Cyber security news August 2022

This posting is here to collect cyber security news in August 2022.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.

543 Comments

  1. Tomi Engdahl says:

    Deepfake yleistyy – pian emme enää väittele siitä, mitä videolla sanottiin
    https://etn.fi/index.php/13-news/13901-deepfake-yleistyy-pian-emme-enaeae-vaeittele-siitae-mitae-videolla-sanottiin

    Suomi kohisee tällä hetkellä siitä, mitä pääministeri on tehnyt vapaa-ajallaan. Analyyseissä on keskitytty jopa videon äänen spektrianalyysiin. Pian tälle analyysille ei ole tarvetta. Deepfake-videoiden tuotanto on kovassa kasvussa.

    Muun muassa tämä käy ilmi VMwaren Black Hat -messuilla julkistamasta Global Incident Response Threat -tutkimuksesta. Raportti sukeltaa syvälle tietoturvatiimien kohtaamiin haasteisiin, kuten pandemian aiheuttamiin häiriöihin ja työuupumukseen geopoliittisten kyberhyökkäysten keskellä.

    Raportin tulosten mukaan 65 prosenttia tietoturvatiimeistä sanoo, että kyberhyökkäykset ovat lisääntyneet sen jälkeen, kun Venäjä hyökkäsi Ukrainaan. Tämä on tietenkin lisännyt tiimien työtaakka ja stressiä. 47 prosenttia hyökkäyksiin vastanneista kertoi kokeneensa työuupumusta tai äärimmäistä stressiä viimeisen 12 kuukauden aikana. 69 prosenttia vastaajista on harkinnut alanvaihtoa. Yli kaksi kolmasosaa vastaajista ilmoitti, että heidän työpaikallaan on otettu käyttöön hyvinvointiohjelmia uupumuksen torjumiseksi.

    Raportissa nimetään järjestelmien väliset rajapinnat uudeksi suosituksi hyökkäyskohteeksi. Työkuormien ja sovellusten lisääntyessä 23 prosenttia hyökkäyksistä vaarantaa API-suojauksen. API-hyökkäysten yleisimpiä tyyppejä ovat tietojen paljastaminen (42 % vastaajista viime vuonna), SQL- ja API-injektiohyökkäykset (37 % ja 34 %, vastaavasti) ja hajautetut palvelunestohyökkäykset (33 %).

    Reply
  2. Tomi Engdahl says:

    SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences
    https://www.securityweek.com/sap-vulnerability-exploited-attacks-after-details-disclosed-hacker-conferences

    The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences.

    CISA added seven vulnerabilities to its catalog on Thursday and instructed federal agencies to address them by September 8. For several of the newly added security holes, there do not appear to be any public reports describing exploitation in the wild, but the cybersecurity agency clarified in the past that it only adds CVEs to its catalog if it has reliable information about malicious exploitation.

    Reply
  3. Tomi Engdahl says:

    Really?!

    https://news.sky.com/story/microsoft-reveals-janet-jackson-song-had-the-power-to-crash-laptops-even-if-it-wasnt-playing-on-them-12676525 Microsoft reveals Janet Jackson song had the power to crash laptops – even if it wasn’t playing on them

    Reply
  4. Tomi Engdahl says:

    Donot Team APT has updated its Windows #malware toolkit with improved capabilities, including a revamped stealer module to steal data from #Chrome and Firefox browsers.

    https://thehackernews.com/2022/08/donot-team-hackers-updated-its-malware.html?m=1

    Reply
  5. Tomi Engdahl says:

    Don’t let Janet Jackson’s ‘Rhythm Nation’ crash your old laptop
    Here’s how and why this ’80s hit song has this effect on older tech.
    https://www.zdnet.com/article/dont-let-janet-jacksons-rhythm-nation-crash-your-old-laptop/

    Reply
  6. Tomi Engdahl says:

    Marin tiesi videoiden menevän someen – asian­tuntija hämmästelee pääministerin riskin­ottoa https://www.is.fi/kotimaa/art-2000009018111.html

    Reply
  7. Tomi Engdahl says:

    Reuters:
    NSO Group CEO is stepping down as the company restructures to focus on NATO countries; source: NSO is also cutting 100 posts out of its 750-strong workforce — Israeli spyware firm NSO Group said on Sunday its Chief Executive Shalev Hulio is stepping down with immediate effect …

    Israeli spyware company NSO Group CEO steps down
    https://www.reuters.com/technology/israeli-spyware-company-nso-group-announces-new-ceo-2022-08-21/

    Reply
  8. Tomi Engdahl says:

