This posting is here to collect cyber security news in July 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
237 Comments
Tomi Engdahl says:
https://securityaffairs.co/wordpress/88233/malware/finfisher-spyware-new-versions.html
Tomi Engdahl says:
MIDDLE EAST DICTATORS BUY SPY TECH FROM COMPANY LINKED TO IBM AND GOOGLE
https://theintercept.com/2019/07/12/semptian-surveillance-mena-openpower/
Tomi Engdahl says:
Zoom patches Mac client after flaw allowed websites to turn on webcams without permission
https://techcrunch.com/2019/07/08/a-vulnerability-in-zooms-mac-client-could-allow-websites-to-turn-on-cameras-without-permission/
Video conferencing giant Zoom has published a patch for its Mac client removing a rogue web server from users’ computers that allowed any website to join a video call without permission.
Tomi Engdahl says:
OpenPGP experts targeted by long-feared ‘poisoning’ attack
http://nakedsecurity.sophos.com/2019/07/05/openpgp-experts-targeted-by-long-feared-poisoning-attack/
Tomi Engdahl says:
German banks to stop using SMS to deliver second authentication/verification factor
https://www.helpnetsecurity.com/2019/07/12/german-banks-sms-tan/
German banks are moving away from SMS-based customer authentication and transaction verification (called mTAN or SMS-TAN), as the method is deemed to be too insecure.
Tomi Engdahl says:
Most 2020 Presidential Campaign Not Using Proper Email Security
https://www.bleepingcomputer.com/news/security/most-2020-presidential-campaign-not-using-proper-email-security/
Tomi Engdahl says:
https://threatpost.com/linux-ransomware-nas-servers/146441/
Tomi Engdahl says:
Never Commit a Crime When Your Phone Is Connected to a Wi-Fi Network
https://slate.com/technology/2019/07/glenelg-high-school-graffiti-wifi-login.html
Four students who left racist graffiti on their high school were caught when their smartphones betrayed them.
Tomi Engdahl says:
Google is investigating the source of voice data leak, plans to update its privacy policies
https://techcrunch.com/2019/07/11/google-is-investigating-the-source-of-voice-data-leak-plans-to-update-its-privacy-policies/
Google has responded to a report this week from Belgian public broadcaster VRT NWS, which revealed that contractors were given access to Google Assistant voice recordings, including those which contained sensitive information
https://www.blog.google/products/assistant/more-information-about-our-processes-safeguard-speech-data/
Tomi Engdahl says:
The FTC Lawsuit over D-Link: Technical Perspective of Routers Security
https://www.vdoo.com/blog/ftc-lawsuit-over-d-link
The U.S. Federal Trade Commission (FTC) sued D-Link for putting consumers’ most sensitive personal data at risk due to the inadequate security of its routers and cameras. D-Link was criticized for releasing products which lack basic security measures, and for responding late
Tomi Engdahl says:
Greece’s Top Level Domain registries breached By Hacker
https://akonnor.online/greeces-top-level-domain-registries-breached-by-hacker/
State-sponsored hackers have broken ICS-Forth, the organization that manages Greece’s superior domain country codes of .gr and .el.
gain access to accounts at domain registrars and managed DNS suppliers where they make modifications to a company’s DNS settings. By modifying DNS records for internal servers, they intercept traffic meant for a company’s legitimate apps or webmail services to clone servers wherever they do man-in-the-middle attacks and intercept login credentials.
Tomi Engdahl says:
Hey, Google, why are your contractors listening to me?
https://nakedsecurity.sophos.com/2019/07/12/hey-google-why-are-your-contractors-listening-to-me/
Thanks to how your Google Home voice assistant records our conversations, which are sometimes triggered by mistake, audio clips – both those recorded on purpose and otherwise – are being sent to engineers working on Google Home voice processing.
Tomi Engdahl says:
As Florida cities use insurance to pay $1 million in ransoms to hackers, Baltimore and Maryland weigh getting covered
https://beta.washingtonpost.com/local/as-florida-cities-use-insurance-to-pay-1-million-in-ransoms-to-hackers-baltimore-and-maryland-weigh-getting-covered/2019/07/06/d1c0dc16-9f77-11e9-9ed4-c9089972ad5a_story.html?outputType=amp
Lake City’s experience and that of another Florida city are examples of the rapidly growing role of insurance providers in helping governments and businesses respond to cyberattacks. In each case, cities that faced losing valuable records avoided that calamity, and at a modest financial cost.
