Cyber security new December 2019

This posting is here to collect cyber security news in December 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

 

 

197 Comments

  1. Tomi Engdahl says:

    China due to introduce face scans for mobile users
    https://www.bbc.com/news/world-asia-china-50587098

    People in China are now required to have their faces scanned when registering new mobile phone services, as the authorities seek to verify the identities of the country’s hundreds of millions of internet users.

    The regulation, announced in September, was due to come into effect Sunday.

    Reply
  2. Tomi Engdahl says:

    Now even the FBI is warning about your smart TV’s security
    https://tcrn.ch/2P6bmC4

    If you just bought a smart TV on Black Friday or plan to buy one for Cyber Monday tomorrow, the FBI wants you to know a few things.

    Smart TVs are like regular television sets but with an internet connection. With the advent and growth of Netflix, Hulu and other streaming services, most saw internet-connected televisions as a cord-cutter’s dream. But like anything that connects to the internet, it opens up smart TVs to security vulnerabilities and hackers. Not only that, many smart TVs come with a camera and a microphone. But as is the case with most other internet-connected devices, manufacturers often don’t put security as a priority.

    Reply
  3. Tomi Engdahl says:

    Private Internet Access VPN to be acquired by malware company founded by former Israeli spy
    https://telegra.ph/Private-Internet-Access-VPN-acquired-by-malware-business-founded-by-former-Israeli-spies-12-01
    Stay safe

    Reply
  4. Tomi Engdahl says:

    Question: How does a Linux/Unix sysadmin keep a fire going?
    Answer: They rotate the logs.

    Reply
  5. Tomi Engdahl says:

    This Ring Uses a Fake Fingerprint to Protect Your Biometric Data
    BY MICHAEL KAN 2 DEC 2019, 7:49 P.M.
    https://uk.pcmag.com/news/123893/this-ring-uses-a-fake-fingerprint-to-protect-your-biometric-data

    The ring concept from Kaspersky Lab is designed to address a key vulnerability with biometric authentication—your face and fingerprints can’t be reset like a password if copies of them are stolen. So why not use a dummy fingerprint instead?

    Reply
  6. Tomi Engdahl says:

    Putin signs law making Russian apps mandatory on smartphones, computers
    https://www.reuters.com/article/us-russia-internet-software-idUSKBN1Y61Z4?utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    Russian President Vladimir Putin on Monday signed legislation requiring all smartphones, computers and smart TV sets sold in the country to come pre-installed with Russian software.

    Reply
  7. Tomi Engdahl says:

    I haven’t verified this but if it is legitimate it is of significant concern for PIA users

    https://vpnpro.com/blog/private-internet-access-announces-merger-with-kape-technologies-in-latin/

    Reply
  8. Tomi Engdahl says:

    “Clapper made clear that the internet of things – the many devices like thermostats, cameras and other appliances that are increasingly connected to the internet – are providing ample opportunity for intelligence agencies to spy on targets, and possibly the masses”
    https://www.theguardian.com/commentisfree/2016/feb/09/internet-of-things-smart-devices-spying-surveillance-us-government?

    Reply
  9. Tomi Engdahl says:

    China Uses DNA to Map Faces, With Help From the West
    https://www.nytimes.com/2019/12/03/business/china-dna-uighurs-xinjiang.html

    Beijing’s pursuit of control over a Muslim ethnic group pushes the rules of science and raises questions about consent.

    Reply
  10. Tomi Engdahl says:

    Toyota, Lexus owners warned about thefts that use ‘relay attacks’
    https://www.cbc.ca/news/canada/ottawa/toyota-lexus-relay-attack-1.5380947

    Thieves have taken at least 100 high-end vehicles across Ottawa region since April

    Thieves using $200 ‘amplifier’
    Like many new cars, modern Toyotas are designed to respond to the radio signal from the key fob within a range of a metre or two.

