Cyber security news November 2019

This posting is here to collect cyber security news in November 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.


37 Comments

  1. Tomi Engdahl says:

    New Google Chrome Security Alert: Update Your Browsers As ‘High Severity’ Zero-Day Exploit Confirmed
    https://www.forbes.com/sites/daveywinder/2019/11/01/new-google-chrome-security-alert-update-your-browsers-as-high-severity-zero-day-exploit-confirmed/

    The October 31 disclosure from Google confirmed that the “stable channel” desktop Chrome browser is being updated to version 78.0.3904.87 across the Windows, Mac, and Linux platforms. This urgent update will start rolling out “over the coming days/weeks,” according to Google. Unlike recent Windows 10 security alerts advising not to install an update, Chrome users should ensure they do install this one.

  2. Tomi Engdahl says:

    [Alert] ClamAV 0Day Exploit Dropped itw by Unknown

    0Day PrivEsc. in Clam AntiVirus, an open-source antivirus engine for Linux based systems. Exploit dropped in the wild.

    https://pastebin.com/cfP7X89m

    Note:- PoC only works when JIT is enabled and ClamAV is compiled with it from v0.97.0 to 0.100.2. The bug is also present in 0.102.0 latest.

  3. Tomi Engdahl says:

    Chinese users attack Notepad++ app after ‘Free Uyghur’ release
    https://www.zdnet.com/article/chinese-users-attack-notepad-app-after-free-uyghur-release/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5dba32458021ed000132c72b&utm_medium=trueAnthem&utm_source=facebook

    Notepad++’s GitHub issue tracker flooded with pro-Chinese and anti-western messages. Anti-Chinese activists are fighting back with their own spam and attacks on the Beijing regime.

  4. Tomi Engdahl says:

    DNS-over-HTTPS Is The Wrong Partial Solution
    https://hackaday.com/2019/10/21/dns-over-https-is-the-wrong-partial-solution/

    The idea of also encrypting DNS requests isn’t exactly new, with the first attempts starting in the early 2000s, in the form of DNSCrypt, DNS over TLS (DoT), and others. Mozilla, Google, and a few other large internet companies are pushing a new method to encrypt DNS requests: DNS over HTTPS (DoH).

    DoH not only encrypts the DNS request, but it also serves it to a “normal” web server rather than a DNS server, making the DNS request traffic essentially indistinguishable from normal HTTPS.

    And in comparison to DoT, DoH centralizes information about your browsing in a few companies: at the moment Cloudflare, who says they will throw your data away within 24 hours, and Google, who seems intent on retaining and monetizing every detail about everything you’ve ever thought about doing.

  5. Tomi Engdahl says:

    New PHP7 bug CVE-2019-11043 can allow even non-technical attackers to take over servers.

    Nasty PHP7 remote code execution bug exploited in the wild

    https://www.zdnet.com/article/nasty-php7-remote-code-execution-bug-exploited-in-the-wild/?ftag=COS-05-10aaa0h&utm_campaign=trueAnthem%3A+Trending+Content&utm_content=5db4ec698021ed0001327898&utm_medium=trueAnthem&utm_source=facebook

    New PHP7 bug CVE-2019-11043 can allow even non-technical attackers to take over servers.

    Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week.

    ONLY NGINX SERVERS AFFECTED
    Fortunately, not all PHP-capable web servers are impacted. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager

  6. Tomi Engdahl says:

    NordVPN users’ passwords used in credential-stuffing attacks

    Ars Technica: NordVPN had a second wave of headlines this week after its breach last month. This time, a number of users’ credentials have been found in several Pastebin posts used in credential stuffing attacks.

    [https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/](https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/)

  7. Tomi Engdahl says:

    Microsoft Users Hit with Phishing Kits Hosted on Thousands of Domains
    https://www.bleepingcomputer.com/news/security/microsoft-users-hit-with-phishing-kits-hosted-on-thousands-of-domains/

    Microsoft’s users were the most targeted by phishing campaigns among the top targeted brands with attackers using thousands of domains specifically registered to be used for harvesting credentials from their targets.

    6,035 domains were used to host 120 phishing kit variants according to Akamai’s 2019 State of the Internet / Security Report

    Overall, Microsoft, PayPal, DHL, Dropbox, DocuSign, and LinkedIn were the top targets for phishers throughout this year in the attacks Akamai’s researchers detected.

  8. Tomi Engdahl says:

    Sites are using Audio Fingerprinting (no permissions needed) to track users.

