This posting is here to collect cyber security news in July 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
237 Comments
Tomi Engdahl says:
Florida City Fires IT Employee After Paying $460,000 Bitcoin Ransom to Hackers
https://gizmodo.com/florida-city-fires-it-employee-after-paying-460-000-in-1836031022
Lake City, Florida paid out a bitcoin ransom worth $460,000 to hackers who disabled the city’s computer systems with sophisticated ransomware last month, hot on the heels of a $600,000 ransom paid out in similar circumstances by Riviera Beach
the city has fired its director of information technology.
employee downloaded an infected document they had received via email. That set off a chain of events
Emotet trojan, which installed itself and subsequently downloaded another trojan called TrickBot and the Ryuk ransomware. Ryuk then spread throughout city systems, locking them down and demanding a ransom.
city officials reluctantly determined that it would be cheaper and more effective to simply pay off the hackers
Tomi Engdahl says:
Ryuk, Ryuk, Ryuk: Georgia’s courts hit by ransomware
It looks like another Ryuk ransomware campaign is responsible.
https://arstechnica.com/information-technology/2019/07/ryuk-ryuk-ryuk-georgias-courts-hit-by-ransomware/
Tomi Engdahl says:
The Pentagon Has A Laser That Can Remotely Identify People By Reading Their Heartbeat
https://www.iflscience.com/technology/pentagon-laser-can-remotely-identify-people-reading-heartbeat/
According to MIT Technology Review, a laser has been developed for the Pentagon that can read people’s unique heartbeat signatures, after it was requested by US Special Forces. Code-named Jetson, the device is still in the prototype stage but is already able to read heartbeats from around 200 meters (656 feet) away, even through people’s clothing.
The Pentagon has a laser that can identify people from a distance—by their heartbeat
https://www.technologyreview.com/s/613891/the-pentagon-has-a-laser-that-can-identify-people-from-a-distanceby-their-heartbeat/
While it works at 200 meters (219 yards), longer distances could be possible with a better laser. “I don’t want to say you could do it from space,”
uses a technique known as laser vibrometry to detect the surface movement caused by the heartbeat. This works though typical clothing like a shirt and a jacket (though not thicker clothing such as a winter coat).
The most common way of carrying out remote biometric identification is by face recognition. But this needs good, frontal view of the face
Cardiac signatures are already used for security identification.
He claims that Jetson can achieve over 95% accuracy under good conditions
One glaring limitation is the need for a database of cardiac signatures, but even without this the system has its uses
Tomi Engdahl says:
‘Deepfake’ revenge porn is now illegal in Virginia
https://techcrunch.com/2019/07/01/deepfake-revenge-porn-is-now-illegal-in-virginia/
The law, which went into effect Monday, now makes it illegal to share nude photos or videos of someone without their permission, whether they’re real or fake ones. The law also covers photoshopped images or any other kind of fake footage
Tomi Engdahl says:
A Cloudflare outage is impacting sites everywhere
https://techcrunch.com/2019/07/02/a-cloudflare-outage-is-impacting-sites-everywhere/
If you’ve been experiencing “502 Bad Gateway” notices all morning, for better or worse, you’re not alone. Cloudflare has been experiencing some major outages this morning, leaving many sites reeling in its wake
“Massive spike in CPU usage caused primary and backup systems to fall over. Impacted all services. No evidence yet attack related. Shut down service responsible for CPU spike and traffic back to normal levels. Digging in to root cause.”
Tomi Engdahl says:
China Is Forcing Tourists to Install Text-Stealing Malware at its Border
https://www.vice.com/en_us/article/7xgame/at-chinese-border-tourists-forced-to-install-a-text-stealing-piece-of-malware
Tomi Engdahl says:
Face Recognition Surveillance Banned by Second American City
https://gizmodo.com/face-recognition-surveillance-banned-by-second-american-1835945552
One day after the biggest police body camera manufacturer in America banned the use of face recognition technology, Somerville, Massachusetts became the second city in the United States to ban the tech after San Francisco broke new ground with a ban last month, Vice reported.
Tomi Engdahl says:
UCLA PROFESSOR STOLE MISSILE SECRETS FOR CHINA, FACES 219 YEARS IN PRISON
https://www.newsweek.com/ucla-professor-stole-missile-secrets-china-219-years-prison-espionage-1447286
California-based electrical engineer has been found guilty of attempting to export sensitive military electronics to China and could face more than two centuries behind bars.
a plot to illegally obtain microchips from an American company and export them to China, where they could be used in a range of military systems including missiles and fighter jets.
