Cyber security news in July 2019

This posting is here to collect cyber security news in July 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

 

120 Comments

  1. Tomi Engdahl says:

    Kubernetes CLI tool security flaw lets attackers run code on host machine
    Interesting bug can lead to total compromise of cloud production environments.
    https://www.zdnet.com/article/kubernetes-cli-tool-security-flaw-lets-attackers-run-code-on-host-machine/

    Reply
  2. Tomi Engdahl says:

    Facebook: We valuate your privacy so much that we want you to give up some of it to make us money out of it.

    Reply
  3. Tomi Engdahl says:

    https://www.tripwire.com/state-of-security/government/new-york-law-expands-cyber-protection/

    The New York State Legislature recently passed a bill that aims to protect New York residents, regardless of the location of the business. The law, known as the Stop Hacks and Improve Electronic Data Security (SHIELD) Act is designed to address unauthorized access of data.

    Reply
  4. Tomi Engdahl says:

    Backdoor discovered in Ruby strong_password library
    http://nakedsecurity.sophos.com/2019/07/09/backdoor-discovered-in-ruby-strong_password-library/

    the mystery 0.0.7 version embedded a download link which:

    Fetches and runs the code stored in a pastebin.com, only if running in production, with an empty exception handling that ignores any error it may raise.

    The backdoor would download code from the Pastebin address for production sites, giving the attackers the power of remote code execution, silently hijacking any websites unfortunate to have updated to the rogue strong_password gem.

    Reply
  5. Tomi Engdahl says:

    Huawei website ████ ██████ security flaws ██████ customer info and biz operations at risk: ███████ patched
    Is this the Chinese giant’s Winnie the Pooh moment?

    https://www.theregister.co.uk/2019/07/09/huawei_to_address_security_holes/

    Reply
  6. Tomi Engdahl says:

    Flaws in hospital anesthesia and respiratory devices allow remote tampering
    https://techcrunch.com/2019/07/09/flaws-anesthesia-respiratory-devices-tampering/

    Security researchers have discovered vulnerabilities in two models of hospital anesthesia machines manufactured by General Electric (GE).

    The two devices found to be vulnerable are GE Aestiva and GE Aespire — models 7100 and 7900.

    “As long as the device is ported to the network through a terminal server, anyone familiar with the communication protocol can force a revert and send a variety of illegitimate commands to the machine,” he said.

    Vulnerabilities found in GE anesthesia machines
    https://www.zdnet.com/article/vulnerabilities-found-in-ge-anesthesia-machines/

    GE recommends not connecting vulnerable anesthesia machines to hospital networks.

    Reply
  7. Tomi Engdahl says:

    Intel Patches High-Severity Flaw in Processor Diagnostic Tool
    https://threatpost.com/intel-patches-high-severity-flaw-in-processor-diagnostic-tool/146352/

    Intel issued patches for a high-severity flaw in its processor diagnostic tool as well as a fix for a medium-severity vulnerability in its data center SSD lineup.

    The Intel Processor Diagnostic tool is a free product that allows users to test and diagnose any issues in their processor before having to contact tech support.

    Reply
  8. Tomi Engdahl says:

    Logitech Unifying Receivers Vulnerable to Key Injection Attacks
    https://www.bleepingcomputer.com/news/security/logitech-unifying-receivers-vulnerable-to-key-injection-attacks/

    Four new vulnerabilities were found to affect all Logitech’s Unifying USB receivers that allow users to connect up to six different compatible Logitech wireless presentation remotes, mice, and keyboards to the same computer via a 2.4 GHz radio connection.

    Out of the four vulnerabilities found by Mengs, Logitech confirmed that they’ll only fix two of them

    https://www.bettercap.org/modules/hid/

    Reply
  9. Tomi Engdahl says:

    https://seclists.org/fulldisclosure/2019/Jul/12

    Mozilla’s MSI installers: FUBAR (that’s spelled “fucked-up beyond all repair”)

    Reply
  10. Tomi Engdahl says:

    Detroit’s facial recognition surveillance system exposed
    https://www.wsws.org/en/articles/2019/07/09/face-j09.html

    After the extent of the surveillance was exposed and public anger began to rise, Detroit Police Chief James Craig hastily called a press conference on June 27 in an effort to downplay the invasive nature of the system and justify its implementation.

    Forced to admit that the artificial intelligence and biometrics system had been in place for the past two years without review

    Reply
  11. Tomi Engdahl says:

    London Underground wi-fi data collection ‘has huge potential’
    https://www.bbc.com/news/uk-england-london-48921411

    From this week, Transport for London (TfL) is going to collect data anonymously through its wi-fi from our phones as we move about the network.

