Cyber security news August 2019

This posting is here to collect cyber security news in August 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.



  1. Tomi Engdahl says:

    With warshipping, hackers ship their exploits directly to their target’s mail room

    Just drop your exploit in the mail and let your friendly postal worker deliver it to your target’s door.

    This newly named technique — dubbed “warshipping” — is not a new concept. Just think of the traditional Trojan horse rolling into the city of Troy.

    “It uses disposable, low cost and low power computers to remotely perform close-proximity attacks, regardless of the cyber criminal’s location,” wrote Charles Henderson, who heads up the IBM offensive operations unit.

  2. Tomi Engdahl says:

    Microsoft catches Russian state hackers using IoT devices to breach networks
    Fancy Bear servers are communicating with compromised devices inside corporate networks

  3. Tomi Engdahl says:

    Sites using Facebook ‘Like’ button liable for data, EU court rules

    Europe’s top court ruled Monday (30 July) that companies that embed Facebook’s “Like” button on their websites must seek users’ consent to transfer their personal data to the US social network, in line with the bloc’s data privacy laws

    According to the European Court of Justice ruling, a site that embeds the Facebook “like” icon and link on its pages also sends user data to the US web giant.

  4. Tomi Engdahl says:

    Hackers Inject Multi-Gateway Card Skimmer via Fake Google Domains

    Attackers are using fake Google domains spoofed with the help of internationalized domain names (IDNs) to host and load a Magecart credit card skimmer script with support for multiple payment gateways.

  5. Tomi Engdahl says:

    All big phones’ security at risk… #oneplus #blackshark #oppo #redmi #nokia8 #redmi #snapdragon #googlepixel #nubia #asus #realme

    Security warning for the users of these 34 Android smartphones

    Qualcomm has said that a bug (code name: CVE-2019-10540) may have impacted more than a few of its popular chipsets like Snapdragon 855, 845, 730, 710, 675.

  6. Tomi Engdahl says:

    Severe local 0-Day escalation exploit found in Steam Client Services
    This trivially-exploited security vulnerability allows any user root—er, LOCALSYSTEM—privileges.

    Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam. The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.

    The vulnerability lies within Steam Client Service.

    It’s possible to pass arguments to services that run under extremely privileged accounts—such as msiserver, the Windows Installer service.

    A genuinely malicious user might use this procedure to directly pop a locally or remotely accessible shell with LOCALSYSTEM privileges, after which they can do whatever they like with no further tricks necessary.

    With this second rejection, Vasily decided there was no further recourse but public disclosure, and he informed HackerOne that he would disclose after July 30.

  7. Tomi Engdahl says:


    LATE ONE NIGHT last September, security researcher Ruben Santamarta sat in his home office

    He was surprised to discover a fully unprotected server on Boeing’s network, seemingly full of code designed to run on the company’s giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see.

    Now, nearly a year later, Santamarta claims that leaked code has led him to something unprecedented: security flaws in one of the 787 Dreamliner’s components, deep in the plane’s multi-tiered network.

    Boeing flatly denies that such an attack is possible, and it rejects his claim of having discovered a potential path to pull it off.

    multiple serious security flaws in the code for a component of the 787 known as a Crew Information Service/Maintenance System

    Santamarta says, from the in-flight entertainment system to the CIS/MS to send commands to far more sensitive components that control the plane’s safety-critical systems, including its engine, brakes, and sensors.

  8. Tomi Engdahl says:

    Instagram ad partner secretly sucked up and tracked millions of users’ locations and stories

    Hyp3r, an apparently trusted marketing partner of Facebook and Instagram, has been secretly collecting and storing location and other data on millions of users, against the policies of the social networks, Business Insider reported today. It’s hard to see how it could do this for years without intervention by the platforms except if the latter were either ignorant or complicit.

  9. Tomi Engdahl says:

    If you are somehow under the impression that you — the customer — are in control over the security, privacy and integrity of your mobile phone service, think again. And you’d be forgiven if you assumed the major wireless carriers or federal regulators had their hands firmly on the wheel.