    Jeff Bates of Lockdown Security in Markham, Ont., says thieves are using a $200 device that boosts the strength of that signal, allowing them to unlock the vehicle and disarm its security system even though the fob is inside the house. Driving off with the luxury vehicle is as simple as pushing a button.

    Bates said in some cases, thieves will still break into a vehicle the old-fashioned way, then plug a computer into the car’s diagnostic port and hack the security system to make it think the key is present.

    Often, the vehicles are never found.

    In an email, Toyota spokesperson David Shum said customers should take extra steps to safeguard their vehicles, including considering an after-market alarm system, steering wheel lock and diagnostic-port lock.

    “If a garage is not accessible, park another less desirable vehicle in front of your vehicle,” Shum suggested.

    While some experts recommend wrapping the key fob in tinfoil or keeping it in a metal box, Toyota suggests buying a radio frequency shielding “faraday pouch” to prevent unwanted radio waves from reaching the device.

    Shum also warned Toyota owners to never leave their key fobs near the front door of their home.

    Reply
  11. Tomi Engdahl says:

    Avast Online Security and Avast Secure Browser are spying on you
    https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/

    Are you one of the allegedly 400 million users of Avast antivirus products? Then I have bad news for you: you are likely being spied upon. The culprit is the Avast Online Security extension that these products urge you to install in your browser for maximum protection.

    Avast Secure Browser has Avast Online Security installed by default.

    Avast products promote this browser heavily, and it will also be used automatically in “Banking Mode.” Given that Avast bought AVG a few years ago, there is also a mostly identical AVG Secure Browser with the built-in AVG Online Security extension.

    Summary of the findings
    When Avast Online Security extension is active, it will request information about your visited websites from an Avast server. In the process, it will transmit data that allows reconstructing your entire web browsing history and much of your browsing behavior.

    Avast Privacy Policy covers this functionality and claims that it is necessary to provide the service. Storing the data is considered unproblematic due to anonymization (I disagree), and Avast doesn’t make any statements explaining just how long it holds on to it.

    Reply
  12. Tomi Engdahl says:

    Avast and AVG Browser Extensions Spying On Chrome and Firefox Users
    https://thehackernews.com/2019/12/avast-and-avg-browser-plugins.html?m=1

    If your Firefox or Chrome browser has any of the below-listed four extensions offered by Avast and its subsidiary AVG installed, you should disable or remove them as soon as possible.
    Avast Online Security
    AVG Online Security
    Avast SafePrice
    AVG SafePrice
    Why? Because these four widely installed browser extensions have been caught collecting a lot more data on its millions of users than they are intended to, including your detailed browsing history.

    Reply
  13. Tomi Engdahl says:

    Homeland Security wants to use facial recognition on traveling US citizens, too
    https://edition.cnn.com/2019/12/02/tech/homeland-security-facial-recognition-citizens-at-airports/index.html?utm_term=link&utm_source=fbbusiness&utm_medium=social&utm_content=2019-12-03T05%3A00%3A03

    The Department of Homeland Security wants to be able to use facial-recognition technology to identify all people entering and leaving the United States — including US citizens.

    In a recent filing, the DHS proposed changing existing regulations

    Reply
  14. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers achieve new cryptography milestones, including factoring the largest RSA key size ever, largely thanks to improved algorithms, not better hardware

    New crypto-cracking record reached, with less help than usual from Moore’s Law
    795-bit factoring and discrete logarithms achieved using more efficient algorithms.
    https://arstechnica.com/information-technology/2019/12/new-crypto-cracking-record-reached-with-less-help-than-usual-from-moores-law/

    The new records include the factoring of RSA-240, an RSA key that has 240 decimal digits and a size of 795 bits. The same team of researchers also computed a discrete logarithm of the same size. The previous records were the factoring in 2010 of an RSA-768 (which, despite its digit is a smaller RSA key than the RSA-240, with 232 decimal digits and 768 bits) and the computation of a 768-bit prime discrete logarithm in 2016.