Shih posed as a customer to acquire the hardware—so-called monolithic microwave integrated circuits (MMICs)—from an unnamed U.S. company.
The MMICs were then shipped to Chinese company called Chengdu GaStone Technology (CGTC), where Shih had previously served as president.
Tomi Engdahl says:
Subcontracting censorship plus no real agreement on definition – non starter
EU’s terrorism filter plans: The problems just keep coming
https://www.zdnet.com/article/eus-terrorism-filter-plans-the-problems-just-keep-coming/
European authorities have discovered that creating rules to keep terrorist content off the internet is not easy.
Tomi Engdahl says:
https://fossbytes.com/deepnude-app-available-internet-github-youtube-4chan/
were numerous fake copies on the DeepNude app available on the internet. There are various websites providing alleged Android APK files of the said app. However, the app was only designed for Windows and Linux-based operating systems.
He took the app offline
Still, there was a possibility that copies of the original app could be lying down somewhere on the internet and might surface later.
Tomi Engdahl says:
China is installing a secret surveillance app on tourists’ phones
https://www.vox.com/future-perfect/2019/7/3/20681258/china-uighur-surveillance-app-tourist-phone
It scans for Quran passages, Dalai Lama photos, and other things the authorities don’t want you to bring into Xinjiang
Tomi Engdahl says:
YouTube’s ‘instructional hacking’ ban threatens computer security teachers
https://www.theverge.com/2019/7/3/20681586/youtube-ban-instructional-hacking-phishing-videos-cyber-weapons-lab-strike
YouTube now says takedown of a ‘white hat’ hacking channel was a mistake
Tomi Engdahl says:
spyware found on more than 700 million Android phones
https://www.cyberscoop.com/android-malware-china-huawei-zte-kryptowire-blu-products/
More than 700 million Android smartphones, some of which were used in the U.S., carried hidden software that enabled surveillance by tracking user’s movements and communications, a Virginia-based team of security researchers found.
The firmware, discovered by Kryptowire, was reportedly authored by Chinese startup Shanghai Adups Technology Company. It was largely discovered on disposable and prepaid phones made overseas.
Tomi Engdahl says:
Police face calls to end use of facial recognition software
https://www.theguardian.com/technology/2019/jul/03/police-face-calls-to-end-use-of-facial-recognition-software
Analysts find system often wrongly identifies people and could breach human rights law
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / VICE:
Unknown attackers are spamming OpenPGP certificates, breaking a core component of encryption software PGP and showing a fundamental weakness known for a decade
Someone Is Spamming and Breaking a Core Component of PGP’s Ecosystem
https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem
A new wave of spamming attacks on a core component of PGP’s ecosystem has highlighted a fundamental weakness in the whole ecosystem.
Tomi Engdahl says:
Bloomberg:
Sources: Broadcom is in advanced talks to acquire Symantec in a deal that could be reached in weeks; Symantec shares rise 13%+
Broadcom Is in Advanced Talks to Acquire Symantec
https://www.bloomberg.com/news/articles/2019-07-02/broadcom-is-said-to-be-in-advanced-talks-to-acquire-symantec
Broadcom could reach an agreement to buy the Mountain View, California-based company within weeks
The deal would mark Broadcom’s second big bet in software, following its $18 billion takeover last year of CA Technologies.
“Symantec would make a perfect fit for the Broadcom portfolio,” Harsh Kumar, an analyst at Piper Jaffray wrote in a note to investors. He said the situation is similar to Broadcom’s CA acquisition, “which ultimately turned out to be extremely successful under the Broadcom umbrella.”
Tomi Engdahl says:
Dan Goodin / Ars Technica:
D-Link agrees to implement a new security program to settle a 2017 FTC complaint that alleged D-Link left thousands open to well-known attacks
D-Link agrees to new security monitoring to settle FTC charges
Agreement settles charges D-Link left users open to critical and widespread threats.
https://arstechnica.com/information-technology/2019/07/d-link-agrees-to-new-security-monitoring-to-settle-ftc-charges/?mid=1
Tomi Engdahl says:
Youtube’s ban on “hacking techniques” threatens to shut down all of infosec Youtube
https://boingboing.net/2019/07/03/nobus-r-us.html
Once upon a time, companies were able to insist — with a straight face — that the real problem with the security defects in their products was the researchers who went public with them, warning customers and users that the products they were trusting were not trustworthy.
Then came the modern infosec movement, in which hactivists and researchers started to give companies a little grace period before going public, while still rejecting the whole idea of “security through obscurity.”