    Karmiva löytö TikTok-sovelluksesta: “Poista se viimeistään nyt”
    https://www.is.fi/digitoday/mobiili/art-2000009014304.html
    KIINALAINEN videosovellus TikTok tekee asioita, joista käyttäjämassat eivät ole lainkaan tietoisia. Entinen Googlen insinööri ja tietoturvatutkija Felix Krause julkaisi havaintonsa ja se on huolestuttavaa luettavaa. Taustalla on TikTokin oma selain, joka vastaa kaikkien sovelluksessa klikattavien linkkien avaamisesta.
    Käyttäjän vieraillessa ulkopuolisella verkkosivulla TikTok pystyy keräämään muun muassa salasanat ja luottokorttitiedot ja näkemään, mitä nappeja ja muita linkkejä näpäyttelet, Krause kirjoittaa.
    Toimiakseen näin sovellus syöttää omaa koodiaan ulkopuolisille verkkosivuille. Tutkija kuitenkin huomauttaa, että tämä yksinään ei tarkoita, että sovellus tekee jotain pahaa. Ei ole kuitenkaan mitään keinoa tietää, millaista tietoa kukin sovellus kerää tai miten näitä tietoja käytetään. Alkup.
    https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser

    Reply
  9. Tomi Engdahl says:

    Google torjui ennätyksellisen hyökkäyksen kuin Wikipedian päivän liikenne 10 sekunnissa https://www.tivi.fi/uutiset/tv/b701862c-005b-4800-a447-d8487153c60b
    Google on kertonut torjuneensa valtavan palvelunestohyökkäyksen, joka oli yhtiön mukaan historian voimakkain raportoitu palvelunestohyökkäys. Googlen pilvipalveluun kohdistunut https-hyökkäys oli voimakkuudeltaan ennätykselliset 46 miljoonaa palvelupyyntöä sekunnissa. 1. kesäkuuta tapahtunut hyökkäys oli peräti
    80 prosenttia voimakkaampi kuin aiempi ennätyshyökkäys, joka sekin tapahtui kesäkuussa. Tuolloin Cloudflare kertoi torjuneensa hyökkäyksen, jonka voimakkuus oli 26 miljoonaa palvelupyyntöä sekunnissa.

    Reply
  10. Tomi Engdahl says:

    Hyundain tietoturva murtui Google-haulla
    https://www.tivi.fi/uutiset/tv/899c5283-98b1-4899-af18-6e923df69816
    Yhdysvaltain Minnesotassa asuva ohjelmistokehittäjä Daniel Feldman onnistui päivittämään Hyundai-merkkisen autonsa kojelaudan viihdejärjestelmän omalla ohjelmistollaan, kun korealaisvalmistajan suojaukset osoittautuivat poskettoman heppoisiksi. Aiheesta uutisoi The Register. Alkup.
    https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/

    Reply
  11. Tomi Engdahl says:

    LockBit claims ransomware attack on security giant Entrust https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-security-giant-entrust/
    The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust. Last month, BleepingComputer broke the story that Entrust suffered a ransomware attack on June 18th, 2022.

    Reply
  12. Tomi Engdahl says:

    Grandoreiro banking malware targets manufacturers in Spain, Mexico https://www.bleepingcomputer.com/news/security/grandoreiro-banking-malware-targets-manufacturers-in-spain-mexico/
    The notorious ‘Grandoreiro’ banking trojan was spotted in recent attacks targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico. The malware has been active in the wild since at least 2017 and remains one of the most significant threats of its kind for Spanish-speaking users. The recent campaign, spotted by analysts at Zscaler, started in June 2022 and is still ongoing. It involves the deployment of a Grandoreiro malware variant featuring several new features to evade detection and anti-analysis, as well as a revamped C2 system.

    Reply
  13. Tomi Engdahl says:

    AirTag leads to arrest of airline worker accused of stealing at least $15, 000 worth of items from luggage
    https://www.nbcnews.com/news/us-news/airtag-leads-arrest-airline-worker-accused-stealing-least-15000-items-rcna43547
    An Apple AirTag led to the arrest of an airline subcontractor accused of stealing thousands of dollars’ worth of items from luggage at a Florida airport.

    Reply
  14. Tomi Engdahl says:

    Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/
    Hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrency from customers. When customers would deposit or purchase cryptocurrency via the ATM, the funds would instead be siphoned off by the hackers. According to a General Bytes security advisory published on August 18th, the attacks were conducted using a zero-day vulnerability in the company’s Crypto Application Server (CAS). “The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user, ” reads the General Bytes advisory. “This vulnerability has been present in CAS software since version 20201208.”

    Reply
  15. Tomi Engdahl says:

    WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware https://www.bleepingcomputer.com/news/security/wordpress-sites-hacked-with-fake-cloudflare-ddos-alerts-pushing-malware/
    WordPress sites are being hacked to display fake Cloudflare DDoS protection pages to distribute malware that installs the NetSupport RAT and the RaccoonStealer password-stealing Trojan. As detailed in a report by Sucuri, threat actors are hacking poorly protected WordPress sites to add a heavily obfuscated JavaScript payload that displays a fake Cloudflare protection DDoS screen. This screen, shown below, requests that the visitor clicks on a button to bypass the DDoS protection screen. However, clicking on the button will download a ‘security_install.iso’ file to the computer, which pretends to be a tool required to bypass the DDoS verification.

    Reply
  16. Tomi Engdahl says:

    A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal.
    https://news.yahoo.com/dad-took-photos-naked-toddler-142928196.html

    Mark noticed something amiss with his toddler. His son’s penis looked swollen and was hurting him. Mark, a stay-at-home dad in San Francisco, grabbed his Android smartphone and took photos to document the problem so he could track its progression.