    The sum of the computation time for both of the new records is about 4,000 core-years using Intel Xeon Gold 6130 CPUs (running at 2.1GHz) as a reference. Like previous records, these ones were accomplished using a complex algorithm called the Number Field Sieve

    Comments:

    Attacking encryption with a quantum computer requires a much bigger quantum computer than we can currently build. Shor’s Algorithm is what would be used, which I believe requires at least twice as many qubits as there are bits in the encryption key.

    The largest number we’ve factored using Shor’s Algorithm is 21, a paltry five bits. So we’re about two orders of magnitude away from being able to crack a key as large as the one mentioned in the article, and three orders of magnitude away from keys that are being commonly used today.

    Reply
  15. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Mozilla removes four Firefox extensions made by Avast and AVG after reports that they were harvesting user data and browsing histories

    Mozilla removes Avast and AVG extensions from add-on portal over snooping claims
    The four extensions, two from Avast and two from AVG, are still available on the Chrome Web Store.
    https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/

    Reply
  16. Tomi Engdahl says:

    Two malicious Python libraries caught stealing SSH and GPG keys
    One library was available for only two days, but the second was live for nearly a year.
    https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

    The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers.

    The two libraries were created by the same developer and mimicked other more popular libraries

    The first is “python3-dateutil,” which imitated the popular “dateutil” library. The second is “jeIlyfish” (the first L is an I), which mimicked the “jellyfish” library.

    Reply
  17. Tomi Engdahl says:

    Dutch politician faces three years in prison for hacking iCloud accounts and leaking nudes
    https://www.zdnet.com/article/dutch-politician-faces-three-years-in-prison-for-hacking-icloud-accounts-and-leaking-nudes/

    City council member who doubled as a hacker set to be sentenced on Christmas Eve.

    Reply
  18. Tomi Engdahl says:

    80% of all Android apps are encrypting traffic by default
    90% of all Android 9 apps are encrypting network traffic via HTTPS.
    https://www.zdnet.com/article/80-of-all-android-apps-are-encrypting-traffic-by-default/

    Google reached another milestone in its quest to push for the broader adoption of the HTTPS standard.

    In a blog post today, the US-based tech giant said that four out of five (80%) Android applications available for download through the official Play Store are encrypting their respective network traffic using HTTPS.

    Reply
  19. Tomi Engdahl says:

    Elcomsoft Extracts Data from Locked iPhones with Unpatchable checkra1n Jailbreak –
    https://www.elcomsoft.com/press_releases/eift_191202.html

    ElcomSoft Co. Ltd. releases a major update of iOS Forensic Toolkit, the company’s mobile forensic tool for extracting data from a range of Apple devices. Version 5.20 adds the ability to extract the file system and decrypt the keychain from select Apple devices running all versions of iOS from iOS 12 to iOS 13.3. Partial file system extraction is now possible from locked iPhones even if the screen lock password is not known.

    Reply
  20. Tomi Engdahl says:

    China resurrects Great Cannon for DDoS attacks on Hong Kong forum
    Two years after the last attacks, the Great Cannon is up and running again
    https://www.zdnet.com/article/china-resurrects-great-cannon-for-ddos-attacks-on-hong-kong-forum/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    After more than two years since it’s been used the last time, the Chinese government deployed an infamous DDoS tool named the “Great Cannon” to launch attacks against LIHKG, an online forum where Hong Kong residents are organizing anti-Beijing protests.

    According to the report, the Great Cannon worked by intercepting traffic meant for websites hosted inside China and injecting JavaScript code in the responses users received in their browsers.

    malicious JavaScript code executed in users’ browsers and secretly accessed a victim’s site — generating gigantic traffic spikes for the victim and its web server.

    Reply
  21. Tomi Engdahl says:

    Best home security systems of 2019 (plus DIY kits, video doorbells and more)
    https://www.cnet.com/how-to/best-home-security-systems-of-2019/?ftag=CMG-01-10aaa1b

    Yes, shopping for a home security system can be a headache. Good thing we’ve done a lot of the legwork for you.

