Cyber security news September 2019

This posting is here to collect cyber security news in September 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

 

 

211 Comments

  1. Tomi Engdahl says:

    Google and Amazon use smart speakers for ‘surveillance,’ top tech investor says
    https://finance.yahoo.com/news/amazon-google-smart-speaker-john-borthwick-122503661.html?guccounter=1&guce_referrer=aHR0cDovL20uZmFjZWJvb2suY29tLw&guce_referrer_sig=AQAAAIenP6_LV-eN1yLFLEiYqdwNV8g7j1M2H7lwKTycTHDN5vSRAAEmOARhusPlXZTxrrddirqa6TPXnb0i8yR3SA_CDEK1_YYF-wvEOzl0RfNkpsR2yhIRfPYllueP31NDaHy03aMo8zgD9pS8f-DTb5T3xQAHdcsZ7h4dfmD8f_xe

    “I would say that there’s two or three layers sort of problematic layers with these new smart speakers, smart earphones that are in market now,”

    “And so the first is, from a consumer standpoint, user standpoint, is that these, these devices are being used for what’s — it’s hard to call it anything but surveillance,” Borthwick said.

    The way forward? Some form of regulation that gives users more control over their own data.

    Reply
  2. Tomi Engdahl says:

    6 signs your phone has stalkerware (and what to do about it)
    http://ow.ly/YkyA50vMyjB

    Stalkerware is designed to know where you physically are. In many cases, stalkers know exactly what you’re doing and when. Here’s how to thwart it.

    Reply
  3. Tomi Engdahl says:

    Critical ‘Backdoor Attack’ Warning Issued For 60 Million WordPress Users
    https://www.forbes.com/sites/daveywinder/2019/08/31/critical-backdoor-attack-warning-issued-for-60-million-wordpress-users/

    According to WordPress, over 60 million people have chosen the software to power their websites. An ongoing “backdoor attack” is trying to compromise as many of them as possible.

    A website hacking campaign, that has been ongoing since July, has morphed from redirecting browsers to sites containing dodgy adverts or malicious software into something that is potentially even more problematical. Mikey Veenstra, a researcher with the Defiant Threat Intelligence team, said that “the campaign has added another script which attempts to install a backdoor into the target site by exploiting an administrator’s session.”

    a malicious JavaScript dropped into compromised websites looks to “create a new user with administrator privileges on the victim’s site.” If a logged-in administrator is identified as viewing the infected page, it then goes on to make an AJAX call via jQuery, one that creates a rogue administrator account.

    “This AJAX call creates a user named wpservices with the email [email protected] and the password w0rdpr3ss,”

    Reply
  4. Tomi Engdahl says:

    Facebook’s big win: Will this ruling have global impact on how your data is used?
    https://www.zdnet.com/article/facebooks-big-win-will-this-ruling-have-global-impact-on-how-your-data-is-used/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d655ae237ca340001d00821&utm_medium=trueAnthem&utm_source=facebook

    What was seen as one of the best ways to regulate social-media giants like Facebook has just fallen apart in a Düsseldorf court.

    “Personally, I think it’s over,” Podszun told ZDNet, because even if there’s a positive decision in five years’ time, the technology will have moved on. “The law is at its limits with the internet giants. It is too slow and cannot act swiftly enough.”

    Reply
  5. Tomi Engdahl says:

    The Ethics of Hiding Your Data From the Machines
    https://www.wired.com/story/ethics-hiding-your-data-from-machines/

    It’s one thing to try to keep personal information from Facebook. But what if a company is going to use it to save people’s lives?

    Reply
  6. Tomi Engdahl says:

    A cyber attack happens every 39 seconds

    … This is just 1 of 5 frightening facts that we have listed to show you the current threats of the digital world. And fear not! We are there to help, and we give you 5 manageable solutions to the listed threats.

    Read more here
    http://bit.ly/current-threats

    Reply
  7. Tomi Engdahl says:

    Arresting Smurfs in Hong Kong…

    Hong Kong police are spraying protesters with blue-dye water cannons to mark them for arrest later
    https://www.insider.com/hong-kong-police-fire-blue-dye-water-cannons-2019-8

    The Hong Kong protests, sparked by a proposed extradition bill from mainland China, have been going on for thirteen weeks.