    Fingerprinting is a way of identifying users based on one or more set of unique device characteristics. Along with Canvas fingerprinting, Audio fingerprinting takes advantage of device performance specs to build up an identifying fingerprint of a user. The problem is it does not need to take any permission from the users and works on all browsers and can be used to track users across browsers.

    Demonstration (test your own audio fingerprint): [https://audiofingerprint.openwpm.com](https://audiofingerprint.openwpm.com/)

  9. Tomi Engdahl says:

    Researchers hack Siri, Alexa, and Google Home by shining lasers at them
    MEMS mics respond to light as if it were sound. No one knows precisely why.
    https://arstechnica.com/information-technology/2019/11/researchers-hack-siri-alexa-and-google-home-by-shining-lasers-at-them/

    Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible—and sometimes invisible—commands into the devices and surreptitiously cause them to unlock doors, visit websites, and locate, unlock, and start vehicles, researchers report in a research paper published on Monday. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones.

    Shining a low-powered laser into these voice-activated systems allows attackers to inject commands of their choice from as far away as 360 feet (110m). Because voice-controlled systems often don’t require users to authenticate themselves, the attack can frequently be carried out without the need of a password or PIN.

  10. Tomi Engdahl says:

    Hackers Claim ‘Any’ Smartphone Fingerprint Lock Can Be Broken In 20 Minutes
    https://www.forbes.com/sites/daveywinder/2019/11/02/smartphone-security-alert-as-hackers-claim-any-fingerprint-lock-broken-in-20-minutes/amp

    Chinese hackers have demonstrated how, they say, any fingerprint scanner can be beaten using equipment costing $140 (£108) and an app that analyzes a photograph of your print.

    The hackers work as part of the X-Lab security research team at a Chinese company called Tencent. They demonstrated their fingerprint hacking methodology at the GeekPwn 2019 conference in Shanghai.

  11. Tomi Engdahl says:

    Despite the warnings, they were running Windows 95, and what was expected happened: the virus rolled over the Berlin Court of Appeal, which will not be back up until 2020.

    The Berlin Court of Appeal was hit by a devastating virus attack. As a result, the court had to disconnect all its computers. The virus bit hard and destroyed decades' worth of files.

    Experts had already demanded the abolition of the program based on the Windows 95 operating system in 2017. The report prepared by the consulting firm “Accenture Operations” notes under the keyword “risks”: “Unsupported software and operating systems are a serious security risk.” The conclusion of the investigation continues: “Please do not wait any longer! Budget and support a comprehensive transformation program.”

    https://www.tagesspiegel.de/berlin/experten-warnten-schon-2017-it-katastrophe-am-berliner-kammergericht-kam-mit-ansage/25163810.html
    https://www.tivi.fi/uutiset/varoituksista-huolimatta-kaytossa-windows-95-ja-nainhan-siina-sitten-kavi-virus-jyrasi-berliinin-hovioikeuden-paasee-pystyyn-vasta-2020/d97c5ef8-5251-40ab-8b8a-517f0a19883d

  12. Tomi Engdahl says:

    Emotion recognition was the crime prevention buzz-phrase at China’s largest surveillance tech expo held in Shenzhen, according to Financial Times correspondent Sue-Lin Wong.

    https://m.9gag.com/gag/aj59y8R?ref=fb.s
    https://www.ft.com/content/68155560-fbd1-11e9-a354-36acbbb0d9b6

  13. Tomi Engdahl says:

    Hackers could control Alexa with a cheap laser. The only real defense is to keep your devices out of sight of your windows

    Amazon Alexa Can Be Hacked By A Laser From 100 Meters — Is It Time To Hide Your Echo?
    http://on.forbes.com/61881z86g

    Amazon Alexa—as well as home devices from Google and Apple—can be tricked into carrying out actions with a laser pointed at their microphones.

  14. Tomi Engdahl says:

    “Encryption is not a technology that can be bypassed sometimes. It either works or it doesn’t. Saying that there should be a way to weaken it for only specific people in specific situations is a lot like saying, “you should leave a key under the mat to your front door, just in case there’s an emergency and the police need to come in.” That sounds great in theory, but what bad guy wouldn’t think to look under the mat, take the key, and create the bad situation in the first place?”

    Owning Your Keys: The Technical and Human Side of Encryption
    https://www.internetsociety.org/blog/2019/11/owning-your-keys-the-technical-and-human-side-of-encryption/

    Efforts to weaken encryption threaten our ability to keep our most vulnerable communities safe online. As the best tool available to protect our digital security, encryption helps ensure that data and messages are kept private and make it much more difficult for outside parties to get access to sensitive information. Encryption helps ensure that your digital bank transactions are secure, your passwords are kept safe, and your stored data can’t be accessed by any unintended parties.