    Reply
  22. Tomi Engdahl says:

    Zimbabwe Is Trying to Build a China Style Surveillance State
    “It has everything it needs to give the ruling Zanu-PF party and its agents in government the legal basis to imprison opponents using the internet.”
    https://www.vice.com/en_us/article/59n753/zimbabwe-is-trying-to-build-a-china-style-surveillance-state?utm_source=vicenewsfacebook

    Reply
  23. Tomi Engdahl says:

    “Russian authorities have detained a man who built a fake frontier post in the woods near the country’s border with Finland and promised migrant workers he could smuggle them into the European Union.

    The man erected mock border posts and charged four men from south Asia more than $10,000 to take them to EU member Finland, the Russian border guard service said on Wednesday.”

    Russia arrests conman who built fake border with Finland
    https://www.theguardian.com/world/2019/dec/05/russia-arrests-conman-who-built-fake-border-with-finland?CMP=fb_gu&utm_medium=Social&utm_source=Facebook#Echobox=1575540693

    Reply
  24. Tomi Engdahl says:

    https://mashable.com/2014/12/29/fingerprint-photo-copy/

    For more than a century, it’s been possible to lift fingerprints from a physical surface, like a drinking glass. Now a group of hackers is saying they can copy fingerprints from photographs.

    Reply
  25. Tomi Engdahl says:

    FBI Puts $5 Million Bounty On Russian Hackers Behind Dridex Banking Malware
    https://thehackernews.com/2019/12/dridex-russian-hackers-wanted-by-fbi.html?m=1

    The United States Department of Justice today disclosed the identities of two Russian hackers and charged them for developing and distributing the Dridex banking Trojan using which the duo stole more than $100 million over a period of 10 years.

    Reply
  26. Tomi Engdahl says:

    Some Hardware-based Password Managers Have Poor Security
    https://www.bleepingcomputer.com/news/security/some-hardware-based-password-managers-have-poor-security/

    Some hardware-based password managers lack proper protections for the sensitive data they store and allow reading it in plain text, even after they’ve been reset.

    The information was retrieved through physical access to the electronic board inside the device and connecting directly to the flash chips used for storage.

    Using a Raspberry Pi microcomputer, it was possible to read and extract the information available on the flash chip in RecZone Password Safe, which is still available for prices around $35.

    Apart from storing the details in plain text, Eveleigh also found that resetting the device did not affect the storage.

    The issues found in RecZone Password Safe are not specific to this gadget. Looking at Royal’s Password Vault Keeper, Eveleigh noticed it was relying on a CMOS chip.

    A third hardware-based password manager might also have problems keeping the credentials secure. Eveleigh analyzed passwordsFAST, which sells for $24.99 and found that it relied on the I2C serial communication protocol.

    while him and his colleagues could not break the encryption, the microcontroller is accessible

    Reply
  27. Tomi Engdahl says:

    Apple Issues New Warning For Millions Of iPhone Users
    https://www.forbes.com/sites/gordonkelly/2019/12/05/apple-iphone-11-pro-max-upgrade-privacy-security-ios-13-update/?utm_source=FACEBOOK&utm_medium=social&utm_term=Valerie/#76616c657269

    Yesterday Apple was caught red handed and now the company has admitted that the settings in millions of iPhones are misleading users about their use of location data, and promised to fix it. 

    Apple iPhone 11 Alert: Mysterious Location Privacy Issue Is Hitting Users

    https://www.forbes.com/sites/kateoflahertyuk/2019/12/04/apple-iphone-11-iphone-11-pro-location-privacy-issue/

    Reply
  28. Tomi Engdahl says:

    Apple says its ultra wideband technology is why newer iPhones appear to share location data, even when the setting is disabled
    https://tcrn.ch/2rWZnPy

    Reply
  29. Tomi Engdahl says:

    Microsoft Found 44M Accounts Using Breached Passwords
    BY MATTHEW HUMPHRIES 6 DEC 2019, 11:50 A.M.
    https://uk.pcmag.com/news/123976/microsoft-found-44m-accounts-using-breached-passwords

    Microsoft has now forced a password reset on all these user accounts.