Infosec’s watchword is “sunlight is the best disinfectant.” If you want to prove that a product is genuinely defective, it’s not enough to make the claim: you have to back it up with demos that anyone else can replicate — otherwise the companies will straight up call you a liar and assure their customers that there’s nothing to worry about.
Yesterday, Youtube froze Kody Kinzie’s long-running Cyber Weapons Lab channel, citing a policy that bans “Instructional hacking and phishing: Showing users how to bypass secure computer systems.”
The two groups that really benefit from these disclosures are:
1. Users, who get to know which systems they should and should not trust; and
2. Developers, who learn from other developers’ blunders and improve their own security.
Youtube banning security disclosures doesn’t make products more secure, nor will it prevent attackers from exploiting defects
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2019/07/04/open-sesame-zipatos-smart-hub-hacked-to-open-front-doors/
Zipato’s ZipaMicro Z-Wave smart hub controller offers a simple and relatively cheap way of doing that with the added benefit that it works with all sorts of smart home products – security cameras, sensors, heating controls, light bulbs, and IoT-enabled locks – from third parties.
Unfortunately, according to Black Marble researchers Chase Dardaman and Jason Wheeler, there’s a catch – the Zipato controller has three critical security flaws which could be used together by hackers to open your home’s doors for you.
Tomi Engdahl says:
Internet group brands Mozilla ‘internet villain’ for supporting DNS privacy feature
https://techcrunch.com/2019/07/05/isp-group-mozilla-internet-villain-dns-privacy/?tpcc=ECFB2019
The U.K.’s Internet Services Providers’ Association (ISPA), the trade group for U.K. internet service providers, nominated the browser maker for its proposed effort to roll out the security feature, which they say will allow users to “bypass UK filtering obligations and parental controls, undermining internet safety standards in the U.K.”
ISPA doesn’t think DNS-over-HTTPS is compatible with the U.K.’s current website blocking regime.
Under U.K. law, websites can be blocked for facilitating the infringement of copyrighted or trademarked material or if they are deemed to contain terrorist material or child abuse imagery.
Tomi Engdahl says:
https://fossbytes.com/youtube-bans-instructional-hacking-and-phishing-videos/
Tomi Engdahl says:
Grubhub is using thousands of fake websites to upcharge commission fees from real businesses
https://www.theverge.com/2019/6/28/19154220/grubhub-seamless-fake-restaurant-domain-names-commission-fees
Tomi Engdahl says:
Huawei cryptographic keys embedded in Cisco’s firmware
https://www.iot-inspector.com/blog/2019/07/huawei-cryptographic-keys-embedded-in-ciscos-firmware/
Things happen when they happen. And when developers use third-party or open source libraries in their own product, they may not be aware of potential security issues.
Tomi Engdahl says:
Amazon confirms Alexa customer voice recordings are kept forever
That is unless you know how to delete them manually.
https://www.zdnet.com/article/amazon-confirms-alexa-customer-voice-recordings-are-kept-forever/
Tomi Engdahl says:
https://www.zdnet.com/article/engineer-found-guilty-of-trying-to-sell-military-chips-to-china/
Tomi Engdahl says:
Don’t Try To Download DeepNude Apps From The Internet, Here’s Why
https://fossbytes.com/download-deepnude-apk/
Tomi Engdahl says:
Security flaws in a popular smart home hub let hackers unlock front doors
https://techcrunch.com/2019/07/02/smart-home-hub-flaws-unlock-doors/
Zipato smart hubs. In new research published Tuesday and shared with TechCrunch, Dardaman and Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock.
Tomi Engdahl says:
Cautionary tale: Hackers hijack phone number, break into man’s Google account, then try to steal $25K
https://www.androidpolice.com/2019/06/17/cautionary-tale-hackers-hijack-phone-number-break-into-mans-google-account-then-try-to-steal-25k/
Identity theft via hacking or social engineering is a common problem these days, and the results can quickly spiral out of control, locking you out of the accounts you depend on permanently, as in the case of today’s horror story. A contributor over at ZDNet recently suffered what can only be called a total security meltdown in the space of a week when a hacker gained access to his Google account via a SIM-swap attack.
