This posting is here to collect cyber security news in July 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
237 Comments
Tomi Engdahl says:
https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html?m=1
If you are in Kazakhstan and unable to access the Internet service without installing a certificate, you’re not alone.
The Kazakhstan government has once again issued an advisory to all major local Internet Service Providers (ISPs) asking them to make it mandatory for all their customers to install government-issued root certificates on their devices in order to regain access to the Internet services.
Tomi Engdahl says:
the government is essentially launching a “man in the middle” attack on every resident of the country
https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html?m=1
The root certificate in question, labeled as “trusted certificate” or “national security certificate,” if installed, allows ISPs to intercept and monitor users’ encrypted HTTPS and TLS connections, helping the government spy on its citizens and censor content.
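Pinning is the practical countermeasure a client can apply here: once an extra root is in the trust store, the platform's chain validation passes for the ISP's re-signed certificate, so only an out-of-band comparison of the certificate the client actually receives can reveal the interception. The script below is an added example, not code from the linked articles. It uses only the Python standard library; `example.com`, the all-zero pin and the issuer name `Example CA` are placeholders you would replace with values recorded from a known-clean network.

```python
"""Detect a TLS-intercepting proxy by pinning the server's leaf certificate.

Added example (not from the linked articles), standard library only.
An ISP that holds a root installed on the client re-signs the server's
certificate on the fly, so chain validation succeeds but the leaf the client
sees (its fingerprint and its issuer) differs from the one recorded earlier.
"""
import hashlib
import socket
import ssl

# Assumed pins: placeholders, not real certificate data. A real deployment
# records the SHA-256 of the DER leaf and its issuer CN from a clean network.
PINNED = {
    "example.com": {
        "sha256": "0" * 64,         # placeholder fingerprint
        "issuer_cn": "Example CA",  # placeholder expected issuer
    }
}


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def issuer_cn(cert: dict) -> str:
    """Pull commonName out of the ssl.getpeercert() issuer tuple-of-tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def assess(host: str, der: bytes, cert: dict, pins=PINNED) -> list:
    """Compare what the client received against the recorded pin.

    Returns a list of findings; an empty list means the leaf matches.
    """
    expected = pins.get(host)
    if expected is None:
        return ["no pin recorded for %s" % host]
    findings = []
    fp = cert_fingerprint(der)
    if fp != expected["sha256"]:
        findings.append("leaf fingerprint mismatch: %s" % fp)
    cn = issuer_cn(cert)
    if cn != expected["issuer_cn"]:
        findings.append("unexpected issuer CN: %r" % cn)
    return findings


def check_live(host: str, port: int = 443, pins=PINNED) -> list:
    """Network path: the default context validates against the platform trust
    store (which an installed government root would satisfy); assess() is the
    check that still fires in that case."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return assess(host, der, info, pins)


if __name__ == "__main__":
    # Offline demonstration on constructed input (not a real certificate).
    fake_der = b"constructed-not-a-real-cert"
    seen = {"issuer": ((("commonName", "Some Interception Root"),),)}
    for finding in assess("example.com", fake_der, seen):
        print(finding)
```

A pin on the leaf is brittle when the site rotates certificates; pinning the SubjectPublicKeyInfo hash or the expected intermediate instead is the usual refinement, but the detection logic is the same: the chain that validates is not the chain you expected.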
Tomi Engdahl says:
Kazakhstan government is now intercepting all HTTPS traffic
https://www.zdnet.com/article/kazakhstan-government-is-now-intercepting-all-https-traffic/
Kazakh government first wanted to intercept all HTTPS traffic way back in 2016, but they backed off after several lawsuits.
Tomi Engdahl says:
https://www.zdnet.com/article/bulgarias-hacked-database-is-now-available-on-hacking-forums/
Tomi Engdahl says:
https://www.zdnet.com/article/microsoft-demos-electionguard-technology-for-securing-electronic-voting-machines/
Tomi Engdahl says:
https://www.zdnet.com/article/contractor-who-stole-50tb-of-nsa-data-gets-nine-years-in-prison/
Tomi Engdahl says:
My browser, the spy: How extensions slurped up browsing histories from 4M users
Have your tax returns, Nest videos, and medical info been made public?
https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/
When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.
DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google’s account, had as many as 4.1 million users.
Tomi Engdahl says:
Kazakhstan begins intercepting citizens’ web traffic to ‘protect them from cyber threats’
https://thenextweb.com/security/2019/07/19/kazakhstan-begins-intercepting-citizens-web-traffic-to-protect-them-from-cyber-threats/
Tomi Engdahl says:
https://www.wired.com/story/faceapp-privacy-backlash-facebook/
Tomi Engdahl says:
https://mashable.com/article/faceapp-privacy-policy/
Tomi Engdahl says:
FaceApp: Concerns raised that viral app making you old is a Russian company taking your selfies
https://eu.citizen-times.com/story/money/tech/2019/07/17/viral-face-app-aging-russian-company-privacy-policy-scrutiny/1753674001/
Tomi Engdahl says:
No, You Don’t Need a Burner Phone at a Hacking Conference
https://www.vice.com/en_us/article/bj9qbw/no-you-dont-need-a-burner-phone-at-a-hacking-conference
Every year, infosec Twitter debates whether people should bring a burner phone to conferences like Def Con or Black Hat. Here’s why we think you don’t need to worry about that.
Tomi Engdahl says:
FaceApp: FBI Told To Investigate If Russia Now Has U.S. Citizens’ Biometric Data
https://www.forbes.com/sites/zakdoffman/2019/07/17/fbi-and-ftc-told-to-investigate-russias-faceapp-as-u-s-national-security-risk/?utm_source=FACEBOOK&utm_medium=social&utm_term=Valerie/#76616c657269
Tomi Engdahl says:
Hackers breach FSB contractor, expose Tor deanonymization project and more
https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/
SyTech, the hacked company, was working on research projects for the FSB, Russia’s intelligence service.
Hackers stole 7.5TB of data from the contractor’s network, and they defaced the company’s website with a “yoba face,” an emoji popular with Russian users that stands for “trolling.”
Hackers posted screenshots of the company’s servers on Twitter and later shared the stolen data with Digital Revolution, another hacking group who last year breached Quantum, another FSB contractor.
Tomi Engdahl says:
Met Police website hacked, tweets ‘F*CK THE POLICE’
https://thenextweb.com/security/2019/07/20/met-police-twitter-hacked/
It appears hackers briefly took over UK Metropolitan Police’s website
Tomi Engdahl says:
Russia’s Secret Intelligence Agency Hacked: ‘Largest Data Breach In Its History’
https://www.forbes.com/sites/zakdoffman/2019/07/20/russian-intelligence-has-been-hacked-with-social-media-and-tor-projects-exposed/?utm_source=FACEBOOK&utm_medium=social&utm_term=Valerie/#76616c657269
Red faces in Moscow this weekend, with the news that hackers have successfully targeted FSB—Russia’s Federal Security Service. The hackers managed to steal 7.5 terabytes of data from a major contractor, exposing secret FSB projects to de-anonymize Tor browsing, scrape social media, and help the state split its internet off from the rest of the world. The data was passed to mainstream media outlets for publishing.
Tomi Engdahl says:
Office 365 declared illegal in German schools due to privacy risks
Microsoft’s future in Germany is in question again.
https://arstechnica.com/information-technology/2019/07/germany-threatens-to-break-up-with-microsoft-office-again/
Tomi Engdahl says:
Although the press release specifically targets Office 365, it notes that competing Apple and Google cloud suites also do not satisfy German privacy regulations for use in schools.
https://arstechnica.com/information-technology/2019/07/germany-threatens-to-break-up-with-microsoft-office-again/
Tomi Engdahl says:
VoIP’s Big Security Problem? It’s SIP
BY WAYNE RASH 5 DEC 2018, NOON
https://uk.pcmag.com/ringcentral-office/118690/voips-big-security-problem-its-sip
Session Initiation Protocol (SIP) is essential for most forms of Voice-over-IP (VoIP) communications, but by itself, it’s insecure and easily hacked. Here’s what you need to know to protect your calls and your network.
Tomi Engdahl says:
Russian FSB Intel Agency Contractor Hacked, Secret Projects Exposed
https://www.bleepingcomputer.com/news/security/russian-fsb-intel-agency-contractor-hacked-secret-projects-exposed/
A contractor for the Russian Federal Security Service (FSB) has been hacked and secret projects that were being developed for the intelligence agency were leaked to Russian Media.
In addition, BBC Russia reports that the hackers stole 7.5TB of data from the contractor’s network. This data includes information about numerous non-public projects that were being developed by Sytech on behalf of the Russian government and its intelligence agency.
Tomi Engdahl says:
https://www.securityweek.com/slack-resetting-more-user-passwords-response-2015-breach
Tomi Engdahl says:
https://www.securityweek.com/malware-framework-gathers-1-billion-ad-impressions-3-months
Tomi Engdahl says:
https://www.securityweek.com/scotland-yard-twitter-and-emails-hacked
Tomi Engdahl says:
FTC hits Equifax with fine of up to $700M for 2017 data breach
https://techcrunch.com/2019/07/22/equifax-fine-ftc/?tpcc=ECFB2019
Credit agency Equifax will pay up to $700 million in fines as part of a settlement with federal authorities over a data breach in 2017.
$700 million looks like a lot of money, but looked at this way, the settlement does not look big at all:
Equifax settlement for data breach will only cost it $4 per person
https://www.engadget.com/2019/07/22/equifax-settlement-over-data-breach/
There are concerns the penalty is just a drop in the bucket.
Tomi Engdahl says:
Cyber threats from the U.S. and Russia are now focusing on civilian infrastructure
https://techcrunch.com/2019/07/22/cyber-threats-from-the-u-s-and-russia-are-now-focusing-on-civilian-infrastructure/?tpcc=ECFB2019
Targeting civilian infrastructure opens a dangerous new front in cyber hostilities between the U.S.
Joe Cheravitch
Tomi Engdahl says:
‘My job application was withdrawn by someone pretending to be me’
https://bbc.in/2jKGdsq
Tomi Engdahl says:
Haven’t had time to read FaceApp’s 37-minute-long terms and conditions? Don’t worry, Man did and he breaks it down, exploring the A.I. FaceApp, its connection to Russian Intelligence and the potential of using it to advance digital tribalism on the World Wide Web.
FaceApp: Russiagate 2.0, Tribalism, KGB, VR, AI, Facial Recognition
An episode of Man Behind The Machine
https://anchor.fm/man-behind-the-machine/episodes/FaceApp-Russiagate-2-0-or-Tribalism-e4msmj
Tomi Engdahl says:
Phishers Target Office 365 Admins with Fake Admin Alerts
https://www.bleepingcomputer.com/news/security/phishers-target-office-365-admins-with-fake-admin-alerts/
Tomi Engdahl says:
RDP exposed: the wolves already at your door
https://nakedsecurity.sophos.com/2019/07/17/rdp-exposed-the-wolves-already-at-your-door/
For the last two months the infosec world has been waiting to see if and when criminals will successfully exploit CVE-2019-0708, the remote, wormable vulnerability in Microsoft’s RDP (Remote Desktop Protocol), better known as BlueKeep.
The expectation is that sooner or later a BlueKeep exploit will be used to power some self-replicating malware that spreads around the world
criminals around the world are already abusing RDP successfully every day,
Many of the millions of RDP servers connected to the internet are protected by no more than a username and password, and many of those passwords are bad enough to be guessed
criminal markets selling both stolen RDP credentials and compromised computers. The technique is so successful that the criminals crippling city administrations, hospitals, utilities and enterprises with targeted ransomware attacks, and demanding five- or six-figure ransoms, seem to like nothing more
They set up ten geographically dispersed RDP honeypots and sat back to observe. One month and over four million password guesses later they switched off the honeypots, just as CVE-2019-0708 was announced.
The low interaction honeypots were Windows machines in a default configuration, hosted on Amazon’s AWS cloud infrastructure. They were set up to log login attempts while ensuring attackers could never get in
The first honeypot to be discovered was found just one minute and twenty four seconds after it was switched on. The last was found in just a little over 15 hours.
Between them, the honeypots received 4.3 million login attempts at a rate that steadily increased
While the majority of attacks were quick and simple attempts to dig out an administrator password with a very short password list, some attackers employed more sophisticated tactics.
What to do?
RDP password guessing shouldn’t be a problem – it isn’t new, and it isn’t particularly sophisticated – and yet it underpins an entire criminal ecosystem.
In theory, all it takes to solve the RDP problem is for all users to avoid really bad passwords. But the evidence is they won’t
While there are a number of things that administrators can do to harden RDP servers, most notably two-factor authentication, the best protection against the dual threat of password guessing and vulnerabilities like BlueKeep is simply to take RDP off the internet. Switch off RDP where it isn’t absolutely necessary, or make it accessible only via a VPN (Virtual Private Network) if it is.
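The password guessing the honeypots recorded leaves a very visible trail on the target: every failed attempt is a Windows Security event 4625 with logon type 10 (RemoteInteractive) or 3 (network, when NLA is on). The script below is an added example, not code from the Sophos article; the log lines are constructed here in a simplified one-event-per-line form, and the threshold and window are arbitrary starting points. It flags sources that exceed the threshold inside a sliding window and distinguishes a single account hammered repeatedly from a spray across many usernames.

```python
"""Flag RDP password guessing from failed-logon events.

Added example (not from the linked article). Input is a constructed,
simplified rendering of Windows Security event 4625; a real pipeline would
read the event log and map the same fields. Status codes used in the sample:
0xC000006D logon failure, 0xC000006A wrong password, 0xC0000064 no such user.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real log data.
SAMPLE_LOG = """\
2019-07-10T02:14:05Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7 Status=0xC000006D
2019-07-10T02:14:06Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7 Status=0xC000006D
2019-07-10T02:14:07Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7 Status=0xC000006D
2019-07-10T02:14:09Z EventID=4625 LogonType=3 TargetUserName=admin IpAddress=198.51.100.23 Status=0xC000006D
2019-07-10T02:14:10Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7 Status=0xC000006D
2019-07-10T02:14:12Z EventID=4625 LogonType=2 TargetUserName=alice IpAddress=10.0.0.9 Status=0xC000006A
2019-07-10T02:14:30Z EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=198.51.100.23 Status=0xC000006D
2019-07-10T02:15:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7 Status=0xC000006D
2019-07-10T02:15:02Z EventID=4624 LogonType=10 TargetUserName=bob IpAddress=192.0.2.5 Status=0x0
2019-07-10T02:15:40Z EventID=4625 LogonType=3 TargetUserName=backup IpAddress=198.51.100.23 Status=0xC0000064
2019-07-10T02:16:15Z EventID=4625 LogonType=10 TargetUserName=bob IpAddress=192.0.2.5 Status=0xC000006A
2019-07-10T02:16:55Z EventID=4625 LogonType=3 TargetUserName=guest IpAddress=198.51.100.23 Status=0xC000006D
2019-07-10T02:17:20Z EventID=4625 LogonType=3 TargetUserName=scanner IpAddress=198.51.100.23 Status=0xC0000064
2019-07-10T02:40:00Z EventID=4625 LogonType=10 TargetUserName=bob IpAddress=192.0.2.5 Status=0xC000006A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+) Status=(?P<status>\S+)$"
)
RDP_LOGON_TYPES = {"3", "10"}  # network (NLA) and RemoteInteractive


def parse(lines):
    """Yield one dict per well-formed line, with the timestamp parsed."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that does not fit the constructed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for sources with >= threshold failed RDP logons
    inside a sliding time window. Lines are assumed to be in time order."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in window
    users = defaultdict(set)      # ip -> usernames tried
    findings = {}
    for ev in parse(lines):
        if ev["eid"] != "4625" or ev["lt"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        q = recent[ip]
        q.append(ev["ts"])
        users[ip].add(ev["user"].lower())
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in findings:
            findings[ip] = {"first_seen": q[0], "flagged_at": ev["ts"]}
    for ip, f in findings.items():
        f["usernames"] = sorted(users[ip])
        f["pattern"] = "password spray" if len(users[ip]) > 1 else "brute force"
    return findings


if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, f["pattern"], "first", f["first_seen"], "users", f["usernames"])
```

In the sample, 203.0.113.7 is flagged after its fifth failure against the same account and 198.51.100.23 after five failures against five different names; 192.0.2.5 has two failures half an hour apart and is left alone, and the console failure from 10.0.0.9 is ignored because it is not an RDP logon type. Tune the threshold against your own baseline before alerting, and remember that a detector like this only confirms what the article argues: the cleanest fix is for the service not to be reachable from the internet at all.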
Tomi Engdahl says:
There is nothing newsworthy in the projects exposed here, everything was known or expected. The fact of the breach itself, its scale and apparent ease is of more note. Contractors remain the weak link in the chain for intelligence agencies worldwide—to emphasize the point, just last week, a former NSA contractor was jailed in the U.S. for stealing secrets over two decades. And the fallout from Edward Snowden continues to this day.
https://www.antihack.me/blog/russias-secret-intelligence-agency-hacked-largest-data-breach-in-its-history
Tomi Engdahl says:
https://techcrunch.com/2019/07/22/uk-to-toughen-telecoms-security-controls-to-shrink-5g-risks/?tpcc=ECFB2019
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2019/07/18/google-chrome-is-ditching-its-xss-detection-tool/
Tomi Engdahl says:
U.S. attorney general William Barr says Americans should accept security risks of encryption backdoors
https://techcrunch.com/2019/07/23/william-barr-consumers-security-risks-backdoors/
U.S. attorney general William Barr has said consumers should accept the risks that encryption backdoors pose to their personal cybersecurity to ensure law enforcement can access encrypted communications.
Tomi Engdahl says:
Facebook and Google track what porn you’re watching, even when you’re in incognito
https://www.businessinsider.com/facebook-google-quietly-tracking-porn-you-watch-2019-7
Porn sites are riddled with web trackers, including from Google, Facebook, and Oracle, according to researchers at Microsoft, Carnegie Mellon, and the University of Pennsylvania.
Google and Facebook said data from these trackers was not used to build marketing profiles of users.
Tomi Engdahl says:
NSA Forms Cybersecurity Directorate Under More Assertive U.S. Effort
https://www.wsj.com/articles/nsa-forms-cybersecurity-directorate-under-more-assertive-u-s-effort-11563876005
The National Security Agency will create a cybersecurity directorate later this year as part of a wider effort to more closely align the agency’s offensive and defensive operations, U.S. officials said.
Tomi Engdahl says:
Hacked Bluetooth hair straighteners are too hot to handle
http://nakedsecurity.sophos.com/2019/07/18/hacked-bluetooth-hair-straighteners-are-too-hot-to-handle/
What do cigarettes, candles, and faulty electrical appliances have in common with one another?
The answer is they are among the top causes of house fires in countries such as the US and UK.
hair straighteners.
They get hot (235 degrees Celsius, or 455 degrees Fahrenheit) and are easy to leave turned on inadvertently, which together explains why Hampshire Fire and Rescue estimates that up to 2016 they have been responsible for as many as 650,000 house fires in the UK alone.
Correct: Pen Test Partners researcher Stuart Kennedy found enough weaknesses to remotely override the product’s chosen temperature setting as someone is using it. Writes Kennedy:
For instance, if somebody was using the straighteners at 120°C and had a sleep time of say 5 mins after use, you could change that to 235°C and 20 mins sleep time.
What went wrong when the Glamoriser had the smart stuff added?
just fire up the app on their own phone and do the whole thing from there as long as the owner wasn’t connected or is out of range.
It’s not dissimilar to the case of hot tub hacking, another IoT calamity
Tomi Engdahl says:
Researchers spotlight the lie of ‘anonymous’ data
https://techcrunch.com/2019/07/24/researchers-spotlight-the-lie-of-anonymous-data/
Researchers from two universities in Europe have published a method they say is able to correctly re-identify 99.98% of individuals in anonymized datasets with just 15 demographic attributes.
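The reason a handful of attributes suffices is that each added attribute splits the population into smaller groups, and a record that is alone in its group is re-identifiable by anyone who knows those attributes about a person. The script below is an added example and is not the researchers' model (they fit a generative model to estimate uniqueness in the whole population from a sample); it makes the same point with a plain count on a constructed table: the share of records that are the only one with their combination of the chosen attributes, which is the same as the share with k-anonymity k = 1.

```python
"""Uniqueness of records as quasi-identifier attributes are combined.

Added example, not the method from the linked article. RECORDS is a
constructed "anonymised" table with no direct identifiers.
"""
from collections import Counter


def rec(zip_code, sex, birth_year, marital, cars):
    return {"zip": zip_code, "sex": sex, "birth_year": birth_year,
            "marital": marital, "cars": cars}


# Constructed sample data, not real people.
RECORDS = [
    rec("02139", "F", 1985, "married", 1),
    rec("02139", "F", 1985, "married", 2),
    rec("02139", "M", 1985, "single", 0),
    rec("02139", "M", 1990, "single", 1),
    rec("02139", "F", 1990, "married", 1),
    rec("02139", "M", 1990, "married", 1),
    rec("02140", "F", 1985, "single", 0),
    rec("02140", "F", 1985, "single", 0),
    rec("02140", "M", 1972, "married", 2),
    rec("02140", "M", 1972, "divorced", 2),
    rec("02140", "F", 1972, "married", 1),
    rec("02140", "M", 1990, "single", 0),
]

ATTRS = ["zip", "sex", "birth_year", "marital", "cars"]


def group_sizes(records, attrs):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def uniqueness(records, attrs):
    """Fraction of records that are alone in their attribute combination."""
    counts = group_sizes(records, attrs)
    keys = [tuple(r[a] for a in attrs) for r in records]
    return sum(1 for k in keys if counts[k] == 1) / len(keys)


def k_anonymity(records, attrs):
    """Smallest group size: every record is hidden among at least k others."""
    return min(group_sizes(records, attrs).values())


def curve(records, attrs):
    """Uniqueness after adding attributes one at a time, in the given order."""
    return [(n, uniqueness(records, attrs[:n])) for n in range(1, len(attrs) + 1)]


if __name__ == "__main__":
    for n, u in curve(RECORDS, ATTRS):
        print("%d attribute(s): %.0f%% of records unique, k=%d"
              % (n, 100 * u, k_anonymity(RECORDS, ATTRS[:n])))
```

On this tiny table, zip code and sex alone single out nobody, adding birth year makes a third of the records unique, and all five attributes leave only one pair of records indistinguishable. Removing names from a dataset does nothing about this; the defence is to coarsen or suppress the quasi-identifiers until the smallest group is acceptably large.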
Tomi Engdahl says:
Siemens contractor pleads guilty to planting logic bomb in company spreadsheets
https://www.zdnet.com/article/siemens-contractor-pleads-guilty-to-planting-logic-bomb-in-company-spreadsheets/
Logic bomb would crash spreadsheets after a certain date, resulting in Siemens hiring the contractor to fix the latest bugs.
Tomi Engdahl says:
VLC Media Player Plagued By Unpatched Critical RCE Flaw
https://threatpost.com/vlc-media-player-plagued-by-unpatched-critical-rce-flaw/146611/
According to NIST, the bug ranks 9.8 out of 10 on the CVSS 3.0 scale, making it critical severity. Despite the level of severity, no patch is currently available for the vulnerability.
Tomi Engdahl says:
Report: NSO Group’s Pegasus Spyware Can Break Into Cloud Services, Transmit User Data to Servlet
https://gizmodo.com/report-nso-groups-pegasus-spyware-can-break-into-cloud-1836560630
Israeli spyware company NSO Group’s powerful Pegasus malware—the same spyware implicated in a breach of WhatsApp earlier this year—is capable of scraping a target’s data from the servers of Apple, Google, Amazon, Facebook, and Microsoft, according to a report in the Financial Times on Friday.
Tomi Engdahl says:
Chrome 76 blocks websites from detecting incognito mode
http://nakedsecurity.sophos.com/2019/07/22/chrome-76-blocks-websites-from-detecting-incognito-mode/
Tomi Engdahl says:
Flaws in widely used corporate VPNs put company secrets at risk
https://techcrunch.com/2019/07/23/corporate-vpn-flaws-risk/
Tomi Engdahl says:
https://www.technologyreview.com/s/613996/youre-very-easy-to-track-down-even-when-your-data-has-been-anonymized/
Tomi Engdahl says:
Facebook settles with FTC: $5 billion and new privacy guarantees
https://techcrunch.com/2019/07/24/facebook-settles-with-ftc-5-billion-and-new-privacy-guarantees/?tpcc=ECFB2019&fbclid=IwAR0LWPejZEqYD8GLt9sB3GbLqUfMZjH1wBbA61oDMnIFFPwoDeBqWEvitdQ
Tomi Engdahl says:
VideoLAN is really angry with MITRE
https://twitter.com/videolan/status/1153963312981389312?s=19