  10. Tomi Engdahl says:

    Hackers have crafted malware that’s designed to kill people. Here’s what we know about it.

    Triton is the world’s most murderous malware, and it’s spreading

    The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.

  11. Tomi Engdahl says:

    “Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple’s Siri, Amazon’s Alexa and Google’s Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online — simply with music playing over the radio.”

  12. Tomi Engdahl says:

    The Fully Remote Attack Surface of the iPhone

    There are several attack surfaces of the iPhone that have these qualities, including SMS, MMS, VVM, Email and iMessage.

  13. Tomi Engdahl says:

    Corporate Surveillance in Everyday Life

    Report: How thousands of companies monitor, analyze, and influence the lives of billions. Who are the main players in today’s digital tracking?

  14. Tomi Engdahl says:

    Flawed office printers are a silent but serious target for hackers

    The latest research by the NCC Group just revealed at the Def Con security conference shows just how easy of a target office printers can be.

    Think about it: Office printers at some of the largest organizations in finance, government and tech all print corporate secrets — and classified material — and often keep a recorded copy in their memory.

  15. Tomi Engdahl says:

    FBI tells lawmakers it can’t access Dayton gunman’s phone

    Top FBI officials informed congressional lawmakers this week that they have been unable to access the smartphone of the suspected gunman in the Dayton, Ohio, mass shooting, two sources told The Hill.

    The Trump administration has criticized tech companies’ ability to fully encrypt communications. Attorney General William Barr said in a speech last month that encrypted messaging services allow “criminals to operate with impunity.”

    The cost of encryption is “ultimately measured in a mounting number of victims — men, women and children who are the victims of crimes, crimes that could have been prevented if law enforcement had been given lawful access to encrypted evidence,” Barr said during a speech at a cybersecurity conference.

  16. Tomi Engdahl says:

    A series of critical vulnerabilities have been discovered in Qualcomm chipsets that could allow hackers to compromise Android devices remotely just by sending malicious packets over-the-air with no user interaction.

    The vulnerabilities, collectively known as QualPwn, reside in the WLAN and modem firmware of Qualcomm chipsets that power hundreds of millions of Android smartphones and tablets.

    “One of the vulnerabilities allows attackers to compromise the WLAN and Modem over-the-air. The other allows attackers to compromise the Android Kernel from the WLAN chip. The full exploit chain allows attackers to compromise the Android Kernel over-the-air in some circumstances,” researchers said in a blog post.

    Once compromised, the kernel gives attackers full system access.

    Though Tencent researchers tested their QualPwn attacks against Google Pixel 2 and Pixel 3 devices that are running on Qualcomm Snapdragon 835 and Snapdragon 845 chips, the vulnerabilities impact many other chipsets.

    Google just yesterday released security patches for these vulnerabilities as part of its Android Security Bulletin for August 2019. So, you are advised to download the security patches as soon as they are available.

  17. Tomi Engdahl says:

    Apple locks new iPhone batteries to prevent third-party repair, report says
    It’s yet another change that keeps iPhone owners inside Apple’s ecosystem.

  18. Tomi Engdahl says:

    New Windows hack warning: Patch Intel systems now to block SWAPGSAttack exploits

    Researchers detail hardware vulnerability that bypasses mitigations against Spectre and Meltdown CPU vulnerabilities on Windows systems – and impacts all systems using Intel processors manufactured since 2012.

    A newly uncovered vulnerability affecting every Windows computer using an Intel processor built since 2012 could allow attackers to bypass safeguards and access information held in a system’s protected kernel memory.

  19. Tomi Engdahl says:

    Serious vulnerabilities in #WhatsApp, disclosed in 2018, can still be exploited in several attacks to manipulate chats.

  20. Tomi Engdahl says:

    Leo Kelion / BBC:
    Researcher says one in four UK- and US-based companies contacted to test a GDPR “right of access” request made in someone else’s name revealed personal data

    Black Hat: GDPR privacy law exploited to reveal personal data

    About one in four companies revealed personal information to a woman’s partner, who had made a bogus demand for the data by citing an EU privacy law.

