This posting is here to collect cyber security news in August 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
273 Comments
Tomi Engdahl says:
With warshipping, hackers ship their exploits directly to their target’s mail room
https://techcrunch.com/2019/08/06/warshipping-hackers-ship-exploits-mail-room/
Just drop your exploit in the mail and let your friendly postal worker deliver it to your target’s door.
This newly named technique — dubbed “warshipping” — is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy.
“It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal’s location,” wrote Charles Henderson, who heads up the IBM offensive operations unit.
Tomi Engdahl says:
Microsoft catches Russian state hackers using IoT devices to breach networks
Fancy Bear servers are communicating with compromised devices inside corporate networks
https://arstechnica.com/information-technology/2019/08/microsoft-catches-russian-state-hackers-using-iot-devices-to-breach-networks/?fbclid=IwAR2eloBJGkedvwbu5g1c3Brx6SI8pIq6KAMA2OFVCXO9dBkb_zv8JRgQT38
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2019/08/06/github-encourages-hacking-says-lawsuit-following-capital-one-breach/
Tomi Engdahl says:
Saying goodbye to Flash in Chrome
https://www.blog.google/products/chrome/saying-goodbye-flash-chrome/
Tomi Engdahl says:
Sites using Facebook ‘Like’ button liable for data, EU court rules
https://www.euractiv.com/section/digital/news/sites-using-facebook-like-button-liable-for-data-eu-court-rules/
Europe’s top court ruled Monday (30 July) that companies that embed Facebook’s “Like” button on their websites must seek users’ consent to transfer their personal data to the US social network, in line with the bloc’s data privacy laws.
According to the European Court of Justice ruling, a site that embeds the Facebook “like” icon and link on its pages also sends user data to the US web giant.
Tomi Engdahl says:
Hackers Inject Multi-Gateway Card Skimmer via Fake Google Domains
https://www.bleepingcomputer.com/news/security/hackers-inject-multi-gateway-card-skimmer-via-fake-google-domains/
Attackers are using fake Google domains spoofed with the help of internationalized domain names (IDNs) to host and load a Magecart credit card skimmer script with support for multiple payment gateways.
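The comment above describes a skimmer served from fake Google domains built with internationalized domain names. As an added example (not code from the article or from the researchers it reports), the scanner below pulls every external script source out of a page, decodes punycode (`xn--`) labels back to Unicode and flags hosts that spell a brand word once confusable characters are folded or that mix scripts within one label. The trusted-host allowlist, brand list and sample HTML are constructed for the demo.

```python
"""Flag <script src> hosts that are IDN lookalikes of a brand domain."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist of script hosts the scanned shop legitimately uses.
TRUSTED_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com", "shop.example"}
BRAND_WORDS = ("google",)
# A few Cyrillic letters whose lowercase glyphs look like Latin ones.
CONFUSABLE_TWINS = {"\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p",
                    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def decode_host(host):
    """Turn punycode labels back into Unicode using the stdlib IDNA codec."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def scripts_used(label):
    """Unicode script families (LATIN, CYRILLIC, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Crude confusable fold: strip combining marks, map known twins to Latin."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if not unicodedata.combining(ch):
            out.append(CONFUSABLE_TWINS.get(ch, ch))
    return "".join(out)


def suspicious_script_hosts(html):
    """Return [(src, decoded_host)] for external scripts from IDN brand lookalikes.

    A host is flagged when a label mixes scripts, or when it was punycode
    encoded and its folded form contains a brand word. Plain single-script
    IDNs without a brand word are left alone; relative and trusted srcs skip.
    """
    findings = []
    collector = ScriptSrcCollector()
    collector.feed(html)
    for src in collector.sources:
        host = (urlsplit(src).hostname or "").lower()
        if not host or host in TRUSTED_HOSTS:
            continue
        unicode_host = decode_host(host)
        for label in unicode_host.split("."):
            mixed = len(scripts_used(label)) > 1
            brand = any(word in skeleton(label) for word in BRAND_WORDS)
            if mixed or (brand and unicode_host != host):
                findings.append((src, unicode_host))
                break
    return findings


# Constructed sample page: one relative script, one trusted host, one lookalike
# whose two "o"s are Cyrillic (U+043E) and travel in the DNS as punycode.
FAKE_GOOGLE = "g\u043e\u043egle-analytics.com"
SAMPLE_HTML = (
    '<script src="/js/app.js"></script>\n'
    '<script src="https://www.google-analytics.com/analytics.js"></script>\n'
    '<script src="https://%s/analytics.js"></script>\n'
    % FAKE_GOOGLE.encode("idna").decode("ascii")
)
```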
Tomi Engdahl says:
All big phones’ security at risk.. #oneplus #blackshark #oppo #redmi #nokia8 #redmi #snapdragon #googlepixel #nubia #asus #realme
Security warning for the users of these 34 Android smartphones
Qualcomm has said that a bug (code name: CVE-2019-10540) may have impacted more than a few of its popular chipsets like Snapdragon 855, 845, 730, 710, 675.
https://m.gadgetsnow.com/slideshows/security-warning-for-users-of-these-35-android-smartphones/Security-warning-for-users-of-these-34-Android-smartphones/photolist/70563397.cms
Tomi Engdahl says:
https://amonitoring.ru/article/steamclient-0day/
Tomi Engdahl says:
https://www.reddit.com/r/hacking/comments/cn2un8/steam_windows_client_local_privilege_escalation/?utm_medium=android_app&utm_source=share
Severe local 0-Day escalation exploit found in Steam Client Services
This trivially-exploited security flaw allows any user root—er, LOCALSYSTEM—privileges.
https://arstechnica.com/gaming/2019/08/severe-local-0-day-escalation-exploit-found-in-steam-client-services/
Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam. The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.
The vulnerability lies within Steam Client Service.
It’s possible to pass arguments to services that run under extremely privileged accounts—such as msiserver, the Windows Installer service.
A genuinely malicious user might use this procedure to directly pop a locally or remotely accessible shell with LOCALSYSTEM privileges, after which they can do whatever they like with no further tricks necessary.
With this second rejection, Vasily decided there was no further recourse but public disclosure, and he informed HackerOne that he would disclose after July 30.
Tomi Engdahl says:
A BOEING CODE LEAK EXPOSES SECURITY FLAWS DEEP IN A 787′S GUTS
https://www.wired.com/story/boeing-787-code-leak-security-flaws/
LATE ONE NIGHT last September, security researcher Ruben Santamarta sat in his home office
He was surprised to discover a fully unprotected server on Boeing’s network, seemingly full of code designed to run on the company’s giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see.
Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner’s components, deep in the plane’s multi-tiered network.
Boeing flatly denies that such an attack is possible, and it rejects his claim of having discovered a potential path to pull it off.
multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System
Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane’s safety-critical systems, including its engine, brakes, and sensors.
Tomi Engdahl says:
Instagram ad partner secretly sucked up and tracked millions of users’ locations and stories
https://tcrn.ch/2yMXGnX
Hyp3r, an apparently trusted marketing partner of Facebook and Instagram, has been secretly collecting and storing location and other data on millions of users, against the policies of the social networks, Business Insider reported today. It’s hard to see how it could do this for years without intervention by the platforms except if the latter were either ignorant or complicit.
https://www.businessinsider.com/startup-hyp3r-saving-instagram-users-stories-tracking-locations-2019-8?r=US&IR=T
Tomi Engdahl says:
https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/
If you are somehow under the impression that you — the customer — are in control over the security, privacy and integrity of your mobile phone service, think again. And you’d be forgiven if you assumed the major wireless carriers or federal regulators had their hands firmly on the wheel.
Tomi Engdahl says:
Hackers have crafted malware that’s designed to kill people. Here’s what we know about it.
Triton is the world’s most murderous malware, and it’s spreading
https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/?utm_medium=tr_social&utm_campaign=site_visitor.unpaid.engagement&utm_source=Facebook#Echobox=1564766972
The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.
Tomi Engdahl says:
“Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple’s Siri, Amazon’s Alexa and Google’s Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online — simply with music playing over the radio.”
https://www.nytimes.com/2018/05/10/technology/alexa-siri-hidden-command-audio-attacks.html
Tomi Engdahl says:
https://labs.bitdefender.com/2019/08/bypassing-kpti-using-the-speculative-behavior-of-the-swapgs-instruction/?cid=soc%7Cc%7cfb%7Cnoncomm
Tomi Engdahl says:
The Fully Remote Attack Surface of the iPhone
https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html?m=1
There are several attack surfaces of the iPhone that have these qualities, including SMS, MMS, VVM, Email and iMessage.
Tomi Engdahl says:
Corporate Surveillance in Everyday Life
https://crackedlabs.org/en/corporate-surveillance
Report: How thousands of companies monitor, analyze, and influence the lives of billions. Who are the main players in today’s digital tracking?
Tomi Engdahl says:
Flawed office printers are a silent but serious target for hackers
https://techcrunch.com/2019/08/08/office-printers-hackers-target-def-con/
The latest research by the NCC Group just revealed at the Def Con security conference shows just how easy of a target office printers can be.
Think about it: Office printers at some of the largest organizations in finance, government and tech all print corporate secrets — and classified material — and often keep a recorded copy in their memory.
Tomi Engdahl says:
https://pentestmag.com/how-i-hacked-into-your-corporate-network-using-your-own-anti-virus-agent/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/urgent-11-vxworks-rtos-vulnerabilities-found-critical-systems-affected/
Tomi Engdahl says:
FBI tells lawmakers it can’t access Dayton gunman’s phone
https://thehill.com/homenews/administration/456742-fbi-tells-lawmakers-it-cant-access-phone-of-dayton-gunman
Top FBI officials informed congressional lawmakers this week that they have been unable to access the smartphone of the suspected gunman in the Dayton, Ohio, mass shooting, two sources told The Hill.
The Trump administration has criticized tech companies’ ability to fully encrypt communications. Attorney General William Barr said in a speech last month that encrypted messaging services allow “criminals to operate with impunity.”
The cost of encryption is “ultimately measured in a mounting number of victims — men, women and children who are the victims of crimes, crimes that could have been prevented if law enforcement had been given lawful access to encrypted evidence,” Barr said during a speech at a cybersecurity conference.
Tomi Engdahl says:
https://thehackernews.com/2019/08/android-qualcomm-vulnerability.html?m=1
A series of critical vulnerabilities have been discovered in Qualcomm chipsets that could allow hackers to compromise Android devices remotely just by sending malicious packets over-the-air with no user interaction.
The vulnerabilities, collectively known as QualPwn, reside in the WLAN and modem firmware of Qualcomm chipsets that power hundreds of millions of Android smartphones and tablets.
“One of the vulnerabilities allows attackers to compromise the WLAN and Modem over-the-air. The other allows attackers to compromise the Android Kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android Kernel over-the-air in some circumstances,” researchers said in a blog post.
Once compromised, the kernel gives attackers full system access.
Though Tencent researchers tested their QualPwn attacks against Google Pixel 2 and Pixel 3 devices that are running on Qualcomm Snapdragon 835 and Snapdragon 845 chips, the vulnerabilities impact many other chipsets.
Google just yesterday released security patches for these vulnerabilities as part of its Android Security Bulletin for August 2019. So, you are advised to download the security patches as soon as they are available.
Tomi Engdahl says:
Apple locks new iPhone batteries to prevent third-party repair, report says
It’s yet another change that keeps iPhone owners inside Apple’s ecosystem.
https://arstechnica.com/tech-policy/2019/08/apple-locks-new-iphone-batteries-to-prevent-third-party-repair-report-says/
Tomi Engdahl says:
New Windows hack warning: Patch Intel systems now to block SWAPGSAttack exploits
https://www.zdnet.com/article/new-windows-hack-warning-patch-intel-systems-now-to-block-swapgsattack-exploits/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d4a4d0affeb9a00013ba732&utm_medium=trueAnthem&utm_source=facebook
Researchers detail hardware vulnerability that bypasses mitigations against Spectre and Meltdown CPU vulnerabilities on Windows systems – and impacts all systems using Intel processors manufactured since 2012.
A newly uncovered vulnerability affecting every Windows computer using an Intel processor built since 2012 could allow attackers to bypass safeguards and access information held in a system’s protected kernel memory.
Tomi Engdahl says:
Serious vulnerabilities in #WhatsApp, disclosed in 2018, can still be exploited in several attacks to manipulate chats.
https://threatpost.com/whatsapp-flaws-message-manipulation/147088/
Tomi Engdahl says:
Leo Kelion / BBC:
Researcher says one in four UK- and US-based companies contacted to test a GDPR “right of access” request made in someone else’s name revealed personal data
Black Hat: GDPR privacy law exploited to reveal personal data
https://www.bbc.com/news/technology-49252501
About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.
The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.
It is one of the first tests of its kind to exploit the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.
“Generally if it was an extremely large company – especially tech ones – they tended to do really well,” he told the BBC.
“Small companies tended to ignore me.
“But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”
Tomi Engdahl says:
https://www.forbes.com/sites/thomasbrewster/2019/08/08/apple-confirms-1-million-reward-for-hackers-who-find-serious-iphone-vulnerabilities/amp/
Tomi Engdahl says:
https://gizmodo.com/the-white-house-readies-draft-of-executive-order-that-c-1837110097
It appears the Trump administration is drafting an executive order that has the potential to radically change how the content posted on social networks are governed, stripping crucial protections from tech companies and inserting much more government oversight. This is being done under the guise of a popular political talking point claiming that social media networks are censoring conservatives.
Tomi Engdahl says:
The deal gives Broadcom ownership of Symantec’s entire enterprise security business as well as the Symantec brand name. Symantec will restructure and cut 7% of its workforce.
https://www.zdnet.com/article/broadcom-buys-symantecs-enterprise-security-portfolio-for-10-7-billion/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d4cf024ffeb9a00013bcf8c&utm_medium=trueAnthem&utm_source=facebook
Tomi Engdahl says:
How Reverse Engineering (and Cyber-Criminals’ Mistakes) Can Help You When You’ve Been a Ransomware Victim
https://blog.virusbay.io/2019/08/05/how-reverse-engineering-and-cyber-criminals-mistakes-can-help-you-when-youve-been-a-ransomware-victim/
Tomi Engdahl says:
I Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets
Avoiding digital snoops takes more than throwing money at the problem, but that part can be really fun.
https://www.bloomberg.com/news/features/2019-08-08/i-tried-hiding-from-silicon-valley-in-a-pile-of-privacy-gadgets
As the spy gear piles up on my desk, my 10-year-old son asks me what my mission is. “I’m hiding,” I whisper, pointing in the direction I think is north, which is something I should probably know as a spy. “From Silicon Valley.”
It isn’t going to be easy. I use Google, Facebook, Amazon, Lyft, Uber, Netflix, Hulu, and Spotify. I have two Amazon Echos, a Google Home, an iPhone, a MacBook Air, a Nest thermostat, a Fitbit, and a Roku. I shared the secrets of my genetic makeup by spitting in one vial for 23andMe, another for an ancestry site affiliated with National Geographic, and a third to test my athletic potential.
Tomi Engdahl says:
Apple’s iPhone FaceID Hacked In Less Than 120 Seconds
https://www.forbes.com/sites/daveywinder/2019/08/10/apples-iphone-faceid-hacked-in-less-than-120-seconds/amp/
Tomi Engdahl says:
How safe are school records? Not very, says student security researcher
https://tcrn.ch/2KE8VVi
If you can’t trust your bank, government or your medical provider to protect your data, what makes you think students are any safer?
Among one of the more damaging issues Demirkapi found in Follett’s student information system was an improper access control vulnerability, which if exploited could have allowed an attacker to read and write to the central Aspen database and obtain any student’s data.
Tomi Engdahl says:
How tech is transforming the intelligence industry
Technology and the future of spying
https://techcrunch.com/2019/08/10/how-tech-is-transforming-the-intelligence-industry/
Tomi Engdahl says:
What a security researcher learned from monitoring traffic at Defcon
https://www.cnet.com/news/what-a-security-researcher-learned-from-monitoring-traffic-at-defcon/
He spent thousands on a data-collecting monstrosity to figure out why people considered the security conference’s network dangerous
36-year-old security researcher saw me too. Or at least my network traffic. Because the hardware on Spicer’s back was a surveillance tool nicknamed the “Wi-Fi Cactus.”
The Wi-Fi Cactus, which Spicer wears like a backpack, is made up of 25 Hak5 Pineapples, devices made to monitor, intercept and manipulate network traffic.
https://shop.hak5.org/pages/wifi-pineapple
Tomi Engdahl says:
Teen Security Researcher Suspended for Exposing Vulnerabilities in His School’s Software
https://www.vice.com/en_us/article/59nzjz/teen-security-researcher-bill-demirkapi-suspended-for-exposing-vulnerabilities
Another vulnerability that Bill Demirkapi found impacted 5,000 schools.
Tomi Engdahl says:
INSIDE THE HIDDEN WORLD OF ELEVATOR PHONE PHREAKING
https://www.wired.com/story/elevator-phone-phreaking-defcon/?mbid=synd_digg
“I can dial into an elevator phone, listen in on private conversations, reprogram the phone
As a result, he or any other similarly equipped phreaker could change the number the phone calls when someone in the elevator presses the “help” or “call” button. Instead of dialing emergency responders, a reprogrammed phone can be set to call the phreaker’s cell phone, or a pizza delivery place, or a number that plays a recording of Rick Astley’s “Never Gonna Give You Up.” Or a phreaker can reprogram the phone to change its location ID.
Tomi Engdahl says:
Clever attack uses SQLite databases to hack other apps, malware servers
https://www.zdnet.com/article/clever-attack-uses-sqlite-databases-to-hack-other-apps-malware-servers/
Tainted SQLite database can run malicious code inside other apps, such as web apps or Apple’s iMessage.
SQLite databases can be modified in such a way that they execute malicious code inside other apps that rely on them to store data, security researchers have revealed.
When the third-party app, such as iMessage, reads the tainted SQLite database, it also inadvertently executes the hidden code.
For example, browsers store user data and passwords inside SQLite databases. Info-stealers — a class of malware — are specifically designed for stealing these SQLite user data files and uploading the files to a remote command-and-control (C&C) server.
These C&C servers are usually coded in PHP and work by parsing the SQLite files to extract the user’s browser data so they can show it inside the malware’s web-based control panel.
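The comment above describes applications (browsers, iMessage, PHP C&C panels) that parse SQLite files they did not create, and files crafted so that reading them runs hidden SQL. As an added example, not code from the article or from Check Point, the check below opens an untrusted file read-only and lists its schema objects from `sqlite_master`, which does not execute any stored SQL, then refuses the file if it carries views, triggers or tables beyond the ones the consuming application expects. The expected-table set and the sample databases are constructed for the demo.

```python
"""Inspect an untrusted SQLite file's schema before any application parses it."""
import os
import pathlib
import sqlite3
import tempfile

# Hypothetical schema the consuming application expects (a browser-style
# credential store in this demo). Anything else in the file is a red flag.
EXPECTED_TABLES = {"logins"}


def inspect_schema(path):
    """Return (ok, findings) for the SQLite file at path.

    ok is False when the file carries any view, trigger or unexpected table.
    The read-only URI keeps us from writing to an attacker-supplied file, and
    selecting from sqlite_master only reads the schema text; the stored SQL of
    a view or trigger runs only when the owning table is queried or modified.
    """
    findings = []
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT type, name, tbl_name FROM sqlite_master"
        ).fetchall()
    finally:
        con.close()
    for obj_type, name, tbl_name in rows:
        if obj_type in ("view", "trigger"):
            findings.append("%s %r attached to %r" % (obj_type, name, tbl_name))
        elif obj_type == "table" and name not in EXPECTED_TABLES:
            findings.append("unexpected table %r" % name)
    return (not findings, findings)


def build_sample(tainted):
    """Constructed sample database: a 'logins' table, optionally with hidden SQL.

    The tainted variant adds a view and a trigger. Their bodies are harmless
    here (the trigger just aborts), but in a crafted file an attacker controls
    that SQL and it runs inside whatever application touches the table.
    """
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin TEXT, username TEXT, password BLOB)")
    con.execute("INSERT INTO logins VALUES ('https://example.test', 'alice', x'00')")
    if tainted:
        con.execute("CREATE VIEW logins_v AS SELECT origin, username FROM logins")
        con.execute(
            "CREATE TRIGGER audit AFTER INSERT ON logins BEGIN "
            "SELECT RAISE(ABORT, 'constructed trigger fired'); END"
        )
    con.commit()
    con.close()
    return path


def safe_to_parse(path):
    """Gatekeeper a C&C panel or browser importer would call before reading rows."""
    ok, _ = inspect_schema(path)
    return ok
```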
Tomi Engdahl says:
Warning Issued For Apple’s 1.4 Billion iPad And iPhone Users
https://www.forbes.com/sites/gordonkelly/2019/08/10/apple-iphone-ipad-security-warning-ios-12-ios13-iphone-xs-max-xr/?utm_source=FACEBOOK&utm_medium=social&utm_term=Valerie/#76616c657269
Apple is having a bad week. Just days after Face ID was hacked and the company’s “user-hostile” iPhone battery practices were exposed, an extraordinary story of Apple neglect has resulted in a warning every iPhone and iPad user needs to know about.
Picked up by AppleInsider, security firm Check Point has revealed it has found a way to hack every iPhone and iPad running iOS 8 right up to betas of iOS 13.
Contacts app built into iOS can be exploited using the industry-standard SQLite database so that any search of Contacts can trick the device into running malicious code capable of stealing user data and passwords.
In short: Apple got sloppy. As AppleInsider explains: “the bug has been considered unimportant because it was believed it could only be triggered by an unknown application accessing the database, and in a closed system like iOS, there are no unknown apps.
Tomi Engdahl says:
On Thursday at Black Hat USA in Las Vegas, Nevada, McAfee researchers revealed the existence of the security flaw in a desk phone developed by Avaya, a VOIP solution provider and vendor for business desk phones.
found a severe remote code execution (RCE) vulnerability present in an open-source component within the phone’s firmware.
Decade-old remote code execution bug found in phones used by Fortune 500
The firmware vulnerability lurked undetected for ten years.
https://www.zdnet.com/article/decade-old-remote-code-execution-bug-found-in-phone-used-by-up-to-90-percent-of-fortune-500/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d4cd3d7ffeb9a00013bcdc4&utm_medium=trueAnthem&utm_source=facebook
Tomi Engdahl says:
China’s cyber-spies make money on the side by hacking video games
https://www.technologyreview.com/f/614088/chinese-hackers-do-double-duty-operations-for-espionage-and-profit/
Just because you’re a world-class Chinese government hacker busy conducting espionage against geopolitical adversaries doesn’t mean you can’t make a little extra money on the side.
Tomi Engdahl says:
3fun: Security glitch in threesome hook-up app reveals details of users in Downing Street and White House
https://www.independent.co.uk/news/uk/home-news/3fun-threesome-app-downing-street-white-house-cyber-security-a9051201.html
‘Worst security of any dating app we’ve ever seen,’ say experts
The app, 3fun, revealed users with locations appearing to be in No 10 in London, and the White House and the US Supreme Court in Washington DC, according to a report on cyber security firm Pen Test Partners’ website.
Furthermore, private photographs were accessible too.
Users of the app could restrict the app from showing their locations, but according to Pen Test Partners, the data was only filtered on the mobile app itself, not on the servers containing the data, which their experts were able to query to reveal location information.
Tomi Engdahl says:
Patrick Howell O’Neill / MIT Technology Review:
FireEye: Chinese state-backed hacker group APT41 hacks video-game companies and sells virtual game currencies on the dark web as a side hustle
China’s cyber-spies make money on the side by hacking video games
https://www.technologyreview.com/f/614088/chinese-hackers-do-double-duty-operations-for-espionage-and-profit/
Tomi Engdahl says:
Don’t Just Delete Facebook, Poison Your Data First
https://www.vice.com/en_us/article/qvxv4x/how-to-delete-facebook-data?utm_source=vicefbus
If you’re savvy with code, you can employ a script that repeatedly alters your Facebook posts with nonsense, making it more difficult for the social media site to collect user data.
Tomi Engdahl says:
Researchers hacked a Canon DSLR with ransomware demanding Bitcoin
The camera’s firmware has since been patched
https://thenextweb.com/hardfork/2019/08/12/canon-dslrs-susceptible-bitcoin-ransomware/
A group of security researchers have managed to exploit vulnerabilities in a Canon EOS 80D digital camera to hold its owner’s photos to a Bitcoin ransom, The Inquirer reports.
Security boffins find that Canon DSLR cameras are vulnerable to ransomware
Ransom, where!?
https://www.theinquirer.net/inquirer/news/3080359/canon-dslr-ransomware
Tomi Engdahl says:
Microsoft has issued a critical warning across all versions of its platforms, including every version of Windows 10, and told users they must act now.
https://www.forbes.com/sites/gordonkelly/2019/08/13/microsoft-windows-10-upgrade-new-bluekeep-critical-warning-upgrade-windows/
https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/
Tomi Engdahl says:
Google Warning: Tens Of Millions Of Android Phones Come Preloaded With Dangerous Malware
https://www.forbes.com/sites/zakdoffman/2019/08/10/google-warning-tens-of-millions-of-android-phones-come-preloaded-with-dangerous-malware/?utm_source=FACEBOOK&utm_medium=social&utm_term=Paulie/#7061756c696
Google’s Maddie Stone, a security researcher with the company’s Project Zero, shared her team’s findings at Black Hat on Thursday. “If malware or security issues come as preinstalled apps,” she warned, “then the damage it can do is greater, and that’s why we need so much reviewing, auditing and analysis.”
Of particular concern were two particularly virulent malware campaigns: Chamois and Triada. Chamois generates various flavors of ad fraud, installs background apps, downloads plugins and can even send premium rate text messages. Chamois alone was found to have come installed on 7.4 million devices. Triada is an older variant of malware, one that also displays ads and installs apps.
Tomi Engdahl says:
There are OG BlueKeep exploits in the wild now: https://mspoweruser.com/time-to-update-bluekeep-rdp-vulnerability-being-actively-exploited/