Cyber security news August 2019

This posting is here to collect cyber security news in August 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

273 Comments

  1. Tomi Engdahl says:

    With warshipping, hackers ship their exploits directly to their target’s mail room
    https://techcrunch.com/2019/08/06/warshipping-hackers-ship-exploits-mail-room/

    Just drop your exploit in the mail and let your friendly postal worker deliver it to your target’s door.

    This newly named technique — dubbed “warshipping” — is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy.

    “It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal’s location,” wrote Charles Henderson, who heads up the IBM offensive operations unit.

  2. Tomi Engdahl says:

    Microsoft catches Russian state hackers using IoT devices to breach networks
    Fancy Bear servers are communicating with compromised devices inside corporate networks
    https://arstechnica.com/information-technology/2019/08/microsoft-catches-russian-state-hackers-using-iot-devices-to-breach-networks/?fbclid=IwAR2eloBJGkedvwbu5g1c3Brx6SI8pIq6KAMA2OFVCXO9dBkb_zv8JRgQT38

  3. Tomi Engdahl says:

    Sites using Facebook ‘Like’ button liable for data, EU court rules
    https://www.euractiv.com/section/digital/news/sites-using-facebook-like-button-liable-for-data-eu-court-rules/

    Europe’s top court ruled Monday (30 July) that companies that embed Facebook’s “Like” button on their websites must seek users’ consent to transfer their personal data to the US social network, in line with the bloc’s data privacy laws

    According to the European Court of Justice ruling, a site that embeds the Facebook “like” icon and link on its pages also sends user data to the US web giant.

  4. Tomi Engdahl says:

    Hackers Inject Multi-Gateway Card Skimmer via Fake Google Domains
    https://www.bleepingcomputer.com/news/security/hackers-inject-multi-gateway-card-skimmer-via-fake-google-domains/

    Attackers are using fake Google domains spoofed with the help of internationalized domain names (IDNs) to host and load a Magecart credit card skimmer script with support for multiple payment gateways.

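Comment 4 above refers to IDN-spoofed look-alike domains serving a skimmer script. As an added example (not from the linked article or any vendor), the Python below shows the kind of check a site owner can run over a page's script sources: decode punycode, reduce each host to an ASCII look-alike skeleton and flag hosts that imitate a protected brand. The allowlist, brand list, confusable table and sample HTML are all constructed for the demo.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Hosts this site legitimately loads scripts from (assumed allowlist for the demo).
TRUSTED_HOSTS = {"www.google.com", "www.gstatic.com", "cdn.example.net"}
# Brands whose look-alikes we want to catch (ASCII skeleton form).
PROTECTED_BRANDS = {"google.com", "gstatic.com", "googleapis.com"}

# Small homoglyph table, constructed for this example. A real deployment would
# use the Unicode confusables data from UTS #39 instead of this hand-picked set.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0261": "g", "\u0131": "i", "\u0501": "d", "\u051b": "q", "\u04bb": "h",
}


def to_unicode_host(host):
    """Convert an A-label hostname (xn--...) to its Unicode form; plain ASCII stays as-is."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host):
    """Map a hostname to an ASCII look-alike skeleton: decode punycode, NFKD-normalise,
    drop combining marks (accents, dots) and replace known confusable letters."""
    text = unicodedata.normalize("NFKD", to_unicode_host(host).lower())
    return "".join(CONFUSABLES.get(c, c) for c in text if unicodedata.category(c) != "Mn")


def matches_brand(name, brands):
    """True if name is a brand domain or a subdomain of one."""
    return any(name == b or name.endswith("." + b) for b in brands)


def assess_host(host):
    """Return (verdict, unicode_form, skeleton) for one script host."""
    host = host.lower()
    uni = to_unicode_host(host)
    skel = skeleton(host)
    if host in TRUSTED_HOSTS or matches_brand(host, PROTECTED_BRANDS):
        return ("trusted", uni, skel)          # allowlisted or genuinely the brand's domain
    if matches_brand(skel, PROTECTED_BRANDS):
        return ("lookalike", uni, skel)        # looks like a brand once confusables are folded
    if uni != host:
        return ("idn", uni, skel)              # internationalised, but not imitating a brand
    return ("unknown", uni, skel)


def scan_script_sources(html):
    """Find every <script src=...> in a page and assess its host."""
    findings = []
    for url in re.findall(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', html, re.I):
        verdict, uni, skel = assess_host(urlsplit(url).hostname or "")
        findings.append({"url": url, "host": uni, "skeleton": skel, "verdict": verdict})
    return findings


# Constructed sample page: a genuine Google script, a look-alike whose "oo" are
# Cyrillic letters (built here in punycode form rather than hard-coded), and a
# first-party CDN.
LOOKALIKE_HOST = "g\u043e\u043egle.com".encode("idna").decode("ascii")
SAMPLE_HTML = f"""
<script src="https://www.google.com/recaptcha/api.js"></script>
<script src="https://{LOOKALIKE_HOST}/js/checkout.js"></script>
<script src="https://cdn.example.net/app.js"></script>
"""

if __name__ == "__main__":
    for f in scan_script_sources(SAMPLE_HTML):
        print(f["verdict"], f["host"], "->", f["skeleton"], f["url"])
```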
  5. Tomi Engdahl says:

    All big phones’ security at risk .. #oneplus #blackshark #oppo #redmi #nokia8 #redmi #snapdragon #googlepixel #nubia #asus #realme

    Security warning for the users of these 34 Android smartphones

    Qualcomm has said that a bug (code name: CVE-2019-10540) may have impacted more than a few of its popular chipsets like Snapdragon 855, 845, 730, 710, 675

    https://m.gadgetsnow.com/slideshows/security-warning-for-users-of-these-35-android-smartphones/Security-warning-for-users-of-these-34-Android-smartphones/photolist/70563397.cms

  6. Tomi Engdahl says:

    https://www.reddit.com/r/hacking/comments/cn2un8/steam_windows_client_local_privilege_escalation/?utm_medium=android_app&utm_source=share

    Severe local 0-Day escalation exploit found in Steam Client Services
    This trivially exploited security flaw allows any user root—er, LOCALSYSTEM—privileges.
    https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/

    Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam. The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.

    The vulnerability lies within Steam Client Service.

    It’s possible to pass arguments to services that run under extremely privileged accounts—such as msiserver, the Windows Installer service.

    A genuinely malicious user might use this procedure to directly pop a locally or remotely accessible shell with LOCALSYSTEM privileges, after which they can do whatever they like with no further tricks necessary.

    With this second rejection, Vasily decided there was no further recourse but public disclosure, and he informed HackerOne that he would disclose after July 30.

  7. Tomi Engdahl says:

    A BOEING CODE LEAK EXPOSES SECURITY FLAWS DEEP IN A 787′S GUTS
    https://www.wired.com/story/boeing-787-code-leak-security-flaws/

    LATE ONE NIGHT last September, security researcher Ruben Santamarta sat in his home office

    He was surprised to discover a fully unprotected server on Boeing’s network, seemingly full of code designed to run on the company’s giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see.

    Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner’s components, deep in the plane’s multi-tiered network.

    Boeing flatly denies that such an attack is possible, and it rejects his claim of having discovered a potential path to pull it off.

    multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System

    Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane’s safety-critical systems, including its engine, brakes, and sensors.

  8. Tomi Engdahl says:

    Instagram ad partner secretly sucked up and tracked millions of users’ locations and stories
    https://tcrn.ch/2yMXGnX

    Hyp3r, an apparently trusted marketing partner of Facebook and Instagram, has been secretly collecting and storing location and other data on millions of users, against the policies of the social networks, Business Insider reported today. It’s hard to see how it could do this for years without intervention by the platforms except if the latter were either ignorant or complicit.

    https://www.businessinsider.com/startup-hyp3r-saving-instagram-users-stories-tracking-locations-2019-8?r=US&IR=T

  9. Tomi Engdahl says:

    https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/

    If you are somehow under the impression that you — the customer — are in control over the security, privacy and integrity of your mobile phone service, think again. And you’d be forgiven if you assumed the major wireless carriers or federal regulators had their hands firmly on the wheel.

  10. Tomi Engdahl says:

    Hackers have crafted malware that’s designed to kill people. Here’s what we know about it.

    Triton is the world’s most murderous malware, and it’s spreading
    https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/?utm_medium=tr_social&utm_campaign=site_visitor.unpaid.engagement&utm_source=Facebook#Echobox=1564766972

    The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.

  11. Tomi Engdahl says:

    “Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple’s Siri, Amazon’s Alexa and Google’s Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online — simply with music playing over the radio.”

    https://www.nytimes.com/2018/05/10/technology/alexa-siri-hidden-command-audio-attacks.html

  12. Tomi Engdahl says:

    The Fully Remote Attack Surface of the iPhone
    https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html?m=1

    There are several attack surfaces of the iPhone that have these qualities, including SMS, MMS, VVM, Email and iMessage.

  13. Tomi Engdahl says:

    Corporate Surveillance in Everyday Life
    https://crackedlabs.org/en/corporate-surveillance

    Report: How thousands of companies monitor, analyze, and influence the lives of billions. Who are the main players in today’s digital tracking?

  14. Tomi Engdahl says:

    Flawed office printers are a silent but serious target for hackers
    https://techcrunch.com/2019/08/08/office-printers-hackers-target-def-con/

    The latest research by the NCC Group just revealed at the Def Con security conference shows just how easy of a target office printers can be.

    Think about it: Office printers at some of the largest organizations in finance, government and tech all print corporate secrets — and classified material — and often keep a recorded copy in their memory.

  15. Tomi Engdahl says:

    FBI tells lawmakers it can’t access Dayton gunman’s phone
    https://thehill.com/homenews/administration/456742-fbi-tells-lawmakers-it-cant-access-phone-of-dayton-gunman

    Top FBI officials informed congressional lawmakers this week that they have been unable to access the smartphone of the suspected gunman in the Dayton, Ohio, mass shooting, two sources told The Hill.

    The Trump administration has criticized tech companies’ ability to fully encrypt communications. Attorney General William Barr said in a speech last month that encrypted messaging services allow “criminals to operate with impunity.”

    The cost of encryption is “ultimately measured in a mounting number of victims — men, women and children who are the victims of crimes, crimes that could have been prevented if law enforcement had been given lawful access to encrypted evidence,” Barr said during a speech at a cybersecurity conference.

  16. Tomi Engdahl says:

    https://thehackernews.com/2019/08/android-qualcomm-vulnerability.html?m=1

    A series of critical vulnerabilities have been discovered in Qualcomm chipsets that could allow hackers to compromise Android devices remotely just by sending malicious packets over-the-air with no user interaction.

    The vulnerabilities, collectively known as QualPwn, reside in the WLAN and modem firmware of Qualcomm chipsets that power hundreds of millions of Android smartphones and tablets.

    “One of the vulnerabilities allows attackers to compromise the WLAN and Modem over-the-air. The other allows attackers to compromise the Android Kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android Kernel over-the-air in some circumstances,” researchers said in a blog post.

    Once compromised, the kernel gives attackers full system access.

    Though Tencent researchers tested their QualPwn attacks against Google Pixel 2 and Pixel 3 devices that are running on Qualcomm Snapdragon 835 and Snapdragon 845 chips, the vulnerabilities impact many other chipsets.

    Google just yesterday released security patches for these vulnerabilities as part of its Android Security Bulletin for August 2019. So, you are advised to download the security patches as soon as they are available.

  17. Tomi Engdahl says:

    Apple locks new iPhone batteries to prevent third-party repair, report says
    It’s yet another change that keeps iPhone owners inside Apple’s ecosystem.
    https://arstechnica.com/tech-policy/2019/08/apple-locks-new-iphone-batteries-to-prevent-third-party-repair-report-says/

  18. Tomi Engdahl says:

    New Windows hack warning: Patch Intel systems now to block SWAPGSAttack exploits
    https://www.zdnet.com/article/new-windows-hack-warning-patch-intel-systems-now-to-block-swapgsattack-exploits/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d4a4d0affeb9a00013ba732&utm_medium=trueAnthem&utm_source=facebook

    Researchers detail hardware vulnerability that bypasses mitigations against Spectre and Meltdown CPU vulnerabilities on Windows systems – and impacts all systems using Intel processors manufactured since 2012.

    A newly uncovered vulnerability affecting every Windows computer using an Intel processor built since 2012 could allow attackers to bypass safeguards and access information held in a system’s protected kernel memory

  19. Tomi Engdahl says:

    Serious vulnerabilities in #WhatsApp, disclosed in 2018, can still be exploited in several attacks to manipulate chats.
    https://threatpost.com/whatsapp-flaws-message-manipulation/147088/

  20. Tomi Engdahl says:

    Leo Kelion / BBC:
    Researcher says one in four UK- and US-based companies contacted to test a GDPR “right of access” request made in someone else’s name revealed personal data

    Black Hat: GDPR privacy law exploited to reveal personal data
    https://www.bbc.com/news/technology-49252501

    About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.

    The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.

    It is one of the first tests of its kind to exploit the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

    “Generally if it was an extremely large company – especially tech ones – they tended to do really well,” he told the BBC.

    “Small companies tended to ignore me.

    “But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”

  21. Tomi Engdahl says:

    https://gizmodo.com/the-white-house-readies-draft-of-executive-order-that-c-1837110097

    It appears the Trump administration is drafting an executive order that has the potential to radically change how the content posted on social networks are governed, stripping crucial protections from tech companies and inserting much more government oversight. This is being done under the guise of a popular political talking point claiming that social media networks are censoring conservatives.

  22. Tomi Engdahl says:

    How Reverse Engineering (and Cyber-Criminals’ Mistakes) Can Help You When You’ve Been a Ransomware Victim

    https://blog.virusbay.io/2019/08/05/how-reverse-engineering-and-cyber-criminals-mistakes-can-help-you-when-youve-been-a-ransomware-victim/

  23. Tomi Engdahl says:

    I Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets
    Avoiding digital snoops takes more than throwing money at the problem, but that part can be really fun.
    https://www.bloomberg.com/news/features/2019-08-08/i-tried-hiding-from-silicon-valley-in-a-pile-of-privacy-gadgets

    As the spy gear piles up on my desk, my 10-year-old son asks me what my mission is. “I’m hiding,” I whisper, pointing in the direction I think is north, which is something I should probably know as a spy. “From Silicon Valley.”

    It isn’t going to be easy. I use Google, Facebook, Amazon, Lyft, Uber, Netflix, Hulu, and Spotify. I have two Amazon Echos, a Google Home, an iPhone, a MacBook Air, a Nest thermostat, a Fitbit, and a Roku. I shared the secrets of my genetic makeup by spitting in one vial for 23andMe, another for an ancestry site affiliated with National Geographic, and a third to test my athletic potential.

  24. Tomi Engdahl says:

    How safe are school records? Not very, says student security researcher
    https://tcrn.ch/2KE8VVi

    If you can’t trust your bank, government or your medical provider to protect your data, what makes you think students are any safer?

    Among one of the more damaging issues Demirkapi found in Follett’s student information system was an improper access control vulnerability, which if exploited could have allowed an attacker to read and write to the central Aspen database and obtain any student’s data.

  25. Tomi Engdahl says:

    How tech is transforming the intelligence industry
    Technology and the future of spying
    https://techcrunch.com/2019/08/10/how-tech-is-transforming-the-intelligence-industry/

  26. Tomi Engdahl says:

    What a security researcher learned from monitoring traffic at Defcon
    https://www.cnet.com/news/what-a-security-researcher-learned-from-monitoring-traffic-at-defcon/

    He spent thousands on a data-collecting monstrosity to figure out why people considered the security conference’s network dangerous

    36-year-old security researcher saw me too. Or at least my network traffic. Because the hardware on Spicer’s back was a surveillance tool nicknamed the “Wi-Fi Cactus.”

    The Wi-Fi Cactus, which Spicer wears like a backpack, is made up of 25 Hak5 Pineapples, devices made to monitor, intercept and manipulate network traffic

    https://shop.hak5.org/pages/wifi-pineapple

  27. Tomi Engdahl says:

    Teen Security Researcher Suspended for Exposing Vulnerabilities in His School’s Software
    https://www.vice.com/en_us/article/59nzjz/teen-security-researcher-bill-demirkapi-suspended-for-exposing-vulnerabilities

    Another vulnerability that Bill Demirkapi found impacted 5,000 schools.

  28. Tomi Engdahl says:

    INSIDE THE HIDDEN WORLD OF ELEVATOR PHONE PHREAKING
    https://www.wired.com/story/elevator-phone-phreaking-defcon/?mbid=synd_digg

    “I can dial into an elevator phone, listen in on private conversations, reprogram the phone

    As a result, he or any other similarly equipped phreaker could change the number the phone calls when someone in the elevator presses the “help” or “call” button. Instead of dialing emergency responders, a reprogrammed phone can be set to call the phreaker’s cell phone, or a pizza delivery place, or a number that plays a recording of Rick Astley’s “Never Gonna Give You Up.” Or a phreaker can reprogram the phone to change its location ID

  29. Tomi Engdahl says:

    Clever attack uses SQLite databases to hack other apps, malware servers
    https://www.zdnet.com/article/clever-attack-uses-sqlite-databases-to-hack-other-apps-malware-servers/

    Tainted SQLite database can run malicious code inside other apps, such as web apps or Apple’s iMessage.

    SQLite databases can be modified in such a way that they execute malicious code inside other apps that rely on them to store data, security researchers have revealed.

    When the third-party app, such as iMessage, reads the tainted SQLite database, it also inadvertently executes the hidden code.

    For example, browsers store user data and passwords inside SQLite databases. Info-stealers — a class of malware — are specifically designed for stealing these SQLite user data files and uploading the files to a remote command-and-control (C&C) server.

    These C&C servers are usually coded in PHP and work by parsing the SQLite files to extract the user’s browser data so they can show it inside the malware’s web-based control panel.

  30. Tomi Engdahl says:

    Warning Issued For Apple’s 1.4 Billion iPad And iPhone Users
    https://www.forbes.com/sites/gordonkelly/2019/08/10/apple-iphone-ipad-security-warning-ios-12-ios13-iphone-xs-max-xr/?utm_source=FACEBOOK&utm_medium=social&utm_term=Valerie/#76616c657269

    Apple is having a bad week. Just days after Face ID was hacked and the company’s “user-hostile” iPhone battery practices were exposed, an extraordinary story of Apple neglect has resulted in a warning every iPhone and iPad user needs to know about.

    Picked up by AppleInsider, security firm Check Point has revealed it has found a way to hack every iPhone and iPad running iOS 8 right up to betas of iOS 13.

    The Contacts app built into iOS can be exploited using the industry-standard SQLite database so that any search of Contacts can trick the device into running malicious code capable of stealing user data and passwords.

    In short: Apple got sloppy. As AppleInsider explains: “the bug has been considered unimportant because it was believed it could only be triggered by an unknown application accessing the database, and in a closed system like iOS, there are no unknown apps.

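Comments 29 and 30 above both concern SQLite files that carry hidden SQL into whatever program parses them (a C&C panel, a chat app). As an added defensive example, not code from the linked articles or from any vendor, the Python below opens an untrusted SQLite file read-only and refuses it when its schema carries views, triggers or tables other than the ones the consumer expects. The `logins` table and the shape of the tainted file (a view standing in for the expected table, plus a trigger) are assumptions constructed for the demo.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def inspect_untrusted_sqlite(path, expected_tables):
    """Report the schema objects a parser should not run into blindly: views and
    triggers (they embed SQL that runs inside the process querying the file) and
    tables that were not expected. The file is opened read-only, so no trigger
    can fire, and only sqlite_master is read; none of the file's own SQL runs."""
    with open(path, "rb") as f:
        if f.read(16) != SQLITE_MAGIC:
            return {"ok": False, "reason": "not a SQLite 3 file"}
    con = sqlite3.connect("file:" + path + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT type, name FROM sqlite_master").fetchall()
    finally:
        con.close()
    views = sorted(n for t, n in rows if t == "view")
    triggers = sorted(n for t, n in rows if t == "trigger")
    tables = sorted(n for t, n in rows if t == "table" and not n.startswith("sqlite_"))
    unexpected = sorted(set(tables) - set(expected_tables))
    missing = sorted(set(expected_tables) - set(tables))  # e.g. a view wearing the table's name
    return {"ok": not (views or triggers or unexpected or missing),
            "views": views, "triggers": triggers,
            "unexpected_tables": unexpected, "missing_tables": missing}


def make_sample_db(path, tainted=False):
    """Constructed 'browser logins' file for the demo. With tainted=True the real
    table is hidden behind a view of the expected name plus a trigger: the kind of
    hidden SQL a parser expecting a plain table would execute without noticing."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin TEXT, username TEXT, password BLOB)")
    con.execute("INSERT INTO logins VALUES ('https://shop.example', 'alice', x'00')")
    if tainted:
        con.execute("ALTER TABLE logins RENAME TO logins_real")
        con.execute("CREATE VIEW logins AS SELECT origin, username, password FROM logins_real")
        con.execute("CREATE TRIGGER on_read AFTER INSERT ON logins_real BEGIN SELECT 1; END")
    con.commit()
    con.close()


def run_demo():
    """Build a clean and a tainted file, inspect both, return the two reports."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.sqlite")
        bad = os.path.join(d, "tainted.sqlite")
        make_sample_db(clean)
        make_sample_db(bad, tainted=True)
        return (inspect_untrusted_sqlite(clean, ["logins"]),
                inspect_untrusted_sqlite(bad, ["logins"]))


if __name__ == "__main__":
    for label, report in zip(("clean", "tainted"), run_demo()):
        print(label, report)
```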
  31. Tomi Engdahl says:

    On Thursday at Black Hat USA in Las Vegas, Nevada, McAfee researchers revealed the existence of the security flaw in a desk phone developed by Avaya, a VOIP solution provider and vendor for business desk phones

    found a severe remote code execution (RCE) vulnerability present in an open-source component within the phone’s firmware.

    Decade-old remote code execution bug found in phones used by Fortune 500
    The firmware vulnerability lurked undetected for ten years.
    https://www.zdnet.com/article/decade-old-remote-code-execution-bug-found-in-phone-used-by-up-to-90-percent-of-fortune-500/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d4cd3d7ffeb9a00013bcdc4&utm_medium=trueAnthem&utm_source=facebook

  32. Tomi Engdahl says:

    China’s cyber-spies make money on the side by hacking video games
    https://www.technologyreview.com/f/614088/chinese-hackers-do-double-duty-operations-for-espionage-and-profit/

    Just because you’re a world-class Chinese government hacker busy conducting espionage against geopolitical adversaries doesn’t mean you can’t make a little extra money on the side.

  33. Tomi Engdahl says:

    3fun: Security glitch in threesome hook-up app reveals details of users in Downing Street and White House
    https://www.independent.co.uk/news/uk/home-news/3fun-threesome-app-downing-street-white-house-cyber-security-a9051201.html

    ‘Worst security of any dating app we’ve ever seen,’ say experts

    The app, 3fun, revealed users with locations appearing to be in No 10 in London, and the White House and the US Supreme Court in Washington DC, according to a report on cyber security firm Pen Test Partners’ website.

    Furthermore, private photographs were accessible too.

    Users of the app could restrict the app from showing their locations, but according to Pen Test Partners, the data was only filtered on the mobile app itself, not on the servers containing the data, which their experts were able to query to reveal location information.

  34. Tomi Engdahl says:

    Patrick Howell O’Neill / MIT Technology Review:
    FireEye: Chinese state-backed hacker group APT41 hacks video-game companies and sells virtual game currencies on the dark web as a side hustle

  35. Tomi Engdahl says:

    Patrick Howell O’Neill / MIT Technology Review:
    FireEye: Chinese state-backed hacker group APT41 hacks video-game companies and sells virtual game currencies on the dark web as a side hustle

    China’s cyber-spies make money on the side by hacking video games
    https://www.technologyreview.com/f/614088/chinese-hackers-do-double-duty-operations-for-espionage-and-profit/

  36. Tomi Engdahl says:

    Don’t Just Delete Facebook, Poison Your Data First
    https://www.vice.com/en_us/article/qvxv4x/how-to-delete-facebook-data?utm_source=vicefbus

    If you’re savvy with code, you can employ a script that repeatedly alters your Facebook posts with nonsense, making it more difficult for the social media site to collect user data.

  37. Tomi Engdahl says:

    Researchers hacked a Canon DSLR with ransomware demanding Bitcoin
    The camera’s firmware has since been patched
    https://thenextweb.com/hardfork/2019/08/12/canon-dslrs-susceptible-bitcoin-ransomware/

    A group of security researchers have managed to exploit vulnerabilities in a Canon EOS 80D digital camera to hold its owner’s photos to a Bitcoin ransom, The Inquirer reports.

    Security boffins find that Canon DSLR cameras are vulnerable to ransomware
    Ransom, where!?
    https://www.theinquirer.net/inquirer/news/3080359/canon-dslr-ransomware

  38. Tomi Engdahl says:

    Google Warning: Tens Of Millions Of Android Phones Come Preloaded With Dangerous Malware
    https://www.forbes.com/sites/zakdoffman/2019/08/10/google-warning-tens-of-millions-of-android-phones-come-preloaded-with-dangerous-malware/?utm_source=FACEBOOK&utm_medium=social&utm_term=Paulie/#7061756c696

    Google’s Maddie Stone, a security researcher with the company’s Project Zero, shared her team’s findings at Black Hat on Thursday. “If malware or security issues come as preinstalled apps,” she warned, “then the damage it can do is greater, and that’s why we need so much reviewing, auditing and analysis.”

    Of particular concern were two particularly virulent malware campaigns: Chamois and Triada. Chamois generates various flavors of ad fraud, installs background apps, downloads plugins and can even send premium rate text messages. Chamois alone was found to have come installed on 7.4 million devices. Triada is an older variant of malware, one that also displays ads and installs apps.