Tomi Engdahl says:
Soon a plain credit card will no longer be accepted in online shops – some merchants are nowhere near ready for the change, billions in purchases at risk
https://yle.fi/uutiset/3-10833294
Tomi Engdahl says:
New Silex malware is bricking IoT devices, has scary plans
Over 2,000 devices have been bricked in the span of a few hours. Attacks still ongoing.
https://www.zdnet.com/article/new-silex-malware-is-bricking-iot-devices-has-scary-plans/
Tomi Engdahl says:
81% of ‘suspects’ flagged by Met’s police facial recognition technology innocent, independent report says
https://news.sky.com/story/met-polices-facial-recognition-tech-has-81-error-rate-independent-report-says-11755941
The force maintains its technology only makes a mistake in one in 1,000 cases, but it uses a different metric for gauging success.
the report concludes that it is “highly possible” the Met’s usage of the system would be found unlawful if challenged in court
Tomi Engdahl says:
Seriously? Cisco put Huawei X.509 certificates and keys into its own switches
https://www.zdnet.com/article/seriously-cisco-put-huawei-x-509-certificates-and-keys-into-its-own-switches/
How did cryptographic certificates and keys issued to Huawei end up in Cisco gear?
Tomi Engdahl says:
U.S. Military Satellites Likely Cyber Attacked By China Or Russia Or Both: Report
https://www.forbes.com/sites/zakdoffman/2019/07/05/u-s-military-satellites-likely-cyber-attacked-by-china-or-russia-or-both-report/
New research from a leading defense think tank has turned the tables on that theory, suggesting U.S. and NATO command and control systems are themselves open to compromise because of vulnerabilities in the satellite systems carrying mission-critical data. Cyber attacks on satellites “have the potential to wreak havoc on strategic weapons systems and undermine deterrence by creating uncertainty and confusion,”
The enemy here is not Iran—it does not have the sophistication, it is China and Russia.
For the Consultative Committee for Space Data Systems, people working in the space industry likely “constitute the weakest link in cyber defense.” But to this, you can add aging IT systems, outdated civilian cyber defenses and typically slack corporate information security across legacy systems. A wide range of vulnerabilities. Highly sophisticated cyber adversaries
Tomi Engdahl says:
UK ISP group names Mozilla ‘Internet Villain’ for supporting ‘DNS-over-HTTPS’
https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/
UK government and local ISPs are putting the pressure on browsers to drop plans to support DoH protocol
Tomi Engdahl says:
Hackers Hijacked VR Chatrooms to Manipulate Users’ Reality
https://www.vice.com/en_us/article/8xz33p/hackers-hijacked-vr-chatrooms-to-manipulate-users-reality
Tomi Engdahl says:
IronPython, darkly: how we uncovered an attack on government entities in Europe
http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html?m=1
Tomi Engdahl says:
Russia Is Disrupting GPS Signals and It’s Spilling into Israel
The interference is so powerful, it’s been detected by the International Space Station.
https://www.popularmechanics.com/military/weapons/a28250133/russia-gps-signals-israel/
Tomi Engdahl says:
https://beebom.com/huawei-no-back-door-pact-india-spying-fears/
Tomi Engdahl says:
Ubuntu-Maker Canonical’s GitHub Account Gets Hacked
https://thehackernews.com/2019/07/canonical-ubuntu-github-hacked.html
An unknown hacker yesterday successfully managed to hack into the official GitHub account of Canonical, the company behind the Ubuntu Linux project and created 11 new empty repositories.
It appears that the cyberattack was, fortunately, just a “loud” defacement attempt rather than a “silent” sophisticated supply-chain attack that could have been abused to distribute modified malicious versions of the open-source Canonical software.
Tomi Engdahl says:
https://securityboulevard.com/2019/06/cloud-hopper-the-chinese-group-that-hacked-eight-major-u-s-computer-service-firms-to-boost-economic-interests-reuters-reports/
Tomi Engdahl says:
https://pentestmag.com/chb-cybersecurity-briefing-01-07-19/
Tomi Engdahl says:
Google Confirms Apple iPhone Bricking iMessage Bomb
https://www.forbes.com/sites/daveywinder/2019/07/07/google-confirms-apple-iphone-bricking-imessage-bomb/
vulnerability in Apple’s iMessage has been found that “bricks” an iPhone and survives hard resets, leaving users having to wipe the device and start factory fresh again.
The iMessage text bombing zero-day was disclosed by Google Project Zero researcher Natalie Silvanovich, who describes how the malformed message vulnerability can cause a Mac to “crash and respawn.”
If you haven’t turned on the automatic software update feature in iOS 12, then I recommend that you do. That way you can be sure that issues like the iMessage text bomb iPhone bricker will not impact you
Tomi Engdahl says:
Microsoft Issues Warning For 50M Windows 10 Users
https://www.forbes.com/sites/gordonkelly/2019/07/06/microsoft-windows-10-upgrade-vpn-warning-upgrade-windows/
Microsoft has told tens of millions of Windows 10 users that the latest KB4501375 update may break the platform’s Remote Access Connection Manager (RASMAN). And this can have serious repercussions.