    Instead of building new Tube lines or buying new trains, why not use our existing ones in a much more efficient smarter way?

    You could get a message at every stage of your journey, or you could be given a different route to avoid overcrowding.

    Reply
  12. Tomi Engdahl says:

    YouTube’s ‘instructional hacking’ ban threatens computer security teachers
    YouTube now says takedown of a ‘white hat’ hacking channel was a mistake

    https://www.theverge.com/2019/7/3/20681586/youtube-ban-instructional-hacking-phishing-videos-cyber-weapons-lab-strike

    Reply
  13. Tomi Engdahl says:

    Bug in Anesthesia Machines Allows Changing Gas Mix Levels
    https://www.bleepingcomputer.com/news/security/bug-in-anesthesia-machines-allows-changing-gas-mix-levels/

    The flaw affects GE Aestiva and GE Aespire anesthesia systems, models 7100 and 7900, from GE Healthcare (part of General Electric Company) and permits sending them commands over the local network.

    No authentication or special privileges needed

    This downgrade attack would allow not only remotely adjusting the composition of the anesthetic gas mixture but also suppressing alarms, changing the time and date on the system, and modifying the barometric pressure.

    Reply
  14. Tomi Engdahl says:

    Cybersecurity Experts Worry About Satellite & Space Systems
    https://www.darkreading.com/attacks-breaches/cybersecurity-experts-worry-about-satellite-and-space-systems/d/d-id/1335131

    As nation-states and rogue actors increasingly probe critical infrastructure, policy and technology experts worry that satellite and space systems are on the front lines.

    Reply
  15. Tomi Engdahl says:

    Whoop whoop! Insane Clown Posse fans may have stumbled into a way to combat public surveillance
    https://consequenceofsound.net/2019/07/juggalo-makeup-facial-recognition/amp/

    Last year, Ticketmaster and LiveNation invested in a former military facial recognition company, with the hope that the technology could be used to both strengthen and speed up event entry. If that prospect thoroughly creeps you out, here’s a simple life-hack to defeat Big Brother: become a Juggalo. In a revelation that is sure to freak out the FBI, Insane Clown Posse’s passionate fan base have unintentionally unlocked the secret to thwarting facial recognition.

    Reply
  16. Tomi Engdahl says:

    Many popular wireless keyboards completely unprotected
    https://www.csoonline.com/article/3100026/many-popular-wireless-keyboards-completely-unprotected.html

    Many popular wireless keyboards on the market today are vulnerable to eavesdropping

    Reply
  17. Tomi Engdahl says:

    Apple co-founder thinks you should get off Facebook
    https://nypost.com/2019/07/09/apple-co-founder-thinks-you-should-get-off-facebook/

    Apple co-founder Steve Wozniak has some advice for most Facebook users: Delete your account.

    “There are many different kinds of people, and some [of] the benefits of Facebook are worth the loss of privacy,” Wozniak told TMZ, which spoke with the tech mogul at Reagan National Airport in DC. “But too many like myself, my recommendation is — to most people — you should figure out a way to get off Facebook.”

    Reply
  18. Tomi Engdahl says:

    Banned Chinese Security Cameras Are Almost Impossible to Remove
    https://www.bloomberg.com/news/articles/2019-07-10/banned-chinese-security-cameras-are-almost-impossible-to-remove

    An August deadline to remove them from federal agencies likely won’t be met as many departments don’t even know what cameras they’re using.

    U.S. federal agencies have five weeks to rip out Chinese-made surveillance cameras in order to comply with a ban imposed by Congress last year in an effort to thwart the threat of spying from Beijing.

    But thousands of the devices are still in place and chances are most won’t be removed before the Aug. 13 deadline. A complex web of supply chain logistics and licensing agreements make it almost impossible to know whether a security camera is actually made in China or contains components that would violate U.S. rules.

    Reply
  19. Tomi Engdahl says:

    The amendment singles out Zhejiang Dahua Technology Co. and Hangzhou Hikvision Digital Technology Co., both of which have raised security concerns with the U.S. government and surveillance industry.

    https://www.bloomberg.com/news/articles/2019-07-10/banned-chinese-security-cameras-are-almost-impossible-to-remove

    Reply
  20. Tomi Engdahl says:

    Agent Smith Malware Infects 25M Android Phones to Push Rogue Ads
    https://threatpost.com/malware-agent-smith-android-ads/146359/?utm_source=dlvr.it&utm_medium=twitter

    Researchers say malware infects phones in order to sneak ads on devices for profit.