    It was a Friday night in February 2021. His wife called an advice nurse at their health care provider to schedule an emergency consultation for the next morning, by video because it was a Saturday and there was a pandemic going on. The nurse said to send photos so the doctor could review them in advance.

    Mark’s wife grabbed her husband’s phone and texted a few high-quality close-ups of their son’s groin area to her iPhone so she could upload them to the health care provider’s messaging system.

    With help from the photos, the doctor diagnosed the issue and prescribed antibiotics, which quickly cleared it up. But the episode left Mark with a much larger problem, one that would cost him more than a decade of contacts, emails and photos, and make him the target of a police investigation.

    Because technology companies routinely capture so much data, they have been pressured to act as sentinels, examining what passes through their servers to detect and prevent criminal behavior. Child advocates say the companies’ cooperation is essential to combat the rampant online spread of sexual abuse imagery. But it can entail peering into private archives, such as digital photo albums — an intrusion users may not expect — that has cast innocent behavior in a sinister light in at least two cases The New York Times has unearthed.

    Jon Callas, a technologist at the Electronic Frontier Foundation, a digital civil liberties organization, called the cases canaries “in this particular coal mine.”

    “There could be tens, hundreds, thousands more of these,” he said.

    Given the toxic nature of the accusations, Callas speculated that most people wrongfully flagged would not publicize what had happened.

    “I knew that these companies were watching and that privacy is not what we would hope it to be,” Mark said. “But I haven’t done anything wrong.”

    Police agreed. Google did not.

    Not only did he lose emails, contact information for friends and former colleagues, and documentation of his son’s first years of life, his Google Fi account shut down, meaning he had to get a new phone number with another carrier. Without access to his old phone number and email address, he couldn’t get the security codes he needed to sign in to other internet accounts, locking him out of much of his digital life.

    “The more eggs you have in one basket, the more likely the basket is to break,” he said.

    In a statement, Google said, “Child sexual abuse material is abhorrent, and we’re committed to preventing the spread of it on our platforms.”

    A few days after Mark filed the appeal, Google responded that it would not reinstate the account, with no further explanation.

    Mark didn’t know it, but Google’s review team had also flagged a video he made and the San Francisco Police Department had already started to investigate him.

    “It was a headache,” Cassio said.

    Images of children being exploited or sexually abused are flagged by technology giants millions of times each year. In 2021, Google alone filed more than 600,000 reports of child abuse material and disabled the accounts of more than 270,000 users as a result. Mark’s and Cassio’s experiences were drops in a big bucket.

    Callas of the Electronic Frontier Foundation called the scanning intrusive, saying a family photo album on someone’s personal device should be a “private sphere.” (A Google spokesperson said the company scans only when an “affirmative action” is taken by a user; that includes when the user’s phone backs up photos to the company’s cloud.)

    “This is precisely the nightmare that we are all concerned about,” Callas said. “They’re going to scan my family album, and then I’m going to get into trouble.”

    A human content moderator for Google would have reviewed the photos after they were flagged by AI to confirm they met the federal definition of child sexual abuse material. When Google makes such a discovery, it locks the user’s account, searches for other exploitative material and, as required by federal law, makes a report to the CyberTipline at the National Center for Missing and Exploited Children.

    The nonprofit organization has become the clearinghouse for abuse material; it received 29.3 million reports last year, or about 80,000 reports a day.

    CyberTipline staff members add any new abusive images to the hashed database that is shared with technology companies for scanning purposes. When Mark’s wife learned this, she deleted the photos Mark had taken of their son from her iPhone, for fear Apple might flag her account. Apple announced plans last year to scan the iCloud for known sexually abusive depictions of children, but the rollout was delayed indefinitely after resistance from privacy groups.

    ‘No Crime Occurred’

    In December, Mark received a manila envelope in the mail from the San Francisco Police Department. It contained a letter informing him that he had been investigated as well as copies of the search warrants served on Google and his internet service provider. An investigator, whose contact information was provided, had asked for everything in Mark’s Google account: his internet searches, his location history, his messages and any document, photo and video he’d stored with the company.

    Mark called the investigator, Nicholas Hillard, who said the case was closed.

    “I determined that the incident did not meet the elements of a crime and that no crime occurred,” Hillard wrote in his report. Police had access to all the information Google had on Mark and decided it did not constitute child abuse or exploitation.

    Mark asked if Hillard could tell Google that he was innocent so he could get his account back.

    “You have to talk to Google,” Hillard said, according to Mark. “There’s nothing I can do.”

    Mark appealed his case to Google again, providing the police report, but to no avail. After getting a notice two months ago that his account was being permanently deleted, Mark spoke with a lawyer about suing Google and how much it might cost.

    “I decided it was probably not worth $7,000,” he said.