    Reply
  8. Tomi Engdahl says:

    Anti-surveillance mask lets you pass as someone else
    https://www.cnet.com/news/urme-anti-surveillance-mask-lets-you-pass-as-someone-else/

    Uncomfortable with surveillance cameras? “Identity replacement tech” in the form of the Personal Surveillance Identity Prosthetic gives you a whole new face.

    Reply
  9. Tomi Engdahl says:

    In four months, Windows 7 will reach end-of-life and no longer receive security updates

    Microsoft will let some Windows 7 customers get free security updates for an extra year
    https://tcrn.ch/32d1V91

    Reply
  10. Tomi Engdahl says:

    This DIY Implant Lets You Stream Movies From Inside Your Leg
    https://www.wired.com/story/this-diy-implant-lets-you-stream-movies-from-inside-your-leg/

    Biohackers inserted a device—a hard drive plus router—into their legs. They say it could improve data security, but it also raises knotty legal issues.

    PegLeg was designed so that anyone who connects to the device’s network can upload or download files to the hard drive anonymously, but this radical openness raises thorny legal questions about who is responsible for the data stored in another person’s body.

    PegLeg is an offshoot of a similar open-source device called the PirateBox.

    Reply
  11. Tomi Engdahl says:

    Does anyone know if it’s able to protect the identity of users, lol? Sounds like a great place for Beijing to just set up a sniffer and log loads of data for future use.

    Hong Kong Protestors Using Mesh Messaging App China Can’t Block: Usage Up 3685%
    https://www.forbes.com/sites/johnkoetsier/2019/09/02/hong-kong-protestors-using-mesh-messaging-app-china-cant-block-usage-up-3685/#382a2076135a

    How do you communicate when the government censors the internet? With a peer-to-peer mesh broadcasting network that doesn’t use the internet.

    That’s exactly what Hong Kong pro-democracy protesters are doing now, thanks to San Francisco startup Bridgefy’s Bluetooth-based messaging app. The protesters can communicate with each other — and the public — using no persistent managed network.

    Reply
  12. Tomi Engdahl says:

    Amateurs Identify U.S. Spy Satellite Behind President Trump’s Tweet
    https://www.npr.org/2019/09/02/756673481/amateurs-identify-u-s-spy-satellite-behind-president-trumps-tweet?utm_term=nprnews&utm_campaign=npr&utm_source=facebook.com&utm_medium=social&fbclid=IwAR2RkYK_5rj2NS61UC7ZLXA5unECQAJwVyKsu_5hSohqrg5ylU8vToOf3j4

    Amateur satellite trackers say they believe an image tweeted by President Trump on Friday came from one of America’s most advanced spy satellites.

    The image almost certainly came from a satellite known as USA 224, according to Marco Langbroek, a satellite-tracker based in the Netherlands.

    Reply
  13. Tomi Engdahl says:

    Fraudsters deepfake CEO’s voice to trick manager into transferring $243,000
    https://thenextweb.com/security/2019/09/02/fraudsters-deepfake-ceos-voice-to-trick-manager-into-transferring-243000/

    It’s already getting tough to discern real text from fake, genuine video from deepfake. Now, it appears that use of fake voice tech is on the rise too.

    That’s according to the Wall Street Journal, which reported a case of voice fraud — aka vishing (short for “voice phishing”) — that cost a company $243,000.

    Fraudsters Used AI to Mimic CEO’s Voice in Unusual Cybercrime Case
    https://www.wsj.com/articles/fraudsters-use-ai-to-mimic-ceos-voice-in-unusual-cybercrime-case-11567157402

    Scams using artificial intelligence are a new challenge for companies

    Reply
  14. Tomi Engdahl says:

    Mozilla flips the default switch on Firefox tracker cookie blocking
    https://tcrn.ch/32y7qiT

    From today Firefox users who update to the latest version of the browser will find a pro-privacy setting flipped for them on desktop and Android smartphones, assuming they didn’t already have the anti-tracking cookie feature enabled.