    Reply
  21. Tomi Engdahl says:

    More than 1,000 Android apps harvest data even after you deny permissions
    https://www.cnet.com/news/more-than-1000-android-apps-harvest-your-data-even-after-you-deny-permissions/

    The apps gather information such as location, even after owners explicitly say no. Google says a fix won’t come until Android Q.

    Reply
  22. Tomi Engdahl says:

    How to enable DNS-over-HTTPS (DoH) in Firefox
    https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/

    A step by step guide to enable DNS-over-HTTPS (DoH) support in the Firefox browser.

    Internet group brands Mozilla ‘internet villain’ for supporting DNS privacy feature
    https://techcrunch.com/2019/07/05/isp-group-mozilla-internet-villain-dns-privacy/

    Reply
  23. Tomi Engdahl says:

    Seriously, stop using RSA
    https://blog.trailofbits.com/2019/07/08/fuck-rsa/

    Let me save you a bit of time and money and just say outright—if you come to us with a codebase that uses RSA, you will be paying for the hour of time required for us to explain why you should stop using it.

    RSA is an intrinsically fragile cryptosystem containing countless foot-guns which the average software engineer cannot be expected to avoid. Weak parameters can be difficult, if not impossible, to check, and its poor performance compels developers to take risky shortcuts. Even worse, padding oracle attacks remain rampant 20 years after they were discovered.

    Reply
  24. Tomi Engdahl says:

    Google employees are eavesdropping, even in Flemish living rooms, VRT NWS has discovered
    https://www.vrt.be/vrtnws/en/2019/07/10/google-employees-are-eavesdropping-even-in-flemish-living-rooms/

    Google employees are systematically listening to audio files recorded by Google Home smart speakers and the Google Assistant smartphone app.

    Reply
  25. Tomi Engdahl says:

    Australia’s anti-encryption laws being used to bypass journalist protections, expert says
    https://www.theguardian.com/australia-news/2019/jul/08/australias-anti-encryption-laws-being-used-to-bypass-journalist-protections-expert-says

    New legislation has given AFP ‘power to strike a chilling blow against press freedom’, cybersecurity researcher tells parliamentary review

    Reply
  26. Tomi Engdahl says:

    British Airways faces record £183m fine for data breach
    https://www.bbc.com/news/business-48905907

    Reply
  27. Tomi Engdahl says:

    Cyberattack lands ship in hot water
    http://nakedsecurity.sophos.com/2019/07/11/cybersecurity-attack-lands-ship-in-hot-water/

    Less than two months after warning of cybersecurity problems on ships, the US Coast Guard has revealed that a large international vessel has suffered a cyberattack.

    On Monday 8 July 2019 the Coast Guard issued a Marine Safety Alert reporting a successful malware attack on a vessel back in February.

    The alert describes the affected craft as a ‘deep draft’ vessel.

    It experienced a “significant cyberincident” on its way to the Port of New York and New Jersey.

    The crew avoided losing complete control of the ship, but it should be a wake-up call.

    The crew did use the network for official business like updating electronic charts and managing cargo data, and members would routinely plug USB drives into the ship’s systems without scanning them for malware

    Researchers have found problems with vessel cybersecurity in the past.

    Reply
  28. Tomi Engdahl says:

    Hacked surveillance firm pitches NYC with invasive camera tech to track driver journeys
    https://www.zdnet.com/article/hacked-surveillance-firm-pitches-nyc-with-ml-cameras-to-track-driver-journeys/

    Scanning technology already in use at the Mexican border was pitched as a way to build profiles of driver habits.

    Reply
  29. Tomi Engdahl says:

    Good news. Samba 4.11 will be the next version of the Samba suite and SMB1 is disabled by default. SMB1 exploit were wild and unpatched system will still get rooted: https://github.com/samba-team/samba/blob/59cca4c5d699be80b4ed22b40d8914787415c507/WHATSNEW.txt

    See how to disable SMB1 on Linux or Unix https://www.cyberciti.biz/faq/how-to-configure-samba-to-use-smbv2-and-disable-smbv1-on-linux-or-unix/ #OpenSource #security

    Reply
  30. Tomi Engdahl says:

    ‘World’s first Bluetooth hair straighteners’ can be easily hacked
    https://techcrunch.com/2019/07/11/bluetooth-hair-straighteners-hacked/

    Here’s a thing that should have never been a thing: Bluetooth-connected hair straighteners.

    Glamoriser, a U.K. firm that bills itself as the maker of the “world’s first Bluetooth hair straighteners“, allows users to link the device to an app, which lets the owner set certain heat and style settings. The app can also be used to remotely switch off the straighteners within Bluetooth range.

    Big problem, though. These straighteners can be hacked.