    Kate Klonick, a law professor at St. John’s University in New York who has written about online content moderation, said it can be challenging to “account for things that are invisible in a photo, like the behavior of the people sharing an image or the intentions of the person taking it.” False positives, when people are erroneously flagged, are inevitable given the billions of images being scanned. While most people would probably consider that trade-off worthwhile, given the benefit of identifying abused children, Klonick said companies need a “robust process” for clearing and reinstating innocent people who are mistakenly flagged.

    It could have been worse, she said, with a parent potentially losing custody of a child. “You could imagine how this might escalate,” Klonick said.

    Reply
  17. Tomi Engdahl says:

    Varo härskiä Instagram-huijausta! Suomalaisia vedätetään nyt JBL-kaiuttimen voittamisella
    https://www.iltalehti.fi/tietoturva/a/1589d76e-c62a-4531-a7ab-7736a17fb363
    Suomalaiset on alettu viime päivinä merkitä kuviin, joissa väitetään, että he ovat voittaneet JBL:n kaiuttimen. Merkinnän on tehnyt valetili. “Jos sinut on merkitty, olet voittanut JBL:n kannettavan kaiuttimen”, kuvassa sanotaan. Kuvasta merkitty henkilö halutaan saada siirtymään toiselle tilille, jonka nimenä on käytetty esimerkiksi “jbl.finland” tai “audio.jbl”. Tilejä on ollut kymmenittäin ja niitä on perustettu sitä mukaa uusia, kun vanhoja on poistettu, luultavasti ihmisten tekemien ilmoitusten takia. Valetileillä käytetään JBL:n oikeaa logoa ja oikeita mainoskuvia. Tilin kuvauksessa on linkki sivustolle, jonne henkilö yritetään houkutella. Tätä linkkiä ei kannata avata, sillä kyseessä on tietojenkalastelusivusto.

    Reply
  18. Tomi Engdahl says:

    Tietoturvapäivitys pani potilastietojärjestelmät solmuun palvelimet kaatuivat https://www.tivi.fi/uutiset/tv/7cada9e2-7579-4a91-873f-18baf5b7a1dd
    Turun yliopistollisen keskussairaalan (Tyks) oli viime viikon torstaina it-ongelmia, jotka vaikuttivat useiden potilastietojärjestelmien toimivuuteen. Tyks tiedotti Twitterissä, että häiriö oli 2M-IT:n konesalissa. Myöhemmin selvisi, että vika johtui tietoturvapäivityksestä it-ympäristössä. Päivityksen takia useita kymmeniä palvelimia kaatui. Potilastietojärjestelmiin häiriö vaikutti reilun tunnin ajan. Turun Sanomien mukaan ongelma haittasi muun muassa laboratorionäytteiden vastaanottamista.

    Reply
  19. Tomi Engdahl says:

    Software developer cracks Hyundai car security with Google search https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/
    A developer says it was possible to run their own software on the car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples. Luck held out, in a way.
    “Greenluigi1″ found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like “RSA Encryption & Decryption Example with OpenSSL in C.”. That tutorial and other projects implementing OpenSSL include within their source code that public key and the corresponding RSA private key. This means Hyundai used a public-private key pair from a tutorial, and placed the public key in its code, allowing “greenluigi1″ to track down the private key. Thus he was able to sign Hyundai’s files and have them accepted by the updater.

    Reply
  20. Tomi Engdahl says:

    Greek natural gas operator suffers ransomware-related data breach https://www.bleepingcomputer.com/news/security/greek-natural-gas-operator-suffers-ransomware-related-data-breach/
    Greece’s largest natural gas distributor DESFA confirmed on Saturday that they suffered a limited scope data breach and IT system outage following a cyberattack. In a public statement shared with local news outlets on Saturday, DESFA explained that hackers attempted to infiltrate its network but were thwarted by the quick response of its IT team. However, some files and data were accessed and possibly “leaked, ” so there was a network intrusion, even if limited.

    Reply
  21. Tomi Engdahl says:

    Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts https://thehackernews.com/2022/08/researchers-find-counterfeit-phones.html
    Budget Android device models that are counterfeit versions associated with popular smartphone brands are harboring multiple trojans designed to target WhatsApp and WhatsApp Business messaging apps. The trojans, which Doctor Web first came across in July 2022, were discovered in the system partition of at least four different smartphones: P48pro, radmi note 8, Note30u, and Mate40

    Reply
  22. Tomi Engdahl says:

    Microsoft Shares Details on Critical ChromeOS Vulnerability
    https://www.securityweek.com/microsoft-shares-details-critical-chromeos-vulnerability

    Microsoft on Friday published technical details on a critical ChromeOS vulnerability that could be exploited for denial-of-service (DoS) attacks and – in limited cases – for remote code execution.

    Tracked as CVE-2022-2587 (CVSS score of 9.8) and described as an out-of-bounds write, the vulnerability was addressed with the release of a patch in June.

    The issue was identified in the CRAS (ChromiumOS Audio Server) component, and could be triggered using malformed metadata associated with songs.

    CRAS resides between the operating system and ALSA (Advanced Linux Sound Architecture) to route audio to newly attached peripherals that support audio.