    The security expert contacted dozens of UK and US-based firms to test how they would handle a “right of access” request made in someone else’s name.

    It is one of the first tests of its kind to exploit the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

    “Generally if it was an extremely large company – especially tech ones – they tended to do really well,” he told the BBC.

    “Small companies tended to ignore me.

    “But the kind of mid-sized businesses that knew about GDPR, but maybe didn’t have much of a specialised process [to handle requests], failed.”

  21. Tomi Engdahl says:

    It appears the Trump administration is drafting an executive order that has the potential to radically change how the content posted on social networks are governed, stripping crucial protections from tech companies and inserting much more government oversight. This is being done under the guise of a popular political talking point claiming that social media networks are censoring conservatives.

  22. Tomi Engdahl says:

    How Reverse Engineering (and Cyber-Criminals’ Mistakes) Can Help You When You’ve Been a Ransomware Victim

  23. Tomi Engdahl says:

    I Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets
    Avoiding digital snoops takes more than throwing money at the problem, but that part can be really fun.

    As the spy gear piles up on my desk, my 10-year-old son asks me what my mission is. “I’m hiding,” I whisper, pointing in the direction I think is north, which is something I should probably know as a spy. “From Silicon Valley.”

    It isn’t going to be easy. I use Google, Facebook, Amazon, Lyft, Uber, Netflix, Hulu, and Spotify. I have two Amazon Echos, a Google Home, an iPhone, a MacBook Air, a Nest thermostat, a Fitbit, and a Roku. I shared the secrets of my genetic makeup by spitting in one vial for 23andMe, another for an ancestry site affiliated with National Geographic, and a third to test my athletic potential.

  24. Tomi Engdahl says:

    How safe are school records? Not very, says student security researcher

    If you can’t trust your bank, government or your medical provider to protect your data, what makes you think students are any safer?

    Among the more damaging issues Demirkapi found in Follett’s student information system was an improper access control vulnerability, which if exploited could have allowed an attacker to read and write to the central Aspen database and obtain any student’s data.

  25. Tomi Engdahl says:

    How tech is transforming the intelligence industry
    Technology and the future of spying

  26. Tomi Engdahl says:

    What a security researcher learned from monitoring traffic at Defcon

    He spent thousands on a data-collecting monstrosity to figure out why people considered the security conference’s network dangerous.

    36-year-old security researcher saw me too. Or at least my network traffic. Because the hardware on Spicer’s back was a surveillance tool nicknamed the “Wi-Fi Cactus.”

    The Wi-Fi Cactus, which Spicer wears like a backpack, is made up of 25 Hak5 Pineapples, devices made to monitor, intercept and manipulate network traffic.

  27. Tomi Engdahl says:

    Teen Security Researcher Suspended for Exposing Vulnerabilities in His School’s Software

    Another vulnerability that Bill Demirkapi found impacted 5,000 schools.

  28. Tomi Engdahl says:


    “I can dial into an elevator phone, listen in on private conversations, reprogram the phone

    As a result, he or any other similarly equipped phreaker could change the number the phone calls when someone in the elevator presses the “help” or “call” button. Instead of dialing emergency responders, a reprogrammed phone can be set to call the phreaker’s cell phone, or a pizza delivery place, or a number that plays a recording of Rick Astley’s “Never Gonna Give You Up.” Or a phreaker can reprogram the phone to change its location ID

  29. Tomi Engdahl says:

    Clever attack uses SQLite databases to hack other apps, malware servers

    Tainted SQLite database can run malicious code inside other apps, such as web apps or Apple’s iMessage.

    SQLite databases can be modified in such a way that they execute malicious code inside other apps that rely on them to store data, security researchers have revealed.

    When the third-party app, such as iMessage, reads the tainted SQLite database, it also inadvertently executes the hidden code.

    For example, browsers store user data and passwords inside SQLite databases. Info-stealers — a class of malware — are specifically designed for stealing these SQLite user data files and uploading the files to a remote command-and-control (C&C) server.

    These C&C servers are usually coded in PHP and work by parsing the SQLite files to extract the user’s browser data so they can show it inside the malware’s web-based control panel.

