This posting is here to collect cyber security news in October 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
223 Comments
Tomi Engdahl says:
sudo had a bug: Potential bypass of Runas user restrictions (CVE-2019-14287) on Linux or Unix-like system. Patch your systems. One can get root access by running:
sudo -u#-1 /bin/sh
sudo -u#4294967295 /bin/sh
https://www.sudo.ws/alerts/minus_1_uid.html
Tomi Engdahl says:
Experts discovered a security policy bypass issue in the Sudo utility that is installed as a command on almost every Linux and Unix system.
https://securityaffairs.co/wordpress/92519/hacking/sudo-flaw-cve-2019-14287.html
The Sudo utility that is installed as a command on almost every Linux and Unix system is affected by a security policy bypass issue tracked as CVE-2019-14287.
The vulnerability could be exploited by an ill-intentioned user or a malicious program to execute arbitrary commands as root on a targeted Linux system, even if the “sudoers configuration” disallows the root access.
“When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.” reads the security advisory.
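A defender-side check for the configuration described in the two comments above, added here and not taken from the sudo advisory or the linked articles. It assumes sudo 1.8.28 is the first release that rejects the -1 and 4294967295 user ids, and it runs against a constructed sudoers excerpt: it lists Runas specs of the bypassable (ALL, !root) form and combines that with a version test.

```shell
#!/bin/sh
# Added defender-side check for CVE-2019-14287 (not from the advisory or the
# linked articles). Assumptions: sudo 1.8.28 is the first release that rejects
# the -1 / 4294967295 user ids; the sudoers excerpt below is constructed.

# Constructed sudoers excerpt: two bypassable Runas specs, three safe ones.
SAMPLE_SUDOERS='# constructed sample, not a real host
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL, !root) /usr/bin/vim
bob     ALL=(www-data) /usr/bin/systemctl
carol   myhost=(ALL, !root) NOPASSWD: ALL
dave    ALL=(ALL) ALL'

# Reads sudoers text on stdin and prints each line whose Runas spec is of the
# form "(ALL, !root)" or "(ALL:group, !root)". That is exactly the policy the
# bug bypasses: "ALL" lets the caller pick any uid, and on unpatched sudo the
# uid -1 slips past the "!root" exclusion yet the command runs as uid 0.
# Exclusions written as "!#0" or placed after a group list are not matched.
find_runas_all_not_root() {
    grep -E '=\([[:space:]]*ALL[[:space:]]*(:[^,)]*)?,[[:space:]]*!root[[:space:]]*\)'
}

# True (exit 0) when the sudo version string (e.g. "1.8.27p1", as printed on
# the first line of "sudo -V") is older than 1.8.28 (assumed fixed release).
sudo_version_is_vulnerable() {
    ver=$(printf '%s' "$1" | sed 's/p.*//')      # drop "p1" style suffixes
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}                             # "1.8" counts as 1.8.0
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 8 ] && return 0
    [ "$minor" -gt 8 ] && return 1
    [ "$patch" -lt 28 ]
}

# Combines both checks. Prints:
#   VULNERABLE      bypassable spec present and sudo still accepts uid -1
#   EXPOSED-CONFIG  bypassable spec present but sudo is patched (the spec
#                   still deserves review: it delegates every non-root
#                   account on the box to the listed user)
#   OK              no such Runas spec found
assess() {
    version=$1
    sudoers_text=$2
    hits=$(printf '%s\n' "$sudoers_text" | find_runas_all_not_root | grep -c '' || true)
    if [ "$hits" -gt 0 ] && sudo_version_is_vulnerable "$version"; then
        echo VULNERABLE
    elif [ "$hits" -gt 0 ]; then
        echo EXPOSED-CONFIG
    else
        echo OK
    fi
}

# Demo on the constructed data. On a live host replace the two arguments with
#   "$(sudo -V | head -n 1 | awk '{print $3}')"
#   "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)"
# (reading sudoers needs root).
printf '%s\n' "$SAMPLE_SUDOERS" | find_runas_all_not_root
assess 1.8.27p1 "$SAMPLE_SUDOERS"     # VULNERABLE
assess 1.8.28   "$SAMPLE_SUDOERS"     # EXPOSED-CONFIG
```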
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2019/10/15/350-hackers-hunt-down-missing-people-in-first-such-hackathon/
More than 350 ethical hackers got together in cities across Australia on Friday for a hackathon in which they worked to “cyber trace a missing face”, in the first-ever capture the flag event devoted to finding missing persons.
Organizers called the results “astounding,” ABC News reports.
During the six hours the competing teams hammered away at the task of searching for clues that could potentially solve 12 of the country’s most frustrating cold cases. 100 leads were generated every 10 minutes.
Tomi Engdahl says:
Invisible mask: practical attacks on face recognition with infrared
https://blog.acolyer.org/2019/10/15/invisible-mask/?fbclid=IwAR17H9j0mc7llKI1da9fPXik44Yv4RnB3sx3Ukyhkzkee283T2YgQaHrgNg
As a result, the adversary masquerading as someone else will be able to walk on the street, without any noticeable anomaly to other individuals but appearing to be a completely different person to the FR (facial recognition) system behind surveillance cameras.
There are two levels of invisible mask attacks: subverting surveillance systems such that your face will not be recognised, and deliberately impersonating another individual to pass authentication tests. The authors achieved a 100% success rate at avoiding recognition, and a 70% success rate in impersonating a target individual!
Tomi Engdahl says:
JSRAT – Secret Command & Control Channel Backdoor to Control Victims Machine Using JavaScript
Read: https://gbhackers.com/secret-command-control-channel-backdoor/
Tomi Engdahl says:
Lawyer Offers Warning After Almost Falling Victim to Extremely Sophisticated Phishing Scam
https://www.comicsands.com/lawyer-offers-warning-phishing-scam-2640918405.html?utm_content=inf_10_3759_2&utm_source=facebook&utm_campaign=GTAK&tse_id=INF_352e0ee0ec3a11e9b433ab68d22425b2
Tomi Engdahl says:
Apple insists it’s totally not doing that thing it wasn’t accused of: We’re not handing over Safari URLs to Tencent – just people’s IP addresses
Cupertino in China Syndrome meltdown
https://www.theregister.co.uk/2019/10/14/apple_china_tencent/
Tomi Engdahl says:
Building China’s Comac C919 airplane involved a lot of hacking, report says
https://www.zdnet.com/article/building-chinas-comac-c919-airplane-involved-a-lot-of-hacking-report-says/
One of China’s most brazen hacking sprees involved intelligence officers, hackers, security researchers, and company insiders.
Tomi Engdahl says:
When Trump Phones Friends, the Chinese and the Russians Listen and Learn
https://www.google.com/amp/s/www.nytimes.com/2018/10/24/us/politics/trump-phone-security.amp.html
President Trump has two official iPhones that have limited abilities and a third that is no different from hundreds of millions of iPhones in use around the world.
When President Trump calls old friends on one of his iPhones to gossip, gripe or solicit their latest take on how he is doing, American intelligence reports indicate that Chinese spies are often listening — and putting to use invaluable insights into how to best work the president and affect administration policy, current and former American officials said.
Tomi Engdahl says:
Phorpiex Botnet Sending Out Millions of Sextortion Emails Using Hacked Computers
https://www.leboncoincrypto.fr/2019/10/16/phorpiex-botnet-sending-out-millions-of-sextortion-emails-using-hacked-computers/high-tech/66012/
A decade-old botnet malware that currently controls over 450,000 computers worldwide has recently shifted its operations from infecting machines with ransomware or crypto miners to abusing them for sending out sextortion emails to millions of innocent people.
Tomi Engdahl says:
Mum Discovers eBay Samsung Screen Protector Lets Anyone Open Her Phone
https://www.ladbible.com/news/technology-mum-discovers-ebay-iphone-screen-protector-lets-anyone-open-her-phone-20191015
Lisa Neilson, 34, said she bought a £2.70 screen protector online to cover her new Samsung Galaxy S10.
However, later she found that her left thumb print also unlocked the phone – and soon discovered any print could do so, worryingly.
Samsung has now launched an investigation into what happened, having advised that people should only use authorised screen protectors.
Lisa, from Castleford, West Yorkshire, said: “Anyone can access it and could get into the financial apps and transfer funds.”
Tomi Engdahl says:
UK, USA and Australia giving tech advice to Facebook: “Don’t improve your users’ privacy and security by providing end-to-end encryption unless you want to simultaneously degrade their privacy and security by installing a back door into your app…”
https://www.theguardian.com/technology/2019/oct/03/facebook-surveillance-us-uk-australia-backdoor-encryption
Tomi Engdahl says:
Someone hacked this massive marketplace selling stolen credit cards and removed nearly 26 million records
https://www.hackread.com/stolen-credit-card-data-trading-marketplace-hacked/
Tomi Engdahl says:
Block chain, Dark Web, Tor, yeah, whatever, you’re going to prison…
‘One Of The Worst Forms Of Evil’: More Than 330 Arrested In Child Porn Site Bust
https://www.npr.org/2019/10/16/770628069/one-of-the-worst-forms-of-evil-more-than-330-arrested-in-child-porn-site-bust?utm_campaign=npr&utm_medium=social&utm_term=nprnews&utm_source=facebook.com
The Department of Justice announced that hundreds of people have been charged in the takedown of a massive darknet child pornography website.
among the first to be found using cryptocurrency to carry out video sales.
this type of crime as “one of the worst forms of evil imaginable.”
“Our message for those who produce, distribute, and receive child pornography is clear: You may try to hide behind technology, but we will find you and we will arrest and prosecute you,” Liu added
they seized 8 terabytes of child sexual exploitation videos
Law enforcement agencies have arrested and charged 337 site users so far
Tomi Engdahl says:
Any fingerprint unlocks Galaxy S10, Samsung warns
https://www.bbc.co.uk/news/technology-50080586
A flaw that means any fingerprint can unlock a Galaxy S10 phone has been acknowledged by Samsung.
It promised a software patch that would fix the problem.
When the S10 was launched, in March, Samsung described the fingerprint authentication system as “revolutionary”.
Samsung said it was “aware of the case of S10's malfunctioning fingerprint recognition and will soon issue a software patch”.
Tomi Engdahl says:
Miami Police to purchase spyware to trace and monitor phones and social media
https://www.bradenton.com/news/local/crime/article236013148.html
Miami city commissioners unanimously voted Thursday in favor of allocating $70,600 for the police department to purchase technology from Pen-Link, a Nebraska-based surveillance technology company capable of “intercepting, processing and analyzing” data from phones and websites.
The technology can determine in real time when someone has sent a message on social media, and to whom they sent that message, said Miami Police Chief Jorge Colina.
“The intention is to be able to track anybody that makes a threat that is going to cause physical damage or hurt anybody — they can trace them personally,” said District 4 Commissioner Manolo Reyes. “It’s just for protection, not for persecution.”
The technology is not new for city police. Since 2003, the Miami-Dade Police Department has spent more than $500,000 on Pen-Link products and often shared them with the city police.
Tomi Engdahl says:
Nothing you do on a computer is ever 100% anonymous or untraceable.
Bitcoin itself has never been hacked. Bitcoin is also pseudonymous not anonymous.
One thing all cryptocurrencies necessarily have in common is that you either have a cryptographically sound audit trail or a forgery problem. Anonymity can always be broken by rubber-hose cryptanalysis, if nothing else.
IRS Followed Bitcoin Transactions, Resulting In Takedown Of The Largest Child Exploitation Site On The Web
https://www.google.com/amp/s/www.forbes.com/sites/kellyphillipserb/2019/10/16/irs-followed-bitcoin-transactions-resulting-in-takedown-of-the-largest-child-exploitation-site-on-the-web/amp/
The largest dark web child pornography site in the world has been taken down. That was the word today from the U.S. Attorney’s Office for the District of Columbia, the Justice Department’s Criminal Division, the IRS Criminal Investigation (IRS-CI), and U.S. Immigration and Customs Enforcement’s Homeland Security Investigations (HSI), together with the National Crime Agency of the United Kingdom and Republic of Korea at a joint press conference announcing arrests and forfeitures.
IRS-CI was able to trace bitcoin transactions on the site to people all over the world who were uploading and downloading this material, as well as find the location of the site administrator. By analyzing the blockchain and de-anonymizing bitcoin transactions, the agency was able to identify hundreds of predators around the world – even though those users thought that they could remain anonymous.
Tomi Engdahl says:
Rob Merrick / The Independent:
After delays, the UK government quietly drops its controversial plan to implement an age verification requirement for porn websites
UK ‘porn block’: Government drops plan to stop children watching sex videos online
https://www.independent.co.uk/news/uk/politics/porn-block-uk-ban-government-bill-website-delay-sex-a9158396.html
Controversial plans for a “porn block” to stop children viewing adult material online have been dropped, the government has announced.
The long-delayed measure – first promised in 2015 and first due to come into effect last year – “will not be commencing” after running into trouble and after repeated delays.
“The government’s commitment to protecting children online is unwavering,” Nicky Morgan, the digital secretary, insisted, in a statement revealing the climbdown.
the idea – one of the first of its kind in any democratic country – ran into legal, practical and technical difficulties.
Privacy campaigners protested
The government was also forced to exempt large social media sites from the ban
“This delay is disappointing, but it is also imperative that the vehicle used to achieve protection for children from pornography is robust and effective. The government cannot drag its feet on this.”
Tomi Engdahl says:
Hackers who’d carried out the infamous breach of the Democratic National Committee have breached a European embassy in Washington, according to research released Thursday.
Warning: Russian Hackers Break Into European Embassy In Washington
http://on.forbes.com/61831Gqcv
Hackers who’d infamously breached the Democratic National Committee have continued to cause havoc, according to research released Thursday.
Faou believes it was likely Cozy Bear was trying to steal documents and emails, given the nature of the victims, though he did not have access to the purloined data.
Cheekily, the Russian hackers are using famous American tech company infrastructure as part of their attacks. When the hackers need to know what website to use to control infected computers, the domains would be sent by those hacked PCs to various services, including Twitter, Evernote and Reddit.
Tomi Engdahl says:
Cyber Theft, Humint Helped China Cut Corners on Passenger Jet
https://www.darkreading.com/attacks-breaches/cyber-theft-humint-helped-china-cut-corners-on-passenger-jet/d/d-id/1336082
Beijing likely saved a lot of time and billions of dollars by copying components for its C919 plane from others, a new report from CrowdStrike says.
Tomi Engdahl says:
Ju-min Park / Reuters:
Samsung says it will issue a patch for a fingerprint recognition bug on its Galaxy S10 phone that allowed any fingerprint to unlock the phone — SEOUL (Reuters) – Samsung Electronics Co Ltd said on Thursday it will soon roll out a software patch to fix problems with fingerprint recognition on its flagship Galaxy S10 smartphone.
Samsung says will soon patch Galaxy S10 fingerprint recognition problem
https://www.reuters.com/article/us-samsung-elec-smartphone/samsung-to-patch-galaxy-s10-fingerprint-problem-idUSKBN1WW0Q5
Tomi Engdahl says:
Food writer Jack Monroe ‘loses £5,000 in phone-number hijack’
https://ava.st/2MWiArx
Jack Monroe says she has lost about £5,000 after her phone number was hijacked and re-activated on another Sim card.
The criminals were then able to receive her two-factor authentication messages and access her bank and payment accounts.
Tomi Engdahl says:
Cryptocurrency miners infected more than 50% of the European airport workstations
https://securityaffairs.co/wordpress/92616/cyber-crime/european-airport-workstations-miner.html
Researchers at Cyberbit spotted a crypto mining campaign that infected more than 50% of the European airport workstations.
Tomi Engdahl says:
Swedes are getting implants in their hands to replace cash, credit cards
https://nypost.com/2019/07/14/swedish-people-are-getting-chip-implants-to-replace-cash-credit-cards/
More than 4,000 people have already had the sci-fi-ish chips, about the size of a grain of rice, inserted into their hands — with the pioneers predicting millions will soon join them as they hope to take it global.
Related:
“We know workers are already concerned that some employers are using tech to control and micromanage”
Alarm over talks to implant UK employees with microchips
https://www.theguardian.com/technology/2018/nov/11/alarm-over-talks-to-implant-uk-employees-with-microchips?CMP=share_btn_fb&fbclid=IwAR3mIOHggmctGzP1qaF4opLUBlgRC9Hh4hO4ev9QzFY2JXI-pEwU9zWreAo
Trades Union Congress concerned over tech being used to control and micromanage
Tomi Engdahl says:
The US nuclear forces’ Dr. Strangelove-era messaging system finally got rid of its floppy disks
https://www.c4isrnet.com/air/2019/10/17/the-us-nuclear-forces-dr-strangelove-era-messaging-system-finally-got-rid-of-its-floppy-disks/
OFFUTT AIR FORCE BASE, Neb. — In 2014, “60 Minutes” made famous the 8-inch floppy disks used by one antiquated Air Force computer system that, in a crisis, could receive an order from the president to launch nuclear missiles from silos across the United States.
But no more. At long last, that system, the Strategic Automated Command and Control System or SACCS, has dumped the floppy disk, moving to a “highly-secure solid state digital storage solution” this past June, said Lt. Col. Jason Rossi, commander of the Air Force’s 595th Strategic Communications Squadron.
Tomi Engdahl says:
Hackers Impersonating Other Hacker Types
https://securityboulevard.com/2019/10/hackers-impersonating-other-hacker-types/
State-sponsored hackers and other threat actors are impersonating each other in an attempt to evade detection, according to a recent report from Optiv.
The “2019 Cyber Threat Intelligence Estimate”
“Sometimes threat actors may masquerade as a certain type in order to hide their true agenda,” the report noted. “Or, threat actors may belong to two or more classes, switching between them as their priorities change. The report also finds that many vertical industries are still open to ever-evolving cyber threats.”
Tomi Engdahl says:
Whether you’re worried about privacy or have a backlog of terrible memes, here’s how you disappear without a trace.
Twitter Thread On How To Delete Yourself From The Internet Goes Viral
https://www.iflscience.com/technology/twitter-thread-on-how-to-delete-yourself-from-the-internet-goes-viral/
Tomi Engdahl says:
Germany’s cyber-security agency recommends Firefox as most secure browser
Germany’s BSI tested Firefox, Chrome, IE, and Edge. Firefox was only browser to pass all minimum requirements for mandatory security features.
https://www.zdnet.com/article/germanys-cyber-security-agency-recommends-firefox-as-most-secure-browser/
Tomi Engdahl says:
Google exec says Nest owners should probably warn their guests that their conversations are being recorded
https://www.pulse.ng/bi/tech/google-exec-says-nest-owners-should-probably-warn-their-guests-that-their/z1e1d5n
Google devices chief Rick Osterloh said he believes anyone “in proximity” of a microphone-fitted smart device like Google Nest or Amazon Echo should be informed the devices are in use.
Tomi Engdahl says:
Earlier this month the US, alongside the UK and Australia, called on Facebook to create a “backdoor”, or fatal flaw, into its encrypted messaging apps, which would allow anyone with the key to that backdoor unlimited access to private communications
Without encryption, we will lose all privacy. This is our new battleground
Edward Snowden
https://www.theguardian.com/commentisfree/2019/oct/15/encryption-lose-privacy-us-uk-australia-facebook?CMP=share_btn_fb
Tomi Engdahl says:
Lawrence Abrams / BleepingComputer:
Google says Chrome 77 for Android enables Site Isolation security feature on pages where users log in with a password, adds additional protections on desktop
Google Chrome 77 Added New Site Isolation Security Features
https://www.bleepingcomputer.com/news/google/google-chrome-77-added-new-site-isolation-security-features/
When enabled, Site Isolation will cause each web site you visit to be loaded into its own process that is further sandboxed to limit what resources and functions that process can access. By isolating sites in this way, it prevents malicious web sites from exploiting speculative execution vulnerabilities to access data loaded in a different browser tab.
https://storage.googleapis.com/pub-tools-public-publication-data/pdf/eb34c36e786ea8774c88887e81910cbde92ced87.pdf
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researcher finds bug dating back to 2013 in a driver for Realtek Wi-Fi chips in Linux devices that could let hackers remotely crash or compromise devices — Buffer overflow can be triggered in Realtek Wi-Fi chips, no user interaction needed. — A potentially serious vulnerability in Linux …
Unpatched Linux bug may open devices to serious attacks over Wi-Fi
Buffer overflow can be triggered in Realtek Wi-Fi chips, no user interaction needed.
https://arstechnica.com/information-technology/2019/10/unpatched-linux-flaw-may-let-attackers-crash-or-compromise-nearby-devices/
Tomi Engdahl says:
Gerrit De Vynck / Bloomberg:
Nest is becoming less popular among residential builders as Google’s software changes impede Nest devices’ ability to connect with third-party IoT devices — Google scraps Nest systems that worked with other devices — Residential builders are a growing part of smart-home market
Builders Ditch Nest After Google Ties Devices to Digital Assistant
https://www.bloomberg.com/news/articles/2019-10-17/builders-ditch-nest-as-google-ties-digital-assistant-to-devices
Tomi Engdahl says:
Pen testers find mystery black box connected to ship’s engines
https://nakedsecurity.sophos.com/2019/10/17/pen-testers-find-mystery-black-box-connected-to-ships-engines/?utm_source=Naked+Security+-+Sophos+List&utm_campaign=4762b8cae7-Naked+Security+-+Sep+2019+-+ad+A+%28G1%2C3%29&utm_medium=email&utm_term=0_31623bb782-4762b8cae7-455125481&fbclid=IwAR1h95ReyNy8C0kxWlecCMs6cUNsz_iCsfYVuu2cQj6co7_Xx9SrsI7k9g0
Tomi Engdahl says:
Catalan separatists have tooled up with a decentralized app for civil disobedience
https://techcrunch.com/2019/10/17/catalan-separatists-have-tooled-up-with-a-decentralized-app-for-civil-disobedience/
Tomi Engdahl says:
We asked a hacker to try and steal a CNN tech reporter’s data. Here’s what happened
https://edition.cnn.com/2019/10/18/tech/reporter-hack/index.html
Using two of my posts — an Instagram check-in at a hotel on the west coast of the United States and a tweet about a piece of furniture — a hacker was quickly able to get my home address and my cell phone number.
How? Both the hotel and the furniture company handed my personal details to the hacker over the phone.
Data breaches and hacks get all our attention, but a hacker with a good phone persona and a few basic tools can trick customer support agents from major corporations into handing over a shocking amount of private information and more.
Without having my password, and without hacking into my email account, she was able to get my home address, my phone number and steal my hard-earned hotel points. In perhaps the cruelest act of all, she was even able to change my seat on my five-hour flight out of Vegas, moving me from a spacious exit aisle to a middle seat at the back by the restrooms.
She did all this by using some information she found about me online, like which airlines I fly with and what hotels I stay at — because I tweet about them.
Then, using that information, she called up some of my favorite companies
Tobac isn’t trying to embarrass these companies: she wants them to start using the type of authentication processes on the phone that they use online. She says some of the biggest airlines and hotel chains are leaving open a massive vulnerability — and failing their customers — by not doing so.
Tomi Engdahl says:
Equifax used ‘admin’ as username and password for sensitive data: lawsuit
https://finance.yahoo.com/news/equifax-password-username-admin-lawsuit-201118316.html
Equifax (EFX) used the word “admin” as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia.
“Equifax employed the username ‘admin’ and the password ‘admin’ to protect a portal used to manage credit disputes, a password that ‘is a surefire way to get hacked,’” the lawsuit reads.
The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website.
The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don’t come from wronged consumers, but rather shareholders that allege the company didn’t adequately disclose risks or its security practices.
The lawsuit claims damages from the fact that the investments lost value due to “multiple false or misleading statements and omissions about the sensitive personal information in Equifax’s custody, the vulnerability of its internal systems to cyberattack, and its compliance with data protection laws and cybersecurity best practices.”
Tomi Engdahl says:
Hackers are draining ATMs across the US
https://www.foxnews.com/tech/hackers-are-draining-atms-across-the-us
The number of so-called “jackpotting” attacks – getting ATMs to spit out all of the cash inside – in regions including the U.S. and Latin America has gone up
Krebs on Security, a cybersecurity publication, described how it works. “Just prior to executing on ATM cash-outs, the intruders will remove many fraud controls at the financial institution, such as maximum withdrawal amounts and any limits on the number of customer ATM transactions daily.”
With jackpotting, criminals use malware or hardware to get an ATM to dispense cash — sometimes into the hands of waiting “mules,” according to Trend Micro’s report. “ATM attacks continue to reap financial rewards for their perpetrators, which means we should not expect them to let up.”
Tomi Engdahl says:
An infographic about supply chain risk with a bunch of data points.
It’s here https://objectsecurity.com/infographic1
(https://objectsecurity.com/infographic1) – thank you!
Tomi Engdahl says:
We asked a hacker to steal a CNN tech reporter’s data. It was disturbingly easy. https://cnn.it/2IZIkSs
Tomi Engdahl says:
Andy Greenberg / Wired:
A behind-the-scenes account of a cyberattack that disrupted the opening ceremony of the 2018 Winter Olympics, which was tied to a specific unit of Russia’s GRU
The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History
https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/
How digital detectives unraveled the mystery of Olympic Destroyer—and why the next big attack will be even harder to crack.
Tomi Engdahl says:
Windows 10 Security Alert As Microsoft Warns: ‘Do Not Install This Update’
https://www.forbes.com/sites/daveywinder/2019/10/18/windows-10-security-alert-as-microsoft-warns-do-not-install-this-update/amp/
“After installing this update, the Microsoft Defender Advanced Threat Protection (ATP) service might stop running and might fail to send reporting data. You might also receive a 0xc0000409 error in Event Viewer in MsSense.exe.”
Tomi Engdahl says:
Unpatched Linux bug may open devices to serious attacks over Wi-Fi
Buffer overflow can be triggered in Realtek Wi-Fi chips, no user interaction needed.
https://arstechnica.com/information-technology/2019/10/unpatched-linux-flaw-may-let-attackers-crash-or-compromise-nearby-devices/
Tomi Engdahl says:
Without encryption, we will lose all privacy. This is our new battleground
https://www.theguardian.com/commentisfree/2019/oct/15/encryption-lose-privacy-us-uk-australia-facebook
Tomi Engdahl says:
Google chief: I’d disclose smart speakers before guests enter my home
https://www.bbc.com/news/technology-50048144
Tomi Engdahl says:
https://www.cisecurity.org/
Tomi Engdahl says:
China’s New Cybersecurity Program: NO Place to Hide
https://www.chinalawblog.com/2019/09/chinas-new-cybersecurity-program-no-place-to-hide.html
Tomi Engdahl says:
Warning: Russian Hackers Break Into European Embassy In Washington
https://www.forbes.com/sites/thomasbrewster/2019/10/17/russian-hackers-breach-european-embassy-in-washington/
Tomi Engdahl says:
https://www.engadget.com/2019/10/14/linux-unix-sudo-command-security-flaw/
Tomi Engdahl says:
https://www.theregister.co.uk/2019/10/14/linux_sudo_security_bug/