    Microsoft’s security researchers discovered that the server contained a function that did not check a user-supplied ‘identity’ argument, thus leading to a heap-based buffer overflow – a type of bug often exploited to achieve remote code execution.

    https://chromereleases.googleblog.com/2022/06/stable-channel-update-for-chromeos.html

    Reply
  23. Tomi Engdahl says:

    New Open Source Tool Shows Code Injected Into Websites by In-App Browsers
    https://www.securityweek.com/new-open-source-tool-shows-code-injected-websites-app-browsers

    A researcher has conducted an analysis to see how major companies could track user activity through their mobile in-app browsers, and released a free and open source tool that allows anyone to check what code is being injected by such browsers.

    Some mobile applications use built-in browsers to allow users to quickly access third-party websites. Other apps include a browser to load their own resources, which may be needed to perform various activities. However, these internal browsers could also pose security and privacy risks.

    Researcher Felix Krause published a blog post earlier this month claiming that the iOS apps of Instagram and Facebook could monitor everything a user does on an external website opened through the application’s internal browser. This claim was based on the JavaScript code the applications inject into the website displayed by the in-app browser.

    Later tests showed that TikTok also injects JavaScript code that modifies the content of the third-party websites opened through the social media app. TikTok appears to monitor all keyboard inputs and screen taps, potentially allowing the company to collect passwords and other sensitive information entered via the built-in browser.

    https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser

    Reply
  24. Tomi Engdahl says:

    Fake DDoS Protection Prompts on Hacked WordPress Sites Deliver RATs
    https://www.securityweek.com/fake-ddos-protection-prompts-hacked-wordpress-sites-deliver-rats

    Website security firm Sucuri is warning of an increase in fake distributed denial-of-service (DDoS) protection notifications that lead to the delivery of malware.

    DDoS protection notifications are web pages that the browser serves to users when checks are performed to verify that the visitor is indeed a human and not a bot or part of a DDoS attack.

    These notifications may seem like a nuisance, but they were meant to be nothing more than checks before the user accesses the desired web page, and are necessary to ensure malicious traffic is stopped before reaching its targets.

    Recently, Sucuri’s researchers discovered a surge in JavaScript injections targeting WordPress websites to deliver fake Cloudflare DDoS protection prompts to visitors.

    Once the user clicks on the fake popup, a remote access trojan (RAT) is downloaded on their computer, in the form of an ISO file. Furthermore, the victim is instructed to open the file to obtain a verification code in order to access the destination website.

    The ISO file was observed dropping the NetSupport RAT, along with the RaccoonStealer information stealer, and two additional payloads.

    “This is NetSupport RAT. It has been linked to FakeUpdates/SocGholish and typically used to check victims before ransomware rollout. The ISO file contains a shortcut disguised as an executable that runs PowerShell from another text file,” Malwarebytes researcher Jerome Segura said.

    https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html

    Reply
  25. Tomi Engdahl says:

    Novant Health Says Malformed Tracking Pixel Exposed Health Data to Meta
    https://www.securityweek.com/novant-health-says-malformed-tracking-pixel-exposed-health-data-meta

    Healthcare services provider Novant Health has sent notifications to more than 1.3 million individuals that their protected health information (PHI) might have been inadvertently exposed to Facebook parent company Meta.

    Novant Health, which operates a network of hospitals, clinics, and medical facilities, says that the potential data breach was the result of an incorrectly configured tracking pixel that Meta had placed on its website.

    Reply
  26. Tomi Engdahl says:

    Google Blocks Record-Setting DDoS Attack That Peaked at 46 Million RPS
    https://www.securityweek.com/google-blocks-record-setting-ddos-attack-peaked-46-million-rps

    In June 2022, Google mitigated a Layer 7 distributed denial-of-service (DDoS) attack that peaked at 46 million requests per second (RPS).

    Disclosed this week, this is the third HTTPS attack this year to reach tens of millions of RPS, after two lower-volume assaults were mitigated by Cloudflare.

    The first of them peaked at 15.3 million RPS, Cloudflare announced in April, while the second reached 26 million RPS, the web security company announced in June.

    What makes these assaults stand out from the crowd is the use of encrypted requests (HTTPS), meaning that they need significantly higher computational resources compared to typical DDoS attacks.

    Reply
  27. Tomi Engdahl says:

    Ring Camera Recordings Exposed Due to Vulnerability in Android App
    https://www.securityweek.com/ring-camera-recordings-exposed-due-vulnerability-android-app

    A vulnerability patched recently by Amazon in the Android app for its Ring surveillance cameras exposed user data and video recordings, according to cybersecurity firm Checkmarx, whose researchers identified the flaw.

    Checkmarx researchers discovered earlier this year that the official Ring Android app, which has been installed more than 10 million times from Google Play, was affected by several issues that could be chained to obtain information such as name, email address, phone number, physical address, geolocation data, and camera recordings.

    The attack relies on a malicious application installed on the same Android device as the Ring camera app. Exploitation involves loading content from a malicious web page, exfiltrating an authorization token to the attacker’s server, and using the token to obtain a cookie needed to call Ring APIs. These APIs could then be abused to obtain sensitive user data and recordings.