    This security tool protects all Internet users, but it is critical for vulnerable communities.

    We’ve already seen what can happen when security is weakened. Take the TSA luggage lock, which has become a favorite example of why “exceptional access” for law enforcement doesn’t always pan out as planned. These locks were supposed to only allow verified TSA agents to access the contents of your suitcase, but after an agent posted a picture of a key online, people copied it and made it readily available for purchase or to 3D print. The agent made an understandable mistake that probably seemed harmless at first. But that’s the problem. We’re human, and we make mistakes. When it comes to security, those mistakes can have huge impacts on all of us.

    Over the last several years, there has been a debate in the United States and around the world about the use of encrypted technologies. Many technologists, academics, manufacturers, civil society, and others have long fought to ensure devices and software are as secure as possible through encryption. However, some individuals, particularly those in government or law enforcement, have argued that there are times when actors – such as themselves – may need to bypass this critical security measure.

    But there’s a problem with that. Encryption is not a technology that can be bypassed sometimes. It either works or it doesn’t.

  15. Tomi Engdahl says:

    https://thehackernews.com/2019/11/ring-doorbell-wifi-password.html?fbclid=IwAR1ygUYPiArdR_lQmIQg78tW9GVpzJEbszB9hBWtwivjo1hBBp5cXc3G50k&m=1

    Security researchers at Bitdefender have discovered a high-severity security vulnerability in Amazon’s Ring Video Doorbell Pro devices that could allow nearby attackers to steal your WiFi password and launch a variety of cyberattacks using MitM against other devices connected to the same network

  16. Tomi Engdahl says:

    Riot Games’ Millionaire Founder Defrauded In $5 Million Amazon Cloud Cryptocurrency Mining Scam, DOJ Says
    http://on.forbes.com/61881zoBa

  17. Tomi Engdahl says:

    “A UK ISP called Mozilla an “[internet villain](https://www.zdnet.com/article/uk-isp-group-names-mozilla-internet-villain-for-supporting-dns-over-https/)” for its plans to roll out DoH, and a Comcast-backed lobby group has been caught [preparing a misleading document about DoH](https://www.vice.com/en_us/article/9kembz/comcast-lobbying-against-doh-dns-over-https-encryption-browsing-data) that they were planning to present to US lawmakers in the hopes of preventing DoH’s broader rollout.”

  18. Tomi Engdahl says:

    It was long thought that large-scale censorship on decentralized networks like Russia, United States, India and the United Kingdom was prohibitively difficult.

    This exhaustive study of Russia’s censorship infrastructure shows that that is not the case.

    https://censoredplanet.org/russia

    Russian government is gradually building national-level censorship policies on thousands of ISPs using commodity DPIs, a trend that we fear other countries with similar topological structure will follow.

    We confirm that Russia is succeeding at building a national censorship apparatus out of commodity equipment (i.e., inexpensive DPIs). This raises alarm and confirms that there is neither a need for government-run technical choke points with several layers of complexity nor major government investment, as seen with the Chinese GFW, to achieve synchronized and homogeneous nationally restrictive internet access.

    Of the websites in the blocklist, we find that 63% of the websites are in Russian and 28% are in English. While the top categories include gambling and pornography, we find some Russian-language news, politics and circumvention websites in the blocklist.
    What is striking is the transparency of ISPs in injecting explicit notices to users when censorship is enforced, which we later determined is based on guidelines dictated by Roskomnadzor.

    Our findings suggest that data centers block differently from the residential ISPs both in quantity and in method of blocking. In most countries, residential ISPs are subject to different laws and policies for information control.

    Information control has long been a goal of many countries, and with advancements in technology that enable it, entities like the Great Firewall of China are not the only threats to freedom on the Internet. As filtering technology gets cheaper to buy and easier to deploy, more nation-states are moving towards using them to achieve network and information control.

    Our study has shown that the implementation of such decentralized control breaks the mold of what “censorship” traditionally connotes: the monolithic blocking of large swaths of content from border to border within a country. But in Russia with the advent of SORM and commoditization of censorship and surveillance technology it has become relatively easy and cheap for ISPs to comply. However, the means by which ISPs comply vary widely, as does their degree of compliance.

