet’s farthest reaches, its employees were urged on by a culture that celebrated daring feats in pursuit of new business.
They worked grueling hours. They were encouraged to bend certain company rules, as long as doing so enriched the company and not employees personally
Employees at the company and people who have studied it have a name for its hard-charging corporate spirit: “wolf culture.”
Now, the company’s aggressive ways have been cast in a new light. The United States has accused Meng Wanzhou, a top Huawei executive and daughter of its founder, of committing bank fraud to help the company’s business in Iran.
It is not clear precisely how Huawei’s culture shaped its dealings in Iran.
Huawei workers have been accused of bribing government officials to win business in Africa, copying an American competitor’s source code and even stealing the fingertip of a robot in a T-Mobile lab in Bellevue, Wash. In 2015
Mr. Ren said in 2015 that Huawei had toughened its safeguards against employee misconduct. But the following year, in a speech that was emailed to employees, he acknowledged that many workers did not pay attention to internal rules and controls
Mr. Ren said that it was important to enforce internal standards, but that this should not become a hindrance.
“If it blocks the business from producing grain, then we all starve to death,” he said, according to a transcript of his comments on a Huawei website.
Ms. Meng’s arrest this month has darkened China’s relations with the United States
Security concerns about Huawei and other Chinese equipment providers are mounting among traditional allies of the United States.
At the annual meeting of spy chiefs of the so-called Five Eyes countries, Huawei was among the topics discussed by senior intelligence officers from Britain, Australia, New Zealand, Canada and the United States
The pressure on the business is building. In Germany last week, Deutsche Telekom said it was taking seriously the “global discussion about the security of network elements from Chinese manufacturers.” On Monday, the Czech intelligence agency warned against the country working with Huawei and ZTE, another Chinese technology company.
Abrar Al-Heeti / CNET:
Despite challenges in penetrating the US market, Huawei says it has shipped over 200M smartphones in 2018 globally, up from last year’s 153M units
Eighteen months after the initial outbreak of the WannaCry Ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers.
A kill switch for the ransomware component of the infection. If the infection was able to connect to this kill switch domain, the ransomware component would not activate. The infection, though, would continue to run silently in the background, while routinely connecting to the kill switch domain to check if it was still live.
Apps were meant for training, never approved for combat. Whistleblower’s efforts helped shed light on vulnerabilities, despite leadership reprisals.
US military troops used two Android apps that contained severe vulnerabilities in live combat scenarios, a Navy Inspector General report revealed today.
The two apps are named KILSWITCH (Kinetic Integrated Low-Cost Software Integrated Tactical Combat Handheld) and APASS (Android Precision Assault Strike Suite).
Both apps work by showing satellite imagery of surroundings, including objectives, mission goals, nearby enemy and friendly forces.
The two apps work as a modern-day replacement for radios and paper maps and allow troops to use a real-time messaging client to coordinate with other military branches, and even call in air-strike support with a few simple screen taps, according to a DARPA press release and accompanying YouTube video.
Both apps contained vulnerabilities that could have allowed enemy forces access to troops’ information.
The report says that the two apps, KILSWITCH and APASS, were never meant or approved to be deployed in live combat zones.
“Cybersecurity was not a concern for the [apps'] developers,” the report said, because developers initially expected the apps to be used for troop training and military exercises primarily.
But the two apps, because of their flashy features and easier-to-use interface, became wildly popular not only among US troops but also among other military branches, including foreign allied forces.
It’s called the “Dark Side” because the 50 workers there prefer to keep the lights low so they can dim the brightness on their computer screens.
Or maybe it’s because of what they do in cyber research and development.
Questions about exactly what goes on at the heart of one of the United States’ primary cybersecurity facilities at the Idaho National Laboratory aren’t always answered, and photos by outsiders aren’t allowed.
BevMo is warning that a data breach may have allowed a hacker to steal credit card numbers and other information from more than 14,000 customers who used the alcohol-seller’s website.
FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks.
A new tech support scam has been discovered that uses JavaScript to create a loop that ultimately causes Google Chrome to use up all of the CPU resources on the computer and freeze the browser.
This new tech support scam variant was reported in a Google Chrome bug report that states that once a user visits the page, the CPU utilization quickly goes to 100%. This makes it impossible to close the tab, the browser, or properly use the computer until the Chrome process is killed.
When visiting the listed URL, you are brought to a tech support scam page that has a title of “Important Information”. This page pretends to be a Windows error titled “Internet Security Alert! Code: 055BCCAC9FEC” that states your computer has been infected and that you should call the listed support number for help.
This high CPU utilization will ultimately cause the browser to freeze and your computer to become barely usable. At this point, the only way to close the browser will be to close the offending Chrome.exe process using a tool like the Windows Task Manager.
US brings more indictments against the APT10 cyber espionage group operating in China for its Operation Cloud Hopper campaign against managed service providers, but what will those indictments accomplish?
Security experts wonder, however, what impact the indictments will really make.
The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).
In today’s world, we all try to do as much as we can to be secure while online. Most have learned the signs to try to spot phishing attempts: misspelled words, broken English, urgent requests, etc. We even implement 2FA to help prove that someone is who they say they are when they are authenticating to a site. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write-up about phishing attacks that are bypassing 2FA.
Over the past decade, many attackers have exploited design weaknesses in the Internet’s global routing system. Most commonly, the Border Gateway Protocol (BGP) is abused to divert gigabytes, or possibly even petabytes, of high-value traffic to ISPs inside Russia or China, sometimes for years at a time, so that the data can be analyzed or manipulated. Other times, attackers have used BGP hijackings more surgically to achieve specific aims, such as stealing cryptocurrency or regaining control of computers monitored in a police investigation.
Late last month came word of a new scheme. In one of the most sophisticated uses of BGP hijacking yet, criminals used the technique to generate $29 million in fraudulent ad revenue, in part by taking control of IP addresses belonging to the US Air Force and other reputable organizations.
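The BGP hijacks described above work by announcing a victim’s prefix (or a more-specific slice of it) from an origin that has no right to it. The following is an added example, not code from Ars Technica or from any of the organizations named in the story: a small route-origin monitor that checks collector-style announcements against a table of expected origin ASNs and flags origin mismatches and unexpected more-specifics. The prefixes, ASNs and announcements are constructed sample values (documentation ranges and private ASNs), not real assignments.

```python
import ipaddress

# Constructed table: prefixes an operator is responsible for, mapped to the
# set of ASNs allowed to originate them. Example values only.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/24": {64501},
}

# Constructed sample of announcements as a route collector might export them:
# (prefix, origin_asn, as_path). The comments state the intended verdict.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500, [64510, 64500]),   # legitimate origin
    ("203.0.113.0/25", 64999, [64520, 64999]),   # more-specific from an unknown origin
    ("198.51.100.0/24", 64999, [64520, 64999]),  # exact prefix, wrong origin
    ("192.0.2.0/24", 64502, [64530, 64502]),     # not in our table: ignored
]


def classify_announcement(prefix, origin_asn, expected=EXPECTED_ORIGINS):
    """Return (verdict, covering_prefix) for one announcement.

    The covering prefix is the longest entry in `expected` that contains the
    announced prefix; if there is none, the announcement is not ours to judge.
    """
    net = ipaddress.ip_network(prefix)
    covering = None
    for candidate_str in expected:
        candidate = ipaddress.ip_network(candidate_str)
        if net.version != candidate.version or not net.subnet_of(candidate):
            continue
        if covering is None or candidate.prefixlen > covering.prefixlen:
            covering = candidate
    if covering is None:
        return ("unmonitored", None)

    allowed = expected[str(covering)]
    if net.prefixlen > covering.prefixlen:
        # A more-specific wins in the routing table regardless of path length;
        # it is only acceptable when the legitimate owner originates it.
        if origin_asn in allowed:
            return ("more-specific-by-owner", str(covering))
        return ("more-specific-hijack", str(covering))
    if origin_asn in allowed:
        return ("valid", str(covering))
    return ("origin-mismatch", str(covering))


def detect_hijacks(announcements, expected=EXPECTED_ORIGINS):
    """Filter a batch of announcements down to the ones an operator should alert on."""
    alerts = []
    for prefix, origin_asn, _as_path in announcements:
        verdict, _covering = classify_announcement(prefix, origin_asn, expected)
        if verdict in ("more-specific-hijack", "origin-mismatch"):
            alerts.append((prefix, origin_asn, verdict))
    return alerts


if __name__ == "__main__":
    for alert in detect_hijacks(SAMPLE_ANNOUNCEMENTS):
        print("ALERT:", alert)
```

In production the expected-origin table would come from the operator’s own IRR/RPKI data and the announcements from a BGP collector feed; the classification logic is the same.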
Tomi Engdahl says:
Twitter Fixes Bug That Gives Unauthorized Access to Direct Messages
https://www.bleepingcomputer.com/news/security/twitter-fixes-bug-that-gives-unauthorized-access-to-direct-messages/
Tomi Engdahl says:
Warning from Black Hat NOC
https://blogs.cisco.com/security/black-hat-europe-2018
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/ruotsin-valtion-rautatieyhtion-asiakastileille-murtauduttiin-yli-miljoona-salasanaa-nollataan-6752831
Tomi Engdahl says:
Shamoon 3 Targets Oil and Gas Organization
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
Tomi Engdahl says:
New Facebook Bug Exposed 6.8 Million Users Photos to Third-Party Apps
https://thehackernews.com/2018/12/facebook-api-bug-leak.html
Tomi Engdahl says:
Finns dumbfounded: nobody has any information about the alleged nuclear power plant cybersecurity threat
https://www.tivi.fi/Kaikki_uutiset/suomalaiset-aiman-kakena-vaitetysta-ydinvoimalan-tietoturvauhasta-ei-kellaan-tietoa-6752707
Tomi Engdahl says:
Malaysian government targeted with mash-up espionage toolkit
https://www.welivesecurity.com/2018/12/14/malaysian-government-targeted-mash-up-espionage-toolkit/
An interview with ESET researchers Tomáš Gardoň and Filip Kafka on their research of a malware toolkit used in espionage against the Malaysian government
Tomi Engdahl says:
Justice Department accuses Chinese spies of hacking into dozens of US tech and industry giants
https://techcrunch.com/2018/12/20/us-indictment-tech-hacks-chinese/
The Justice Department has unsealed a damning indictment that links to spies working for the Chinese government an aggressive campaign to hack into U.S. tech and industry giants.
Tomi Engdahl says:
Widespread Apple ID Phishing Attack Pretends to be App Store Receipts
https://www.bleepingcomputer.com/news/security/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/?fbclid=IwAR3bFDHMklqCzsipTnc6OHdpAfZeCGnFXbTXMAazXTlhimEuOmAteeGk_Tc
Tomi Engdahl says:
Idiots with drones shut down the UK’s second largest airport — again
https://www.theverge.com/2018/12/20/18149819/london-gatwick-airport-drone-shutdown-reports
A new ‘suspected drone sighting’ briefly shut down air traffic at Gatwick Airport yet again, diverting more flights.
Tomi Engdahl says:
Will Oremus / Slate:
Facebook has forfeited our trust to the point that we see nefarious motives in any misstep, as some overblown reactions to Spotify and Netflix integrations show
What the NYT’s Facebook Investigation Really Tells Us
https://slate.com/technology/2018/12/facebook-new-york-times-investigation-spotify-netflix-messages.html
Facebook may or may not have lost its handle on our data. But it has definitely lost its handle on the public narrative—and the benefit of the doubt.
There were many important and troubling revelations in the New York Times’ latest investigation into Facebook’s privacy practices. There were others that seem less sinister the closer you look at them.
Perhaps more important than either, however, was how the story resonated and what people took from it—which, in many cases, was far more than it actually proved. People didn’t just get mad; they got not-gonna-take-this-anymore mad.
Above all, what the story and its fallout tell us is this: Any benefit of the doubt that Facebook once enjoyed—from the media, the government, the tech-savvy public—is long gone. And that’s a bigger blow than any EU penalty or FTC fine the social network could incur.
For instance, the Times reported that Facebook struck deals with several companies that allowed for the sharing of users’ contact lists and address books, partly to enhance Facebook’s shady “People You May Know” recommendation engine. One of those partners was the Chinese firm Huawei, which the U.S. government views as a national cybersecurity risk.
Facebook also had a partnership with the Russian tech firm Yandex, which is suspected of Kremlin ties, that gave it access to Facebook user IDs. And not only did it sling user data around, the company failed to reel it back in once its partners no longer needed it.
All of which is deeply disconcerting, even if the concrete harms remain speculative at this point. (No evidence has yet surfaced that Facebook’s partners misused the data, though it’s certainly possible.)
We now know that Facebook’s carelessness with users’ information, highlighted in March by the Cambridge Analytica scandal
The most alarming new details in the New York Times story, such as agreements that allowed Netflix and Spotify to “read, write, and delete users’ private messages,” appear to have been wildly overblown.
A response from Facebook on Wednesday evening explained that these permissions were about allowing Facebook users to read, write, and delete their own Facebook messages from within Netflix and Spotify once they linked their accounts and logged in.
Such nuance did not come across clearly in the Times story and was often lost completely in the public conversation that swirled around it
Tomi Engdahl says:
To be clear, Facebook has earned this mistrust, even if it hasn’t earned all of the specific outrages that have been levied against it.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Blind, an anonymous chat app used by staff at companies like Apple, Facebook, Google, and Uber, left one database server exposed from Nov. 1 to Dec. 19 — One of the company’s servers was exposed without a password for weeks
At Blind, a security lapse revealed private complaints from Silicon Valley employees
https://techcrunch.com/2018/12/20/blind-anonymous-app-data-exposure/
One of its servers storing user data and messages was exposed without a password
Blind left one of its database servers exposed without a password, making it possible (for anyone who knew where to look) to access each user’s account information and identify would-be whistleblowers.
The exposed server was found by a security researcher, who goes by the name Mossab H, who informed the company of the security lapse.
Blind said the exposure only affects users who signed up or logged in between November 1 and December 19
Blind only pulled the database after TechCrunch followed up by email a week later. The company began emailing its users on Thursday after we asked for comment.
Kim said there is “no evidence” that the database was misappropriated or misused, but did not say how it came to that conclusion.
At its core, the app and anonymous social network allows users to sign up using their corporate email address, which is said to be linked only to Blind’s member ID. Email addresses are “only used for verification”
But after reviewing a portion of the exposed data, some of the company’s claims do not stand up.
We found that the database provided a real-time stream of user logins, user posts, comments and other interactions, allowing anyone to read private comments and posts.
Blind claims on its website that its email verification “is safe, as our patented infrastructure is set up so that all user account and activity information is completely disconnected from the email verification process.”
Many records did, however, contain plain text email addresses.
The database also contained passwords, which were stored as an MD5 hash, a long-outdated algorithm that is nowadays easy to crack. Many of the passwords were quickly unscrambled using readily available tools.
“The MD5 keys were a log and it does not represent how we are managing data. We use more advanced methods like salted hash and SHA2 on securing users’ data in our database.”
Login records in the database also stored user account access tokens — the same kind of tokens that recently put Microsoft and Facebook accounts at risk.
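The MD5 claim in the excerpt above is easy to verify offline. The following is an added example, not code from Blind, TechCrunch or the researcher quoted: it builds a small constructed table of unsalted MD5 hashes of the kind described, cracks them with a toy wordlist by computing one MD5 per candidate word, and contrasts that with per-user salted PBKDF2-HMAC-SHA256 records (the “salted hash and SHA2” approach the company says it uses), where the same wordlist has to be pushed through a slow function once per user. The user names, passwords, wordlist and iteration count are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data standing in for the exposed records described above.
# These are NOT real Blind records: the users, passwords and hashes are made up.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password123").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"letmein").hexdigest(),  # same password as bob
    "dave@example.com": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# A tiny constructed wordlist; real attacks use lists with billions of entries.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty", "welcome1"]


def crack_unsalted_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5 hashes.

    Without a salt, one MD5 per candidate word cracks every user at once via a
    lookup table keyed by hash, and users who chose the same password share a
    hash, which is visible even before anything is cracked.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


# The kind of scheme the company says it actually uses: a per-user salt plus a
# deliberately slow hash. PBKDF2-HMAC-SHA256 is used here because it is in the
# standard library; the iteration count is an assumption for illustration.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a storable record: random 16-byte salt, iteration count, digest."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def crack_salted(records, wordlist):
    """The same dictionary attack against salted PBKDF2 records.

    No shared lookup table is possible: each (user, word) pair costs a full
    PBKDF2 run, so the work is len(records) * len(wordlist) slow hashes instead
    of len(wordlist) fast ones.
    """
    found = {}
    for user, record in records.items():
        for word in wordlist:
            if verify_password(word, record):
                found[user] = word
                break
    return found


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    salted = {
        "bob@example.com": hash_password("letmein"),
        "carol@example.com": hash_password("letmein"),
    }
    print("same password, different hashes:",
          salted["bob@example.com"]["hash"] != salted["carol@example.com"]["hash"])
    print("salted PBKDF2 cracked (slowly):", crack_salted(salted, WORDLIST))
```

Note what the unsalted case gives away before any cracking: bob and carol share a hash, so they share a password. PBKDF2 is used above only because it ships with Python; for a new design prefer a memory-hard function such as scrypt (also in hashlib) or Argon2.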
Tomi Engdahl says:
Pranav Dixit / BuzzFeed News:
Indian government downplays its order that seemingly authorizes ten government agencies to monitor, intercept, and decrypt data on all computers in the country — India’s Ministry of Home Affairs, a federal government authority that controls the country’s internal security …
India’s Government Denies Telling Federal Agencies They Can Snoop On Every Computer, Despite An Order That Seemingly Says They Can
“Welcome to 1984.”
https://www.buzzfeednews.com/article/pranavdixit/india-home-ministry-surveillance-computers-ten-agencies
An uproar broke out in India’s parliament on Friday after the Ministry of Home Affairs, a federal government authority that controls the country’s internal security, seemingly authorized 10 government agencies — including federal intelligence and law enforcement agencies — to monitor, intercept, and decrypt all data on all computers in the country.
The governmental order detailing the powers immediately drew strong criticism from both India’s privacy activists and its opposition parties, who said it enabled blanket state surveillance and violated the fundamental right to privacy that India’s 1.3 billion citizens are constitutionally guaranteed.
India’s Information Security Act has allowed agencies to invoke surveillance measures in the interest of national security since 2008.
“George Orwell’s Big Brother is here,” tweeted Asaduddin Owaisi.
Tomi Engdahl says:
Slack
An Apology and an Update
https://slackhq.com/an-apology-and-an-update
Two days ago, we updated our system for applying location information to comply with U.S. trade embargoes and economic sanctions regulations.
Soon after updating, we discovered that we made a series of mistakes and inadvertently deactivated a number of accounts that we shouldn’t have.
Tomi Engdahl says:
WhatsApp has an encrypted child porn problem
Facebook fails to provide enough moderators
https://techcrunch.com/2018/12/20/whatsapp-pornography/
WhatsApp chat groups are being used to spread illegal child pornography, cloaked by the app’s end-to-end encryption. Without the necessary number of human moderators, the disturbing content is slipping by WhatsApp’s automated systems.
Tomi Engdahl says:
Facebook has a plan to track you offline
https://www.slashgear.com/facebook-has-an-idea-to-track-you-offline-17558170/
This week a plan for a future Facebook app feature was revealed in a patent for “Offline Trajectories” by the USPTO. In this patent, Facebook detailed a method for determining the current location of an individual – even when their phone is turned off and/or their GPS is deactivated. How might Facebook achieve this, you might scream? They’ll just use all the information you’ve already given them, jam it all in a computer with Machine Learning, and spit out the most likely location – it’s easy, really!
We can go right on ahead and file the fact that this exists under our “We’re Being Tracked” file. Yes, Uncle Jimmy, you are being tracked, just like you always thought you were – but not by the government. You’re being tracked by the companies you use to share and communicate with friends and family.
Facebook has filed patents to predict our future locations
https://nakedsecurity.sophos.com/2018/12/14/facebook-has-filed-patents-to-predict-our-future-locations/
Facebook filed a patent, titled “Offline Trajectories,” last week in which it proposes predicting users’ “location trajectories” – in other words, where we’re likely headed. Knowing when we’re about to hurtle into a no-WiFi-connection limbo means Facebook can “prefill” our phones with content and ads.
It knows enough to know a lot more
Tomi Engdahl says:
Nest camera hacker threatens to kidnap baby, spooks parents
https://www.nbcnews.com/news/us-news/nest-camera-hacker-threatens-kidnap-baby-spooks-parents-n949251
“I’m in your baby’s room,” the hacker said. But the baby was alone and safe.
Tomi Engdahl says:
Windows monthly security and quality updates overview
https://blogs.windows.com/windowsexperience/2018/12/10/windows-monthly-security-and-quality-updates-overview/#oPBQldAsvyWhLkKB.97
Tomi Engdahl says:
Electric Vehicle Charging Stations Open to IoT Attacks
https://threatpost.com/electric-vehicle-charging-stations/139958/
Flaws could allow an attacker to stop or start a home charging station, or even change the current in order to start a fire.
Given that creating proof-of-concept (PoC) cyberattacks for the Internet of Things (IoT) is essentially like shooting fish in a barrel these days, perhaps it’s not exactly surprising that a new niche category has proven to present a fresh attack surface: electric vehicle (EV) charging stations.
The danger is physical in this case: Research demonstrates that a savvy attacker could hack into the station and prevent a car from charging – or, in a much worse scenario, could even start a fire.
Tomi Engdahl says:
A foul-mouthed parrot uses Amazon’s Alexa to order things when his owner is away
https://kfoxtv.com/news/offbeat/a-foul-mouthed-parrot-uses-amazons-alexa-to-order-things-when-his-owner-is-away-12-17-2018
A parrot that was kicked out of an animal sanctuary for swearing too much is in trouble again, but this time, for a different reason.
He enjoys chatting with Alexa on his owner’s Amazon Echo so much so that he keeps using it to order things.
According to the Sun, Rocco has ordered strawberries, watermelon, raisins, broccoli and ice cream, as well as a kite, kettle and light bulbs.
Tomi Engdahl says:
Mathematicians Seal Back Door to Breaking RSA Encryption
https://www.quantamagazine.org/mathematicians-seal-back-door-to-breaking-rsa-encryption-20181217/
Digital security depends on the difficulty of factoring large numbers. A new proof shows why one method for breaking digital encryption won’t work.
Does this mean RSA encryption is in trouble? Actually, no. The reason for this has to do with the new proof about polynomials. The mathematicians Emmanuel Breuillard and Péter Varjú of the University of Cambridge proved that as polynomials with only 0 and 1 as coefficients get longer, they’re less and less likely to be factorable at all. And if a polynomial can’t be factored, it can’t be used to identify the prime factors of the number it’s based on.
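The “one method for breaking digital encryption” referred to above works like this: write N in binary and read the bits as the coefficients of a 0/1 polynomial f with f(2) = N; if f factors over the integers as g · h, then N = g(2) · h(2) is a factorization of N. The example below is added here and is not from the Quanta article or from the Breuillard–Varjú paper. It implements that reduction with a brute-force search for small divisors whose coefficients lie in {-1, 0, 1} (a partial search, which is enough to see the idea and its limits) and ends with a crude random sampling of how often the search finds any factor. The sample numbers are constructed.

```python
import itertools
import random

# Polynomials are lists of integer coefficients, lowest degree first:
# [1, 0, 0, 0, 1, 1] is 1 + x^4 + x^5.


def int_to_poly(n):
    """Binary digits of n as a 0/1 polynomial f with f(2) == n."""
    return [int(b) for b in reversed(bin(n)[2:])]


def poly_eval(p, x):
    return sum(c * x ** i for i, c in enumerate(p))


def poly_divmod(num, den):
    """Long division of integer polynomials.

    den must have leading coefficient +1 or -1 so the quotient stays integral.
    Returns (quotient, remainder) with the remainder trimmed of leading zeros.
    """
    num = list(num)
    lead, dd = den[-1], len(den) - 1
    assert abs(lead) == 1
    if len(num) - 1 < dd:
        return [], num
    quot = [0] * (len(num) - dd)
    for i in range(len(num) - 1, dd - 1, -1):
        c = num[i] * lead          # num[i] / lead, since lead is +/-1
        if c:
            quot[i - dd] = c
            for j in range(dd + 1):
                num[i - dd + j] -= c * den[j]
    rem = num[:dd]
    while rem and rem[-1] == 0:
        rem.pop()
    return quot, rem


def find_factor(p, max_deg):
    """Search for a divisor of p of degree 1..max_deg with coefficients in
    {-1, 0, 1} and leading coefficient 1.

    This is a partial search: it finds factors such as x^2 + x + 1 or
    x^3 - x + 1 but misses factors with larger coefficients, so None means
    "no small factor found", not "irreducible". Returns (factor, cofactor).
    """
    for deg in range(1, max_deg + 1):
        for tail in itertools.product((-1, 0, 1), repeat=deg):
            if tail[0] == 0 and p[0] != 0:   # a factor's constant term must divide p's
                continue
            cand = list(tail) + [1]
            quot, rem = poly_divmod(p, cand)
            if not rem:
                return cand, quot
    return None


def factor_via_polynomial(n, max_deg=None):
    """Try to split n by factoring its binary polynomial over the integers.
    Returns (a, b) with a * b == n, or None if the search finds nothing."""
    p = int_to_poly(n)
    if max_deg is None:
        max_deg = (len(p) - 1) // 2
    hit = find_factor(p, max_deg)
    if hit is None:
        return None
    g, h = hit
    return poly_eval(g, 2), poly_eval(h, 2)


def fraction_without_small_factor(degree, trials, seed=0):
    """Crude look at the claim above: sample random 0/1 polynomials of the given
    degree (constant term 1, i.e. odd n) and report the fraction for which the
    search finds no factor. A sanity check, not a proof."""
    rng = random.Random(seed)
    misses = 0
    for _ in range(trials):
        p = [1] + [rng.randint(0, 1) for _ in range(degree - 1)] + [1]
        if find_factor(p, degree // 2) is None:
            misses += 1
    return misses / trials


if __name__ == "__main__":
    for n in (15, 27, 49, 25, 37):
        print(n, bin(n), "->", factor_via_polynomial(n))
    for d in (6, 9, 12):
        print("degree", d, "fraction without a small factor:",
              fraction_without_small_factor(d, 40))
```

49 = 110001 in binary becomes x^5 + x^4 + 1 = (x^2 + x + 1)(x^3 - x + 1), which evaluates to 7 · 7; note that the cofactor has a negative coefficient, so a factor of a 0/1 polynomial need not itself be 0/1. 25 = 11001 in binary becomes x^4 + x^3 + 1, which is irreducible, so the method says nothing about 25 even though it is composite. That gap, which the new proof says becomes the norm as the polynomials get longer, is why RSA is not threatened.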
Tomi Engdahl says:
Huawei Router Flaw Leaks Default Credential Status
https://threatpost.com/huawei-router-default-credential/140234/
It makes it simple for attackers to find devices to take over and add to botnets.
A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not – without ever connecting to them.
CVE-2018-7900 exists in the router panel and allows credential information to leak, so attackers can simply perform a ZoomEye or Shodan IoT search to find a list of the devices that have default passwords, with no need for brute-forcing or running the risk of running into a generic honeypot.
Tomi Engdahl says:
Using Facebook’s latest privacy stumble, lawmakers push for strong FTC oversight
https://techcrunch.com/2018/12/19/facebook-privacy-ftc-wyden-schatz-klobuchar/?sr_share=facebook&utm_source=tcfbpage
Lawmakers are again unhappy with Facebook after the latest big story again portraying Facebook’s failure to protect the private data of its users.
Yesterday, the New York Times reported that the company had special relationships with a handful of major tech companies, including Amazon, Microsoft and Spotify.
Tomi Engdahl says:
Gift Guide: The best security and privacy tech to keep your friends safe
https://techcrunch.com/2018/11/09/gift-guide-best-security-privacy-tech/?utm_source=tcfbpage&sr_share=facebook
Tomi Engdahl says:
Phone repair shop employees accused of stealing nude photos
https://nakedsecurity.sophos.com/2018/12/20/phone-repair-shop-employees-accused-of-stealing-nude-photos/
Ever broken your phone screen? Had your computer fritz? Ever taken a device to a repair shop? Ever been asked for your password when you hand it over? Ever wonder whether the shop workers lift the lid to rifle through your little treasure chest of personal data?
Tomi Engdahl says:
Amazon’s Creepy Facial Recognition Doorbell Will Surveil Entire Neighborhood From People’s Front Doors
https://www.zerohedge.com/news/2018-12-21/amazons-creepy-facial-recognition-doorbell-will-surveil-entire-neighborhood-peoples?fbclid=IwAR2xybuq6ENf5NhbUVsPCrokDkjOArnW3IteTue5e3OfpPyky-gB53Isw88
At first glance of Amazon’s new patent application, one would be tempted to think it no more than a built-in “smart” security system.
But no, this facial recognition surveillance doorbell does a lot more than record would-be thieves.
Amazon is dreaming of a dangerous future, with its technology at the center of a massive decentralized surveillance network, running real-time facial recognition on members of the public using cameras installed in people’s doorbells. –Jacob Snow, ACLU
Tomi Engdahl says:
Chrome OS to block USB access while the screen is locked
https://www.zdnet.com/article/chrome-os-to-block-usb-access-while-the-screen-is-locked/#ftag=RSSbaffb68
Google takes steps to protect Chromebooks from some types of physical access attacks.
Tomi Engdahl says:
Chinese websites have been under attack for a week via a new PHP framework bug
https://www.zdnet.com/article/chinese-websites-have-been-under-attack-for-a-week-via-a-new-php-framework-bug/
PoC for ThinkPHP security flaw sparks furious scans for vulnerable sites, most of which are based in China.
The attacks have targeted websites built with ThinkPHP, a Chinese-made PHP framework that is very popular among the local web development scene.
All attacks started after Chinese cyber-security firm VulnSpy posted a proof-of-concept exploit for ThinkPHP on ExploitDB, a website popular for hosting free exploit code.
ATTACKS STARTED WITHIN A DAY
“The PoC was published on December 11, and we saw internet-wide scans less than 24 hours later,” Troy Mursch, co-founder of Bad Packets LLC told ZDNet today.
Four other security firms (F5 Labs, GreyNoise, NewSky Security and Trend Micro) have also reported similar scans.
Tomi Engdahl says:
UK police release airport drone suspects and admit there may not have been any drones after all
https://techcrunch.com/2018/12/24/uk-police-release-airport-drone-suspects/?utm_source=tcfbpage&sr_share=facebook
Less than a week after mystery drones grounded flights at the U.K’s second largest airport, wreaking havoc on as many as 140,000 people’s travel plans for the Christmas period, police have admitted that there may in fact not have been any drones at all.
“always a possibility that there may not have been any genuine drone activity in the first place.”
Indeed, the police are reliant on eyewitness accounts — 67 of them.
It remains unclear exactly what did take place.
Tomi Engdahl says:
APPLE ADMITS GIVING GOVERNMENTS ACCESS TO THOUSANDS OF IPHONES AND OTHER DEVICES
https://www.independent.co.uk/life-style/gadgets-and-tech/news/apple-iphone-ipad-government-data-privacy-transparency-report-2018-a8697761.html
Apple approved more than 25,000 government requests to access customer data in the first half of 2018, according to its own figures.
Tomi Engdahl says:
German cybersecurity chief: Anyone have any evidence of Huawei naughtiness?
https://www.theregister.co.uk/2018/12/18/german_cybersecurity_chief_show_me_the_huawei_evidence/
We won’t be having a word with local firms until then
Germany’s top cybersecurity official has said he hasn’t seen any evidence for the espionage allegations against Huawei.
Tomi Engdahl says:
DNA, genetic genealogy made 2018 the year of the cold case: ‘Biggest crime-fighting breakthrough in decades’
https://www.foxnews.com/us/dna-genetic-genealogy-made-2018-the-year-old-the-cold-case-biggest-crime-fighting-breakthrough-in-decades
Law enforcement’s new partnership with genetic genealogy made 2018 a year of profound impact in how years-old cold case murders and rapes are investigated and solved.
Detectives across the country said they were able to locate suspects in 28 cold cases this year after uploading crime scene DNA to GEDmatch.com, a public genealogy website, obtaining a match and then letting a genealogist create family trees through painstaking research that ultimately led to a suspect.
Tomi Engdahl says:
Two-factor authentication can save you from hackers
https://techcrunch.com/2018/12/25/cybersecurity-101-guide-two-factor/?utm_source=tcfbpage&sr_share=facebook
If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts.
In all, it usually only adds a few extra seconds to your day.
Tomi Engdahl says:
Disable SSID Broadcast to Hide Your Wi-Fi Network
https://www.lifewire.com/disabling-ssid-broadcast-on-wireless-routers-816569
Does turning off SSID Broadcast improve your home network security?
Most broadband routers and other wireless access points (APs) automatically transmit their network name (SSID) into the open air every few seconds. You can choose to disable this feature on your Wi-Fi network but before you do, be aware of the pros and cons.
While it’s technically a better decision to keep your SSID hidden away, it’s not a fool-proof security measure. A hacker with the right tools and enough time can sniff out the traffic coming from your network, find the SSID and continue on their hacking way.
Should You Disable SSID Broadcast On Your Home Network?
Home networks don’t require the use of a visible SSID unless it’s using multiple access points that devices are roaming between.
If your network uses a single router, deciding whether to turn off this feature boils down to a trade-off between the potential security benefits and a loss of convenience in setting up new home network clients.
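Hiding the SSID only blanks the SSID element in the access point’s beacons. Clients that already know the network still send probe requests for it by name, and the access point answers with probe responses that carry the name in the clear, so anyone capturing management frames recovers it. The following is an added example, not from the Lifewire article: a minimal parser for the SSID element of 802.11 management frames, run over a handful of constructed frames (a hidden-SSID beacon, a client probe request, the AP’s probe response and an unrelated data frame). The MAC addresses and the network name are made up.

```python
import struct

# 802.11 management frame subtypes (frame control type 0).
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
SUBTYPE_NAMES = {SUBTYPE_PROBE_REQ: "probe-request",
                 SUBTYPE_PROBE_RESP: "probe-response",
                 SUBTYPE_BEACON: "beacon"}
# Beacons and probe responses carry 12 bytes of fixed parameters (timestamp,
# beacon interval, capabilities) before the tagged elements; probe requests
# start with the elements directly.
FIXED_PARAMS_LEN = {SUBTYPE_BEACON: 12, SUBTYPE_PROBE_RESP: 12, SUBTYPE_PROBE_REQ: 0}
HDR_LEN = 24          # frame control, duration, addr1, addr2, addr3, sequence control
SSID_ELEMENT_ID = 0


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ssid(frame):
    """Return (subtype name, transmitter MAC, ssid) for a beacon or probe frame,
    or None for anything else. ssid is '' for a hidden or wildcard SSID."""
    if len(frame) < HDR_LEN:
        return None
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 0 or subtype not in FIXED_PARAMS_LEN:
        return None
    transmitter = mac_str(frame[10:16])          # addr2 is the transmitter
    body = frame[HDR_LEN + FIXED_PARAMS_LEN[subtype]:]
    i = 0
    while i + 2 <= len(body):                    # walk the tag/length/value elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if tag == SSID_ELEMENT_ID:
            # Hidden networks send a zero-length SSID or one padded with NULs.
            ssid = value.rstrip(b"\x00").decode("utf-8", "replace")
            return SUBTYPE_NAMES[subtype], transmitter, ssid
        i += 2 + length
    return None


def recover_hidden_ssids(frames):
    """Correlate a capture: APs that beacon an empty SSID, the names their own
    probe responses leak, and the names clients probe for explicitly."""
    hidden, learned, probed = set(), {}, set()
    for frame in frames:
        parsed = parse_ssid(frame)
        if parsed is None:
            continue
        kind, mac, ssid = parsed
        if kind == "beacon" and ssid == "":
            hidden.add(mac)
        elif kind == "probe-response" and ssid:
            learned[mac] = ssid
        elif kind == "probe-request" and ssid:
            probed.add(ssid)
    return {mac: learned.get(mac) for mac in hidden}, probed


# --- constructed frames for the demo (not a real capture) ---------------------

def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_mgmt_frame(subtype, src, dst, ssid):
    """Minimal management frame carrying only an SSID element (addr3 set to src)."""
    header = struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0,
                         _mac_bytes(dst), _mac_bytes(src), _mac_bytes(src), 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0411) if FIXED_PARAMS_LEN[subtype] else b""
    ssid_bytes = ssid.encode()
    return header + fixed + bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes


AP, CLIENT, BROADCAST = "02:00:00:00:00:01", "02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff"
SAMPLE_CAPTURE = [
    build_mgmt_frame(SUBTYPE_BEACON, AP, BROADCAST, ""),                # hidden-SSID beacon
    build_mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT, BROADCAST, "HomeNet"),  # client asks by name
    build_mgmt_frame(SUBTYPE_PROBE_RESP, AP, CLIENT, "HomeNet"),        # AP answers in the clear
    bytes([0x08, 0x00]) + bytes(22) + b"payload",                       # a data frame, ignored
]

if __name__ == "__main__":
    print(recover_hidden_ssids(SAMPLE_CAPTURE))
```

On a real capture you would feed parse_ssid the frame bytes from a monitor-mode interface (after stripping any radiotap header); the example avoids a capture library so that it runs offline.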
Tomi Engdahl says:
How to protect your cell phone number and why you should care
https://techcrunch.com/2018/12/25/cybersecurity-101-guide-protect-phone-number/?utm_source=tcfbpage&sr_share=facebook
Assuming you have your strong passwords in place and your two-factor authentication set up, you think your accounts are now safe? Think again. There’s much more to be done.
You might think your Social Security or bank account numbers are the most sensitive digits in your life. Nowadays, hackers can do far more damage with little effort using just your cell phone number. But unlike your Social Security number, you’re far less likely to keep your cell phone number a secret — otherwise nobody can contact you!
Whether you’re an AT&T, Verizon, Sprint or T-Mobile customer, every cell phone number can be a target for hackers. And it takes remarkably little effort to wreak havoc on your online life.
Tomi Engdahl says:
Ooops, Did We Just Close An Airport Over A UFO Sighting?
https://hackaday.com/2018/12/26/ooops-did-we-just-close-an-airport-over-a-ufo-sighting/
An airport worker at Gatwick — London’s second international airport — sees something fly past in the gloom above the floodlights. The weather and darkness make it difficult to see what the object was, but the report is phoned in to security. What was it?
Thousands of people across the site are put on alert, watching for the drone. And of course, the drone reports roll in, and the story takes on a life of its own. People who have no idea what a drone looks like in the air are now expecting to see one.
There follows three days of airport closure drama. No photos emerge despite almost every one of the many thousands of people on the site having a camera phone from which they are Tweeting about the queues in the terminal. There is a grainy video, but it is indistinct, and crucially it doesn’t have anything in it that is identifiable as Gatwick. Meanwhile the police are frustrated in their search for the drone operators, who, like their drone, prove difficult to pinpoint.
You might imagine that this was the fictional plot of a thriller novel, but sadly not. All of the above is a tale of the last few days of events in the British news
There are reports of drone wreckage, but since readers with long memories will recall UK police once identified RepRap parts as a 3D printed gun we’ll wait until we see it before we call it that.
When a Drone Report Comes In, We Need a Reliable Way to Evaluate It
Competent Police Investigations and Responsible Journalism on Drone Reports
Once an incident has started and news of it emerges there is a consequent effect upon members of our community. Legitimate drone fliers away from the airport will find themselves under more scrutiny.
Gatwick shutdown: Is this the drone that caused the chaos?
https://www.bbc.com/news/av/uk-46646741/gatwick-shutdown-is-this-the-drone-that-caused-the-chaos
Gatwick airport, the UK’s second busiest airport, is still experiencing delays and cancellations after a drone appeared in airspace on Thursday.
Tomi Engdahl says:
Raymond Zhong / New York Times:
As Huawei comes under government scrutiny worldwide, a look at the company’s aggressive culture that encouraged employees to bend the rules, up to a point — SHENZHEN, China — Earthquakes, terrorist attacks and low oxygen levels on Mount Everest could not hold them back.
Huawei’s ‘Wolf Culture’ Helped It Grow, and Got It Into Trouble
https://www.nytimes.com/2018/12/18/technology/huawei-workers-iran-sanctions.html
As the Chinese tech giant Huawei expanded around the globe, supplying equipment to bring mobile phone and data service to the planet’s farthest reaches, its employees were urged on by a culture that celebrated daring feats in pursuit of new business.
They worked grueling hours. They were encouraged to bend certain company rules, as long as doing so enriched the company and not employees personally.
Employees at the company and people who have studied it have a name for its hard-charging corporate spirit: “wolf culture.”
Now, the company’s aggressive ways have been cast in a new light. The United States has accused Meng Wanzhou, a top Huawei executive and daughter of its founder, of committing bank fraud to help the company’s business in Iran.
It is not clear precisely how Huawei’s culture shaped its dealings in Iran.
Huawei workers have been accused of bribing government officials to win business in Africa, copying an American competitor’s source code and even stealing the fingertip of a robot in a T-Mobile lab in Bellevue, Wash. In 2015
Mr. Ren said in 2015 that Huawei had toughened its safeguards against employee misconduct. But the following year, in a speech that was emailed to employees, he acknowledged that many workers did not pay attention to internal rules and controls.
Mr. Ren said that it was important to enforce internal standards, but that this should not become a hindrance.
“If it blocks the business from producing grain, then we all starve to death,” he said, according to a transcript of his comments on a Huawei website.
Ms. Meng’s arrest this month has darkened China’s relations with the United States.
Security concerns about Huawei and other Chinese equipment providers are mounting among traditional allies of the United States.
At the annual meeting of spy chiefs of the so-called Five Eyes countries, Huawei was among the topics discussed by senior intelligence officers from Britain, Australia, New Zealand, Canada and the United States.
The pressure on the business is building. In Germany last week, Deutsche Telekom said it was taking seriously the “global discussion about the security of network elements from Chinese manufacturers.” On Monday, the Czech intelligence agency warned against the country working with Huawei and ZTE, another Chinese technology company.
Abrar Al-Heeti / CNET:
Despite challenges in penetrating the US market, Huawei says it has shipped over 200M smartphones in 2018 globally, up from last year’s 153M units
Huawei exceeds 200 million smartphone shipments, setting company record
https://www.cnet.com/news/huawei-exceeds-200-million-smartphone-shipments-setting-company-record/
It credits the success of its P20 and Honor 10 phones, among others.
Tomi Engdahl says:
18 Months Later, WannaCry Still Lurks on Infected Computers
https://www.bleepingcomputer.com/news/security/18-months-later-wannacry-still-lurks-on-infected-computers/
Eighteen months after the initial outbreak of the WannaCry Ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers.
https://www.bleepingcomputer.com/news/security/wannacry-wana-decryptor-wanacrypt0r-info-and-technical-nose-dive/
When the WannaCry infection was first unleashed, security researcher Marcus Hutchins of Kryptos Logic registered a domain that acted as a kill switch for the ransomware component of the infection. If the infection was able to connect to this kill switch domain, the ransomware component would not activate. The infection, though, would continue to run silently in the background, while routinely connecting to the kill switch domain to check if it was still live.
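The polling behaviour described above (a dormant infection repeatedly resolving the kill-switch domain) is also a detection signal: a host that keeps asking your resolver for that name is very likely still infected even though it never encrypted anything. The following is an added example, not code from BleepingComputer or Kryptos Logic: it parses a constructed, simplified BIND-style query log and reports hosts with repeated lookups of a configured domain, together with the mean interval between them. The domain name is a placeholder (the real kill-switch domain is not reproduced here) and the log lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder for the kill-switch domain (the real name is not reproduced here);
# point this at the sinkholed domain(s) you care about.
KILL_SWITCH_DOMAINS = {"killswitch-sinkhole.example"}

# Constructed, simplified BIND-style query log line:
# <date> <time> client <ip>#<port>: query: <name> IN <type> ...
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Yield (timestamp, client ip, normalised queried name) for matching lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["ip"], m["name"].rstrip(".").lower()


def find_dormant_infections(lines, domains=KILL_SWITCH_DOMAINS, min_queries=3):
    """Hosts that repeatedly resolve a kill-switch domain.

    A single lookup could be a researcher or a browser; repeated lookups from
    the same host are the dormant infection polling to see whether the kill
    switch is still alive, the behaviour described above.
    Returns {ip: {"count", "first", "last", "mean_interval_s"}}.
    """
    per_host = defaultdict(list)
    for ts, ip, name in parse_query_log(lines):
        if name in domains:
            per_host[ip].append(ts)
    report = {}
    for ip, stamps in per_host.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[ip] = {
            "count": len(stamps),
            "first": stamps[0].isoformat(),
            "last": stamps[-1].isoformat(),
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else None,
        }
    return report


# Constructed sample log (not a real capture); 10.0.0.5 polls every 30 minutes.
SAMPLE_LOG = """\
20-Dec-2018 09:00:00.101 client 10.0.0.5#51234: query: killswitch-sinkhole.example IN A + (10.0.0.1)
20-Dec-2018 09:00:02.300 client 10.0.0.7#41000: query: www.example.com IN A + (10.0.0.1)
20-Dec-2018 09:30:00.220 client 10.0.0.5#51240: query: killswitch-sinkhole.example IN A + (10.0.0.1)
20-Dec-2018 09:45:10.000 client 10.0.0.9#44444: query: killswitch-sinkhole.example IN A + (10.0.0.1)
20-Dec-2018 10:00:00.050 client 10.0.0.5#51251: query: KILLSWITCH-SINKHOLE.EXAMPLE. IN A + (10.0.0.1)
this line is not a query log entry
""".splitlines()

if __name__ == "__main__":
    for ip, info in find_dormant_infections(SAMPLE_LOG).items():
        print(ip, info)
```

One lookup is weak evidence, since researchers, crawlers and curious browsers also resolve the name; the count threshold and the interval are what separate a beaconing host from noise, so tune min_queries to your log retention window.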
Tomi Engdahl says:
Two Android apps used in combat by US troops contained severe vulnerabilities
https://www.zdnet.com/article/two-android-apps-used-in-combat-by-us-troops-contained-severe-vulnerabilities/
Apps were meant for training, never approved for combat. Whistleblower’s efforts helped shed light on vulnerabilities, despite leadership reprisals.
US military troops used two Android apps that contained severe vulnerabilities in live combat scenarios, a Navy Inspector General report revealed today.
The two apps are named KILSWITCH (Kinetic Integrated Low-Cost Software Integrated Tactical Combat Handheld) and APASS (Android Precision Assault Strike Suite).
Both apps work by showing satellite imagery of surroundings, including objectives, mission goals, nearby enemy and friendly forces.
The two apps work as a modern-day replacement for radios and paper maps and allow troops to use a real-time messaging client to coordinate with other military branches, and even call in air-strike support with a few simple screen taps, according to a DARPA press release and accompanying YouTube video.
Both apps contained vulnerabilities that could have allowed enemy forces access to troops’ information.
The report says that the two apps, KILSWITCH and APASS, were never meant or approved to be deployed in live combat zones.
“Cybersecurity was not a concern for the [apps'] developers,” the report said, because developers initially expected the apps to be used for troop training and military exercises primarily.
But the two apps, because of their flashy features and easier-to-use interface, became wildly popular not only among US troops but also among other military branches, including foreign allied forces.
Tomi Engdahl says:
Idaho Lab Protects US Infrastructure From Cyber Attacks
https://www.securityweek.com/idaho-lab-protects-us-infrastructure-cyber-attacks
It’s called the “Dark Side” because the 50 workers there prefer to keep the lights low so they can dim the brightness on their computer screens.
Or maybe it’s because of what they do in cyber research and development.
Questions about exactly what goes on at the heart of one of the United States’ primary cybersecurity facilities at the Idaho National Laboratory aren’t always answered, and photos by outsiders aren’t allowed.
Tomi Engdahl says:
Android 9 Brings Significant Security Advancements, Google Says
https://www.securityweek.com/android-9-brings-significant-security-advancements-google-says
The latest Android iteration brings along a great deal of security improvements, including better encryption and authentication, Google says.
Tomi Engdahl says:
BevMo Warns of Customer Credit Card Data Breach
https://www.securityweek.com/bevmo-warns-customer-credit-card-data-breach
BevMo is warning that a data breach may have allowed a hacker to steal credit card numbers and other information from more than 14,000 customers who used the alcohol-seller’s website.
Tomi Engdahl says:
OVERRULED: Containing a Potentially Destructive Adversary
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. Public reporting indicates this activity may be related to recent destructive attacks.
Tomi Engdahl says:
New Tech Support Scam Causes Chrome Browser to Use 100% of the CPU
https://www.bleepingcomputer.com/news/security/new-tech-support-scam-causes-chrome-browser-to-use-100-percent-of-the-cpu/
A new tech support scam has been discovered that uses JavaScript to create a loop that ultimately causes Google Chrome to use up all of the CPU resources on the computer and freeze the browser.
This new tech support scam variant was reported in a Google Chrome bug report that states that once a user visits the page, the CPU utilization quickly goes to 100%. This makes it impossible to close the tab, the browser, or properly use the computer until the Chrome process is killed.
When visiting the listed URL, you are brought to a tech support scam page that has the title “Important Information”. This page pretends to be a Windows error titled “Internet Security Alert! Code: 055BCCAC9FEC” and states that your computer has been infected and that you should call the listed support number for help.
This high CPU utilization will ultimately cause the browser to freeze and your computer to become barely usable. At this point, the only way to close the browser will be to close the offending Chrome.exe process using a tool like the Windows Task Manager.
Tomi Engdahl says:
APT10 Indictments Show Expansion of MSP Targeting, Cloud Hopper Campaign
https://www.darkreading.com/threat-intelligence/apt10-indictments-show-shift-to-msp-targets/d/d-id/1333539
US brings more indictments against the APT10 cyber espionage group operating in China for its Operation Cloud Hopper campaign against managed service providers, but what will those indictments accomplish?
Security experts wonder, however, what impact the indictments will really make.
Tomi Engdahl says:
126 Arrests: The Emergence of India’s Cyber Crime Detectives Fighting Call Center Scams
http://garwarner.blogspot.com/2018/12/126-arrests-emergence-of-indias-cyber.html
The scammers had rented four floors of a building being operated by two scammers from Gurgaon, Narendra Pahuja and Jimmy Ashija. Their boss, who was not named by the police, allegedly operates at least five call centers. In the raid this week, 126 employees were arrested and police seized 312 workstations, as well as Rs 20 lakh in cash (about $28,500 USD).
Tomi Engdahl says:
Phishing Attempts That Bypass 2FA
https://isc.sans.edu/diary/Phishing+Attempts+That+Bypass+2FA/24446
In today’s world, we all try to do as much as we can to be secure while online. Most have learned the signs to try to spot phishing attempts: misspelled words, broken English, urgent requests etc. We even implement 2FA to help prove that someone is who they say they are when they are authenticating to a site. As we try to up our security game, the bad guys up their tactics too. Amnesty.org shared an interesting write up about phishing attacks that are bypassing 2FA.
https://www.amnesty.org/en/latest/research/2018/12/when-best-practice-is-not-good-enough/
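The attacks in the Amnesty write-up work by relaying: the phishing site passes the victim’s password and one-time code to the real site in real time, and nothing in an OTP ties it to the site where it was typed. The following is an added example that goes beyond the diary entry. It simulates both halves of that relay against a toy site, first with RFC 4226 HOTP (the relay succeeds) and then with a WebAuthn-style assertion (the relay fails, because the victim’s browser writes the page origin into the signed client data and the relying party checks it against its own origin and rpIdHash). This is not code from SANS or Amnesty. The domains and user are constructed, the HOTP secret is the RFC 4226 test-vector key, and an HMAC with a shared key stands in for the authenticator’s ECDSA signature, which does not affect the origin-binding point.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

LEGIT_ORIGIN, LEGIT_RPID = "https://legit.example", "legit.example"
PHISH_ORIGIN = "https://legit-example-login.example"  # constructed lookalike domain


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class RelyingParty:
    """The real site: OTP secrets and counters, and WebAuthn credential keys."""
    def __init__(self):
        self.otp, self.webauthn = {}, {}

    def login_with_otp(self, user, password, code):
        u = self.otp.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return False
        for c in range(u["counter"], u["counter"] + 3):  # small look-ahead window
            if hmac.compare_digest(hotp(u["secret"], c), code):
                u["counter"] = c + 1
                return True
        return False

    def login_with_webauthn(self, user, challenge, assertion):
        """Returns (ok, reason). The origin and rpIdHash checks are what defeat a
        relay: the victim's browser fills them in and the proxy cannot change them."""
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("challenge") != challenge:
            return False, "challenge"
        if cd.get("origin") != LEGIT_ORIGIN:
            return False, "origin"
        ad = assertion["authenticatorData"]
        if ad[:32] != hashlib.sha256(LEGIT_RPID.encode()).digest():
            return False, "rpIdHash"
        signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.webauthn[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "signature"
        return True, "ok"


class Authenticator:
    """Browser plus security key. An HMAC with a shared key stands in for the
    ECDSA signature of real WebAuthn, where the RP holds only the public key."""
    def __init__(self):
        self.keys = {}

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]

    def get_assertion(self, origin, rp_id, challenge, enforce_browser_rule=True):
        host = urlparse(origin).hostname
        if enforce_browser_rule and not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError("browser refuses: rpId is not a suffix of the page origin")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        # authenticatorData = rpIdHash (32) | flags (user-present bit) | sign counter (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.keys[rp_id], to_sign, hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def otp_relay_scenario():
    """Victim types password and OTP into the phishing page; the proxy forwards
    both to the real site before the code expires. Returns the proxy's login result."""
    rp, secret = RelyingParty(), b"12345678901234567890"
    rp.otp["victim"] = {"password": "hunter2", "secret": secret, "counter": 0}
    return rp.login_with_otp("victim", "hunter2", hotp(secret, 0))


def webauthn_relay_scenario():
    """Same proxy, but the second factor is an origin-bound WebAuthn assertion."""
    rp, auth = RelyingParty(), Authenticator()
    rp.webauthn["victim"] = auth.register(LEGIT_RPID)
    challenge = secrets.token_urlsafe(16)  # the proxy relays the real site's challenge
    try:
        auth.get_assertion(PHISH_ORIGIN, LEGIT_RPID, challenge)
        browser_refused = False
    except ValueError:
        browser_refused = True
    # Even if that rule were bypassed, the RP sees the phishing origin and refuses.
    relayed = auth.get_assertion(PHISH_ORIGIN, LEGIT_RPID, challenge, enforce_browser_rule=False)
    genuine = auth.get_assertion(LEGIT_ORIGIN, LEGIT_RPID, challenge)
    return {"browser_refused": browser_refused,
            "relayed": rp.login_with_webauthn("victim", challenge, relayed),
            "genuine": rp.login_with_webauthn("victim", challenge, genuine)}
```

The two comparisons that matter are the origin and rpIdHash checks in login_with_webauthn: a relay proxy can forward bytes but cannot make the victim’s browser claim a different origin. Push approvals and SMS codes are as relayable as HOTP.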
Tomi Engdahl says:
Mirai Malware Now Attacking as Miori, Delivered via Remote Code Execution Exploit
https://gbhackers.com/mirai-malware-attack-miori/
The most destructive IoT malware, Mirai, is now being delivered as Miori and is spreading via dangerous remote code execution exploits.
Mirai malware has a strong record of infecting poorly managed IoT devices and performing DDoS attacks on various platforms.
Tomi Engdahl says:
How 3ve’s BGP hijackers eluded the Internet—and made $29M
3ve used addresses of unsuspecting owners—like the US Air Force.
https://arstechnica.com/information-technology/2018/12/how-3ves-bgp-hijackers-eluded-the-internet-and-made-29m/
Over the past decade, many attackers have exploited design weaknesses in the Internet’s global routing system. Most commonly, the Border Gateway Protocol (BGP) is abused to divert gigabytes, or possibly even petabytes, of high-value traffic to ISPs inside Russia or China, sometimes for years at a time, so that the data can be analyzed or manipulated. Other times, attackers have used BGP hijackings more surgically to achieve specific aims, such as stealing cryptocurrency or regaining control of computers monitored in a police investigation.
Late last month came word of a new scheme. In one of the most sophisticated uses of BGP hijacking yet, criminals used the technique to generate $29 million in fraudulent ad revenue, in part by taking control of IP addresses belonging to the US Air Force and other reputable organizations.
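The defence against this class of abuse is origin validation: the legitimate holder publishes which AS may originate a prefix (a ROA), and routers drop or depreference announcements that contradict it. The following is an added example, not from Ars Technica or the 3ve report. It implements the RFC 6811 Valid / Invalid / NotFound classification over a constructed ROA table and a few constructed route announcements using documentation prefixes and ASNs, and flags the two hijack shapes that matter here: an unauthorised origin AS, and a more-specific announcement that exceeds the ROA’s maxLength. The announcement log format is made up for the example.

```python
import ipaddress

# Constructed ROA table using RFC 5737 / RFC 5398 documentation prefixes and ASNs.
# Each entry: the prefix, the longest length the holder permits, the origin AS.
ROAS = [
    {"prefix": "203.0.113.0/24", "max_length": 24, "asn": 64500},
    {"prefix": "198.51.100.0/24", "max_length": 24, "asn": 64501},
    # 192.0.2.0/24 deliberately has no ROA: held but unrouted, dormant space.
]


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation: 'Valid', 'Invalid' or 'NotFound'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa["prefix"])
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"          # nobody has asserted anything about this space
    for roa in covering:
        if roa["asn"] == origin_asn and net.prefixlen <= roa["max_length"]:
            return "Valid"
    return "Invalid"               # covered by a ROA, but origin or length disagrees


def parse_announcement(line):
    """'<time> <prefix> AS_PATH <asn> ... <asn>' -> (time, prefix, origin asn).
    The origin is the last AS in the path (constructed log format)."""
    ts, prefix, _, *path = line.split()
    return ts, prefix, int(path[-1])


def audit(lines, roas=ROAS):
    """Classify each announcement. 'Invalid' entries are the hijack candidates;
    'NotFound' entries are space for which no origin has been asserted."""
    results = []
    for line in lines:
        ts, prefix, origin = parse_announcement(line)
        results.append({"time": ts, "prefix": prefix, "origin": origin,
                        "state": validate_origin(prefix, origin, roas)})
    return results


# Constructed announcements (not real routing data).
SAMPLE_UPDATES = [
    "2018-11-27T10:00:00Z 203.0.113.0/24 AS_PATH 64496 64500",   # legitimate
    "2018-11-27T10:05:00Z 203.0.113.0/25 AS_PATH 64496 64500",   # forged origin, but longer than maxLength
    "2018-11-27T10:07:00Z 198.51.100.0/24 AS_PATH 64496 65551",  # wrong origin AS
    "2018-11-27T10:09:00Z 192.0.2.0/24 AS_PATH 64496 65551",     # no ROA at all
]

if __name__ == "__main__":
    for r in audit(SAMPLE_UPDATES):
        print(r["state"].ljust(8), r["prefix"], "from AS", r["origin"])
```

Note the last sample line: space with no ROA comes back NotFound, which routers normally accept, and that is exactly the dormant, unrouted space 3ve borrowed. Publishing ROAs for address space you hold but do not route (an AS 0 ROA says that nobody may originate it) turns such announcements into Invalid.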