    Checkmarx made the technical details of the attack public on Thursday, along with a video describing its potential impact.

    https://checkmarx.com/blog/amazon-quickly-fixed-a-vulnerability-in-ring-android-app-that-could-expose-users-camera-recordings/

    Reply
  28. Tomi Engdahl says:

    FBI Warns of Proxies and Configurations Used in Credential Stuffing Attacks
    https://www.securityweek.com/fbi-warns-proxies-and-configurations-used-credential-stuffing-attacks

    The Federal Bureau of Investigation (FBI) has raised an alarm for cybercriminals using proxies and configurations to hide and automate credential stuffing attacks against companies in the United States.

    Creedential stuffing attacks, also called account cracking, involve trying to access online accounts using username and password combinations from existing data leaks or which were purchased on dark web portals.

    https://www.ic3.gov/Media/News/2022/220818.pdf

    Reply
  29. Tomi Engdahl says:

    Washington Post:
    Whistleblower complaint: Twitter’s ex-head of security Peiter Zatko alleges the company misled the FTC over its security plans, did not protect users, and more — In an explosive whistleblower complaint obtained by The Washington Post, former Twitter security chief Peiter ‘Mudge’ Zatko alleges …

    https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/

    Reply
  30. Tomi Engdahl says:

    A free VPN service aimed mainly at Asian users has been found guilty of exposing over 5.7 billion data entries. The staggering amount of users’ personal information that was sitting on the Internet for anyone to discover includes the following:

    User IDs
    Source IP addresses (exact location)
    Domain names visited
    Timestamps
    And, to make matters even worse, this information was not anonymized, meaning every search can be traced back to a real person. This may not be a problem for some of us, but people in China and Russia, for example, use VPN services to access websites and services their government blocks. Because these people can now be tracked back to their front door, this leak will cause many problems worldwide.

    https://www.goincognito.co/alert-this-vpn-has-exposed-5-7-billion-records-do-not-use-it/

    Reply
  31. Tomi Engdahl says:

    Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies
    https://edition.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html

    Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

    The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

    The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO. Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns.

    Zatko was fired by Twitter (TWTR) in January for what the company claims was poor performance. According to Zatko, his public whistleblowing comes after he attempted to flag the security lapses to Twitter’s board and to help Twitter fix years of technical shortcomings and alleged non-compliance with an earlier privacy agreement with the Federal Trade Commission. Zatko is being represented by Whistleblower Aid, the same group that represented Facebook whistleblower Frances Haugen.

    After this article was initially published, Alex Spiro, an attorney for Musk, told CNN, “We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”

    In a statement, a Twitter spokesperson told CNN that security and privacy are both longtime priorities for the company.

    “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” the Twitter spokesperson said. “What we’ve seen so far is a false narrative about Twitter

    Some of Zatko’s most damning claims spring from his apparently tense relationship with Parag Agrawal, the company’s former chief technology officer who was made CEO after Jack Dorsey stepped down last November. According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter’s security problems to the company’s board of directors.

    The scathing disclosure, which totals around 200 pages, including supporting exhibits — was sent last month to a number of US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. The existence and details of the disclosure have not previously been reported.

    “Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” Grassley said. “The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.”

    Zatko may be eligible for a monetary award from the US government as a result of his whistleblower activities. “Original, timely and credible information that leads to a successful enforcement action”

    Tye told CNN that Zatko filed his disclosure to the SEC “to help the agency enforce the laws,” and to gain federal whistleblower protections.

    Zatko first came to national attention in 1998 when he took part in the first congressional hearings on cybersecurity.
    “All my life, I’ve been about finding places where I can go and make a difference. I’ve done that through the security field. That’s my main lever,”

    What Zatko says he found was a company with extraordinarily poor security practices, including giving thousands of the company’s employees — amounting to roughly half the company’s workforce — access to some of the platform’s critical controls. His disclosure describes his overall findings as “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”

    the disclosure says, Zatko soon learned “it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did…. Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.” Twitter also lacked the ability to hold workers accountable for information security lapses because it has little control or visibility into employees’ individual work computers

    Twitter’s flimsy server infrastructure is a separate yet equally serious vulnerability, the disclosure claims. About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors, according to the letter to regulators

    The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko’s disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.

    Twitter did not respond to questions about the risk of data center outages,

    Zatko alleges that despite the company’s claims to the contrary, it had “never been in compliance” with what the FTC demanded more than 10 years ago.

    Foreign threats
    Twitter is exceptionally vulnerable to foreign government exploitation in ways that undermine US national security, and the company may even have foreign spies currently on its payroll, the disclosure alleges.

    “The fact that Twitter’s current CEO even suggested Twitter become complicit with the Putin regime is cause for concern about Twitter’s effects on U.S. national security,” Zatko’s disclosure says.

    Zatko’s report is becoming public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia.

    The Musk element
    Zatko’s disclosure comes at a particularly fortuitous moment for Musk, who is engaged in a legal battle with Twitter over his attempt to back out of buying the company. Musk has accused Twitter of lying about the number of spam bots on its platform, an issue that he claims should let him terminate the deal.

