This posting is here to collect cyber security news in February 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
Tomi Engdahl says:
EU orders recall of children’s smartwatch over severe privacy concerns
https://www.google.com/amp/s/www.zdnet.com/google-amp/article/eu-orders-recall-of-childrens-smartwatch-over-severe-privacy-concerns/
EU warns that ENOX Safe-KID-One smartwatches contain several security flaws that let third-parties track and call children’s watches
Tomi Engdahl says:
Programmer at Chinese Bank Jailed After Reportedly Finding a Secret Way to Withdraw $1 Million
https://gizmodo.com/programmer-at-chinese-bank-jailed-after-reportedly-find-1832326878
Tomi Engdahl says:
Russian Darknet Forum Selling Access to U.S. News Sites
https://darkwebnews.com/dark-web/russian-darknet-forum-sells-us-news-sites-access/
Tomi Engdahl says:
14 Essential Bug Bounty Programs of 2019
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/essential-bug-bounty-programs/
Tomi Engdahl says:
Google’s New Tool Alerts When You Use Compromised Credentials On Any Site
https://thehackernews.com/2019/02/google-password-checkup-breaches.html?fbclid=IwAR1CNKA-gputT2m0yjF7drGtjGJRAoNzStHjhSFS2ewPETqR9QiCeeM4Kk4&m=1
Tomi Engdahl says:
Police raids target ‘hundreds of UK web attackers’
https://www.bbc.com/news/technology-47117499
UK police have seized more than 60 computers and other gadgets suspected of being used to carry out web attacks.
Tomi Engdahl says:
Man hacks Fort Worth couple’s security camera, asks Alexa to play Justin Bieber song
https://www.star-telegram.com/news/local/community/fort-worth/article225550950.html
Tomi Engdahl says:
The Cybersecurity 202: A bank wants to recover the $81 million North Korea allegedly stole. It won’t be easy.
https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/02/05/the-cybersecurity-202-a-bank-wants-to-recover-the-81-million-north-korea-stole-it-won-t-be-easy/5c58842f1b326b66eb09860f/?noredirect=on&utm_term=.cd8df33addec
The New York Federal Reserve is assisting Bangladesh’s central bank in a lawsuit filed Thursday to claw back $81 million in funds stolen during a 2016 North Korean hacking campaign. But they’re not going after Pyongyang directly.
Tomi Engdahl says:
Justin Rohrlich / Quartz:
Automatic license plate readers, once limited to law enforcement, are now being used by private citizens, raising fears of abuse and new legal, ethical issues
In just two years, 9,000 of these cameras were installed to spy on your car
https://qz.com/1540488/in-just-two-years-9000-of-these-cameras-were-installed-to-spy-on-your-car/
The surveillance state is no longer limited to the state.
For years, police departments have been tracking people’s cars with cameras that capture the license plate number of every vehicle that passes by. The Electronic Frontier Foundation, a San Francisco-based digital privacy nonprofit, has described the technology as “a form of mass surveillance.”
Now, a new generation of tech firms has made it possible for private citizens to use the devices, known as automatic license plate readers, or ALPRs—without the strict oversight that governs this type of data collection by law enforcement.
A 3,000% increase
Automatic license plate readers, or ALPRs, have long been geared toward local, state, and federal law enforcement users. The systems can be mounted on utility poles, streetlights, overpasses, in police cars, even within traffic cones and digital speed display signs that show drivers how fast they’re going. Once a vehicle’s plate is photographed, and the date, time, and location are recorded, an algorithm checks it against a database of cars that cops are looking for.
ALPRs can capture roughly 2,000 plates a minute, on vehicles traveling up to 120 miles per hour, casting an astonishingly wide net.
Unlike traditional ALPR systems, which consist of professional-grade equipment priced beyond the reach of most civilians—and even some smaller police departments—the new setups rely on off-the-shelf security cameras.
At least one company, OpenALPR, offers software for free, on Github. Anyone who downloads it can turn a single web-connected camera into an automatic license plate reader that can monitor traffic across a four-lane highway with 99% accuracy. (Customers pay between $49 and $995 monthly for optional cloud-based storage and analysis.)
OpenALPR competitor PlateSmart Technologies, another company that markets ALPR systems to the general public, advertises various uses in security and “business intelligence,”
Schools can also use the systems to control access to their campuses, and hospitals can track staff, visitors, and patients, PlateSmart tells prospective customers. Casinos can connect to law enforcement databases
Ethical issues
Unlike police and other law enforcement users of ALPR, private citizens are not beholden to constitutional protections barring unlawful search and seizure, or racial profiling, for example. Civilian users don’t have to worry about departmental review boards or internal affairs units watching over them, either.
At least 16 states have statutes related to ALPR use and data retention, which civilians are required to follow. However, the states that do have rules don’t do a very good job of publicizing them. “It’s possible not a lot of users realize this when trying out the software,” says Dave Maass of the Electronic Frontier Foundation.
The ALPR industry itself is not regulated—nothing currently prohibits ALPR companies from marketing their data—so the potential for misuse is high
Tomi Engdahl says:
It’s bad enough that dating sites are a pit of exaggerations and inevitable disappointment, they’re also a hot target for hackers.
Users complain of account hacks, but OkCupid denies a data breach
https://techcrunch.com/2019/02/10/okcupid-account-hacks/?utm_source=tcfbpage&sr_share=facebook
Tomi Engdahl says:
QNAP NAS user? You’d better check your hosts file for mystery anti-antivirus entries
https://www.theregister.co.uk/2019/02/11/qnap_hosts_file_issues
Tomi Engdahl says:
Dating apps face questions over age checks after report exposes child abuse
https://techcrunch.com/2019/02/11/dating-apps-face-questions-over-age-checks-after-report-exposes-child-abuse/?utm_source=tcfbpage&sr_share=facebook
The UK government has said it could legislate to require age verification checks on users of dating apps, following an investigation into underage use of dating apps published by the Sunday Times yesterday.
Tomi Engdahl says:
Got a direct message from a top YouTuber? Chances are, it’s phishing
https://www.kaspersky.com/blog/youtube-phishing-scam/25600/
Are you subscribed to a top YouTuber’s channel? If so, at any moment, a message purporting to be from your preferred celebrity can land in your inbox.
At first glance, the text looks like amazing news. Your fancied YouTube star feels extremely grateful to you for being one of their subscribers or for leaving comments on their video. And you’ve been chosen at random either to participate in a giveaway or to directly get a valuable prize — a new iPhone X or a gift card, for example.
The problem is that the message is fake.
Tomi Engdahl says:
A network attack can paralyse a hospital – examples can already be found in Finland too
https://yle.fi/uutiset/3-10640642
Tomi Engdahl says:
Container Escape Flaw Hits AWS, Google Cloud, Linux Distros
https://www.securityweek.com/container-escape-flaw-hits-aws-google-cloud-linux-distros
A vulnerability recently addressed in runc could allow malicious containers to gain root-level code execution on the host.
Introduced in 2015, runc is a lightweight, portable container runtime that includes all of the code used by Docker to interact with system features related to containers. The runtime is used in most containers out there, including cri-o, containerd, Kubernetes, Podman, and others.
Tracked as CVE-2019-5736 and featuring a CVSSv3 score of 7.2, the vulnerability can be exploited with minimal user interaction, senior software engineer at SUSE Linux and runc maintainer Aleksa Sarai says.
Discovered by Adam Iwaniuk and Borys Popławski, the vulnerability could allow a malicious container to overwrite the host runc binary and execute code on the host.
“Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” Scott McCarty, Red Hat principal product manager for containers, says.
It starts with Linux: How Red Hat is helping to counter Linux container security flaws
https://www.redhat.com/en/blog/it-starts-linux-how-red-hat-helping-counter-linux-container-security-flaws
Tomi Engdahl says:
620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts
https://www.theregister.co.uk/AMP/2019/02/11/620_million_hacked_accounts_dark_web/?__twitter_impression=true
Dubsmash, Armor Games, 500px, Whitepages, ShareThis, and more said to be up for grabs for $$$s in BTC
Tomi Engdahl says:
Applicants of Virginia election security post had personal info exposed
https://wtop.com/virginia/2019/02/applicants-of-virginia-election-security-post-had-personal-info-exposed/
Virginia elections’ next chief information officer likely had their personal information exposed, after a job posting for the position included a username and password that could be used to view applicants’ resume and personal details.
Tomi Engdahl says:
Manipulating an Indian politician’s tweets is worryingly easy to do
https://techcrunch.com/2019/02/13/india-politician-tweets/?utm_source=tcfbpage&sr_share=facebook
Here’s a concerning story from India, where the upcoming election is putting the use of social media in the spotlight.
While the Indian government is putting Facebook, Google and other companies under pressure to prevent their digital platforms from being used for election manipulation, a journalist has demonstrated just how easy it is to control the social media messages published by government ministers.
Pratik Sinha, a co-founder of fact-checking website Alt News, accessed a Google document of prepared statements and tinkered with the content
Tomi Engdahl says:
You Can Add Sudden-Acceleration Attacks to the List of Electric Scooter Dangers
https://gizmodo.com/you-can-add-sudden-acceleration-attacks-to-the-list-of-1832562198?utm_campaign=socialflow_gizmodo_facebook&utm_source=gizmodo_facebook&utm_medium=socialflow
On Tuesday, security firm Zimperium published a report detailing what researchers say are security flaws of Xiaomi’s M365 scooter that make it susceptible to hackers. Specifically, Zimperium found that these scooters each have a Bluetooth password to access its features, but “the password is not being used properly
Don’t Give Me a Brake – Xiaomi Scooter Hack Enables Dangerous Accelerations and Stops for Unsuspecting Riders
https://story.trendkite.com/r/3370sX
This proof-of concept (PoC) is released for educational purposes and evaluation by researchers, and should not be used in any unintended way.
Tomi Engdahl says:
Snapd Flaw Lets Attackers Gain Root Access On Linux Systems
https://thehackernews.com/2019/02/snapd-linux-privilege-escalation.html?m=1
Tomi Engdahl says:
Two-Factor Authentication Evaluation Guide
https://duo.com/resources/ebooks/two-factor-authentication-evaluation-guide?key=face14c&utm_source=facebook&utm_medium=paid_social&utm_campaign=emea-h2-2017&utm_content=emea2017_rmrktingfb&_bf=23843038648480249#eyJoYXNoIjoiIiwic2VhcmNoIjoiP2tleT1mYWNlMTRjJnV0bV9zb3VyY2U9ZmFjZWJvb2smdXRtX21lZGl1bT1wYWlkX3NvY2lhbCZ1dG1fY2FtcGFpZ249ZW1lYS1oMi0yMDE3JnV0bV9jb250ZW50PWVtZWEyMDE3X3Jtcmt0aW5nZmImX2JmPTIzODQzMDM4NjQ4NDgwMjQ5In0=
Tomi Engdahl says:
“Catastrophic” hack on email provider destroys almost two decades of data
VFEmail says data for virtually all US users is gone for good.
https://arstechnica.com/information-technology/2019/02/catastrophic-hack-on-email-provider-destroys-almost-two-decades-of-data/
Email provider VFEmail said it has suffered a catastrophic destruction of all of its servers by an unknown assailant who wiped out almost two decades’ worth of data and backups in a matter of hours.
“Yes, @VFEmail is effectively gone,” VFEmail founder Rick Romero wrote on Twitter Tuesday morning after watching someone methodically reformat hard drives of the service he started in 2001. “It will likely not return. I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.”
Tomi Engdahl says:
Malicious USB Cables Embed Wi-Fi, Can Remotely Control Connected PC
https://www.extremetech.com/computing/285646-offensive-usb-cables-embed-wi-fi-can-remotely-control-connected-pc
Tomi Engdahl says:
China Programming AI Drones To Autonomously Murder Without Human Input
https://www.zerohedge.com/news/2019-02-10/china-programming-ai-drones-autonomously-murder-without-human-input?fbclid=IwAR0DfpRitXQV0KnRw_670XOT6EGcJU-V8GPMFIrivLb5hOiBgVagNHucfxQ
China is programming new autonomous AI-powered drones to conduct “targeted military strikes” without a human making the decision to fire, according to a new report by the Center for a New American Security, a US national security think tank.
Tomi Engdahl says:
CVE-2019-5736: runc container breakout (all versions)
https://seclists.org/oss-sec/2019/q1/119
The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:
* Creating a new container using an attacker-controlled image.
* Attaching (docker exec) into an existing container which the attacker had previous write access to.
This vulnerability is *not* blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora[++] (because container processes appear to be running as container_runtime_t). However, it *is* blocked through correct use of user namespaces (where the host root is not mapped into the container’s user namespace).
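As an added illustration of the mitigation the advisory above names (example code written for this page, not from the advisory or the runc project): a small check that parses a process's /proc/self/uid_map and reports whether host uid 0 is mapped into that user namespace. The sample maps are constructed; the file path and the docker flag in the comments are assumptions about a typical Docker setup.

```python
"""Check whether host root (uid 0) is mapped into a process's user namespace.

Added example, not part of the oss-sec advisory or of runc itself. It tests the
condition the advisory names as the effective mitigation for CVE-2019-5736:
host root must not be mapped into the container's user namespace.
"""
from typing import List, Tuple

# Each line of /proc/<pid>/uid_map reads: <inside-ns start> <outside-ns start> <length>.
# Read from inside the namespace, the outside column is relative to the parent namespace.


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text into (inside, outside, length) triples; reject malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive range length: {line!r}")
        entries.append((inside, outside, length))
    return entries


def host_root_mapped(text: str) -> bool:
    """True if parent-namespace uid 0 falls inside any mapped range (the unmitigated case)."""
    return any(outside <= 0 < outside + length
               for _, outside, length in parse_uid_map(text))


def in_initial_userns(text: str) -> bool:
    """The identity map '0 0 4294967295' means the process has no user namespace at all."""
    return parse_uid_map(text) == [(0, 0, 4294967295)]


def check_file(path: str = "/proc/self/uid_map") -> bool:
    """Read a real uid_map file and report whether host root is mapped into it."""
    with open(path) as fh:
        return host_root_mapped(fh.read())


# Constructed samples (typical layouts, not captured from a real host).
NO_USERNS = "         0          0 4294967295\n"   # default: container root == host root
REMAPPED = "         0     100000      65536\n"    # e.g. dockerd --userns-remap: root -> 100000
MULTI = "         0     100000      65536\n     65536     200000      65536\n"

if __name__ == "__main__":
    for name, sample in [("no userns", NO_USERNS), ("remapped", REMAPPED), ("multi-range", MULTI)]:
        verdict = "host root mapped (NOT mitigated)" if host_root_mapped(sample) \
            else "host root not mapped (mitigated)"
        print(f"{name:12s}: {verdict}")
    print("this process:", "host root mapped" if check_file() else "host root not mapped")
```

Run it inside a container to see which case the container falls in; a map that starts with outside uid 0 means the advisory's user-namespace mitigation is not in effect.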
Tomi Engdahl says:
Russia considers ‘unplugging’ from internet
11 February 2019
https://www.bbc.com/news/technology-47198426
Russia is considering whether to disconnect from the global internet briefly, as part of a test of its cyber-defences.
Tomi Engdahl says:
ThreatList: Latest DDoS Trends by the Numbers
https://threatpost.com/threatlist-latest-ddos-trends-by-the-numbers/141614/
Trends in DDoS attacks show an evolution beyond Mirai code and point to next-gen botnets that are better hidden and have a greater level of persistence on devices – making them “far more dangerous
Tomi Engdahl says:
Doomsday Docker security hole uncovered
https://www.zdnet.com/article/doomsday-docker-security-hole-uncovered/
A security vulnerability has been disclosed for a flaw in runc, Docker and Kubernetes’ container runtime, which can be used to attack any host system running containers.
Tomi Engdahl says:
Hackers wipe US servers of email provider VFEmail
https://www.zdnet.com/google-amp/article/hackers-wipe-us-servers-of-email-provider-vfemail/
Hackers did not ask for a ransom. VFEmail described the incident as “attack and destroy.”
Tomi Engdahl says:
CenturyLink Discovers New Phase of TheMoon IoT Botnet Targeting ISPs
https://www.sdxcentral.com/articles/news/centurylink-discover-new-phase-of-themoon-iot-botnet-targeting-isps/2019/02/
CenturyLink threat researchers found a new module of IoT botnet “TheMoon,” which targets vulnerabilities in routers within broadband networks. This previously undocumented module allows the botnet to be leveraged as a service by other attackers.
Tomi Engdahl says:
Privilege Escalation in Ubuntu Linux (dirty_sock exploit)
https://shenaniganslabs.io/2019/02/13/Dirty-Sock.html
o a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system.
Tomi Engdahl says:
Cyber Attack on Malta’s Bank of Valletta
https://www.securityweek.com/cyber-attack-maltas-bank-valletta
Malta’s largest bank was the target of a cyber attack Wednesday, with hackers attempting to withdraw 13 million euros ($14.7 million), Prime Minister Joseph Muscat said.
The Bank of Valletta, in which the government is the largest shareholder, shut down its systems, closing branches and ATMs, and suspending mobile and Internet banking and internal email. Its website also went offline.
Tomi Engdahl says:
Intel SGX Can Be Abused to Hide Advanced Malware: Researchers
https://www.securityweek.com/intel-sgx-can-be-abused-hide-advanced-malware-researchers
A team of researchers has demonstrated that Intel’s SGX technology can be abused to hide an advanced and stealthy piece of malware that could allow attackers to steal data and conduct activities on the victim’s behalf. Intel says its technology works as intended and it’s not designed to block these types of attacks.
Michael Schwarz, Samuel Weiser and Daniel Gruss of the Graz University of Technology in Austria have conducted an analysis of Intel SGX and the practicality of enclave malware. It’s worth noting that Schwarz and Gruss were also involved in the discovery of the notorious Meltdown and Spectre vulnerabilities.
Tomi Engdahl says:
U.S. Senators Announce Federal Cybersecurity Workforce Bills
https://www.securityweek.com/us-senators-announce-federal-cybersecurity-workforce-bills
U.S. senators recently introduced and reintroduced bills whose goal is to help the government address the shortage of cybersecurity experts.
Experts from the private sector and academia would be recruited for limited “tours of duty” in the government for up to two years. In addition, experts working for the government would do tours of duty in the private sector to learn best practices that can be applied to secure government systems.
Tomi Engdahl says:
SAP Patches Critical Vulnerability in HANA XSA
https://www.securityweek.com/sap-patches-critical-vulnerability-hana-xsa
Tomi Engdahl says:
Third-Party Patch Released for Code Execution Flaw in OpenOffice
https://www.securityweek.com/third-party-patch-released-code-execution-flaw-openoffice
The flaw, described as a path traversal issue and tracked as CVE-2018-16858, was disclosed in early February by researcher Alex Inführ. The expert found that a hacker could execute code on a system by getting the targeted user to open a specially crafted document that loaded a Python file placed by the attacker anywhere on the device.
Code Execution Flaw Found in LibreOffice, OpenOffice
https://www.securityweek.com/code-execution-flaw-found-libreoffice-openoffice
A researcher has identified a serious remote code execution vulnerability affecting the LibreOffice and Apache OpenOffice open-source productivity suites, but a patch has only been released for the former.
Tomi Engdahl says:
Windows App Caught Running on Mac, Installing Malware
https://www.securityweek.com/windows-app-caught-running-mac-installing-malware
A Windows application was recently observed packing the ability to run on Macs and download and install malware on the target systems.
Despite featuring the EXE extension, which is the official executable file format for Windows, the application can run on macOS and override the platform’s built-in protection mechanisms, such as Gatekeeper, to deliver a malicious payload.
This is possible because Gatekeeper only verifies native Mac files and won’t check the EXE extension, which results in the bypass of the code signature check and verification.
Tomi Engdahl says:
China Calls US Concerns Over Huawei ‘Groundless’
https://www.securityweek.com/china-calls-us-concerns-over-huawei-groundless
Beijing called the latest US warning against using Huawei equipment “groundless” on Tuesday, as the Chinese telecom giant faces espionage fears in a growing number of countries.
The world’s second-largest smartphone maker and biggest producer of telecommunications gear has been under fire in recent months after the arrest of a top executive in Canada and a global campaign by Washington to blacklist its equipment.
“The US has spared no effort in unscrupulously fabricating all kinds of groundless charges,” said Chinese foreign ministry spokeswoman Hua Chunying at a regular press briefing in Beijing Tuesday.
https://www.securityweek.com/search/google/huawei%20spying?query=huawei%20spying&cx=016540353864684098383%3A6mcx-eenlzi&cof=FORID%3A11&sitesearch=&safe=off
Tomi Engdahl says:
Android Developers Blog:
Google says rejected app submissions to Google Play rose in 2018 by 55%+ YoY, as tighter policies and more extensive automated protections rolled out — Posted by Andrew Ahn, Product Manager, Google Play — Google Play is committed to providing a secure and safe platform for billions …
How we fought bad apps and malicious developers in 2018
https://android-developers.googleblog.com/2019/02/how-we-fought-bad-apps-and-malicious.html
Tomi Engdahl says:
Coffee Meets Bagel Dating App Warns Users of Breach
https://threatpost.com/coffee-meets-bagel-breach/141850/
The dating site said users’ names and email addresses that were added to the system prior to May 2018 may be impacted.
Popular dating app Coffee Meets Bagel has sent its users an email notifying them that their data may have been “acquired by an unauthorized party.”
The news comes days after a massive database containing the information of around 6.2 million Coffee Meets Bagel users showed up on the Dark Web. Users received notice of the breach (ironically) on Feb. 14, in an email which was shared with Threatpost.
Tomi Engdahl says:
Android’s app store tightened its screening: rejected apps +55%
https://www.tivi.fi/Kaikki_uutiset/androidin-sovelluskauppa-tiukensi-seulaa-hylattyja-sovelluksia-55-6758449
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/klassikkohuijauksella-nyhdetaan-rahaa-suomalaisyrityksilta-vipuun-menneiden-kannattaa-ilmoittaa-poliisille-6758435
Tomi Engdahl says:
Ransomware Attacks Target MSPs to Mass-Infect Customers
https://www.bleepingcomputer.com/news/security/ransomware-attacks-target-msps-to-mass-infect-customers/
Ransomware distributors have started to target managed service providers (MSPs) in order to mass-infect all of their clients in a single attack. Recent reports indicate that multiple MSPs have been hacked recently, which has led to hundreds, if not thousands, of clients being infected with the GandCrab Ransomware.
Tomi Engdahl says:
Canonical Snapd Vulnerability Gives Root Access in Linux
https://www.bleepingcomputer.com/news/security/canonical-snapd-vulnerability-gives-root-access-in-linux/
A researcher has discovered a new vulnerability called “Dirty_Sock” in the REST API for Canonical’s snapd daemon that can allow attackers to gain root access on Linux machines. To illustrate how these vulnerabilities can be exploited, the researcher has released two PoCs that use different methods to elevate privileges.
This vulnerability has since been patched by Canonical, the maker of Ubuntu and the Snap framework, but unless admins install the snapd update, local users will be able to gain root level access to servers running the daemon.
Tomi Engdahl says:
US counterintelligence agent helped Iran lob cyber-bombs at America, say Uncle Sam’s lawyers
Prosecutors accuse Monica Witt of helping Tehran target her former colleagues
https://www.theregister.co.uk/2019/02/14/counterintelligence_agent_espionage/
Tomi Engdahl says:
Shlayer Malware Disables macOS Gatekeeper to Run Unsigned Payloads
https://www.bleepingcomputer.com/news/security/shlayer-malware-disables-macos-gatekeeper-to-run-unsigned-payloads/
A new variant of the multi-stage Shlayer malware known to target macOS users has been observed in the wild, now capable of escalating privileges using a two-year-old technique and of disabling the Gatekeeper protection mechanism to run unsigned second-stage payloads.
Tomi Engdahl says:
Chinese facial recognition company left database of people’s locations exposed
https://www.cnet.com/news/chinese-facial-recognition-company-left-database-of-peoples-location-exposed/
There were more than 6.8 million records from the last 24 hours alone that anyone could access.
Tomi Engdahl says:
Chinese company leaves Muslim-tracking facial recognition database exposed online
https://www.zdnet.com/article/chinese-company-leaves-muslim-tracking-facial-recognition-database-exposed-online/
Researcher finds one of the databases used to track Uyghur Muslim population in Xinjiang.
Tomi Engdahl says:
Hackers tried to steal €13 million from Malta’s Bank of Valletta
https://www.zdnet.com/article/hackers-tried-to-steal-eur13-million-from-maltas-bank-of-valletta/
Hackers tried to send funds to banks in the UK, the US, the Czech Republic, and Hong Kong. Transactions are being reverted.