    Reply
  15. Tomi Engdahl says:

    Walmart Stops Selling Ammo And Handguns, Bans Open Carry
    https://www.forbes.com/sites/lisettevoytko/2019/09/03/walmart-stops-selling-ammo-and-handguns-bans-open-carry/?utm_source=FACEBOOK&utm_medium=social&utm_term=Gordie/#d36630e4cb78

    Walmart CEO Doug McMillon issued a memo Tuesday that announced the store will stop selling handguns, as well as ammunition for handguns and short-barrel rifles, and will also no longer allow open carry in states with that law. The change follows this year’s mass shootings at Walmarts in Mississippi and Texas that left 24 dead.

    Reply
  16. Tomi Engdahl says:

    https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/

    USBAnywhere, in the baseboard management controllers (BMCs) of Supermicro servers, which can allow an attacker to easily connect to a server and virtually mount any USB device of their choosing to the server, remotely over any network including the Internet. At the time of writing, we found at least 47,000 systems with their BMCs exposed to the Internet

    Reply
  17. Tomi Engdahl says:

    A new TrickBot variant has been found collecting the PIN codes and credentials of mobile carrier customers.

    Researchers at Secureworks Counter Threat Unit (CTU), identified the new variant during August 2019.

    The banking trojan has now been modified to carry out SIM swapping attacks by intercepting login credentials and PIN codes for Verizon Wireless, T-Mobile and Sprint web accounts.

    https://gdpr.report/news/2019/09/02/privacy-trickbot-variant-targets-mobile-carrier-customers/?utm_source=hs_email&utm_medium=email&utm_content=76336106&_hsenc=p2ANqtz-8dQGGMbLX3DNCpfXmY4wd0XKrgPG96RaxiSi3kX6S4VKuIvCTHLYug3dHNT44nyC5-p6f75evbKxijK4pUMs95A-gjr9LY2vIiH5eE7c4NxheLf7Q&_hsmi=76336106

    Reply
  18. Tomi Engdahl says:

    New Android Warning: 100M+ Users Installed App With Nasty Malware Inside—Uninstall Now
    https://www.forbes.com/sites/zakdoffman/2019/08/27/android-warning-nasty-malware-hiding-inside-app-installed-by-100m-users/

    CamScanner was “a legitimate app,” the researchers explained, “with no malicious intentions.” At that time, ads were used openly to generate a normal commercial return for the app’s developers and there were in-app purchases to generate additional revenue. “However, at some point, that changed.”

    Reply
  19. Tomi Engdahl says:

    It Shouldn’t Be This Hard to Responsibly Fly a Drone
    https://spectrum.ieee.org/automaton/robotics/drones/it-shouldnt-be-this-hard-to-responsibly-fly-a-drone

    best to make sure that the places I fly are places that I’m allowed to fly, and fortunately, the FAA has a handy app that is supposed to make that easy.

    And it would have been easy, if I didn’t bother to check whether what the app was telling me was accurate or not. But I did check, and as it turns out, the app is, in many situations, worse than useless.

    Reply
  20. Tomi Engdahl says:

    Deepfaked Voice of CEO Used to Steal Almost $250,000 from Company
    https://interestingengineering.com/deepfaked-voice-of-ceo-used-to-steal-almost-250000-from-company

    Cyberthieves stole almost a quarter of a million dollars from a UK-based company by using an AI-generated deepfake of the voice of the company’s CEO to authorize the money transfer.

    Reply
  21. Tomi Engdahl says:

    how to Track or trace People LOCATION with photo accurately 100% working
    https://m.youtube.com/watch?feature=youtu.be&v=OS02M_mqxTY

    Reply
  22. Tomi Engdahl says:

    Mental health websites in Europe found sharing user data for ads
    https://techcrunch.com/2019/09/04/mental-health-websites-in-europe-found-sharing-user-data-for-ads/?tpcc=ECFB2019

    Research by a privacy rights advocacy group has found popular mental health websites in the EU are sharing users’ sensitive personal data with advertisers.

    https://privacyinternational.org/campaigns/your-mental-health-sale

    Reply
  23. Tomi Engdahl says:

    Bus pass or bus ass? Hackers peeved about public transport claim to have reverse engineered ticket app for free rides
    ‘RSA private keys’ baked into Manchester firm’s software
    https://www.theregister.co.uk/2019/09/04/corethree_baked_private_rsa_key_first_bus_ticket_app/

    A hacker collective has said that it found the private keys for a Manchester bus company’s QR code ticketing app embedded in the app itself – and has now released its own ride-buses-for-free code.