    User numbers are vital information for any social media business, as advertising revenue depends on how many people could potentially see an ad. But figures about how many users a service has, or how many people actually view a given ad on a site, are notoriously unreliable throughout the tech and media industries due to manipulation and error.
    Alone among social media companies, Twitter reports its user numbers to investors and advertisers using a measurement it calls monetizable daily active users, or mDAUs.

    Experts on inauthentic behavior online say it can be difficult to quantify “bots” because there isn’t a widely agreed upon definition of the term, and because bad actors constantly change their tactics. There are also many harmless bots on Twitter (and across the internet), such as automated news accounts, and Twitter offers an opt-in feature to allow such accounts to transparently label themselves as automated.

    the challenge often lies in enforcing its policies.

    But in casting doubt on Twitter’s ability to estimate the true number of fake and spam accounts, Zatko’s allegations could provide ammunition to Musk’s central claim that the figure is much higher than Twitter has publicly reported.
    By going public, Zatko says, he believes he is doing the job he was hired to do for a platform he says is critical to democracy. “Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I’m still performing that mission,” he said.

    Reply
  32. Tomi Engdahl says:

    IT-asiantuntijalta varoitus: Kesärannan kohukuva voi päätyä “mihin tahansa”
    Tietoturva-asiantuntija Jarno Ahlströmin mukaan levinneen kohukuvan julkaisu oli ongelmallista monesta näkökulmasta.
    https://www.iltalehti.fi/tietoturva/a/4e2729a4-0b23-4975-b739-2441b9d9f9a3

    Tietoturva-asiantuntija Jarno Ahlströmin mukaan Kesärannasta Tiktokiin levitetyt julkaisut ovat harkitsemattomia.
    Alhström arvioi, että julkaisut luovat informaatiovaikuttamisen uhan.
    Tiktokin tietoturvassa on havaittu viime aikoina merkittäviä haavoittuvuuksia.

    Reply
  33. Tomi Engdahl says:

    Tietomurto suosittuun netti­kauppaan suomalaisten tietoja varastettu https://www.is.fi/digitoday/tietoturva/art-2000009021632.html
    SUOMESSAKIN suosittu saksalainen autojen varaosakauppa Autodoc on joutunut tietomurron kohteeksi, kertoo yhtiön asiakkailleen lähettämä tiedote. Autodocin mukaan hyökkääjät onnistuivat tunkeutumaan yhtiön sisäiseen “kommunikaatiotyökaluun” ja sitä kautta anastamaan asiakkaiden henkilötietoja. Hyökkäys saatiin yhtiön mukaan pysäytettyä pikaisesti, mutta järjestelmistä onnistuttiin silti kaapimaan tietoja.
    Tietomurrossa vietiin Autodocin asiakkaiden nimiä, tarkkoja kotiosoitteita, puhelinnumeroita sekä sähköpostiosoitteita.
    Salasanoja, luottokorttitietoja tai pankkitietoja hyökkääjät eivät kuitenkaan yhtiön mukaan onnistuneet varastamaan.

    Reply
  34. Tomi Engdahl says:

    TikTokin härski tiedon­keruu ei ole ainoa tapaus näin estät sovelluksia urkkimasta verkon käyttöäsi https://www.is.fi/digitoday/tietoturva/art-2000009019587.html
    TIKTOK joutui selittämään käyttäjien seurantaa, kun sen iOS-sovelluksen todettiin käyttävän omaa selaintaan ulkopuolisten verkkosivujen esittämiseen. Tietoturvatutkijan mukaan tässä yhteydessä TikTokin on teoriassa mahdollista seurata käyttäjän tekemisiä aina yksittäisiä näytön painalluksia myöten. Tällaiset sovellusten sisäiset selaimet ovat yleinen käytäntö mobiilialalla ja iOS:n lisäksi Androidin puolella. Tällä tarkoitetaan sovelluksen osaksi rakennettua, laitteen normaalista oletusselaimesta erillistä selainta. Esimerkiksi pikaviestisovellus Discord toimii puhelimessa näin. Se ei oletuksena avaa klikattavaa linkkiä ulkoiseen selaimeen, vaan omaansa.
    Tekniikassa ei sinänsä ole mitään vikaa, mutta se antaa sovelluksen kehittäjälle mahdollisuuden seurata käyttäjää eri tavoin ja eri tarkoituksiin syöttämällä verkkosivuille omaa koodiaan.

