This posting is here to collect cyber security news in August 2020.
I post links to security vulnerability news with short descriptions to the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
240 Comments
Tomi Engdahl says:
https://9to5mac.com/2020/08/01/new-unpatchable-exploit-allegedly-found-on-apples-secure-enclave-chip-heres-what-it-could-mean/
Tomi Engdahl says:
Hacker leaks passwords for 900+ enterprise VPN servers
https://www.zdnet.com/article/hacker-leaks-passwords-for-900-enterprise-vpn-servers/
EXCLUSIVE: The list has been shared on a Russian-speaking hacker forum frequented by multiple ransomware gangs.
A hacker has published today a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers.
ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.
According to a review, the list includes:
IP addresses of Pulse Secure VPN servers
Pulse Secure VPN server firmware version
SSH keys for each server
A list of all local users and their password hashes
Admin account details
Last VPN logins (including usernames and cleartext passwords)
VPN session cookies
Tomi Engdahl says:
A REUTERS INVESTIGATION
Rite Aid deployed facial recognition systems in hundreds of U.S. stores
https://www.reuters.com/investigates/special-report/usa-riteaid-software/
Tomi Engdahl says:
Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)
Kaspersky says Oilrig (APT34) group has been using DoH to silently exfiltrate data from hacked networks.
https://www.zdnet.com/article/iranian-hacker-group-becomes-first-known-apt-to-weaponize-dns-over-https-doh/?ftag=CAD-03-10abf6j
Tomi Engdahl says:
DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols
https://github.com/Arno0x/DNSExfiltrator
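As an added illustration (not code from the linked project or from this post): DNSExfiltrator and similar tools carry data out in the subdomain labels of the queries themselves, so the encoded chunks are visible wherever the queries are logged, whether that is a recursive resolver, an endpoint DNS client log or a DoH proxy. Once the transport is DoH, a network sensor no longer sees the query at all, which is why the detection point has to move to the endpoint or the resolver. The Python below scores query names by label length and Shannon entropy over a constructed log sample; the log format, the thresholds and the two-label "parent domain" rule are assumptions for the example.

```python
import math
import re
from collections import Counter

# Constructed sample of DNS query logs ("<timestamp> <client> <qtype> <qname>").
# The exfil-test.example labels are base32-style chunks in the style DNS
# exfiltration tools emit; they carry no real data.
SAMPLE_LOG = """\
2020-08-03T10:00:01 10.0.0.5 A www.example.com
2020-08-03T10:00:02 10.0.0.5 A cdn.example.net
2020-08-03T10:00:03 10.0.0.7 TXT init.f4a9c2.exfil-test.example
2020-08-03T10:00:03 10.0.0.7 TXT 0.ORSXG5BANFZSAYJAORSXG5A.exfil-test.example
2020-08-03T10:00:04 10.0.0.7 TXT 1.MFXGIIDUNBUXGIDJOMQGC3TPORUGK4RANFZQ.exfil-test.example
2020-08-03T10:00:04 10.0.0.7 TXT 2.NBUWO2DMPFQW4YLWNZ2WI3TUKRUG.exfil-test.example
2020-08-03T10:00:05 10.0.0.5 AAAA mail.example.com
"""

# Thresholds are assumptions for the example; tune them against your own baseline.
MIN_LABEL_LEN = 16     # encoded chunks are long; ordinary hostnames rarely are
MIN_ENTROPY = 3.0      # bits/char; base32/base64 payloads score well above this
MIN_HITS = 2           # require a repeat before alerting on a (client, domain) pair

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str) -> str:
    """Naive registrable domain (last two labels); production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def is_suspicious(qname: str, qtype: str) -> bool:
    """Flag a query whose subdomain labels look like an encoded payload."""
    labels = qname.rstrip(".").split(".")[:-2]    # everything below the parent domain
    if not labels:
        return False
    if any(len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY
           for label in labels):
        return True
    # TXT is the usual channel for server-to-client replies; a long TXT name is a weaker signal.
    return qtype == "TXT" and len("".join(labels)) >= 40


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_exfil(text: str) -> dict:
    """Return {(client, parent_domain): suspicious_query_count} for pairs at or above MIN_HITS."""
    hits = Counter()
    for rec in parse_log(text):
        if is_suspicious(rec["qname"], rec["qtype"]):
            hits[(rec["client"], parent_domain(rec["qname"]))] += 1
    return {pair: n for pair, n in hits.items() if n >= MIN_HITS}


if __name__ == "__main__":
    for (client, domain), n in find_exfil(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {n} suspicious queries")
```

The entropy rule alone fires on content-addressed CDN hostnames and on some anti-spam and telemetry domains, so the per-pair repeat count and an allowlist of known chatty domains are what keep it usable in practice.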
Tomi Engdahl says:
A new technique can detect newer 4G ‘stingray’ cell phone snooping
https://techcrunch.com/2020/08/05/crocodile-hunter-4g-stingray-cell/?tpcc=ECFB2020
Security researchers say they have developed a new technique to detect modern cell-site simulators.
Cell site simulators, known as “stingrays,” impersonate cell towers and can capture information about any phone in its range — including in some cases calls, messages and data. Police secretly deploy stingrays hundreds of times a year across the United States, often capturing the data on innocent bystanders in the process.
Little is known about stingrays, because they are deliberately shrouded in secrecy. Developed by Harris Corp. and sold exclusively to police and law enforcement, stingrays are covered under strict nondisclosure agreements that prevent police from discussing how the technology works.
But what we do know is that stingrays exploit flaws in the way that cell phones connect to 2G cell networks.
Most of those flaws are fixed in the newer, faster and more secure 4G networks, though not all. Newer cell site simulators, called “Hailstorm” devices, take advantage of similar flaws in 4G that let police snoop on newer phones and devices.
Some phone apps claim they can detect stingrays and other cell site simulators, but most produce wrong results.
But now researchers at the Electronic Frontier Foundation have discovered a new technique that can detect Hailstorm devices.
Enter the EFF’s latest project, dubbed “Crocodile Hunter”
https://github.com/EFForg/crocodilehunter
Quintin and fellow researcher Yomna Nasser, who authored the EFF’s technical paper on how cell site simulators work, found that collecting and decoding the MIB and SIB messages over the air can identify potentially illegitimate cell towers.
https://www.eff.org/deeplinks/2019/07/announcing-gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell
Tomi Engdahl says:
YouTube bans thousands of Chinese accounts to combat ‘coordinated influence operations’
https://tcrn.ch/33Id71x
YouTube has banned a large number of Chinese accounts it said were engaging in “coordinated influence operations” on political issues, the company announced today; 2,596 accounts from China alone were taken down from April to June, compared with 277 in the first three months of 2020.
Tomi Engdahl says:
Researcher Demos Hacking of 3D Printer Firmware That Can Trigger a Fire
Attribution link: https://latesthackingnews.com/2020/08/06/researcher-demos-hacking-of-3d-printer-firmware-that-can-trigger-a-fire/
Tomi Engdahl says:
Hackers say ‘jackpotting’ flaws tricked popular ATMs into spitting out cash
https://techcrunch.com/2020/08/06/hackers-atm-spit-cash/?tpcc=ECFB2020
Tomi Engdahl says:
Massive 20GB Intel IP Data Breach Floods the Internet, Mentions Backdoors
https://www.tomshardware.com/news/massive-20gb-intel-data-breach-floods-the-internet-mentions-backdoors
Anonymous hacker promises more to come soon, too
A leaker today posted on Twitter a link to a file sharing service that contains what an anonymous source claims is a portion of Intel’s crown jewels: A 20GB folder of confidential Intel intellectual property. The leaker dubbed the release the “Intel exconfidential Lake Platform Release ;).”
The anonymous leaker claims the hacker “breached” Intel and the files were obtained earlier this year, adding “most of the things here have NOT been published ANYWHERE before and are classified as confidential, under NDA or Intel Restricted Secret.” The leaker says more files will be shared soon, and “the future parts of this leak will have even juicier and more classified stuff.”
Tomi Engdahl says:
Black Hat 2020: Influence Campaigns Are a Cybersecurity Problem
https://threatpost.com/black-hat-hacking-public-opinion/158167/
An inside look at how nation-states use social media to influence, confuse and divide — and why cybersecurity researchers should be involved.
Social media used as a cudgel for nation-states to sway opinion is a cybersecurity threat CISOs can’t ignore — and need to understand better and mitigate against.
Tomi Engdahl says:
Nearly 50% of all smartphones affected by Qualcomm Snapdragon bugs
https://www.bleepingcomputer.com/news/security/nearly-50-percent-of-all-smartphones-affected-by-qualcomm-snapdragon-bugs/
Several security vulnerabilities found in the Digital Signal Processor (DSP) chip of Qualcomm’s Snapdragon could allow attackers to take control of almost 40% of all smartphones, spy on their users, and create un-removable malware capable of evading detection.
Hundreds of millions of devices exposed to attacks
The vulnerable DSP chip “can be found in nearly every Android phone on the planet, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more,” according to Check Point researchers who found these vulnerabilities.
Apple’s iPhone smartphone line is not affected by the security issues discovered and disclosed by Check Point in their report.
Check Point disclosed their findings to Qualcomm, who acknowledged them, notified device vendors, and assigned them with the following six CVEs: CVE-2020-11201, CVE-2020-11202, CVE-2020-11206, CVE-2020-11207, CVE-2020-11208, and CVE-2020-11209.
Qualcomm fixed the vulnerabilities, security updates incoming
Although Qualcomm has already patched the six security flaws found to affect the Snapdragon DSP chip, mobile vendors still have to implement and deliver the fixes to their devices’ users. Until then the threat remains, since the devices are still vulnerable to attacks.
Tomi Engdahl says:
Trump Signs Executive Order Banning TikTok, WeChat In 45 Days
https://www.zerohedge.com/markets/trump-signs-executive-order-banning-tiktok-wechat
President Trump signed an executive order banning U.S. residents from doing any business with TikTok or the apps’ Chinese owner ByteDance 45 days from now.
Trump said the U.S. “must take aggressive action against the owners of TikTok to protect our national security”.
The EO comes as Trump has demanded the divestment of the popular video app, citing national security risks to the U.S, and threatens penalties on any U.S. resident or company that engages in any transactions with TikTok or ByteDance after the order takes effect.
Tomi Engdahl says:
Windows 10 turns thumbs down on CCleaner
https://techxplore.com/news/2020-08-windows-thumbs-ccleaner.html
For 16 years, CCleaner has been a popular computer system cleaning and optimization tool, known for efficiently removing unwanted files, programs and accumulated digital fragments from users’ hard drives.
This week, Microsoft told CCleaner: “You’re not wanted any more.”
Microsoft Defender (until this May known as Windows Defender) has begun tagging the free version of Avast CCleaner as a PUA—Potentially Unwanted Application.
Microsoft has long scoffed at third-party registry cleaners as potentially causing problems. In this instance, however, the company appears to be focusing on the manner of CCleaner’s distribution as part of a multi-program software bundle as its main concern.
The free version of CCleaner is packaged with Google Chrome browser, Google Toolbar, Avast Free Antivirus and AVG Antivirus Free.
Microsoft stated that while users can decline to authorize automatic installation of the bundled programs, some users inadvertently install them anyway. Microsoft said it objects to “misleading or inaccurate claims about files, registry entries, or other items on your PC.”
Tomi Engdahl says:
Hearing for Twitter hack suspect Zoom-bombed by porn, rap music
https://thehill.com/regulation/technology/510740-hearing-for-twitter-hack-suspect-zoom-bombed-by-porn-rap-music
Unknown users “Zoom-bombed” the Wednesday bond hearing of the Florida teenager accused of hacking a number of high-profile Twitter accounts, interrupting the online hearing with pornography and rap.
Hillsborough County, Fla., Judge Christopher C. Nash was forced to pause the hearing for Graham Ivan Clark when the disruptions began, according to The Associated Press. As soon as Nash resumed the hearings, the disruptions began again.
Clark, 17, is alleged to have hacked the accounts of several politicians, celebrities and organizations, including former Vice President Joe Biden, former President Barack Obama, Amazon founder Jeff Bezos, and Tesla CEO Elon Musk, as well as Apple and Uber. Forty-five accounts were used to solicit Bitcoin payments on July 15, although the company has said up to 130 accounts were compromised.
Tomi Engdahl says:
Kinda reminds me of the old days running a PC on the floor to “intercept” DirecTV signals.
How hackers could spy on satellite internet traffic with just $300 of home TV equipment
https://www.zdnet.com/article/how-hackers-could-spy-on-satellite-internet-traffic-with-just-300-of-home-tv-equipment/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_medium=trueAnthem&utm_source=facebook
Black Hat 2020: A researcher at Oxford University has demonstrated how he could gain access to sensitive information on corporate networks by targeting traffic being transmitted by satellites.
Tomi Engdahl says:
Canon suffers ransomware attack, Maze claims responsibility
https://www.zdnet.com/google-amp/article/canon-suffers-ransomware-attack-maze-claims-responsibility/
Reports based on an internal memo suggest an external security firm has been hired to investigate.
As reported by Bleeping Computer, a six-day outage beginning July 30 on the image.canon website, a service for uploading and storing photos through Canon’s mobile applications, led to suspicions that a cyberattack may have taken place.
https://www.bleepingcomputer.com/news/security/canon-confirms-ransomware-attack-in-internal-memo/#employee
Tomi Engdahl says:
What happens when holes perfect for spyware are found in the engine room of millions of Qualcomm-based phones? Let’s find out
https://www.theregister.com/AMP/2020/08/07/qualcomm_chips_brimming_with_somewhat/?__twitter_impression=true
Start the clock on those patches – they’ll be coming any day, week, month soon
DEF CON In July, the makers of millions of smartphones powered by Qualcomm’s Snapdragon system-on-chips received mitigation recommendations to address a bevy of security flaws in their products, all introduced by Qualcomm’s technology.
Those software-level vulnerabilities, which apparently affect potentially more than 40 per cent of cellphones worldwide, were outlined this week at the now-virtual DEF CON hacking conference.
Tomi Engdahl says:
Can’t sniff it, so block it...
China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI
https://www.zdnet.com/article/china-is-now-blocking-all-encrypted-https-traffic-using-tls-1-3-and-esni/
The block was put in place at the end of July and is enforced via China’s Great Firewall.
The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using modern, interception-proof protocols and technologies.
The ban has been in place for at least a week, since the end of July
CHINA NOW BLOCKING HTTPS+TLS1.3+ESNI
Through the new GFW update, Chinese officials are only targeting HTTPS traffic that is being set up with new technologies like TLS 1.3 and ESNI (Encrypted Server Name Indication).
Other HTTPS traffic is still allowed through the Great Firewall, if it uses older versions of the same protocols — such as TLS 1.1 or 1.2, or SNI (Server Name Indication).
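To make the policy described above concrete, here is an added example (my own code, not from the article or from any GFW analysis) of the only two facts a middlebox needs from a ClientHello to apply it: whether supported_versions offers TLS 1.3, and whether the draft ESNI extension is present. The parser is bounds-checked, and a small builder constructs sample ClientHellos so the classifier can be exercised offline; the 0xFFCE code point is the one the ESNI drafts used, and the zeroed random and dummy ESNI payload are assumptions for the test records, not captured traffic.

```python
import struct

EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE   # code point used by the ESNI drafts
TLS13 = 0x0304
TLS12 = 0x0303


class _Reader:
    """Bounds-checked cursor over a byte string; every short read is a ValueError, never an IndexError."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if n < 0 or self.pos + n > len(self.buf):
            raise ValueError("truncated ClientHello")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")

    def remaining(self) -> int:
        return len(self.buf) - self.pos


def parse_client_hello(record: bytes) -> dict:
    """Return {'tls13': bool, 'sni': str | None, 'esni': bool} for one TLS record holding a ClientHello."""
    r = _Reader(record)
    if r.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    r.take(2)                                   # record-layer version; irrelevant to the policy
    hs = _Reader(r.take(r.uint(2)))
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    body = _Reader(hs.take(hs.uint(3)))
    body.take(2 + 32)                           # legacy_version, random
    body.take(body.uint(1))                     # legacy_session_id
    body.take(body.uint(2))                     # cipher_suites
    body.take(body.uint(1))                     # legacy_compression_methods
    info = {"tls13": False, "sni": None, "esni": False}
    if body.remaining() == 0:                   # hello without extensions: cannot be 1.3 or ESNI
        return info
    exts = _Reader(body.take(body.uint(2)))
    while exts.remaining() >= 4:
        ext_type = exts.uint(2)
        data = _Reader(exts.take(exts.uint(2)))
        if ext_type == EXT_SERVER_NAME:
            data.take(2)                        # server_name_list length
            if data.uint(1) == 0:               # name_type host_name
                info["sni"] = data.take(data.uint(2)).decode("ascii", "replace")
        elif ext_type == EXT_SUPPORTED_VERSIONS:
            versions = _Reader(data.take(data.uint(1)))
            while versions.remaining() >= 2:
                if versions.uint(2) == TLS13:
                    info["tls13"] = True
        elif ext_type == EXT_ENCRYPTED_SERVER_NAME:
            info["esni"] = True
    return info


def gfw_would_block(record: bytes) -> bool:
    """Model of the policy the article describes: drop TLS 1.3 ClientHellos that carry ESNI, pass the rest."""
    info = parse_client_hello(record)
    return info["tls13"] and info["esni"]


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(sni=None, esni_blob=None, versions=(TLS13, TLS12)) -> bytes:
    """Construct a minimal ClientHello record for exercising the classifier (not captured traffic)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    if esni_blob is not None:
        exts += _ext(EXT_ENCRYPTED_SERVER_NAME, esni_blob)
    vers = b"".join(struct.pack("!H", v) for v in versions)
    exts += _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!B", len(vers)) + vers)
    body = (struct.pack("!H", TLS12) + bytes(32)       # legacy_version + random (zeroed for the example)
            + b"\x00"                                  # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"        # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                              # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for label, hello in [
        ("TLS 1.3 + ESNI", build_client_hello(esni_blob=bytes(16))),
        ("TLS 1.3 + plain SNI", build_client_hello(sni="example.com")),
        ("TLS 1.2 + plain SNI", build_client_hello(sni="example.com", versions=(TLS12,))),
    ]:
        print(f"{label:22s} blocked={gfw_would_block(hello)} {parse_client_hello(hello)}")
```

Note what this classifier does not need: any cryptography. The ClientHello is plaintext in every TLS version, so as long as the client announces ESNI with a recognisable extension code point, a censor can drop the flow from the first packet. That is the gap the ESNI successor (Encrypted Client Hello) tries to close by making the encrypted hello look like an ordinary one.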
Tomi Engdahl says:
Windows 10 classifies the popular tool CCleaner an ‘unwanted application’
https://www.digitaltrends.com/computing/microsoft-defender-ccleaner-unwanted-application/
Tomi Engdahl says:
Multiple Tor security issues disclosed, more to come
A security researcher has published details about two Tor security issues and promises to release three more.
https://www.zdnet.com/article/multiple-tor-security-issues-disclosed-more-to-come/
Tomi Engdahl says:
The hackers then typically used a customized version of the penetration testing tool Cobalt Strike, …
found the hackers using repeatedly in victim networks, however, was a technique to manipulate domain controllers, the powerful servers that set the rules for access in large networks. With a custom-built program that combined code from the common hacking tools Dumpert and Mimikatz, the hackers would add a new, additional password for every user in the domain controller’s memory—the same one for each user—a trick known as skeleton key injection. With that new password the hackers would have surreptitious access to machines across the company. “It’s like a skeleton key that lets them go anywhere,” Duffy says.
https://arstechnica.com/information-technology/2020/08/chinese-hackers-have-pillaged-taiwans-semiconductor-industry/
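An added example (my own code, not from the article or from any of the tools it names) of the detection a defender can run for the skeleton key technique described above. Because the injected code patches LSASS on the domain controller, endpoint hooks are a poor place to look, and Dumpert in particular exists to evade them; the domain controller's own Kerberos telemetry is more robust. A Mimikatz-style skeleton key is accepted through the RC4-HMAC path, so accounts that normally receive AES tickets start producing successful Security event 4768 records with TicketEncryptionType 0x17; that encryption downgrade is the signal Microsoft ATA and similar products alert on. The JSON-lines export format, the field names and the sample events below are constructed for the example, and 4768 only exists if the "Audit Kerberos Authentication Service" subcategory is enabled.

```python
import json
from collections import defaultdict

RC4_HMAC = 0x17
AES_ETYPES = {0x11, 0x12}          # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96

# Constructed sample of Security event 4768 (Kerberos TGT requested) records exported from a
# domain controller as JSON lines. Not real telemetry; the 13:15 burst models post-injection use.
SAMPLE_EVENTS = """\
{"EventID":4768,"TimeCreated":"2020-08-10T08:01:00","TargetUserName":"alice","IpAddress":"10.1.1.20","TicketEncryptionType":"0x12","Status":"0x0"}
{"EventID":4768,"TimeCreated":"2020-08-10T08:02:00","TargetUserName":"bob","IpAddress":"10.1.1.21","TicketEncryptionType":"0x12","Status":"0x0"}
{"EventID":4768,"TimeCreated":"2020-08-10T08:03:00","TargetUserName":"legacyapp","IpAddress":"10.1.1.50","TicketEncryptionType":"0x17","Status":"0x0"}
{"EventID":4768,"TimeCreated":"2020-08-10T13:15:00","TargetUserName":"alice","IpAddress":"10.9.9.9","TicketEncryptionType":"0x17","Status":"0x0"}
{"EventID":4768,"TimeCreated":"2020-08-10T13:15:30","TargetUserName":"bob","IpAddress":"10.9.9.9","TicketEncryptionType":"0x17","Status":"0x0"}
{"EventID":4768,"TimeCreated":"2020-08-10T13:16:00","TargetUserName":"carol","IpAddress":"10.9.9.9","TicketEncryptionType":"0x17","Status":"0x0"}
{"EventID":4768,"TimeCreated":"2020-08-10T13:16:20","TargetUserName":"dave","IpAddress":"10.1.1.23","TicketEncryptionType":"0x17","Status":"0x18"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines events, decode the etype, and order them by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["etype"] = int(e["TicketEncryptionType"], 16)
        e["ok"] = e.get("Status", "0x0") == "0x0"      # 0x0 = ticket issued; failures carry no downgrade signal
        events.append(e)
    return sorted(events, key=lambda e: e["TimeCreated"])


def find_downgrades(events: list) -> set:
    """Accounts that obtained an AES-encrypted TGT earlier and later a successful RC4 one."""
    seen_aes, downgraded = set(), set()
    for e in events:
        if e["EventID"] != 4768 or not e["ok"]:
            continue
        user = e["TargetUserName"].lower()
        if e["etype"] in AES_ETYPES:
            seen_aes.add(user)
        elif e["etype"] == RC4_HMAC and user in seen_aes:
            downgraded.add(user)
    return downgraded


def rc4_burst_sources(events: list, min_accounts: int = 3) -> dict:
    """Client addresses that pulled successful RC4 TGTs for at least min_accounts distinct accounts."""
    by_ip = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["ok"] and e["etype"] == RC4_HMAC:
            by_ip[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: users for ip, users in by_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("downgraded accounts:", sorted(find_downgrades(evs)))
    for ip, users in rc4_burst_sources(evs).items():
        print(f"RC4 TGT burst from {ip}: {sorted(users)}")
```

The "legacyapp" account in the sample shows the main false-positive class: service accounts and old clients that have always used RC4 never trip the downgrade rule, which is why the rule keys on a change per account rather than on RC4 alone. The second rule, many distinct accounts obtaining RC4 tickets from one address, is the shape of the "go anywhere" access Duffy describes in the article.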
Tomi Engdahl says:
I’m Open Sourcing the Have I Been Pwned Code Base
https://www.troyhunt.com/im-open-sourcing-the-have-i-been-pwned-code-base/
Let me just cut straight to it: I’m going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it. Let me explain why and how.
Tomi Engdahl says:
Bugs in HDL Automation expose IoT devices to remote hijacking
https://www.bleepingcomputer.com/news/security/bugs-in-hdl-automation-expose-iot-devices-to-remote-hijacking/
A security researcher discovered vulnerabilities in an automation system for smart homes and buildings that allowed taking over accounts belonging to other users and control associated devices.
In a presentation on Saturday at the IoT Village during the DEF CON hacker conference, Barak Sternberg shows how some weak spots in the HDL automation system could have been leveraged by attackers to fully compromise it.
This additional account has the string “debug” in the username ([email protected]) and the same password defined by the user for their account.
Its purpose is to apply the settings and send the configuration for the local devices to an external HDL server so that other authorized users can download it and control the smart home.
Tomi Engdahl says:
Google Home erroneous update reveals the $450 million ADT deal
https://www.bleepingcomputer.com/news/google/google-home-erroneous-update-reveals-the-450-million-adt-deal/
“Burned something in the kitchen and the cheap $10 smoke detector went off. Then I got a notification on my phone that google heard the smoke detector going off. Pretty rad google.”
Cat’s out of the bag
It turns out, Google had accidentally rolled out an update to its Home devices which tested certain home security features, possibly related to an upcoming business deal.
A Google spokesperson told Protocol this week that the company had in fact mistakenly pushed out this feature on the users’ devices, and has since reverted the update.
The same week, however, Google has unveiled its partnership with the American home security giant, ADT.
“Google will combine its Nest devices, services, and technology with ADT’s leadership position providing security solutions for millions of homes and small businesses in the U.S. The partnership pairs more than 20,000 ADT professionals together with Nest’s portfolio of helpful home devices,” said the company in a blog post.
Tomi Engdahl says:
User consent, anyone?
A Private Equity Firm Bought Ancestry, and Its Trove of DNA, for $4.7B
Blackstone, which says it will not have access to people’s data, acquired the genealogy and home DNA testing company from a group of other investment firms.
https://www.vice.com/en_au/article/akzyq5/private-equity-firm-blackstone-bought-ancestry-dna-company-for-billions
Tomi Engdahl says:
Dwight A Spencer: Blackstone is interested in making money, not your DNA. They invested in (did not buy) some bio firms. https://www.biopharmadive.com/news/blackstone-alnylam-investment-inclisiran-heart-drug/575917/
Tomi Engdahl says:
Researchers warn of an Achilles’ heel security flaw for Android phones
Chips that allow modern phone features, such as quick charging or noise cancellation, may open the door for hackers too, researchers warn.
https://www.cnet.com/news/researchers-warn-of-an-achilles-heel-security-flaw-for-android-phones/
Tomi Engdahl says:
San Diego installed smart streetlights to save money and enable consumer apps but the police decided to use their video recordings to investigate “serious” crimes. The community has pushed back.
https://spectrum.ieee.org/view-from-the-valley/sensors/remote-sensing/cops-smart-street-lights
Tomi Engdahl says:
https://techxplore.com/news/2020-08-year-old-format-macos-hack.html
Tomi Engdahl says:
Blackstone agrees to buy Ancestry in $4.7 billion deal
https://www.statnews.com/2020/08/05/blackstone-ancestry-dna-acquisition/
Tomi Engdahl says:
Insecure satellite Internet is threatening ship and plane safety
Attacks that worked 10 years ago have only gotten worse despite growing use.
https://arstechnica.com/information-technology/2020/08/insecure-satellite-internet-is-threatening-ship-and-plane-safety/
More than a decade has passed since researchers demonstrated serious privacy and security holes in satellite-based Internet services. The weaknesses allowed attackers to snoop on and sometimes tamper with data received by millions of users thousands of miles away. You might expect that in 2020—as satellite Internet has grown more popular—providers would have fixed those shortcomings, but you’d be wrong.
In a briefing delivered on Wednesday at the Black Hat security conference online, researcher and Oxford PhD candidate James Pavur presented findings that show that satellite-based Internet is putting millions of people at risk, despite providers adopting new technologies that are supposed to be more advanced.
Over the course of several years, he has used his vantage point in mainland Europe to intercept the signals of 18 satellites beaming Internet data to people, ships, and planes in a 100 million-square-kilometer swath that stretches from the United States, Caribbean, China, and India.
While researchers such as Adam Laurie and Leonardo Nve demonstrated the insecurity of satellite Internet in 2009 and 2010, respectively, Pavur has examined the communications at scale, with the interception of more than 4 terabytes of data from the 18 satellites he tapped. He has also analyzed newer protocols, such as Generic Stream Encapsulation and complex modulations including 32-Ary Amplitude and Phase Shift Keying (APSK). At the same time, he has brought down the interception cost of those new protocols from as much as $50,000 to about $300.
Et tu, Avionics?
In past years, Pavur focused on transmissions sent to everyday users on land and large ships at sea. This year, he turned his attention to planes. With the onset of the COVID-19 pandemic causing passenger flying to plummet
But it turned out that the decrease in passenger traffic made it easier to focus on traffic sent to crew members in the cockpit.
The flight-bag data passed through the same network-address-translation router as entertainment and Internet traffic from passengers. In other words, the same physical satellite antenna and modem were delivering Internet traffic to both the flight bag and passengers. This suggests that any network segregation that may exist was performed by software rather than through physical hardware separation, which is less prone to hacking.
Session hijacking: The attacker always wins
The use of satellite-based Internet to receive the navigational data puts the crew and passengers at risk of an attack Pavur developed that allows an attacker to impersonate the aircraft with which the ground station is communicating. The hack uses TCP session hijacking, a technique in which the attacker sends the ISP the metadata customers use to authenticate themselves.
Because users’ traffic is bounced off a satellite 30,000 kilometers above Earth—a route that typically results in signal latency of about 700 milliseconds—and the attacker’s data isn’t, the attacker will always beat customers in reaching the ISP.
The session hijacking can be used to cause planes or ships to report incorrect locations or fuel levels, false readings for heating, ventilation, and air conditioning systems, or transmit other sensitive data that’s falsified. It can also be used to create denials of service that prevent the vessel from receiving data that’s crucial to safe operations.
A problem in search of a solution
The common reaction Pavur gets after he shares his findings is that satellite-based Internet users should simply use a VPN to prevent attackers from reading or tampering with any data sent. Unfortunately, he said, the handshakes required for each endpoint to authenticate itself to the other results in a slow-down of about 90 percent. The overhead increases the already-large 700 millisecond latency to a wait that renders satellite Internet almost completely unusable.
Out of 100 ships Pavur pseudo-randomly looked at, he was able to deanonymize about 10 and tie them to specific vessels
The interception of unencrypted navigational charts, equipment failures in the open sea, and the use of vulnerability-riddled Windows 2003 servers also puts users at considerable risk. Combined with the use of insecure channels such as FTP, an attacker might be able to tamper with maritime data to hide a sandbar or use the data to plan physical intrusions.
the crux of the problem is the result of industrywide protocols that are insecure.
“The goal of my research is to bring out these unique dynamics that the physical properties of space create for cybersecurity, and it’s an area that’s been underexplored,” he said. “A lot of people think that satellites are just normal computers that are a little bit further away, but there’s a lot that’s different about satellites. If we highlight those differences, we can better build security to protect the systems.”
Tomi Engdahl says:
Voting Machine Makers Are Finally Playing Nice With Hackers
After years of secrecy, one major election tech company is giving more hackers a look under the hood.
https://www.wired.com/story/voting-machine-makers-hackers-ess/
Tomi Engdahl says:
U.S. travel management firm CWT paid $4.5 million this week to hackers who stole reams of sensitive corporate files and said they had knocked 30,000 computers offline, according to a record of the ransom negotiations seen by Reuters.
https://www.reuters.com/article/us-cyber-cwt-ransom/payment-sent-travel-giant-cwt-pays-4-5-million-ransom-to-cyber-criminals-idUSKCN24W25W
Tomi Engdahl says:
TikTok: Logs, Logs, Logs
https://medium.com/@fs0c131y/tiktok-logs-logs-logs-e93e8162647a
We are in 2020 and the US president is about to ban TikTok, a video-sharing social network mobile app, because “it poses a risk to US national security”. At the same time, Microsoft started discussions on a potential TikTok purchase in the United States. TikTok has received a lot of media coverage lately, but how much of it is factual? This is what I will try to answer in this series of articles.
Tomi Engdahl says:
ONE TWEET TRIED TO IDENTIFY A COP — THEN FIVE PEOPLE WERE CHARGED WITH FELONY HARASSMENT
Is retweeting an officer’s photo cyber harassment?
https://www.theverge.com/2020/8/6/21355999/twitter-cyber-harassment-felony-charges-police-protests-retweet
A New Jersey police department is pursuing cyber harassment charges against five people in connection with a protest photo uploaded to Twitter in June. Complaints were served against the original tweeter and four other people who retweeted the message, alleging that they caused the officer to fear for the safety of his family.
It’s an unprecedented use of anti-harassment laws, coming amid a nationwide law enforcement backlash against anti-police brutality activism. If successful, the charges would add significant new risks to political activity on social media, a key element in the ongoing protest movements.
The now-deleted message included a photo of a masked on-duty police officer with a request that “If anyone knows who this bitch is throw his info under this tweet.” Because of the mask, the officer is not readily identifiable from the photograph, and there do not appear to be any replies revealing his identity.
The original poster and the retweeters are charged with cyber harassment, a fourth-degree felony punishable by up to 18 months in jail.
alleges that the photo and accompanying caption threatened the officer “acting in the performance of his duties, causing Detective Sandomenico to fear that harm will come to himself, family, and property.”
At the time Sziszak posted her fundraiser, the post had no replies and five retweets. It’s unclear how the department discovered its existence. However, some departments use automated social media surveillance tools to track all the tweets sent from a particular location. Had such a tool been used to surveil the Nutley protests, it would likely have surfaced the Sandomenico tweet.
The campaign description says Alfaro was upset by officers who were “very friendly” with counter-protesters and covered their badges, a practice that some officers across the country have adopted to dodge complaints from protesters. “In an attempt to identify a specific police officer who was befriending someone harassing me, I uploaded a photo.”
The department’s legal argument against the five Twitter users is murky. A 2014 New Jersey law bans online harassment when it threatens someone with physical harm or crimes against their property, or when it involves sending “lewd, indecent, or obscene” material — it’s more typically applied in cases involving persistent harassment campaigns and cyberstalking. The First Amendment also protects the right to photograph on-duty police officers.
Tomi Engdahl says:
Snapdragon chip flaws put >1 billion Android phones at risk of data theft
There’s no word on when Google and phone makers will incorporate fix from Qualcomm.
https://arstechnica.com/information-technology/2020/08/snapdragon-chip-flaws-put-1-billion-android-phones-at-risk-of-data-theft/
Tomi Engdahl says:
https://www.bleepingcomputer.com/news/security/canon-confirms-ransomware-attack-in-internal-memo/
Tomi Engdahl says:
Twitter says Android security bug gave access to direct messages
https://techcrunch.com/2020/08/05/twitter-android-bug-direct-messages/
Twitter says a security bug may have exposed the private direct messages of its Android app users, but said that there was no evidence that the vulnerability was ever exploited.
Tomi Engdahl says:
The State of Civil Aviation Cybersecurity
https://www.tripwire.com/state-of-security/security-data-protection/civil-aviation-cybersecurity/
Tomi Engdahl says:
Russian hackers stole trade papers from Liam Fox email
https://www.bbc.com/news/uk-politics-53642923
Documents on UK-US trade talks, leaked ahead of the 2019 general election, were stolen from an email account belonging to Conservative MP Liam Fox, it has emerged.
The papers were published online and used by Labour in the 2019 campaign to claim the NHS would be put at risk.
The UK government has said Russians almost certainly sought to interfere in the election through the documents.
Reuters, which first reported the story, said hackers accessed Mr Fox’s account multiple times between 12 July and 21 October last year.
He told the BBC they had sought to “spread online, illegally obtained, leaked government documents” around the UK-US trade negotiations for after the country leaves the EU.
Tomi Engdahl says:
Android warning: 400 vulnerabilities discovered that could let hackers spy on you
https://www.mirror.co.uk/tech/android-warning-400-vulnerabilities-discovered-22495236
Researchers from Check Point have discovered 400 vulnerabilities in Qualcomm’s Snapdragon Digital Signal Processor (DSP) chip – a chip used in over 40% of the world’s phones
Tomi Engdahl says:
Industry binning old aircraft is an opportunity for aviation infosec.
Boeing 747-400s still use floppy disks for loading critical navigation databases, Pen Test Partners has revealed to the infosec community after poking about one of the recently abandoned aircraft.
The eye-catching factoid emerged during a DEF CON video interview of PTP’s Alex Lomas, where the man himself gave a walkthrough of a 747-400, its avionics bay and the flight deck.
Although airliners are not normally available to curious infosec researchers, a certain UK-based Big Airline’s decision to scrap its B744 fleet gave Pen Test Partners a unique opportunity to get aboard one and have a poke about before the scrap merchants set about their grim task.
“Aircraft themselves are really expensive beasts, you know,” said Lomas as he filmed inside the big Boeing. “Even if you had all the will in the world, airlines and manufacturers won’t just let you pentest an aircraft because [they] don’t know what state you’re going to leave it in.”
Pen Test Partners: Boeing 747s receive critical software updates over 3.5″ floppy disks
https://www.theregister.com/2020/08/10/boeing_747_floppy_drive_updates_walkthrough/
Tomi Engdahl says:
TeamViewer Flaw Could Let Hackers Steal System Password Remotely
https://thehackernews.com/2020/08/teamviewer-password-hacking.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29&utm_content=FaceBook&m=1
If you are using TeamViewer, then beware and make sure you’re running the latest version of the popular remote desktop connection software for Windows.
TeamViewer team recently released a new version of its software that includes a patch for a severe vulnerability (CVE-2020-13699), which, if exploited, could let remote attackers steal your system password and eventually compromise it.
What’s more worrisome is that the attack can be executed almost automatically without requiring much interaction of the victims and just by convincing them to visit a malicious web page once.
Tomi Engdahl says:
GRUB2 Arbitrary Code Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-grub2-code-exec-xLePCAPY?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=GRUB2%20Arbitrary%20Code%20Execution%20Vulnerability&vs_k=1
Tomi Engdahl says:
Brit bank Barclays probed amid claims bosses used high-tech to spy on staff, measure productivity
https://www.theregister.com/2020/08/10/barclays_employee_monitoring/
Now that’s a stretch: ‘Work Yoga’ memo tells folks to ignore calls, emails to ‘stay in the zone’
The British offices of Barclays Bank are under investigation over allegations that managers spied upon their own staff as part of a workplace productivity improvement drive.
Last week an employee received a “work yoga” assessment on their daily performance informing them they had spent “not enough time in the Zone yesterday,” the City paper reports. The report recommended: “Tips: mute the phone, disable email/chat pop-ups, avoid breaks for 20+ minutes, 2–3 times a day.”
“People expect that they can keep their personal lives private and that they are also entitled to a degree of privacy in the workplace.
Tomi Engdahl says:
Barclays Bank appeared to be using the Wayback Machine as a ‘CDN’ for some JavaScript
Tight-lipped bank has fixed the weirdness – but not said why it happened
https://www.theregister.com/2020/07/03/barclays_bank_javascript_wayback_machine/
Barclays Bank appears to have been using no less than the Internet Archive’s Wayback Machine as a “content distribution network” to serve up a Javascript file.
If web.archive.org went down, it would presumably break Barclays’ website as well. Worse, if someone managed to change the JS file at that URL, they could inject … well, whatever they liked.
JS is a favourite attack vector of, among other things, the Magecart financial creds-stealing gang.
Professor Alan Woodward of the University of Surrey told The Register: “It’s just the sort of thing that a Magecart attack would thrive on. At the end of the day, it is the organisation who integrates all of these assets, including those drawn in from other sites, to ensure that they have a secure site, and that can only ever be true if you know what your site comprises.”
Also, there’s no SRI, so if the Internet Archive want to serve up a keylogger, cryptojacking JS, hostile redirect, rewrite the DOM or insert a credit card skimmer à la Magecart, it’s all fair game.
The practice is not unheard of, though as some have pointed out, it is a very bad idea and the nonprofit is not set up to support it.
Jake Moore of infosec biz Eset mused that it may have been a test of some kind gone badly wrong, adding: “Although no excuse, it is yet another reminder why testing is a full and thorough process especially when dealing with a financial institution.”
Mark Graham, director of the Internet Archive’s Wayback Machine, has been in touch to say:
The mission of the Wayback Machine is to help make the Web more useful and reliable.
We are often surprised by all the creative ways people use the Wayback Machine to help advance that mission. Especially journalists, students, researchers, academics, fact checkers, activists and the general public. But usually not banks.
Clearly someone at Barclays made a mistake (who among us has not done that!). If this incident helps more people learn about the free services the Wayback Machine has to offer it will have been of benefit. Onward!
Tomi Engdahl says:
A walkthrough of a Boeing 747-400 jumbo jet from a hacker.
https://www.theregister.com/2020/08/10/boeing_747_floppy_drive_updates_walkthrough/
Tomi Engdahl says:
Twitter Spear Phishing Attack Highlights Security Weaknesses Of Social Media
https://www.forbes.com/sites/petersuciu/2020/08/01/twitter-spear-phishing-attack-highlights-security-weaknesses-of-social-media/
Tomi Engdahl says:
WastedLocker ransomware abuses Windows feature to evade detection
https://www.bleepingcomputer.com/news/security/wastedlocker-ransomware-abuses-windows-feature-to-evade-detection/