  30. Tomi Engdahl says:

    Warning Issued For Apple’s 1.4 Billion iPad And iPhone Users

    Apple is having a bad week. Just days after Face ID was hacked and the company’s “user-hostile” iPhone battery practices were exposed, an extraordinary story of Apple neglect has resulted in a warning every iPhone and iPad user needs to know about.

    Picked up by AppleInsider, security firm Check Point has revealed it has found a way to hack every iPhone and iPad running iOS 8 right up to betas of iOS 13.

    The Contacts app built into iOS can be exploited using the industry-standard SQLite database so that any search of Contacts can trick the device into running malicious code capable of stealing user data and passwords.

    In short: Apple got sloppy. As AppleInsider explains: “the bug has been considered unimportant because it was believed it could only be triggered by an unknown application accessing the database, and in a closed system like iOS, there are no unknown apps.

  31. Tomi Engdahl says:

    On Thursday at Black Hat USA in Las Vegas, Nevada, McAfee researchers revealed the existence of the security flaw in a desk phone developed by Avaya, a VOIP solution provider and vendor for business desk phones.

    They found a severe remote code execution (RCE) vulnerability present in an open-source component within the phone’s firmware.

    Decade-old remote code execution bug found in phones used by Fortune 500
    The firmware vulnerability lurked undetected for ten years.

  32. Tomi Engdahl says:

    China’s cyber-spies make money on the side by hacking video games

    Just because you’re a world-class Chinese government hacker busy conducting espionage against geopolitical adversaries doesn’t mean you can’t make a little extra money on the side.

  33. Tomi Engdahl says:

    3fun: Security glitch in threesome hook-up app reveals details of users in Downing Street and White House

    ‘Worst security of any dating app we’ve ever seen,’ say experts

    The app, 3fun, revealed users with locations appearing to be in No 10 in London, and the White House and the US Supreme Court in Washington DC, according to a report on cyber security firm Pen Test Partners’ website.

    Furthermore, private photographs were accessible too.

    Users of the app could restrict the app from showing their locations, but according to Pen Test Partners, the data was only filtered on the mobile app itself, not on the servers containing the data, which their experts were able to query to reveal location information.

  34. Tomi Engdahl says:

    Patrick Howell O’Neill / MIT Technology Review:
    FireEye: Chinese state-backed hacker group APT41 hacks video-game companies and sells virtual game currencies on the dark web as a side hustle

  35. Tomi Engdahl says:

    Patrick Howell O’Neill / MIT Technology Review:
    FireEye: Chinese state-backed hacker group APT41 hacks video-game companies and sells virtual game currencies on the dark web as a side hustle

    China’s cyber-spies make money on the side by hacking video games

  36. Tomi Engdahl says:

    Don’t Just Delete Facebook, Poison Your Data First

    If you’re savvy with code, you can employ a script that repeatedly alters your Facebook posts with nonsense, making it more difficult for the social media site to collect user data.

  37. Tomi Engdahl says:

    Researchers hacked a Canon DSLR with ransomware demanding Bitcoin
    The camera’s firmware has since been patched

    A group of security researchers have managed to exploit vulnerabilities in a Canon EOS 80D digital camera to hold its owner’s photos to a Bitcoin ransom, The Inquirer reports.

    Security boffins find that Canon DSLR cameras are vulnerable to ransomware
    Ransom, where!?

  38. Tomi Engdahl says:

    Google Warning: Tens Of Millions Of Android Phones Come Preloaded With Dangerous Malware

    Google’s Maddie Stone, a security researcher with the company’s Project Zero, shared her team’s findings at Black Hat on Thursday. “If malware or security issues come as preinstalled apps,” she warned, “then the damage it can do is greater, and that’s why we need so much reviewing, auditing and analysis.”

    Of particular concern were two particularly virulent malware campaigns: Chamois and Triada. Chamois generates various flavors of ad fraud, installs background apps, downloads plugins and can even send premium rate text messages. Chamois alone was found to have come installed on 7.4 million devices. Triada is an older variant of malware, one that also displays ads and installs apps.