    Reply
  35. Tomi Engdahl says:

    Arkaluontoisia tietoja Yhdysvaltojen vaalijärjestelmästä levisi verkkoon lataajina Trumpin kannattajia ja salaliittoteoreetikkoja
    https://www.tivi.fi/uutiset/tv/e3adeb92-a8e7-4b31-b596-8dcbef2f1941
    Donald Trumpin vuoden 2020 presidentinvaalikampanjassa hankittuja arkaluontoisia vaalijärjestelmän tiedostoja jaettiin vaalituloksen kieltäjille, salaliittoteoreetikoille sekä oikeistolaisille kommentaattoreille, paljastaa The Washington Post. Trumpin asianajajat palkkasivat it-yhtiön tallentamaan tiedostot palvelimelle, josta niitä on ladattu useita kertoja. Lataajien joukossa oli useita salaliittoteorioita levittäviä henkilöitä ja Trumpin poliittisia tukijoita. Alkup.
    https://www.washingtonpost.com/investigations/2022/08/22/election-system-copied-files-trump/

    Reply
  36. Tomi Engdahl says:

    Android 13 vuotaa jo hakkerit iskivät heti
    https://www.tivi.fi/uutiset/tv/7991696d-055d-4cbf-8007-61b28bf0b163
    Android 13 -järjestelmä ei anna sovelluskauppojen ulkopuolelta ladatuille sovelluksille pääsyä helppokäyttötoimintoihin. Näin pyritään estämään esimerkiksi suoraan haitallisilta verkkosivuilta ladattujen haittaohjelmien pääsy helppokäyttötoimintoihin. Oikeudet helppokäyttötoimintoihin voidaan kuitenkin edelleen myöntää sellaisille apk- eli sovelluspakettitiedostoille, jotka asennetaan käyttäen niin kutsuttua sessioperusteista asennusmetodia. Tällöin ladatulle sovellukselle myönnetään valtuudet asentaa samalla kertaa myös muita apk-tiedostoja. Esimerkiksi sovellusten eri kielipaketteja asennetaan usein tällä tavoin. Tietoturvatutkijoiden ryhmä Threat Fabric on esitellyt havaitsemansa tavan väärinkäyttää Googlen määrittämiä sääntöjä. Uhri huijataan lataamaan ensin yksi sovellus, joka puolestaan asentaa samalla kertaa myös toisen apk-tiedoston, joka sisältää varsinaisen haittaohjelman. Asennusvaiheessa käyttäjä tulee helposti antaneeksi haittaohjelmalle oikeudet helppokäyttötoimintoihin, minkä myös järjestelmä hyväksyy. Alkup.
    https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/

    Reply
  37. Tomi Engdahl says:

    “Maailmanlaajuinen valvontakoneisto” amerikkalaista it-jättiä syytetään peräti viiden miljardin ihmisen vakoilusta
    https://www.tivi.fi/uutiset/tv/1c4dd21a-5fe1-42b8-94cf-992420eefa47
    Maailman suurimpiin it-yhtiöihin lukeutuvaa Oraclea vastaan on nostettu Yhdysvalloissa ryhmäkanne, jossa yhtiötä syytetään peräti viiden miljardin ihmisen seurannasta ja vakoilusta. ICCL:n tiedotteen mukaan Oracle on koonnut yksityiskohtaisen rekisterin viiden miljardin ihmisen tiedoista, nimistä, kotiosoitteista, sähköpostiosoitteista, ostoksista, liikkumisesta, tuloista, poliittisista näkemyksistä ja toiminnasta internetissä. Statistan tilastojen mukaan maailmassa on noin viisi miljardia netinkäyttäjää.

    Reply
  38. Tomi Engdahl says:

    Vakoiluohjelma, joka tarttuu iPhoneen täysin automaattisesti tuhoaa tarvittaessa itsensä
    https://www.tivi.fi/uutiset/tv/6f554ac6-9278-4aa6-8951-3dfe75213e89
    Suurvallat urkkivat tietoja kehittyneillä vakoiluohjelmilla, mutta alalla toimii myös kaupallisia yrityksiä. Niistä tunnetuin on israelilainen NSO Group, jonka Pegasus-urkintaohjelmasta tuli viime vuoden paljastusten myötä kansainvälinen uutinen.

    Reply
  39. Tomi Engdahl says:

    Greek gas operator refuses to negotiate with ransomware group after attack https://therecord.media/greek-gas-operator-refuses-to-negotiate-with-ransomware-group-after-attack/
    Greece’s national natural gas operator DESFA confirmed this weekend that it was hit with a cyberattack but said it will not negotiate with the people behind the incident.

    Reply
  40. Tomi Engdahl says:

    Hackers demand $10 million from Paris hospital after ransomware attack https://www.bitdefender.com/blog/hotforsecurity/hackers-demand-10-million-from-paris-hospital-after-ransomware-attack/
    Malicious hackers are demanding $10 million from a French hospital they hit with ransomware last weekend. The National Cybersecurity Agency of France (ANSSI) has been informed of the incident, and is assisting in the investigation. Although not yet confirmed officially by the hospital, security experts believe that CHSF has been hit by a strain of the Ragnar Locker ransomware – which has also claimed the scalp of DESFA, one of Greece’s major natural gas operators, in recent days.

    Reply
  41. Tomi Engdahl says:

    Signal Phone Numbers Exposed in Twilio Hack https://www.schneier.com/blog/archives/2022/08/signal-phone-numbers-exposed-in-twilio-hack.html
    Twilio was hacked earlier this month, and the phone numbers of 1, 900 Signal users were exposed. Here’s what our users need to know:. All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected. For about 1, 900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal.
    This attack has since been shut down by Twilio. 1, 900 users is a very small percentage of Signal’s total users, meaning that most were not affected.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*