Tomi Engdahl says:
https://www.cbsnews.com/news/riviera-beach-florida-ransomware-attack-city-council-pays-600000-to-hackers-who-seized-its-computer-system/
Tomi Engdahl says:
Last year, [investigators in the Netherlands discovered]( https://www.zdnet.com/article/dutch-government-report-says-microsoft-office-telemetry-collection-breaks-gdpr/ ) that that data could include anything from standard software diagnostics to user content from inside applications, such as sentences from documents and email subject lines.
All of which contravenes the EU’s General Data Protection Regulation, or GDPR, the Dutch said.
https://www.zdnet.com/article/microsoft-office-365-banned-in-german-schools-over-privacy-fears/
Tomi Engdahl says:
Symantec reveals WhatsApp and Telegram exploit that gives hackers access to your personal media
https://venturebeat.com/2019/07/15/symantec-reveals-whatsapp-and-telegram-exploit-that-gives-hackers-access-to-your-personal-media/
Cybersecurity company Symantec found an exploit that could allow WhatsApp and Telegram media files — from personal photos to corporate documents — to be exposed and manipulated by malicious actors.
The security flaw, dubbed Media File Jacking, stems from the time lapse between when media files received through the apps are written to a disk and when they are loaded in an app’s chat user interface.
Tomi Engdahl says:
Facebook Embeds ‘Hidden Codes’ To Track Who Sees And Shares Your Photos
https://www.forbes.com/sites/zakdoffman/2019/07/14/facebook-is-embedding-hidden-codes-to-track-all-your-uploaded-photos-report/
an Australian cyber researcher has reopened a years-old debate as to whether the social media giant is embedding “hidden codes” in photos uploaded by users onto the site.
“Facebook is embedding tracking data inside photos you download,” Edin Jusupovic claimed on Twitter
contained what I now understand is an IPTC special instruction.” The IPTC (International Press Telecommunications Council) sets technical publishing standards, including those for image metadata.
“the take from this is that they can potentially track photos outside of their own platform with a disturbing level of precision about who originally uploaded the photo (and much more).”
According to one analyst, the metadata has been added since 2016 and “contains an IPTC block with an ‘Original Transmission Reference’ field that contains some kind of text-encoded sequence. This coding method lets Facebook “know it has seen the image before when it gets uploaded again,” explained a user on Reddit.
Not everyone is willing to play along with the Facebook scheme though. Twitter strips out the basic level of IPTC coding when images are posted on its site.
Tomi Engdahl says:
Researcher Bypasses Instagram 2FA to Hack Any Account
https://threatpost.com/researcher-bypasses-instagram-2fa/146466/
Tomi Engdahl says:
Sextortion was invented by one woman in the Philippines, Maria Caparas. She turned the idea of making friends online and video chats into a clever, evil scam that would not exist without social media.
Read more at https://www.channelnewsasia.com/news/video-on-demand/the-dark-web/queen-of-sextortion-11679252
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/9672-uusi-agenttivirus-saastutti-25-miljoonaa-android-puhelinta#ETNartikel
Tomi Engdahl says:
FBI Releases Master Decryption Keys for GandCrab Ransomware
https://www.bleepingcomputer.com/news/security/fbi-releases-master-decryption-keys-for-gandcrab-ransomware/
Tomi Engdahl says:
‘My job application was withdrawn by someone pretending to be me’
https://www.bbc.com/news/business-48995846
“It feels concerning that someone is potentially using my identity and that I can’t do much about it.”
Tomi Engdahl says:
https://thezerohack.com/hack-any-instagram
Tomi Engdahl says:
Why you should really, really update your Logitech wireless dongle
MouseJack never really went away
https://www.theverge.com/2019/7/14/20692471/logitech-mousejack-wireless-usb-receiver-vulnerable-hack-hijack
Tomi Engdahl says:
Logitech wireless USB dongles vulnerable to new hijacking flaws
Vulnerabilities found in Logitech’s proprietary Unifying USB dongle technology.
https://www.zdnet.com/article/logitech-wireless-usb-dongles-vulnerable-to-new-hijacking-flaws/
Tomi Engdahl says:
Academics steal data from air-gapped systems via a keyboard’s LEDs
CTRL-ALT-LED technique can exfiltrate data from air-gapped systems using Caps Lock, Num Lock, and Scroll Lock LEDs.
https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-via-a-keyboards-leds/
Tomi Engdahl says:
WhatsApp, Telegram had security flaws that let hackers change what you see
https://www.cnet.com/news/whatsapp-telegram-had-security-flaws-that-let-hackers-change-what-you-see/
In a demo clip, Symantec’s security researchers altered all the faces to show Nicolas Cage instead.