    Reply
  24. Tomi Engdahl says:

    A huge database of Facebook users’ phone numbers found online
    https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/

    Reply
  25. Tomi Engdahl says:

    Twitter Suspends SMS-Based Tweeting After High-Profile Account Hacks
    https://www.bleepingcomputer.com/news/security/twitter-suspends-sms-based-tweeting-after-high-profile-account-hacks/#.XXD0n64BVQk.facebook

    Twitter on Wednesday announced that it would turn off its Tweet via SMS feature for an unspecified period following abuses that led to hackers posting from at least two high-profile accounts.

    One of the victims was Twitter co-founder and CEO Jack Dorsey

    The most recent successful attack was on actress Chloë Grace Moretz’ account, which sent out tweets suggesting that the same hackers were behind the deed, a group calling themselves Chuckling Squad.

    Reply
  26. Tomi Engdahl says:

    Zero-day disclosed in Android OS
    https://www.zdnet.com/article/zero-day-disclosed-in-android-os/?ftag=COS-05-10aaa0g&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d7150c74b188d00011bac19&utm_medium=trueAnthem&utm_source=twitter

    Android project maintainers fail to fix dangerous privilege escalation bug six months after initial report.

    Details about a zero-day vulnerability impacting the Android mobile operating system have been published online, yesterday, September 4.

    The vulnerability resides in how the Video for Linux (V4L2) driver that’s included with the Android OS handles input data.

    ANDROID DEVS WERE NOTIFIED, BUT FAILED TO DELIVER A PATCH

    Reply
  27. Tomi Engdahl says:

    Lloyd’s Of London, Aon and Others Poised to Profit From Cryptocurrency Hacker Insurance
    http://on.forbes.com/6189E7KFb

    The Lloyd’s of London insurance marketplace is one of the key players capitalizing on the demand for cryptocurrency insurance.

    Where there are assets, there’s insurance, and that’s becoming increasingly true in crypto, where the value of all digital coins vastly exceeds the amount of insurance currently available.

    Over the past three years, cryptocurrencies’ market value has risen 25-fold, hovering near $300 billion today. Meanwhile, theft of crypto assets by hackers continues unabated, reaching $480 million in the first half of 2019. Some insurance companies are leaping at the opportunity. 

    Reply
  28. Tomi Engdahl says:

    US City Rejects $5.3 Million Ransom Demand and Restores Encrypted Files from Backup
    https://secalerts.co/article/city-knocks-back-ransom-demand-and-restores-files-from-backup/c785f0f3

    The US city of New Bedford, Massachusetts, has shown how it’s done when it comes to dealing with cyber criminals holding a city to ransom. In the process, it avoided paying what would have been a record $5.3 million amount.

    The city kept the attacker ‘talking’, buying time while its IT department worked to strengthen the city’s defenses. When it became obvious the attacker wasn’t going to play ball and take the counter offer, the city restored all of the encrypted files and information from the backup systems they have in place. Due to the timing of the attack and the resultant low number of computers affected, no critical systems were impacted and restoring from backup was easy.

    Reply
  29. Tomi Engdahl says:

    Guy returns his “smart” light bulbs, discovers he can still control them after someone else buys them
    https://boingboing.net/2019/09/03/dutch-treat-2.html

    You know what’s great about putting wifi-enabled, Turing-complete computers into things like lightbulbs? Not. A. Single. Fucking. Thing.

    In the latest installment in the Internet of Shit edition of the unanticipated (but totally predictable) consequences, Americablog editor John Aravosis discovered that the Philips Hue lightbulbs he returned to Amazon were now on in someone else’s house — but still under his control.

    He writes, “Because I’m a nice guy, I deleted my account, which I’m hoping didn’t just delete her account.”