    Microsoft has discovered 44 million user accounts are using usernames and passwords that have been leaked through security breaches.

    As ZDNet reports, the vulnerable account logins were discovered when Microsoft’s threat research team carried out a scan of all Microsoft accounts between January and March this year.

    44 million Microsoft users reused passwords in the first three months of 2019
    https://www.zdnet.com/article/44-million-microsoft-users-reused-passwords-in-the-first-three-months-of-2019/

    Microsoft used a database of three billion publicly leaked credentials to identify users who reused passwords

    Reply
  30. Tomi Engdahl says:

    SQL Injection loses #1 spot as most dangerous attack technique
    https://hotforsecurity.bitdefender.com/blog/sql-injection-loses-1-spot-as-most-dangerous-attack-technique-21850.html?cid=soc%7Cc%7cfb%7CH4S

    The Common Weakness Enumeration (CWE), a community-developed compilation of the most critical errors leading to vulnerabilities in software, has lowered SQL Injection from its #1 spot as the most dangerous attack technique.

    SQL Injection, one of the oldest and most prevalent hacking techniques, enables attackers to spoof identity, change or destroy data, leak data, void transactions or change balances, and even gain administrator privileges on the database server.

    As a result, the 2019 list identifies “Improper Restriction of Operations within the Bounds of a Memory Buffer” as the new top weakness, followed by Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). In third place comes Improper Input Validation, followed by Information Exposure and Out-of-bounds Read.

    https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html

    Reply
  31. Tomi Engdahl says:

    PhotoDNA – Robust hashing that finds online child sexual abuse material
    https://www.netclean.com/technical-model-national-response/photodna/

    PhotoDNA is a hashing technology that is widely used to detect online child sexual abuse material. It differs from binary hashing technologies in that it calculates hash values based on the visual content of an image. Like all hashing technologies, PhotoDNA can only detect images that have been identified and classified as child sexual abuse material. However, unlike binary hashing technologies, robust hashing technologies can detect small variations in the classified image or video.

    Microsoft started developing PhotoDNA in collaboration with Dartmouth College back in 2009. It was a social responsibility project, and once it was ready for use it was donated to organisations like the National Centre for Missing & Exploited Children (NCMEC), and Project VIC. It is also used by online platforms such as OneDrive, Google Gmail, Twitter, Facebook, and Adobe Systems, to name a few, and incorporated into software by businesses such as NetClean that build software to detect child sexual abuse material.

    Reply
  32. Tomi Engdahl says:

    Online vigilante Deric Lostutter helped expose the cover-up in the Steubenville rape case. Now he’s facing more jail time than the convicted rapists.

    Anonymous Vs. Steubenville
    https://www.rollingstone.com/culture/culture-news/anonymous-vs-steubenville-57875/

    Reply
  33. Tomi Engdahl says:

    Top Israeli VC talks cybersecurity, diversity and ‘no go’ investments
    https://techcrunch.com/2019/12/02/israeli-vc-erel-margalit-jerusalem-venture-partners/

    It is no secret that Israel is second only to the U.S. for its leading cybersecurity acumen, talent, startups and successful exits.

    Israel is a powerhouse in both offensive and defensive cyber operations, with cybersecurity giants CyberArk, Check Point, and Illusive Networks all founded in the country in recent years.

    Reply
  34. Tomi Engdahl says:

    Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform
    https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html

    Until now, the public’s exposure to mobile phone malware has been dominated by news about the privately run “greyware” vendors who have made headlines for being purveyors of spyware tools. These commercial smartphone spyware tools reportedly end up in the hands of autocrats who use it to hamper free speech, quash dissent, or worse. Consumers of these news stories are often left with the impression that mobile malware is just something paranoid dictators purchase for use within their own borders in remote third world nations. It is not.