Tomi Engdahl says:
EXCLUSIVE: GCHQ, NSA Still Using Punched Paper Tape to Produce Crypto Keys
https://www.cbronline.com/feature/punched-tape-ukkpa
Top secret cryptographic keys are being distributed across the national security estate on ribbons of paper. Here’s why…
The United Kingdom Key Production Authority (UKKPA) secures a sprawling array of networks, radios, weapons and other sensitive infrastructure from would-be eavesdropping eyes and ears, using technologies that marry all the technological sophistication and weight of the modern nation state, with tools that one exasperated industry leader close to the work describes as “all a bit 1960s really”.
There’s a startling reason for this substantial workload: the UKKPA still uses rolls of punched paper tape for swathes of its key distribution, despite ongoing attempts to phase out its use. (Punched paper tape is a data storage medium. On the ribbons of tape, a hole represents a binary 1, and the absence of a hole a binary 0.)
The UK is not alone in the ongoing use of this legacy technology at the heart of the national security system: across the Atlantic, British intelligence partners at the National Security Agency (NSA)
This is where the UKKPA’s “comsec accounting” or information assurance role comes in: the responsibility for not just producing, but distributing, updating, and auditing the keys, which need to be changed on a regular basis: both for security reasons, and because the “boxes” holding them stop working if not refreshed regularly.
“Helping Industry Sort out Interfaces”
He adds: “The challenge then becomes what are the rules and guidelines and what is permissible and what’s not permissible…
Others mutter darkly about a botched paper tape replacement programme some years ago: overly ambitious and poorly executed, it “came to a crashing end”.
piecemeal effort to digitalise cryptographic key management is underway, but many industry partners say more could be done
“There’s two issues here: one is that you’ve got to distribute the key, so you’ve got to physically move the things around the country or even overseas. If you’re moving things they’re vulnerable to being intercepted or compromised. Then secondly there’s the cost and logistical burden of doing all that.
“The authority has a huge challenge to produce all those keys and then it’s got a challenge to distribute and install them all.
MoD “Lives, Breaths and Sleeps Physical Media”
“The challenge is that there is such a wide variety of platforms that these devices are installed into: they’re not always online, and they’re not always in-country.
“So we sit with NCSC [UKKPA] who create the keys and work with MoD to work with user requirements and user operator interface.
UKKPA: Keys for HMG, and NATO…
An additional responsibility for the UKKPA, meanwhile, is NATO.
The authority is one of just two cryptographic key suppliers to the military alliance; the other being the NSA: both provide keys for distribution via an entity called DACAN.
“In the ‘good old days’ where distribution used to be ‘put a bunch of key tape into the back of a van, driven to a HQ, they’d take and log and distribute it to different units – it was a man-in-a-van exercise – we’re now moving keys electronically via speciality networks.”
UKKPA’s punched paper tape machine has more than a few production runs to do before it joins its NSA counterpart in museum-bound retirement.
It is a powerful reminder that modernising legacy systems is never entirely easy, even if – or rather, particularly when – those systems are mission-critical.
Tomi Engdahl says:
Read this before using FaceApp — you give up more personal data than you realize on this Russian-made app
https://www.marketwatch.com/story/having-fun-using-faceapp-think-again-you-give-up-more-data-than-you-think-with-this-russian-made-app-2019-07-17
FaceApp has gone viral again with a feature that makes users look elderly, but experts say it may pose security concerns
FaceApp, a smartphone app that allows users to apply filters onto selfies they upload, has grown in popularity again thanks to a feature that allows users to make themselves look older.
But cybersecurity experts have raised several red flags about FaceApp. It’s made by a Wireless Lab, a small company based in Russia and, according to its terms and conditions, your photos could be used in unexpected ways.
‘Any app gathering data points that could lead to facial recognition should be of concern especially when it’s being used by government agencies.’
Tomi Engdahl says:
Viral App FaceApp Now Owns Access To More Than 150 Million People’s Faces And Names
https://www.forbes.com/sites/johnkoetsier/2019/07/17/viral-app-faceapp-now-owns-access-to-more-than-150-million-peoples-faces-and-names/
Everyone’s seen them: friends posting pictures of themselves now, and years in the future.