    Previously, Russia was known for using naive censorship approaches. For example, while trying to block Telegram, they blocked entire subnets of Amazon Elastic Compute Cloud, Google Cloud, Digital Ocean, OVH (and hence other websites and services) causing collateral damage. They have since moved to more advanced technologies such as deep packet inspection (DPI) and keyword based blocking due to the commoditization of these technologies that make them cheaper and easier to deploy. The “Sovereign RUnet” law that comes into effect on November 1, 2019 requires telecom operators to install “special equipment” on their networks to handle 100% of all traffic in-path as a security measure against “external threats”. The most important part of this enforcement is that Roskomnadzor will be allowed to centrally manage the routing of traffic on this equipment.

    This is a trend we have observed in many countries: the United States, the United Kingdom, India, Indonesia, Portugal are all slowly moving towards this model and this should serve as a warning to researchers and policymakers. The United Kingdom’s censorship architecture is similar to Russia’s, with the government providing ISPs a list of websites to block.

    Russia’s censorship architecture is a blueprint, and perhaps a forewarning of what national censorship regimes could look like in many other countries that have similarly diverse ISP ecosystems to Russia’s.

    Russia’s rise to prominence as a censor is a wake-up call for censorship researchers, journalists, activists, and citizens of the global Internet.

  19. Tomi Engdahl says:

    Concerning developments from down under.

    Now the police want your passwords – and you could be fined $60,000 or put in prison for five years if you refuse
    https://www.msn.com/en-au/news/australia/now-the-police-want-your-passwords-%E2%80%93-and-you-could-be-fined-dollar60000-or-put-in-prison-for-five-years-if-you-refuse/ar-BBNBzP6

    People could face up to five years in jail if they do not give their laptop password or mobile phone PIN to the authorities under proposed changes to the law.

  20. Tomi Engdahl says:

    Simple Voice-Command SQL Injection Hack into Alexa Application
    https://www.protego.io/voice-command-sql-injection-hack/

  21. Tomi Engdahl says:

    Chinese hackers developed malware to steal SMS messages from telco’s network
    MessageTap malware is meant to be installed on Short Message Service Center (SMSC) servers, on a telco’s network.
    https://www.zdnet.com/article/chinese-hackers-developed-malware-to-steal-sms-messages-from-telcos-network/

  22. Tomi Engdahl says:

    Inside the Microsoft team tracking the world’s most dangerous hackers
    https://www.technologyreview.com/s/614646/inside-the-microsoft-team-tracking-the-worlds-most-dangerous-hackers/

    From Russian Olympic cyberattacks to billion-dollar North Korean malware, how one tech giant monitors nation-sponsored hackers everywhere on earth.

  23. Tomi Engdahl says:

    Daily Crunch: Google announces open-source chip project
    https://techcrunch.com/2019/11/05/daily-crunch-google-announces-open-source-chip-project/

    1. Google launches OpenTitan, an open-source secure chip design project

    The aim of the new coalition is to build trustworthy chip designs for use in data centers, storage and computer peripherals.

    The project will allow anyone to inspect the hardware for security vulnerabilities and backdoors.

  24. Tomi Engdahl says:

    Google launches OpenTitan, an open-source secure chip design project
    https://techcrunch.com/2019/11/05/google-opentitan-secure-chip/

  25. Tomi Engdahl says:

    Research firm: One in four PCs runs an operating system whose support ends in 70 days – Windows 7 is now being left behind by Windows 10

    https://tekniikanmaailma.fi/microsoftin-paansarky-windows-7n-tuki-loppuu-70-paivan-paasta-mutta-se-on-edelleen-kaytossa-joka-neljannessa-pc-tietokoneessa/

  26. Tomi Engdahl says:

    Surveillance kit slinger accused of slapping ‘Made in America’ on Chinese gear, selling it to the US government
    https://www.theregister.co.uk/AMP/2019/11/08/aventura_china_charges/?__twitter_impression=true
    But sure, it’s Huawei that’s the big security threat

  27. Tomi Engdahl says:

    2019 – Endpoint Protection Platforms Magic Quadrant

    https://pentestmag.com/2019-endpoint-protection-platforms-magic-quadrant/

    #pentest #magazine #pentestmag #pentestblog #PTblog #endpoint #protection #platforms #magic #quadrant #cybersecurity #infosecurity #infosec

  28. Tomi Engdahl says:

    Google’s Secret ‘Project Nightingale’ Gathers Personal Health Data on Millions of Americans
    https://www.wsj.com/articles/google-s-secret-project-nightingale-gathers-personal-health-data-on-millions-of-americans-11573496790

    Search giant is amassing health records from Ascension facilities in 21 states; patients not yet informed