    Reply
  30. Tomi Engdahl says:

    ESP8266 AND ESP32 WIFI HACKED!
    https://hackaday.com/2019/09/05/esp8266-and-esp32-wifi-hacked/

    [Matheus Garbelini] just came out with three (3!) different WiFi attacks on the popular ESP32/8266 family of chips. He notified Espressif first (thanks!) and they’ve patched around most of the vulnerabilities already, but if you’re running software on any of these chips that’s in a critical environment, you’d better push up new firmware pretty quickly.

    https://github.com/Matheus-Garbelini/esp32_esp8266_attacks

    Reply
  31. Tomi Engdahl says:

    600,000 GPS trackers for people and pets are using 123456 as a password
    A lack of encryption and easily enumerated IDs open users to a host of creepy attacks.
    https://arstechnica.com/information-technology/2019/09/600000-gps-trackers-for-people-and-pets-are-using-123456-as-a-password/

    Vulnerabilities in the T8 Mini GPS Tracker Locator and almost 30 similar model brands from the same manufacturer, Shenzhen i365 Tech, make users vulnerable to eavesdropping, spying, and spoofing attacks that falsify users’ true location.

    Researchers at Avast Threat Labs found that ID numbers assigned to each device were based on its International Mobile Equipment Identity, or IMEI. Even worse, during manufacturing, devices were assigned precisely the same default password of 123456. The design allowed the researchers to find more than 600,000 devices actively being used in the wild with that password.

    Reply
  32. Tomi Engdahl says:

    This is a must-read article, not only for the issues raised regarding data and privacy, but for information on how to check the data Google stores about the addresses/people and the credentials Google has connected to you.

    Google Has My Dead Grandpa’s Data And He Never Used The Internet
    https://bit.ly/2UxnBds

    To check out your data and see what Google knows about you, here are a couple immediate resource links:

    If you’re interested in seeing what addresses/people Google has connected to you, go to: chrome://settings/addresses

    If you’re interested in seeing what credentials Google has connected to you, go to: chrome://settings/passwords?search=credentials

    Reply
  33. Tomi Engdahl says:

    Drones are among the easiest consumer devices to attack, say security researchers who hacked their way into a variety of gadgets.

    IoT Security Risks: Drones, Vibrators, and Kids’ Toys Are Still Vulnerable to Hacking
    https://spectrum.ieee.org/tech-talk/telecom/internet/iot-security-risks-drones-vibrators-iot-devices-kids-toys-vulnerable-to-hacking

    A simple project to study compromised security cameras drew a trio of researchers deep into an investigation of the security risks of today’s connected devices. After they figured out how to bypass the camera’s authentication system and access its feed, they wondered what other devices in the growing Internet of Things (IoT) might also be vulnerable to hacking. Their list—which includes drones, children’s toys, and vibrators—raises serious concerns about the security of IoT devices.

    To assess the toy’s vulnerabilities to hacking, the researchers bought a Dino and began analyzing the encrypted Real-Time Transport Protocol (RTP) traffic, which transmits audio between the Dino device and cloud.

    they bought a second Dino, which exhibited the same patterns.

    “Since the traffic was encrypted, that could only mean one thing—the Dino devices were using a weak mode of encryption and the same set of hard-coded keys to encrypt/decrypt traffic,” explains Cardenas. “Since the Dinos used the same keys, we could use one of the Dinos to decrypt the network traffic the other was sending, without us even knowing the keys being used, only their identifiers.”

    hacker can impose his or her own voice recording into an interaction between a child and the toy, all the while sounding like Dino

    In another series of experiments, the researchers explored ways to hack vibrators.

    the researchers found unencrypted information that allows a hacker to gain the username and password of a trusted partner

    A hacker within Wi-Fi range can simply connect to the drone’s Wi-Fi access point (which does not require passwords), establish a connection, and then access files transferred to and from the drone. With this access, an attacker can also take control of the drone, either to crash it, cause damage to infrastructure, injure bystanders, or spy through the drone’s camera.

    The researchers alerted the manufacturers of all devices

    Based on these results, Cardenas emphasizes the need for consumers to be aware of IoT vulnerabilities. “We believe (the vulnerabilities in this study) are the tip of the iceberg.”

    “Because the impact of these attacks won’t affect the developers of IoT, a pure market-driven solution for fixing the security problem will likely fail,”

    Reply