Viral app FaceApp has been giving people the power to change their facial expressions, looks, and now age for several years. But at the same time, people have been giving FaceApp the power to use their pictures — and names — for any purpose it wishes, for as long as it desires.
And we thought we learned a lesson from Cambridge Analytica.
More than 100 million people have downloaded the app from Google Play.
While according to FaceApp’s terms of service people still own their own “user content” (read: face), the company owns a never-ending and irrevocable royalty-free license to do anything they want with it … in front of whoever they wish
You might end up on a billboard somewhere in Moscow, but your face will most likely end up training some AI facial-recognition algorithm.
Peter Kostadinov
Whether that matters to you or not is your decision.
Tomi Engdahl says:
Brazil is at the forefront of a new type of router attack
Avast: More than 180,000 routers in Brazil had their DNS settings changed in Q1 2019.
https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/
Tomi Engdahl says:
What happens when a country’s entire adult population is hacked?
https://www.technologyreview.com/f/613973/what-happens-when-a-countrys-entire-adult-population-is-hacked/
The hack: A 20-year-old man was arrested in Sofia, Bulgaria, on Tuesday afternoon and charged with an unprecedented hack of the country’s tax authority, ending with the theft of sensitive personal records from nearly every adult in Bulgaria, according to local reports.
After a massive hack in Bulgaria, the prime minister called the attacker a “wizard,” but cybersecurity experts said the security was simply inadequate.
“It was alleged in the press that internal sources say the attack was an SQL injection,”
The facts: There is a gap between the hacker’s claims and what the Bulgarian government says happened. The facts are still being determined.
The hacker claimed to have stolen data from over 5 million Bulgarians. The country’s entire population is around 7 million. Finance Minister Vladislav Goranov said 3% of the NRA’s databases were impacted.
One thing is clear: a reckoning has arrived for Bulgaria’s cybersecurity. Whether the government recognizes it or not, outside hackers certainly will
Tomi Engdahl says:
FaceApp says it won’t hold on to your face photos. Should you trust it?
https://www.digitaltrends.com/news/faceapp-photos-privacy-terms-of-service/
If you use FaceApp, you’ve given its parent company permission to use your face photos for pretty much anything — even though the app-maker says it won’t use them for nefarious purposes.
Tomi Engdahl says:
Viral App FaceApp Now Owns Access To More Than 150 Million People’s Faces And Names
https://www.forbes.com/sites/johnkoetsier/2019/07/17/viral-app-faceapp-now-owns-access-to-more-than-150-million-peoples-faces-and-names/
Tomi Engdahl says:
Only three global banks given top website security score by ImmuniWeb
https://www.zdnet.com/article/only-three-global-banks-given-top-website-security-score-by-immuniweb/
The security testing firm found 97% of the world’s largest banks are vulnerable to web and mobile attacks.
Tomi Engdahl says:
EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users
https://thehackernews.com/2019/07/linux-gnome-spyware.html
Tomi Engdahl says:
https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/
Tomi Engdahl says:
Apple co-founder Steve Wozniak: Get off Facebook
https://www.cnbc.com/2019/07/09/apple-co-founder-steve-wozniak-get-off-facebook.html
Apple co-founder Steve Wozniak recommends most people get off Facebook.
“There are many different kinds of people, and [for] some, the benefits of Facebook are worth the loss of privacy,” Wozniak told TMZ. “But to many like myself, my recommendation is — to most people — is you should figure out a way to get off Facebook.”
Tomi Engdahl says:
10,000 polling sites could be hacked because they use Windows 7: report
https://nypost.com/2019/07/14/10000-polling-sites-could-be-hacked-because-they-use-windows-7-report/
Pennsylvania’s message was clear: The state was taking a big step to keep its elections from being hacked in 2020. Last April, its top election official told counties they had to update their systems. So far, nearly 60% have taken action, with $14.15 million of mostly federal funds helping counties buy brand-new electoral systems.
But there’s a problem: Many of these new systems still run on old software that will soon be outdated and more vulnerable to hackers.
