This posting is here to collect cyber security news in August 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
273 Comments
Tomi Engdahl says:
Cryptographic ICE Cube tests orbital cybersecurity protocols aboard the ISS
https://tcrn.ch/2SYaYar
Encryption in space can be tricky. Even if you do everything right, a cosmic ray might come along and flip a bit, sabotaging the whole secure protocol. So if you can’t radiation-harden the computer, what can you do? European Space Agency researchers are testing solutions right now in an experiment running on board the ISS.
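The failure mode described above, a single flipped bit breaking an otherwise correct secure protocol, is easy to reproduce on the ground. The following is an added example (it is not ESA's ICE Cube code, and the SECDED scheme it uses is one illustrative mitigation chosen here, not the solution ESA is testing): a constructed session key and telemetry frame are protected with an HMAC-SHA256 tag; one flipped bit in the stored frame makes the receiver reject the whole frame, while the same upset on a Hamming(7,4)+parity encoded copy is corrected before verification. `KEY`, `FRAME` and the bit position are constructed sample values.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed sample: a 16-byte "session key" and a short telemetry frame (assumption).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FRAME = b"ISS-ICE:temp=21.4C;volt=3.29V"


def tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the frame, standing in for any MAC or AEAD tag."""
    return hmac.new(key, data, hashlib.sha256).digest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a single-event upset: invert one bit of a buffer."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


# --- Hamming(7,4) with an overall parity bit (SECDED): one nibble per code byte ---
# Bit positions 1..7 are p1,p2,d1,p3,d2,d3,d4; position 8 is the parity of those seven.
def hamming_encode_nibble(n: int) -> int:
    d1, d2, d3, d4 = (n >> 3) & 1, (n >> 2) & 1, (n >> 1) & 1, n & 1
    p1 = d1 ^ d2 ^ d4          # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4          # covers positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4          # covers positions 4,5,6,7
    bits = [p1, p2, d1, p3, d2, d3, d4]
    bits.append(sum(bits) & 1)  # overall parity makes the 8-bit word even
    return sum(b << (7 - i) for i, b in enumerate(bits))


def hamming_decode_byte(code: int) -> Tuple[int, bool]:
    """Return (nibble, corrected). Corrects one flipped bit, refuses two."""
    bits = [(code >> (7 - i)) & 1 for i in range(8)]
    p1, p2, d1, p3, d2, d3, d4, _ = bits
    syndrome = (p1 ^ d1 ^ d2 ^ d4) | ((p2 ^ d1 ^ d3 ^ d4) << 1) | ((p3 ^ d2 ^ d3 ^ d4) << 2)
    parity_ok = (sum(bits) & 1) == 0
    corrected = False
    if syndrome and not parity_ok:      # single error inside positions 1..7: syndrome is its position
        bits[syndrome - 1] ^= 1
        corrected = True
    elif syndrome and parity_ok:        # two errors: detectable, not correctable
        raise ValueError("double-bit error detected, cannot correct")
    elif not syndrome and not parity_ok:  # only the parity bit itself flipped; data intact
        corrected = True
    _, _, d1, _, d2, d3, d4, _ = bits
    return (d1 << 3) | (d2 << 2) | (d3 << 1) | d4, corrected


def secded_encode(data: bytes) -> bytes:
    out = bytearray()
    for b in data:
        out.append(hamming_encode_nibble(b >> 4))
        out.append(hamming_encode_nibble(b & 0xF))
    return bytes(out)


def secded_decode(coded: bytes) -> Tuple[bytes, int]:
    """Return (data, number_of_corrections)."""
    out, corrections = bytearray(), 0
    for i in range(0, len(coded), 2):
        hi, c1 = hamming_decode_byte(coded[i])
        lo, c2 = hamming_decode_byte(coded[i + 1])
        out.append((hi << 4) | lo)
        corrections += int(c1) + int(c2)
    return bytes(out), corrections


def unprotected_after_upset(bit_index: int = 37) -> bool:
    """Does the receiver still accept the frame after one bit of the raw frame flips?"""
    expected = tag(KEY, FRAME)
    damaged = flip_bit(FRAME, bit_index)
    return hmac.compare_digest(tag(KEY, damaged), expected)   # False: whole frame rejected


def protected_after_upset(bit_index: int = 37) -> Tuple[bool, int]:
    """Same upset on the SECDED-encoded copy: decode corrects it, then the tag verifies."""
    expected = tag(KEY, FRAME)
    damaged = flip_bit(secded_encode(FRAME), bit_index)
    recovered, corrections = secded_decode(damaged)
    return hmac.compare_digest(tag(KEY, recovered), expected), corrections


def detects_double_upset() -> bool:
    """Two flips in one code byte are reported instead of silently mis-corrected."""
    damaged = flip_bit(flip_bit(secded_encode(FRAME), 0), 1)
    try:
        secded_decode(damaged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unprotected frame accepted:", unprotected_after_upset())
    print("SECDED frame accepted, corrections:", protected_after_upset())
    print("double upset detected:", detects_double_upset())
```

The MAC does exactly its job here: it cannot tell a cosmic-ray flip from tampering, so it rejects the frame either way. Error correction has to sit below the cryptography, on the stored key and ciphertext, and a second flip in the same word is still only detectable, which is why the page's experiment matters more than any single code.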
Tomi Engdahl says:
Urgent11 security flaws impact routers, printers, SCADA, and many IoT devices
Security updates are out, but patching will most likely take months, if not years.
https://www.zdnet.com/article/urgent11-security-flaws-impact-routers-printers-scada-and-many-iot-devices/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d3f2673ba8d0400013cb8f5&utm_medium=trueAnthem&utm_source=facebook
11 Zero Day Vulnerabilities Impacting VxWorks, the Most Widely Used Real-Time Operating System (RTOS)
https://armis.com/urgent11/
Tomi Engdahl says:
Facebook Plans on Backdooring WhatsApp
https://www.schneier.com/blog/archives/2019/08/facebook_plans_.html
This article points out that Facebook’s planned content moderation scheme will result in an encryption backdoor into WhatsApp:
The Encryption Debate Is Over – Dead At The Hands Of Facebook
https://www.forbes.com/sites/kalevleetaru/2019/07/26/the-encryption-debate-is-over-dead-at-the-hands-of-facebook/#2b7a8b405362
Kalev Leetaru, Contributor (Forbes, Jul 26, 2019)
The encryption debate was back in the news this week as Attorney General William Barr railed against “warrant-proof” encryption that he argued protects criminals and terrorists, continuing the same arguments that have been made for almost 30 years. As the cybersecurity community dismissed Barr’s demands
the encryption debate is already over – Facebook ended it earlier this year.
The ability of encryption to shield a user’s communications rests upon the assumption that the sender and recipient’s devices are themselves secure, with the encrypted channel the only weak point.
After all, if either user’s device is compromised, unbreakable encryption is of little relevance.
This is why surveillance operations typically focus on compromising end devices, bypassing the encryption debate entirely.
Historically, compromising end devices was an expensive and complex process, powered by a cat-and-mouse game with hardware manufacturers and software vendors
Facebook announced earlier this year preliminary results from its efforts to move a global mass surveillance infrastructure directly onto users’ devices where it can bypass the protections of end-to-end encryption.
In Facebook’s vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user’s device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.
Tomi Engdahl says:
Cisco Systems Inc has agreed to settle a whistleblower’s claim that it improperly sold video surveillance software with known vulnerabilities to U.S. federal and state governments, marking the first payout on a False Claims Act case brought over failure to meet cybersecurity standards.
https://thehackernews.com/2019/08/cisco-surveillance-technology.html
Tomi Engdahl says:
https://nakedsecurity.sophos.com/2019/08/01/five-eyes-nations-demand-access-to-encrypted-messaging/
An alliance of national intelligence partners known as the Five Eyes – Australia, Canada, New Zealand, the UK and the US – is demanding encryption backdoors in apps such as Facebook’s WhatsApp.
In a communique that reportedly came out of the meeting, the Five Eyes nations called for backdoors:
Tech companies should include mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.
Tomi Engdahl says:
Amazon says U.S. government demands for customer data went up
https://tcrn.ch/2Ka5XIT
Tomi Engdahl says:
Got a creative idea on how to visualize cyber conflict, hacking, and privacy? A new contest wants your submission. ‘There is a massive opportunity to improve the ways in which cybersecurity is communicated, taught, and visualized,’ says the contest’s sponsors.
https://www.openideo.com/challenge-briefs/cybersecurity-visuals
Tomi Engdahl says:
Apple suspends Siri response grading in response to privacy concerns
https://techcrunch.com/2019/08/01/apple-suspends-siri-response-grading-in-response-to-privacy-concerns/?tpcc=ECFB2019
In response to concerns raised by a Guardian story last week over how recordings of Siri queries are used for quality control, Apple is suspending the program world wide.
https://www.theguardian.com/technology/2019/jul/26/apple-contractors-regularly-hear-confidential-details-on-siri-recordings
Tomi Engdahl says:
Is privacy making something of a comeback? It really isn’t, according to this engineer.
An engineer explains why you’re an idiot to want privacy
https://www.zdnet.com/article/an-engineer-explains-why-youre-an-idiot-to-want-privacy/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d3e5363ba8d0400013cab99&utm_medium=trueAnthem&utm_source=facebook
Privacy Is An Illusion. Discuss.
Forget Privacy. Look To The Glorious Future.
Because he’s worked with big tech companies a lot, I asked him whether he thought they cared about privacy. He said no. Privacy is always far behind revenue in importance.
So is it a good thing if everybody can just know everything about everyone else?
“Personally, I think it would be a good thing, but that’s the idealist socialist in me. If there were no secrets, then there’s no leverage, and voilà, world peace,” George said, being humorous. (I think.)
The more we talked, the more it seemed George thinks you’re a fool if you expect — or even want — privacy. He’s even pleased with some of the ads he receives on the basis of Google’s intimate knowledge of his inner life
Is There Still A Line To Be Drawn?
For George, the loss of privacy is, in fact, business as usual
Tomi Engdahl says:
It’s 2019, and one third of businesses still have active Windows XP deployments
https://www.techrepublic.com/article/its-2019-and-one-third-of-businesses-still-have-active-windows-xp-deployments/?utm_source=fark&utm_medium=website&utm_content=link&ICID=ref_fark
As end of support for the still-popular Windows 7 draws near, risks of unpatched operating systems are likely to be a significant security concern in the near future.
Tomi Engdahl says:
https://nationandstate.com/2019/08/02/apple-suspends-program-that-records-users-having-sex-and-buying-drugs/
Tomi Engdahl says:
https://www.forbes.com/sites/zakdoffman/2019/08/01/social-media-warfare-new-military-cyber-unit-will-fight-russias-dark-arts/?utm_source=FACEBOOK&utm_medium=social&utm_term=Jennie/#6a656e6e696
Tomi Engdahl says:
Woman Charged As Hacker In Capital One Data Breach Exposing Over 100 Million Customers
https://www.npr.org/2019/07/30/746475401/woman-charged-as-hacker-of-capital-one-data-that-exposes-over-100-million-custom?utm_source=facebook.com&utm_medium=social&utm_campaign=morningedition&utm_term=nprnews&utm_content=20190730
Tomi Engdahl says:
Flaws allow attackers to bypass payment limits on Visa contactless cards
https://www.helpnetsecurity.com/2019/07/31/visa-contactless-cards-flaws/
The attack was tested with five major UK banks, successfully bypassing the UK contactless verification limit of £30 on all tested Visa cards, irrespective of the card terminal.
Tomi Engdahl says:
“The payment industry believes that contactless payments are protected by the safeguards they have put in place, but the fact is that contactless fraud is increasing,” said Tim Yunusov, Head of Banking Security for Positive Technologies.
“While it’s a relatively new type of fraud and might not be the number one priority for banks at the moment, if contactless verification limits can be easily bypassed, it means that we could see more damaging losses for banks and their customers.”
https://www.helpnetsecurity.com/2019/07/31/visa-contactless-cards-flaws/
Tomi Engdahl says:
Hong Kong Protesters Use Lasers to Block Facial Recognition Tech
https://futurism.com/the-byte/hong-kong-protesters-lasers-facial-recognition
Tomi Engdahl says:
Apple suspends program that let its employees listen to your Siri recordings
https://www.cnbc.com/2019/08/02/apple-suspends-program-that-let-employees-listen-to-siri-recordings.html
Google and Amazon also analyze recordings, but have better controls for users when it comes to seeing and deleting what they’ve spoken in the past.
Tomi Engdahl says:
https://www.schneier.com/blog/archives/2019/08/more_on_backdoo.html
Tomi Engdahl says:
Filecoder isn’t perfect malware but has the potential to become a serious threat.
This new Android ransomware infects you through SMS messages
https://www.zdnet.com/article/this-new-android-ransomware-infects-you-through-sms-messages/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d4093f5ba8d0400013ccea9&utm_medium=trueAnthem&utm_source=facebook
Tomi Engdahl says:
Matt Day / Bloomberg:
Amazon says it will let users opt out of human review of the voice recordings picked up by Alexa, following similar moves by Apple and Google — – Alexa reviewers transcribe, annotate some voice recordings — Apple, Google suspended human voice review programs this week
Amazon Gives Option to Disable Human Review of Alexa Recordings
https://www.bloomberg.com/news/articles/2019-08-02/amazon-gives-option-to-disable-human-review-of-alexa-recordings
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Google’s Project Zero says 95.8% of the 1,585 security flaws it reported since July 2014 were fixed before its 90-day deadline for a public disclosure
Google Project Zero: 95.8% of all bug reports are fixed before deadline expires
https://www.zdnet.com/article/google-project-zero-95-8-of-all-bug-reports-are-fixed-before-deadline-expires/
Google Project Zero: Disclosing technical bug reports and PoCs help defenders more than attackers.
Tomi Engdahl says:
There’s stupid and then there’s this article
GITHUB ‘ACTIVELY ENCOURAGES’ HACKING, SUIT FILED AGAINST COMPANY AFTER CAPITAL ONE HACK SAYS
https://www.newsweek.com/github-lawsuit-capital-one-hack-1452392
Lawfirm Tycko & Zavareei LLP has filed a class-action lawsuit against source-code hosting site GitHub for its link to a massive Capital One hack, alleging the company is guilty of negligence, negligence per se, violation of the federal Wiretap Act and violation of the California civil code. The suit also levies charges against Capital One.
Capital One announced earlier this week that it had suffered a hack that exposed the personal information of 106 million people
A federal complaint charging Paige Thompson, the alleged hacker, says that the exfiltration on Capital One information took place between March and April, when it was posted on GitHub. Capital One was notified on July 17 that its information had been published on GitHub.
information was posted online for months and alleges that the company violated state law to remove the information.
Tomi Engdahl says:
Everyone should be securing their data, whether or not they’re doing anything wrong or embarrassing. https://red.ht/31dAIm5
Tomi Engdahl says:
Amazon quietly adds ‘no human review’ option to Alexa settings as voice AIs face privacy scrutiny
https://tcrn.ch/2yClIBO
Tomi Engdahl says:
Norwegian F-35 Spy on Its Owner: Send Sensitive Data Back to USA
(Discussion on HN – http://bit.ly/2yG1zL7)
Tomi Engdahl says:
Capital One’s breach was inevitable, because we did nothing after Equifax
https://techcrunch.com/2019/07/29/capital-one-breach-was-inevitable/?tpcc=ECFB2019
Another day, another massive data breach.
This time it’s the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians.
The FBI already has a suspect in custody.
She’s been accused of stealing data by breaching a web application firewall, which was supposed to protect it.
Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a data breach it had — and hid from the public for several months — two years prior.
Why should we be surprised? Equifax faced zero fallout until its eventual fine.
Equifax got off lightly.
Legislatively, nothing has changed. Equifax remains as much of a “victim” in the eyes of the law as it was before
Capital One is likely to face largely the same rigmarole as Equifax did.
Blame the lawmakers all you want. They had their part to play in this. But fool us twice, shame on the credit companies for not properly taking action in the first place.
The companies continued on with the mentality that “it could happen to us, but probably won’t.” It was always going to happen again unless there was something to force the companies to act.
these breaches will continue so long as the companies continue to collect our data and not take their data security responsibilities seriously.
Tomi Engdahl says:
New SystemBC malware spotted in the wild helping other malware strains bypass firewalls, hide bad traffic.
https://www.zdnet.com/article/new-windows-malware-sets-up-proxies-on-your-pc-to-relay-malicious-traffic/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d43edb808fd96000181cd46&utm_medium=trueAnthem&utm_source=facebook
Tomi Engdahl says:
E3 organization leaks data for over 2,000 journalists and analysts
https://venturebeat.com/2019/08/02/e3-data-leak/
If you attended the Electronic Entertainment Expo trade show this year with a media badge, it’s possible that some of your sensitive data is now public.
list was accessible to anyone who clicked on a button on the ESA website, as first spotted by YouTube creator Sophia Narwitz. Since then, The ESA has removed the spreadsheet from its site. But it did not do that before other people were able to download it.
The Entertainment Software Association just doxxed over 2000 journalists and content creators
https://m.youtube.com/watch?v=aDflWZ1CbrA&t=69s
Tomi Engdahl says:
“End-to-end encrypted messaging is a genuine issue for law enforcement. As the world has shifted from…SMS and email messaging to ‘over the top’ IP platforms like WhatsApp…investigators have ‘gone dark,’ with no ability to access discussions.”
Read on:
https://www.forbes.com/sites/zakdoffman/2019/07/30/u-s-and-u-k-propose-forcing-whatsapp-and-others-to-include-encryption-backdoor/#76c09f3c628e
Tomi Engdahl says:
https://beta.washingtonpost.com/technology/2019/08/01/capital-one-hack-couldnt-have-come-worse-time-amazons-most-profitable-business/?outputType=amp
How the timing of the recent Capital One hacking incident may affect Amazon
Tomi Engdahl says:
“Any major breach involving a cloud provider is going to blow back on them, whether it’s at all their fault, and whether or not that’s fair,” said Brian Krebs, an investigative cybersecurity researcher and blogger who has written about the breach. These companies “just want to know how they can avoid falling into the same trap.”
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
Tomi Engdahl says:
Murfreesboro Water Department’s bill pay website hacked
https://www.newschannel5.com/news/murfreesboro-water-departments-bill-pay-website-hacked
Visitors there are greeted with an image of the Iranian flag with a Guy Fawkes mask next to it.
“Hacked By Iranian Hackers.” Below that reads, “Hacked By Mamad Warning.”
Tomi Engdahl says:
When Battlefield Surveillance Comes to Your Town
https://www.wsj.com/articles/when-battlefield-surveillance-comes-to-your-town-11564805394?fbclid=IwAR2qMP44s0cyMw7J-UkC0mWSuDNmkzRPuSdEKgJXwlfIKssB9yTi9dT5R1Y
All-seeing 24/7 video surveillance technology, first developed for use in war, is now affordable enough to be used domestically to fight crime and terrorism. Some lawmakers are wary.
Tomi Engdahl says:
New Dragonblood vulnerabilities found in WiFi WPA3 standard
https://www.zdnet.com/article/new-dragonblood-vulnerabilities-found-in-wifi-wpa3-standard/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5d455b5708fd96000181e319&utm_medium=trueAnthem&utm_source=facebook
Two new Dragonblood bugs allow attackers to recover passwords from WPA3 WiFi networks
Earlier this year in April, two security researchers disclosed details about five vulnerabilities (collectively known as Dragonblood)
Yesterday, the same security researchers disclosed two new additional bugs impacting the same standard.
allow attackers to leak information from WPA3 cryptographic operations and brute-force a WiFi network’s password.
https://wpa3.mathyvanhoef.com/#new
Tomi Engdahl says:
On the Amazon panopticon
https://tcrn.ch/31fB63n
Last year, “Amazon employees met with ICE officials … to market the company’s facial recognition technology,” the ACLU informs us. Amazon VP Brad Huseman later said “We believe the government should have the best available technology.” Then, last month, Motherboard revealed Amazon has partnered with police departments
Amazon shareholders, tech employees, warehouse employees, and customers are all protesting this marketing of Rekognition to ICE, as well as the services provided by Amazon to infamous Palantir. More than 500 Amazon tech employees, in particular, have signed a letter of protest
Tomi Engdahl says:
E3 2019 Leaked Data Of Thousands Of Journalists Due To A Website Flaw
https://latesthackingnews.com/2019/08/05/e3-2019-leaked-data-of-thousands-of-journalists-due-to-a-website-flaw/
The organization behind the E3 2019 leaked data of thousands of registered media personnel due to a website flaw.
a major security flaw that led to a data breach.
Tomi Engdahl says:
Microsoft Invites Researchers to Hack Their Azure Security Lab
https://www.bleepingcomputer.com/news/security/microsoft-invites-researchers-to-hack-their-azure-security-lab/
Microsoft launched today the Azure Security Lab, a sandbox-like environment designed to enable security professionals to test Azure security without actually endangering the company’s customers.
Tomi Engdahl says:
A Multimillionaire Surveillance Dealer Steps Out Of The Shadows . . . And His $9 Million WhatsApp Hacking Van
https://www.forbes.com/sites/thomasbrewster/2019/08/05/a-multimillionaire-surveillance-dealer-steps-out-of-the-shadows-and-his-9-million-whatsapp-hacking-van/
It’s a converted GMC ambulance, pimped out with millions of dollars of surveillance kit, antennas on top reaching out to learn what it can from any smartphone within a 1-kilometer radius and, at the click of a button, empty them of all the content within. WhatsApp messages, Facebook chats, texts, calls, contacts? Everything? “Exactly,” says Dilian, a 24-year Israeli intelligence veteran and multimillionaire spy-tech dealer, though he doesn’t look it
His van, which costs between $3.5 million and $9 million, depending on how much spy tech the customer desires, is the A-Team truck spliced with a Bond car.
He forces the mock target’s Huawei phone to connect to his Wi-Fi hub, and from there he hacks into the device, silently installing surveillance software. No clicks required from the victim. Inside the vehicle, seconds after they’re sent, WhatsApp messages from the device appear on a monitor in front of Dilian.
His van offers a cornucopia of spyware tools that Dilian is offering as part of his new enterprise: Intellexa. It’s a one-stop-shop, cyber arsenal for cops in the field. Alongside Android hacking tools, there’s tech that can recognize your face wherever you travel, listen in on your calls, and locate all the phones in an entire country within minutes, Dilian boasts. Every 15 minutes, he can know where you are, he says.
Tomi Engdahl says:
WIFI HACKING
Crack WEP/WPA/WPA2 Password Without Dictionary/Bruteforce NEW METHOD: Fluxion
https://null-byte.wonderhowto.com/forum/wifi-hacking-crack-wep-wpa-wpa2-password-without-dictionary-bruteforce-new-methode-fluxion-0174280/
Tomi Engdahl says:
Analysing WPA3’s Dragonfly Handshake
https://wpa3.mathyvanhoef.com/#new
Tomi Engdahl says:
New Dragonblood vulnerabilities found in WiFi WPA3 standard
Two new Dragonblood bugs allow attackers to recover passwords from WPA3 WiFi networks
https://www.zdnet.com/article/new-dragonblood-vulnerabilities-found-in-wifi-wpa3-standard/
Tomi Engdahl says:
AT&T employees took bribes to plant malware on the company’s network
https://www.zdnet.com/article/at-t-employees-took-bribes-to-plant-malware-on-the-companys-network/
DOJ charges Pakistani man with bribing AT&T employees more than $1 million to install malware on the company’s network, unlock more than 2 million devices.
The bribery scheme lasted from at least April 2012 until September 2017.
AT&T estimated it lost revenue of more than $5 million/year from Fahd’s phone unlocking scheme.
Tomi Engdahl says:
https://www.securityweek.com/recovering-wi-fi-password-dragonblood-attack-costs-1-computing-power
Tomi Engdahl says:
https://www.venafi.com/blog/overheard-press-encryption-backdoor-debate
Tomi Engdahl says:
https://www.linkscommunications.com/2018/07/10/lte-networks-may-be-vulnerable-to-hacking/
Tomi Engdahl says:
https://www.technologyreview.com/f/614062/russian-hackers-fancy-bear-strontium-infiltrate-iot-networks-microsoft-report/
A group of hackers linked to Russian spy agencies is using “internet of things” devices like internet-connected phones and printers to break into corporate networks, Microsoft announced on Monday.
In multiple cases, Microsoft saw Fancy Bear get access to targeted networks because the IoT devices were deployed with default passwords. In another case, the latest security update was not applied. Using those devices as a starting point, the hackers established a beachhead and looked for further access.
Tomi Engdahl says:
With warshipping, hackers ship their exploits directly to their target’s mail room
https://techcrunch.com/2019/08/06/warshipping-hackers-ship-exploits-mail-room/?tpcc=ECFB2019
Why break into a company’s network when you can just walk right in — literally?
Just drop your exploit in the mail and let your friendly postal worker deliver it to your target’s door.
This newly named technique — dubbed “warshipping” — is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy
“It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal’s location,” wrote Charles Henderson, who heads up the IBM offensive operations unit.
The researchers built a proof-of-concept device, the warship, about the size of a small phone, put it in a package and dropped it off in the mail. The device, which cost about $100 to build, was equipped with a 3G-enabled modem, allowing it to be remote controlled so long as it had cell service.
Tomi Engdahl says:
https://www.technologyreview.com/f/613660/hackers-have-stolen-photos-of-travelers-taken-by-the-us-border-agency/?utm_medium=tr_social&utm_campaign=site_visitor.unpaid.engagement&utm_source=Facebook#Echobox=1565110172
Tomi Engdahl says:
Microsoft catches Russian state hackers using IoT devices to breach networks
Fancy Bear servers are communicating with compromised devices inside corporate networks
https://arstechnica.com/information-technology/2019/08/microsoft-catches-russian-state-hackers-using-iot-devices-to-breach-networks/
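The two reports above (the Technology Review and Ars Technica comments on Microsoft's Fancy Bear findings) describe the same pattern: an IoT device with a default password starts talking to an attacker's server and then looks for further access inside the network. Both behaviours are visible in flow logs. The following is an added detection example, not Microsoft's code or indicators: it parses constructed flow records, flags IoT-segment hosts that reach external destinations outside an allowlist (and whether those hits are evenly spaced, as beaconing is), and flags IoT hosts touching internal hosts on ports a printer or phone has no business using. The segment, allowlists, addresses and log format are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed network facts (assumptions): the IoT VLAN, what counts as internal,
# and the few destinations a printer or VoIP phone legitimately talks to.
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}   # e.g. the vendor's firmware host
ALLOWED_INTERNAL_PORTS = {53, 123, 514, 5060}               # DNS, NTP, syslog, SIP

# Constructed flow records: "timestamp,src,dst,dport,bytes" (not real telemetry).
SAMPLE_FLOWS = """\
2019-08-05T10:00:01,10.50.0.21,10.0.0.5,53,120
2019-08-05T10:00:02,10.50.0.21,203.0.113.10,443,4096
2019-08-05T10:00:05,10.50.0.37,198.51.100.77,443,900
2019-08-05T10:05:05,10.50.0.37,198.51.100.77,443,910
2019-08-05T10:10:05,10.50.0.37,198.51.100.77,443,905
2019-08-05T10:11:00,10.50.0.37,10.20.1.15,445,2048
2019-08-05T10:11:01,10.50.0.37,10.20.1.16,445,2048
2019-08-05T10:11:02,10.50.0.37,10.20.1.17,22,600
2019-08-05T10:12:00,10.20.1.99,198.51.100.77,443,700
"""


def parse_flows(text: str) -> List[dict]:
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL)


def external_beacons(flows: List[dict]) -> Dict[Tuple[str, str], dict]:
    """IoT hosts reaching external destinations that are not allowlisted.
    Reports the hit count and whether the hits are evenly spaced (beacon-like)."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["src"] in IOT_SEGMENT and not is_internal(f["dst"]) and f["dst"] not in ALLOWED_EXTERNAL:
            by_pair[(str(f["src"]), str(f["dst"]))].append(f["ts"])
    report = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= 5.0   # jitter tolerance: 5 s
        report[pair] = {"hits": len(stamps), "periodic": periodic}
    return report


def lateral_probes(flows: List[dict]) -> List[Tuple[str, str, int]]:
    """IoT hosts contacting internal hosts outside their own segment on unexpected ports."""
    hits = []
    for f in flows:
        if (f["src"] in IOT_SEGMENT and is_internal(f["dst"]) and f["dst"] not in IOT_SEGMENT
                and f["dport"] not in ALLOWED_INTERNAL_PORTS):
            hits.append((str(f["src"]), str(f["dst"]), f["dport"]))
    return hits


def analyse(text: str = SAMPLE_FLOWS) -> dict:
    flows = parse_flows(text)
    return {"beacons": external_beacons(flows), "lateral": lateral_probes(flows)}


if __name__ == "__main__":
    for kind, result in analyse().items():
        print(kind, result)
```

On the sample data the printer at 10.50.0.37 is reported twice: a periodic 443 connection to an unknown external host every five minutes, and SMB and SSH attempts against hosts in another VLAN a minute later. The workstation at 10.20.1.99 talking to the same external host is deliberately ignored here; a real pipeline would pivot on that destination next. The allowlist is the part that needs care, since an IoT segment with a permissive egress policy gives this check nothing to work with.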
Tomi Engdahl says:
Revealed: Microsoft Contractors Are Listening to Some Skype Calls
https://www.vice.com/en_us/article/xweqbq/microsoft-contractors-listen-to-skype-calls
Documents, screenshots, and audio obtained by Motherboard show that humans listen to Skype calls made using the app’s translation function.