This posting is here to collect cyber security news in December 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
197 Comments
Tomi Engdahl says:
China due to introduce face scans for mobile users
https://www.bbc.com/news/world-asia-china-50587098
People in China are now required to have their faces scanned when registering new mobile phone services, as the authorities seek to verify the identities of the country’s hundreds of millions of internet users.
The regulation, announced in September, was due to come into effect Sunday.
Tomi Engdahl says:
Now even the FBI is warning about your smart TV’s security
https://tcrn.ch/2P6bmC4
If you just bought a smart TV on Black Friday or plan to buy one for Cyber Monday tomorrow, the FBI wants you to know a few things.
Smart TVs are like regular television sets but with an internet connection. With the advent and growth of Netflix, Hulu and other streaming services, most saw internet-connected televisions as a cord-cutter’s dream. But like anything that connects to the internet, it opens up smart TVs to security vulnerabilities and hackers. Not only that, many smart TVs come with a camera and a microphone. But as is the case with most other internet-connected devices, manufacturers often don’t put security as a priority.
Tomi Engdahl says:
November 26, 2019
Oregon FBI Tech Tuesday: Securing Smart TVs
https://www.fbi.gov/contact-us/field-offices/portland/news/press-releases/tech-tuesdaysmart-tvs/?=portland-field-office
Tomi Engdahl says:
Private Internet Access VPN to be acquired by malware company founded by former Israeli spy
https://telegra.ph/Private-Internet-Access-VPN-acquired-by-malware-business-founded-by-former-Israeli-spies-12-01
Stay safe
Tomi Engdahl says:
Question: How does a Linux/Unix sysadmin keep a fire going?
Answer: They rotate the logs.
Tomi Engdahl says:
This Ring Uses a Fake Fingerprint to Protect Your Biometric Data
BY MICHAEL KAN 2 DEC 2019, 7:49 P.M.
https://uk.pcmag.com/news/123893/this-ring-uses-a-fake-fingerprint-to-protect-your-biometric-data
The ring concept from Kaspersky Lab is designed to address a key vulnerability with biometric authentication—your face and fingerprints can’t be reset like a password if copies of them are stolen. So why not use a dummy fingerprint instead?
Tomi Engdahl says:
Putin signs law making Russian apps mandatory on smartphones, computers
https://www.reuters.com/article/us-russia-internet-software-idUSKBN1Y61Z4?utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
Russian President Vladimir Putin on Monday signed legislation requiring all smartphones, computers and smart TV sets sold in the country to come pre-installed with Russian software.
Tomi Engdahl says:
I haven’t verified this but if it is legitimate it is of significant concern for PIA users
https://vpnpro.com/blog/private-internet-access-announces-merger-with-kape-technologies-in-latin/
Tomi Engdahl says:
“Clapper made clear that the internet of things – the many devices like thermostats, cameras and other appliances that are increasingly connected to the internet – are providing ample opportunity for intelligence agencies to spy on targets, and possibly the masses”
https://www.theguardian.com/commentisfree/2016/feb/09/internet-of-things-smart-devices-spying-surveillance-us-government?
Tomi Engdahl says:
China Uses DNA to Map Faces, With Help From the West
https://www.nytimes.com/2019/12/03/business/china-dna-uighurs-xinjiang.html
Beijing’s pursuit of control over a Muslim ethnic group pushes the rules of science and raises questions about consent.
Tomi Engdahl says:
Toyota, Lexus owners warned about thefts that use ‘relay attacks’
https://www.cbc.ca/news/canada/ottawa/toyota-lexus-relay-attack-1.5380947
Thieves have taken at least 100 high-end vehicles across the Ottawa region since April
Thieves using $200 ‘amplifier’
Like many new cars, modern Toyotas are designed to respond to the radio signal from the key fob within a range of a metre or two.
Jeff Bates of Lockdown Security in Markham, Ont., says thieves are using a $200 device that boosts the strength of that signal, allowing them to unlock the vehicle and disarm its security system even though the fob is inside the house. Driving off with the luxury vehicle is as simple as pushing a button.
Bates said in some cases, thieves will still break into a vehicle the old-fashioned way, then plug a computer into the car’s diagnostic port and hack the security system to make it think the key is present.
Often, the vehicles are never found.
In an email, Toyota spokesperson David Shum said customers should take extra steps to safeguard their vehicles, including considering an after-market alarm system, steering wheel lock and diagnostic-port lock.
“If a garage is not accessible, park another less desirable vehicle in front of your vehicle,” Shum suggested.
While some experts recommend wrapping the key fob in tinfoil or keeping it in a metal box, Toyota suggests buying a radio frequency shielding “faraday pouch” to prevent unwanted radio waves from reaching the device.
Shum also warned Toyota owners to never leave their key fobs near the front door of their home.
Tomi Engdahl says:
Avast Online Security and Avast Secure Browser are spying on you
https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/
Are you one of the allegedly 400 million users of Avast antivirus products? Then I have bad news for you: you are likely being spied upon. The culprit is the Avast Online Security extension that these products urge you to install in your browser for maximum protection.
Avast Secure Browser has Avast Online Security installed by default.
Avast products promote this browser heavily, and it will also be used automatically in “Banking Mode.” Given that Avast bought AVG a few years ago, there is also a mostly identical AVG Secure Browser with the built-in AVG Online Security extension.
Summary of the findings
When Avast Online Security extension is active, it will request information about your visited websites from an Avast server. In the process, it will transmit data that allows reconstructing your entire web browsing history and much of your browsing behavior.
Avast Privacy Policy covers this functionality and claims that it is necessary to provide the service. Storing the data is considered unproblematic due to anonymization (I disagree), and Avast doesn’t make any statements explaining just how long it holds on to it.
Tomi Engdahl says:
Avast and AVG Browser Extensions Spying On Chrome and Firefox Users
https://thehackernews.com/2019/12/avast-and-avg-browser-plugins.html?m=1
If your Firefox or Chrome browser has any of the below-listed four extensions offered by Avast and its subsidiary AVG installed, you should disable or remove them as soon as possible.
Avast Online Security
AVG Online Security
Avast SafePrice
AVG SafePrice
Why? Because these four widely installed browser extensions have been caught collecting a lot more data on their millions of users than they are intended to, including your detailed browsing history.
Tomi Engdahl says:
New Chrome Password Stealer Sends Stolen Data to a MongoDB Database
https://www.bleepingcomputer.com/news/security/new-chrome-password-stealer-sends-stolen-data-to-a-mongodb-database/
Tomi Engdahl says:
Homeland Security wants to use facial recognition on traveling US citizens, too
https://edition.cnn.com/2019/12/02/tech/homeland-security-facial-recognition-citizens-at-airports/index.html?utm_term=link&utm_source=fbbusiness&utm_medium=social&utm_content=2019-12-03T05%3A00%3A03
The Department of Homeland Security wants to be able to use facial-recognition technology to identify all people entering and leaving the United States — including US citizens.
In a recent filing, the DHS proposed changing existing regulations
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researchers achieve new cryptography milestones, including factoring the largest RSA key size ever, largely thanks to improved algorithms, not better hardware
New crypto-cracking record reached, with less help than usual from Moore’s Law
795-bit factoring and discrete logarithms achieved using more efficient algorithms.
https://arstechnica.com/information-technology/2019/12/new-crypto-cracking-record-reached-with-less-help-than-usual-from-moores-law/
The new records include the factoring of RSA-240, an RSA key that has 240 decimal digits and a size of 795 bits. The same team of researchers also computed a discrete logarithm of the same size. The previous records were the factoring in 2010 of an RSA-768 (which, despite its digit is a smaller RSA key than the RSA-240, with 232 decimal digits and 768 bits) and the computation of a 768-bit prime discrete logarithm in 2016.
The sum of the computation time for both of the new records is about 4,000 core-years using Intel Xeon Gold 6130 CPUs (running at 2.1GHz) as a reference. Like previous records, these ones were accomplished using a complex algorithm called the Number Field Sieve
Comments:
Attacking encryption with a quantum computer requires a much bigger quantum computer than we can currently build. Shor’s Algorithm is what would be used, which I believe requires at least twice as many qubits as there are bits in the encryption key.
The largest number we’ve factored using Shor’s Algorithm is 21, a paltry five bits. So we’re about two orders of magnitude away from being able to crack a key as large as the one mentioned in the article, and three orders of magnitude away from keys that are being commonly used today.
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Mozilla removes four Firefox extensions made by Avast and AVG after reports that they were harvesting user data and browsing histories
Mozilla removes Avast and AVG extensions from add-on portal over snooping claims
The four extensions, two from Avast and two from AVG, are still available on the Chrome Web Store.
https://www.zdnet.com/article/mozilla-removes-avast-and-avg-extensions-from-add-on-portal-over-snooping-claims/
Tomi Engdahl says:
Two malicious Python libraries caught stealing SSH and GPG keys
One library was available for only two days, but the second was live for nearly a year.
https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
The Python security team removed two trojanized Python libraries from PyPI (Python Package Index) that were caught stealing SSH and GPG keys from the projects of infected developers.
The two libraries were created by the same developer and mimicked other more popular libraries
The first is “python3-dateutil,” which imitated the popular “dateutil” library. The second is “jeIlyfish” (the first L is an I), which mimicked the “jellyfish” library.
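The two packages above were caught by name: a namespace-style prefix on a known library (“python3-dateutil”) and a confusable glyph swap (“jeIlyfish”, capital I for lowercase l). The following is an added example, not code from the article or from PyPI, of a defender-side screen that runs over a requirements file and flags both patterns plus one-or-two-character near-misses. The list of known package names, the confusable-character table and the sample requirements file are constructed for the example; the PEP 503 name normalisation (runs of `-`, `_` and `.` collapsed to `-`, lowercased) is the real PyPI rule.

```python
import re

# Constructed allow-list of packages the project legitimately depends on.
KNOWN_PACKAGES = {"dateutil", "python-dateutil", "jellyfish", "requests",
                  "numpy", "cryptography"}

# Constructed table of visually confusable characters folded to one canonical glyph.
# Applied BEFORE lowercasing so that a capital I standing in for l is caught.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})

# Namespace-style prefixes often prepended to a well-known name (constructed list).
PREFIXES = ("python-", "python3-", "py-", "py3-")


def pep503(name: str) -> str:
    """PEP 503 normalised form used by PyPI for name comparison."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_prefix(name: str) -> str:
    for p in PREFIXES:
        if name.startswith(p) and len(name) > len(p):
            return name[len(p):]
    return name


def screen(name: str, known=KNOWN_PACKAGES):
    """Return (verdict, closest_known).

    verdict is 'ok', 'lookalike' (confusable glyphs or a prefix on a known
    name) or 'near-miss' (edit distance <= 2 from a known name).
    """
    canonical = pep503(name)
    if canonical in known:
        return "ok", canonical
    # Fold confusable glyphs, normalise, then drop a namespace-style prefix.
    folded = strip_prefix(pep503(name.translate(CONFUSABLES)))
    if folded in known:
        return "lookalike", folded
    closest = min(known, key=lambda k: levenshtein(folded, k))
    if levenshtein(folded, closest) <= 2:
        return "near-miss", closest
    return "ok", None


def screen_requirements(text: str, known=KNOWN_PACKAGES):
    """Screen every requirement line; version specifiers and comments are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not m:
            continue
        name = m.group(0)
        verdict, match = screen(name, known)
        findings.append((name, verdict, match))
    return findings


# Constructed sample requirements file mixing legitimate and suspicious names.
SAMPLE_REQUIREMENTS = """\
# constructed sample
requests==2.22.0
python3-dateutil>=2.8
jeIlyfish
numpy
reqeusts
"""

if __name__ == "__main__":
    for name, verdict, match in screen_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:20} {verdict:10} {match}")
```

The screen is deliberately conservative: a name that normalises to an allow-listed package passes before any fuzzy matching, so only genuinely unknown names are compared by glyph folding and edit distance. In a real pipeline the allow-list would be the project's lock file rather than a hand-written set.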
Tomi Engdahl says:
Dutch politician faces three years in prison for hacking iCloud accounts and leaking nudes
https://www.zdnet.com/article/dutch-politician-faces-three-years-in-prison-for-hacking-icloud-accounts-and-leaking-nudes/
City council member who doubled as a hacker set to be sentenced on Christmas Eve.
Tomi Engdahl says:
80% of all Android apps are encrypting traffic by default
90% of all Android 9 apps are encrypting network traffic via HTTPS.
https://www.zdnet.com/article/80-of-all-android-apps-are-encrypting-traffic-by-default/
Google reached another milestone in its quest to push for the broader adoption of the HTTPS standard.
In a blog post today, the US-based tech giant said that four out of five (80%) Android applications available for download through the official Play Store are encrypting their respective network traffic using HTTPS.
Tomi Engdahl says:
Elcomsoft Extracts Data from Locked iPhones with Unpatchable checkra1n Jailbreak
https://www.elcomsoft.com/press_releases/eift_191202.html
ElcomSoft Co. Ltd. releases a major update of iOS Forensic Toolkit, the company’s mobile forensic tool for extracting data from a range of Apple devices. Version 5.20 adds the ability to extract the file system and decrypt the keychain from select Apple devices running all versions of iOS from iOS 12 to iOS 13.3. Partial file system extraction is now possible from locked iPhones even if the screen lock password is not known.
Tomi Engdahl says:
https://cybersecurity.att.com/blogs/labs-research/the-great-cannon-has-been-deployed-again
Tomi Engdahl says:
China resurrects Great Cannon for DDoS attacks on Hong Kong forum
Two years after the last attacks, the Great Cannon is up and running again
https://www.zdnet.com/article/china-resurrects-great-cannon-for-ddos-attacks-on-hong-kong-forum/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
More than two years after it was last used, the Chinese government deployed an infamous DDoS tool named the “Great Cannon” to launch attacks against LIHKG, an online forum where Hong Kong residents are organizing anti-Beijing protests.
According to the report, the Great Cannon worked by intercepting traffic meant for websites hosted inside China and injecting JavaScript code in the responses users received in their browsers.
Malicious JavaScript code executed in users’ browsers and secretly accessed a victim’s site — generating gigantic traffic spikes for the victim and its web server.
Tomi Engdahl says:
Best home security systems of 2019 (plus DIY kits, video doorbells and more)
https://www.cnet.com/how-to/best-home-security-systems-of-2019/?ftag=CMG-01-10aaa1b
Yes, shopping for a home security system can be a headache. Good thing we’ve done a lot of the legwork for you.
Tomi Engdahl says:
Zimbabwe Is Trying to Build a China Style Surveillance State
“It has everything it needs to give the ruling Zanu-PF party and its agents in government the legal basis to imprison opponents using the internet.”
https://www.vice.com/en_us/article/59n753/zimbabwe-is-trying-to-build-a-china-style-surveillance-state?utm_source=vicenewsfacebook
Tomi Engdahl says:
https://thehill.com/policy/technology/472993-house-passes-anti-robocall-bill
Tomi Engdahl says:
“Russian authorities have detained a man who built a fake frontier post in the woods near the country’s border with Finland and promised migrant workers he could smuggle them into the European Union.
The man erected mock border posts and charged four men from south Asia more than $10,000 to take them to EU member Finland, the Russian border guard service said on Wednesday.”
Russia arrests conman who built fake border with Finland
https://www.theguardian.com/world/2019/dec/05/russia-arrests-conman-who-built-fake-border-with-finland?CMP=fb_gu&utm_medium=Social&utm_source=Facebook#Echobox=1575540693
Tomi Engdahl says:
https://mashable.com/2014/12/29/fingerprint-photo-copy/
For more than a century, it’s been possible to lift fingerprints from a physical surface, like a drinking glass. Now a group of hackers is saying they can copy fingerprints from photographs.
Tomi Engdahl says:
https://www.us-cert.gov/
Tomi Engdahl says:
Hackers Claim ‘Any’ Smartphone Fingerprint Lock Can Be Broken In 20 Minutes
https://www.forbes.com/sites/daveywinder/2019/11/02/smartphone-security-alert-as-hackers-claim-any-fingerprint-lock-broken-in-20-minutes/
Tomi Engdahl says:
FBI Puts $5 Million Bounty On Russian Hackers Behind Dridex Banking Malware
https://thehackernews.com/2019/12/dridex-russian-hackers-wanted-by-fbi.html?m=1
The United States Department of Justice today disclosed the identities of two Russian hackers and charged them for developing and distributing the Dridex banking Trojan using which the duo stole more than $100 million over a period of 10 years.
Tomi Engdahl says:
Some Hardware-based Password Managers Have Poor Security
https://www.bleepingcomputer.com/news/security/some-hardware-based-password-managers-have-poor-security/
Some hardware-based password managers lack proper protections for the sensitive data they store and allow reading it in plain text, even after they’ve been reset.
The information was retrieved through physical access to the electronic board inside the device and connecting directly to the flash chips used for storage.
Using a Raspberry Pi microcomputer, it was possible to read and extract the information available on the flash chip in RecZone Password Safe, which is still available for prices around $35.
Apart from storing the details in plain text, Eveleigh also found that resetting the device did not affect the storage.
The issues found in RecZone Password Safe are not specific to this gadget. Looking at Royal’s Password Vault Keeper, Eveleigh noticed it was relying on a CMOS chip.
A third hardware-based password manager might also have problems keeping the credentials secure. Eveleigh analyzed passwordsFAST, which sells for $24.99 and found that it relied on the I2C serial communication protocol.
While he and his colleagues could not break the encryption, the microcontroller is accessible.
Tomi Engdahl says:
Apple Issues New Warning For Millions Of iPhone Users
https://www.forbes.com/sites/gordonkelly/2019/12/05/apple-iphone-11-pro-max-upgrade-privacy-security-ios-13-update/?utm_source=FACEBOOK&utm_medium=social&utm_term=Valerie/#76616c657269
Yesterday Apple was caught red handed and now the company has admitted that the settings in millions of iPhones are misleading users about their use of location data, and promised to fix it.
Apple iPhone 11 Alert: Mysterious Location Privacy Issue Is Hitting Users
https://www.forbes.com/sites/kateoflahertyuk/2019/12/04/apple-iphone-11-iphone-11-pro-location-privacy-issue/
Tomi Engdahl says:
Apple says its ultra wideband technology is why newer iPhones appear to share location data, even when the setting is disabled
https://tcrn.ch/2rWZnPy
Tomi Engdahl says:
Microsoft Found 44M Accounts Using Breached Passwords
BY MATTHEW HUMPHRIES 6 DEC 2019, 11:50 A.M.
https://uk.pcmag.com/news/123976/microsoft-found-44m-accounts-using-breached-passwords
Microsoft has now forced a password reset on all these user accounts.
Microsoft has discovered 44 million user accounts are using usernames and passwords that have been leaked through security breaches.
As ZDNet reports, the vulnerable account logins were discovered when Microsoft’s threat research team carried out a scan of all Microsoft accounts between January and March this year.
44 million Microsoft users reused passwords in the first three months of 2019
https://www.zdnet.com/article/44-million-microsoft-users-reused-passwords-in-the-first-three-months-of-2019/
Microsoft used a database of three billion publicly leaked credentials to identify users who reused passwords
Tomi Engdahl says:
SQL Injection loses #1 spot as most dangerous attack technique
https://hotforsecurity.bitdefender.com/blog/sql-injection-loses-1-spot-as-most-dangerous-attack-technique-21850.html?cid=soc%7Cc%7cfb%7CH4S
The Common Weakness Enumeration (CWE), a community-developed compilation of the most critical errors leading to vulnerabilities in software, has lowered SQL Injection from its #1 spot as the most dangerous attack technique.
SQL Injection, one of the oldest and most prevalent hacking techniques, enables attackers to spoof identity, change or destroy data, leak data, void transactions or change balances, and even gain administrator privileges on the database server.
As a result, the 2019 list identifies “Improper Restriction of Operations within the Bounds of a Memory Buffer” as the new top weakness, followed by Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). In third place comes Improper Input Validation, followed by Information Exposure and Out-of-bounds Read.
https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
Tomi Engdahl says:
The Fight Over Encrypted DNS: Explained
https://spectrum.ieee.org/tech-talk/telecom/security/the-fight-over-encrypted-dns-boils-over?utm_content=bufferaee28&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
Tomi Engdahl says:
PhotoDNA – Robust hashing that finds online child sexual abuse material
https://www.netclean.com/technical-model-national-response/photodna/
PhotoDNA is a hashing technology that is widely used to detect online child sexual abuse material. It differs from binary hashing technologies in that it calculates hash values based on the visual content of an image. Like all hashing technologies, PhotoDNA can only detect images that have been identified and classified as child sexual abuse material. However, unlike binary hashing technologies, robust hashing technologies can detect small variations in the classified image or video.
Microsoft started developing PhotoDNA in collaboration with Dartmouth College back in 2009. It was a social responsibility project, and once it was ready for use it was donated to organisations like the National Centre for Missing & Exploited Children (NCMEC), and Project VIC. It is also used by online platforms such as OneDrive, Google Gmail, Twitter, Facebook, and Adobe Systems, to name a few, and incorporated into software by businesses such as NetClean that build software to detect child sexual abuse material.
Tomi Engdahl says:
Online vigilante Deric Lostutter helped expose the cover-up in the Steubenville rape case. Now he’s facing more jail time than the convicted rapists.
Anonymous Vs. Steubenville
https://www.rollingstone.com/culture/culture-news/anonymous-vs-steubenville-57875/
Tomi Engdahl says:
https://thehackernews.com/2019/12/linux-vpn-hacking.html?m=1
Tomi Engdahl says:
Top Israeli VC talks cybersecurity, diversity and ‘no go’ investments
https://techcrunch.com/2019/12/02/israeli-vc-erel-margalit-jerusalem-venture-partners/
It is no secret that Israel is second only to the U.S. for its leading cybersecurity acumen, talent, startups and successful exits.
Israel is a powerhouse in both offensive and defensive cyber operations, with cybersecurity giants CyberArk, Check Point, and Illusive Networks all founded in the country in recent years.
Tomi Engdahl says:
Mobile Malware and APT Espionage: Prolific, Pervasive, and Cross-Platform
https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html
Until now, the public’s exposure to mobile phone malware has been dominated by news about the privately run “greyware” vendors who have made headlines for being purveyors of spyware tools. These commercial smartphone spyware tools reportedly end up in the hands of autocrats who use it to hamper free speech, quash dissent, or worse. Consumers of these news stories are often left with the impression that mobile malware is just something paranoid dictators purchase for use within their own borders in remote third world nations. It is not.
In this report, BlackBerry researchers reveal what the focus on those groups has overshadowed: several governments with well-established cyber capabilities have long ago adapted to and exploited the mobile threat landscape for a decade or more. In this context, mobile malware is not a new or niche effort, but a longstanding part of a cross-platform strategy integrated with traditional desktop malware in diverse ways across the geopolitical sphere.
Tomi Engdahl says:
Google Confirms Critical Android 8, 9 And 10 ‘Permanent’ Denial Of Service Threat
https://www.forbes.com/sites/daveywinder/2019/12/07/google-confirms-critical-android-8-9-and-10-permanent-denial-of-service-threat/?utm_source=FACEBOOK&utm_medium=social&utm_term=Valerie/#76616c657269
Tomi Engdahl says:
Inferring and hijacking VPN-tunneled TCP connections.
https://seclists.org/oss-sec/2019/q4/122
Tomi Engdahl says:
New Linux Bug Lets Attackers Hijack Encrypted VPN Connections
https://thehackernews.com/2019/12/linux-vpn-hacking.html
Tomi Engdahl says:
https://www.forbes.com/sites/kateoflahertyuk/2019/12/06/googles-new-chrome-move-another-reason-to-turn-to-firefox/
Now privacy advocates are honing in on a nascent web API called getInstalledRelatedApps, which has been in development since 2015 and available to experiment with since Chrome 59’s launch in 2017.
Described on GitHub, the API lets developers determine if their native app is installed on your device.
Tomi Engdahl says:
Bug bounty firm HackerOne suffers ‘sloppy cut-and-paste’ breach
https://www.siliconrepublic.com/enterprise/bug-bounty-hacker-one-breach
Tomi Engdahl says:
20 VPS providers to shut down on Monday, giving customers two days to save their data
No explanation given for the sudden shutdown. Customers suspect an exit scam.
https://www.zdnet.com/article/20-vps-providers-to-shut-down-on-monday-giving-customers-two-days-to-save-their-data/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
At least 20 web hosting providers have hastily notified customers today, Saturday, December 7, that they plan to shut down on Monday, giving their clients two days to download data from their accounts before servers are shut down and wiped clean.
The providers appear to be using servers hosted in ColoCrossing data centers
All clues point to the fact that all 20 websites are part of an affiliate scheme or a multi-brand business run by the same entity.
Those who didn’t lose too much money quickly realized they were set to work the weekend, as they had to download all their data and find a new provider, in order to avoid a prolonged downtime on Monday, when the 20 providers are set to shut off servers.
Online, the phrase “exit scam” is now being mentioned in several places [1, 2, 3]. Many believe the company behind all these VPS providers is running away with the money it made in Black Friday and Cyber Monday deals, without providing any service.
Paranoia and fear of a scam are high, and for good reasons.
A source in the web hosting industry who wanted to remain anonymous told ZDNet that what happened this weekend is often referred to as “deadpooling” — namely, the practice of setting up a small web hosting company, providing ultra-cheap VPS servers for a few dollars a month, and then shutting down a few months later, without refunding customers.
“This is a systemic issue within the low-end market, we call it deadpooling,” the source told us. “It doesn’t happen often at this scale, however.”
Tomi Engdahl says:
FBI Asked Sony for Data on User Who Allegedly Used PlayStation Network to Sell Cocaine
The search warrant application even asks what games the suspect played and their progress.
https://www.vice.com/en_us/article/zmjp73/fbi-asked-sony-playstation-4-user-data-cocaine-dealer?utm_campaign=sharebutton
Tomi Engdahl says:
‘FUCK CRIME:’ Inside Ring’s Quest to Become Law Enforcement’s Best Friend
https://www.vice.com/en_us/article/bjw9e8/inside-rings-quest-to-become-law-enforcements-best-friend?utm_campaign=sharebutton
Amazon’s surveillance company has seeped into hundreds of American communities by throwing parties for police and giving them free devices