    Reply
  31. Tomi Engdahl says:

    FTA: By exploiting CVE-2019-10915, a remote attacker could bypass HTTP authentication and access all administrator functionality by directly sending WebSocket commands to a server, Tenable says.
    Why would these even need to be available via HTTP at all?

    Researchers Disclose Vulnerability in Siemens’ ICS Software
    https://www.govinfosecurity.com/researchers-disclose-vulnerability-in-siemens-ics-software-a-12765#.XSdVbDTnzPQ.facebook

    Patch Issued in Light of Concerns Over Stuxnet-Like Attack Against Industrial Systems

    Reply
  32. Tomi Engdahl says:

    Google is investigating the source of voice data leak, plans to update its privacy policies
    https://techcrunch.com/2019/07/11/google-is-investigating-the-source-of-voice-data-leak-plans-to-update-its-privacy-policies/

    The company, by way of a blog post, explained that it partners with language experts around the world who review and transcribe a “small set of queries” to help Google better understand various languages.

    https://www.blog.google/products/assistant/more-information-about-our-processes-safeguard-speech-data/

    Reply
  33. Tomi Engdahl says:

    Over 17,000 Domains Infected with Code that Steals Card Data
    https://www.bleepingcomputer.com/news/security/over-17-000-domains-infected-with-code-that-steals-card-data/

    Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

    Reply
  34. Tomi Engdahl says:

    Japan cryptocurrency exchange loses $32 million of virtual money
    https://nypost.com/2019/07/12/japan-cryptocurrency-exchange-loses-32-million-of-virtual-money/?utm_campaign=iosapp&utm_source=facebook_app

    The reason for the losses, which include bitcoins as well as Ethereum, Ripple and other kinds of cryptocurrencies, is under investigation.

    Bitcoin has been a legal form of payment in Japan since April 2017.

    Reply
  35. Tomi Engdahl says:

    So it seems Mozilla is no longer going to be considered for an internet villainy award

    “Mozilla aren’t villains after all” – ISPs back down after public outcry
    https://nakedsecurity.sophos.com/2019/07/11/mozilla-arent-villains-after-all/

    A few short days ago, we wrote up the news that Mozilla was up for an internet award…

    …for cybervillainy!

    Seems it was all down to Mozilla’s enthusiastic adoption of a system called DNS-over-HTTPS.

    DNS-over-HTTPS: it’s a way of encrypting and authenticating your network lookups while you’re online.

    your DNS list of “sites of interest” remains private, which in turns keeps you more secure against snooping, surveillance and sneaky substiutions.

    OK, so there are various technical reasons why you might be against DNS-over-HTTPS

    Mozilla would suddenly make the internet too secure! Too private! Too safe! Too well-protected from busybodies, snoops and crooks!

    Horror of horrors!

    British ISPs would no longer be able to collect and collate innocent users’ high-level internet browsing habits themselves just in case the data ever came in handy for busting ACTUAL CROOKS!

    The ISPA has now officially and publicly backed down and taken Mozilla off the Internet Villainy shortlist.

    Reply
  36. Tomi Engdahl says:

    Facebook to be slapped with $5 billion fine for privacy lapses, says WSJ
    https://www.cnbc.com/2019/07/12/ftc-fines-facebook-5-billion-for-privacy-lapses.html?__source=facebook%7Cmain

    The Federal Trade Commission announced a settlement with Facebook over the company’s 2018 Cambridge Analytica scandal.
    The fine represents the largest ever imposed by the FTC against a tech company.

    Reply
  37. Tomi Engdahl says:

    Train maker’s coder goes loco, choo-choo-chooses to flee to China with top-secret code – allegedly
    https://www.theregister.co.uk/2019/07/12/train_software_theft/

    Xudong “William” Yao stole the software blueprints from his former employer, an unnamed locomotive manufacturer based in Chicago, it is claimed, flew to the Middle Kingdom, and took up a job with a Chinese biz that specializes in automotive telematics – think vehicle monitoring, tracking, and communications.

    Reply
  38. Tomi Engdahl says:

    T-Mobile quietly reported a sharp rise in police demands for cell tower data
    https://techcrunch.com/2019/07/12/t-mobile-cell-tower-government-demands/

    Reply
  39. Tomi Engdahl says:

    Confirmed: Microsoft Windows Zero-Day Exploit Used In Government Espionage Operation
    https://www.forbes.com/sites/daveywinder/2019/07/12/confirmed-microsoft-windows-zero-day-exploit-used-in-government-espionage-operation/

    The highly targeted attacks against government institutions in Eastern Europe, which took place during June 2019, employed the use of a Microsoft Windows zero-day exploit. In and of itself this isn’t unusual as there have been plenty of Windows zero-days discovered

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*