Tomi Engdahl says:
The election technology industry is dominated by three titans : Omaha, Nebraska-based Election Systems and Software LLC; Denver, Colorado-based Dominion Voting Systems Inc.; and Austin, Texas-based Hart InterCivic Inc. They make up about 92% of election systems used nationwide, according to a 2017 study
https://nypost.com/2019/07/14/10000-polling-sites-could-be-hacked-because-they-use-windows-7-report/
Tomi Engdahl says:
Microsoft Office 365: Banned in German schools over privacy fears
https://www.zdnet.com/article/microsoft-office-365-banned-in-german-schools-over-privacy-fears/
State of Hesse says student and teacher information could be “exposed” to US spy agencies.
Tomi Engdahl says:
As Florida cities use insurance to pay $1 million in ransoms to hackers, Baltimore and Maryland weigh getting covered
https://beta.washingtonpost.com/local/as-florida-cities-use-insurance-to-pay-1-million-in-ransoms-to-hackers-baltimore-and-maryland-weigh-getting-covered/2019/07/06/d1c0dc16-9f77-11e9-9ed4-c9089972ad5a_story.html?outputType=amp
Tomi Engdahl says:
Google Photos is making your photos semi-public and you probably don’t realise
https://medium.com/@robertwiblin/google-photo-is-making-your-photos-semi-public-and-you-probably-dont-realise-6fcc74e40ac6
I’ve noticed something about Google Photos that is really weird. Crazy enough that I’ve told dozens of Photos users and none have believed me. They swear I have to be wrong, until I show them otherwise.
Whenever you share a photo with a specific person or account on Google Photos, it creates a link that will allow anyone in the world to view those photos, forever, until you go and manually deactivate that link in an obscure part of the interface.
Tomi Engdahl says:
Computer password inventor Fernando Corbato dies at 93
He also helped dramatically improve the speed of computing.
https://www.engadget.com/2019/07/13/computer-password-inventor-fernando-corbato-dies/
Tomi Engdahl says:
FaceApp isn’t taking all of your photos, but the privacy concerns are very real
https://www.cyberscoop.com/faceapp-privacy-russia-amazon-servers/
Using FaceApp to figure out how you’ll look when you’re old and wrinkly may be the viral sensation of the week, but that fun may not be worth it once you look at the fine print.
Users don’t have to explicitly click on any user agreement and aren’t forced to read through FaceApp’s privacy policy before using it, but when users apply “old” filters to their photos, they are giving FaceApp license to display their photos worldwide as well as access to location data, according to the fine print.
Tomi Engdahl says:
THINK FACEAPP IS SCARY? WAIT TILL YOU HEAR ABOUT FACEBOOK
https://www.wired.com/story/faceapp-privacy-backlash-facebook/?mbid=social_fb_onsiteshare
Tomi Engdahl says:
Security researchers uncover Bluetooth vulnerability that could let hackers track your LOCATION through iOS and Microsoft devices
https://www.dailymail.co.uk/sciencetech/article-7258715/Security-researchers-uncover-Bluetooth-vulnerability-let-hackers-track-LOCATION.html
Tomi Engdahl says:
controlling 40% Russian-speaking Dark Net.
Read here: https://www.apnews.com/b4ea6eccc2524f21852709df8645f55e
Ukraine has arrested an accused cyber criminal who has been wanted by the United States for years. Mykhailo Rytikov was arrested in the city of Odessa. The hacker was running a data center with about 150 servers and some control and cover of the Russian special services.
Read Here: https://buff.ly/30AQWW6
#Ukraine #CyberCriminial #UnitedStates #CyberSecurity #DataCenter #RussianSpecialService #Mykhailo Rytikov #NextWebHack
Tomi Engdahl says:
Ex-Microsoft dev used test account to swipe $10m in tech giant’s own store credits, live life of luxury, Feds allege
https://www.theregister.co.uk/2019/07/17/exmicrosoft_engineer_arrested_fraud/
‘No safeguards’ on QA accounts, and suddenly this guy gets a Tesla and $1.6m home, say prosecutors
Tomi Engdahl says:
Fast-growing web of doorbell cams raises privacy fears
https://www.apnews.com/9371972bf7bf4f28949a6167a75b3c85
The woodsy community of Wolcott, Connecticut, doesn’t see a lot of crime. But when the police chief heard about an opportunity to distribute doorbell cameras to some homes, he didn’t hesitate.
The police who keep watch over the town of 16,000 raffled off free cameras in a partnership with the camera manufacturer. So far, the devices have encountered more bears than criminals, but Chief Ed Stephens is still a fan. “Anything that helps keep the town safe, I’m going to do it,” he said.