    In this report, BlackBerry researchers reveal what the focus on those groups has overshadowed: several governments with well-established cyber capabilities have long ago adapted to and exploited the mobile threat landscape for a decade or more. In this context, mobile malware is not a new or niche effort, but a longstanding part of a cross-platform strategy integrated with traditional desktop malware in diverse ways across the geopolitical sphere.

    Reply
  35. Tomi Engdahl says:

    Inferring and hijacking VPN-tunneled TCP connections.

    https://seclists.org/oss-sec/2019/q4/122

    Reply
  36. Tomi Engdahl says:

    New Linux Bug Lets Attackers Hijack Encrypted VPN Connections
    https://thehackernews.com/2019/12/linux-vpn-hacking.html

    Reply
  37. Tomi Engdahl says:

    https://www.forbes.com/sites/kateoflahertyuk/2019/12/06/googles-new-chrome-move-another-reason-to-turn-to-firefox/

    Now privacy advocates are honing in on a nascent web API called getInstalledRelatedApps, which has been in development since 2015 and available to experiment with since Chrome 59’s launch in 2017.

    Described on GitHub, the API lets developers determine if their native app is installed on your device.

    Reply
  38. Tomi Engdahl says:

    Bug bounty firm HackerOne suffers ‘sloppy cut-and-paste’ breach
    https://www.siliconrepublic.com/enterprise/bug-bounty-hacker-one-breach

    Reply
  39. Tomi Engdahl says:

    20 VPS providers to shut down on Monday, giving customers two days to save their data
    No explanation given for the sudden shutdown. Customers suspect an exit scam.
    https://www.zdnet.com/article/20-vps-providers-to-shut-down-on-monday-giving-customers-two-days-to-save-their-data/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook

    At least 20 web hosting providers have hastily notified customers today, Saturday, December 7, that they plan to shut down on Monday, giving their clients two days to download data from their accounts before servers are shut down and wiped clean.

    The providers appear to be using servers hosted in ColoCrossing data centers

    All clues point to the fact that all 20 websites are part of an affiliate scheme or a multi-brand business ran by the same entity.

    Those who didn’t lose too much money quickly realized they were set to work the weekend, as they had to download all their data and find a new provider, in order to avoid a prolonged downtime on Monday, when the 20 providers are set to shut off servers.

    Online, the phrase “exit scam” is now being mentioned in several places [1, 2, 3]. Many believe the company behind all these VPS providers is running away with the money it made in Black Friday and Cyber Monday deals, without providing any service.

    Paranoia and fear of a scam are high, and for good reasons.

    A source in the web hosting industry who wanted to remain anonymous told ZDNet that what happened this weekend is often referred to as “deadpooling” — namely, the practice of setting up a small web hosting company, providing ultra-cheap VPS servers for a few dollars a month, and then shutting down a few months later, without refunding customers.

    “This is a systemic issue within the low-end market, we call it deadpooling,” the source told us. “It doesn’t happen often at this scale, however.”

    Reply
  40. Tomi Engdahl says:

    FBI Asked Sony for Data on User Who Allegedly Used PlayStation Network to Sell Cocaine
    The search warrant application even asks what games the suspect played and their progress.
    https://www.vice.com/en_us/article/zmjp73/fbi-asked-sony-playstation-4-user-data-cocaine-dealer?utm_campaign=sharebutton

    Reply
  41. Tomi Engdahl says:

    ‘FUCK CRIME:’ Inside Ring’s Quest to Become Law Enforcement’s Best Friend
    https://www.vice.com/en_us/article/bjw9e8/inside-rings-quest-to-become-law-enforcements-best-friend?utm_campaign=sharebutton

    Amazon’s surveillance company has seeped into hundreds of American communities by throwing parties for police and giving them free devices

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*