The big one is VPNs.
Microsoft is stepping up its attempts to push Windows 7 users to Windows 10.
Tomi Engdahl says:
“Activists seeking to use various “secure” chat tools are regularly forced to use the exact same account registration approach used by Telegram — even with its known built-in security vulnerability.
This includes the popular chat apps Signal and Whatsapp. Several human rights technologists, and users of the apps, have spoken about the problem with this system design. Consider, for example, Jillian York’s critique of this approach two years ago. And requests for this feature in Signal go back at least as far as 2014. The engineers of these apps cannot feign ignorance.”
As Hong Kong protesters embrace Telegram, when will the messaging app fix one of its biggest security flaws?
https://www.hongkongfp.com/2019/07/07/hong-kong-protesters-embrace-telegram-will-messaging-app-fix-one-biggest-security-flaws/
the mass mobilisation of over a million protestors in Hong Kong who took to the streets last month to voice their opposition to the extradition bill. As a result, Telegram has experienced DDoS attacks hampering the service, and security experts have questioned the strength of Telegram (For instance, Telegram group chats are not encrypted).
Hong Kong activist, Ivan Ip, was arrested for being the administrator of a 20,000 person Telegram group and was forced by the authorities to provide his phone’s access information. As a result, the 20,000 people participating in a peaceful protest are now readily identifiable to authorities (by their phone numbers), creating a data breach that has the potential to be exponentially more damaging, and long-lasting for the implicated activists, than any of the DDoS attacks Telegram now faces.
The Security Issue is a System Architecture Problem
Some digital security experts are asking why activists in Hong Kong would choose to use Telegram (a fairly legitimate question since the chat app has had its security efficacy regularly questioned by experts).
Telegram and other “secure” chat apps, such as WhatsApp and Signal, have chosen a system design that ignores one of the largest security threats faced by those most in need of secure apps and even enforces the vulnerability.
First, consider just some of the known options available for secure chat: Signal, WhatsApp, and Telegram all require phone number verification.
Human rights technologists and some tech-savvy individuals have found strategies to work around this phone number requirement to enable users to mask their identity when using these apps. However, some of the people most in need of such apps don’t have access to the digital resources required to achieve these workarounds (e.g., burner phones and burner SIMs cannot be purchased, or a person has limited financial means, etc.).
This is a serious question. Doesn’t it make more sense to just fix this engineered security flaw?
I am fairly confident these software organizations did not intentionally design their systems to incorporate such a significant security flaw. It was likely these system design choices were made to make it easy to adopt the use of these tools, and to easily connect with those you want to chat with. It is understandable and even valuable to make these tools easy to use. The increased use of these apps is a good thing.
Also, making the type of architectural change needed to fix the flaw on an active system with a large userbase is not simple or cheap.
Tomi Engdahl says:
Microsoft Discovers Fileless Astaroth Trojan Campaign
https://www.bleepingcomputer.com/news/security/microsoft-discovers-fileless-astaroth-trojan-campaign/#.XSOEdn-DD-g.facebook
A fileless malware campaign used by attackers to drop the information stealing Astaroth Trojan into the memory of infected computers was detected by Microsoft Defender ATP Research Team researchers.
Tomi Engdahl says:
Serious Zoom security flaw could let websites hijack Mac cameras
https://www.theverge.com/2019/7/8/20687014/zoom-security-flaw-video-conference-websites-hijack-mac-cameras
Tomi Engdahl says:
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
Tomi Engdahl says:
7-Eleven Japanese customers lose $500,000 due to mobile app flaw
https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/
Hackers exploit 7-Eleven’s poorly designed password reset function to make unwanted charges on 900 customers’ accounts.
The 7pay mobile app was designed to show a barcode on the phone’s screen when customers reach the 7-Eleven cashier counters. The cashier scans the barcode, and the bought goods are charged to the user’s 7pay app and the customer’s credit or debit cards that have been saved in the account
However, in a mind-boggling turn of events, the app contained a password reset function that was incredibly poorly designed. It allowed anyone to request a password reset for other people’s accounts, but have the password reset link sent to their email address, instead of the legitimate account owner.
With so much data about Japanese users lying around the internet from the multitude of past breaches, a hacker only had to compile it and automate an attack.
And so they did.
7-ELEVEN PROMISES TO COMPENSATE HACKED 7PAY USERS
hackers broke into nearly 900 7pay accounts, and made illegal charges worth ¥55 million ($510,000).