This posting is here to collect cyber security news in January 2020.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
174 Comments
Tomi Engdahl says:
https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/
Tomi Engdahl says:
US court fully legalized website scraping and technically prohibited it
https://parsers.me/us-court-fully-legalized-website-scraping-and-technically-prohibited-it/
On September 9, the U.S. 9th circuit court of Appeals ruled (Appeal from the United States District Court for the Northern District of California) that web scraping public sites does not violate the CFAA (Computer Fraud and Abuse Act).
This is a really important decision. The court not only legalized this practice, but also prohibited competitors from removing information from your site automatically if the site is public.
The court confirmed the clear logic that the entry of the web scraper bot is not legally different from the entry of the browser. In both cases, the “user” requests open data — and does something with it on their side.
Now many site owners are trying to put technical obstacles to competitors who completely copy their information that is not protected by copyright. For example, ticket prices, product lots, open user profiles, and so on. Some sites consider this information “their own”, and consider web scraping as “theft”. Legally, this is not the case, which is now officially enshrined in the US.
CFAA applies only to information or computer systems that are initially closed to the public — usually indicated by the requirement of authorization at the entrance.
HiQ only takes information from public LinkedIn profiles. By definition, any member of the public has the right to access this information.
Tomi Engdahl says:
According to Gemini Advisory, a firm that researches cybercrime, a well known hacker known as Joker Stash posted the data for sale on Monday evening on the so-called dark web—an anonymous layer of the Internet popular with criminals.
https://fortune.com/2020/01/28/wawa-data-breach-credit-card/
Tomi Engdahl says:
Katy Stech Ferek / Wall Street Journal:
US Interior Department introduces a no-fly rule for Chinese drones or those made with Chinese parts, with some exceptions, amid espionage concerns — Order reflects concern that data collected ‘could be valuable to foreign entities’ — WASHINGTON—Interior Department officials plan …
Interior Department Adopts Restrictions Aimed at Chinese Drones
Order reflects concern that data collected ‘could be valuable to foreign entities’
https://www.wsj.com/articles/interior-department-adopts-restrictions-aimed-at-chinese-drones-11580295602
Interior Department officials plan to formally adopt a no-fly rule aimed at drones made in China or with Chinese parts, but will grant exceptions when drones are needed to help respond to natural disasters and other emergencies.
The new policy, which will be issued in an order Wednesday, follows the temporary grounding of the department’s drone fleet last year amid rising concerns that the devices could be used for espionage. Interior officials have acknowledged that all of the department’s roughly 800 drones are made in China or with Chinese parts.
In an interview with The Wall Street Journal, Interior Secretary David Bernhardt said his department will grant exceptions for tracking wildfires by air and for emergencies where human safety or property damage are at risk, such as search-and-rescue operations. Officials also will make exceptions for training flights.
The department order doesn’t mention China by name but instead directs department officials to favor domestically made drones out of concerns information collected by aerial drones could be “valuable to foreign entities, organizations and governments.”
But the cost savings and advantages of drones came up against rising national security concerns. In 2017, the U.S. Department of Homeland Security warned that it believes Chinese drone manufacturer DJI is “selectively targeting government and privately owned entities…to expand its ability to collect and exploit sensitive U.S. data.”
DJI officials have disputed that claim. DJI said users can prevent their drones from transmitting data back to the company or connecting to the internet and that the Chinese government has never sought the data that it has stored.
The U.S. military has largely stopped buying Chinese-made drones. And in September, a bipartisan group of lawmakers introduced legislation to bar federal agencies from buying drones from China and any other country deemed a national security risk, though the bill has gained little traction since then.
In a statement, DJI said it was disappointed that the new Interior policy “inappropriately treats a technology’s country of origin as a litmus test for its performance, security and reliability.”
Tomi Engdahl says:
Shoshana Wodinsky / Gizmodo:
Facebook’s Off-Facebook Activity tool won’t actually clear the data collected about you from other apps and sites, only its connection to your Facebook account — When we talk about Facebook’s myriad foibles and fuckups, we’re usually laying the blame on things that happen within the Big Blue App …
Facebook’s ‘Clear History’ Tool Doesn’t Clear Shit
https://gizmodo.com/facebooks-clear-history-tool-doesnt-clear-shit-1841305764
Tomi Engdahl says:
Bill Budington / Electronic Frontier Foundation:
Ring app on Android covertly sends personally identifiable information of users to third parties including Facebook and MixPanel — Ring isn’t just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers.
Ring Doorbell App Packed with Third-Party Trackers
https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers
Tomi Engdahl says:
Remember FindFace? The Russian Facial Recognition Company Just Turned On A Massive, Multimillion-Dollar Moscow Surveillance System
https://www.forbes.com/sites/thomasbrewster/2020/01/29/findface-rolls-out-huge-facial-recognition-surveillance-in-moscow-russia/
Built on several tens of thousands of cameras and what’s claimed to be one of the most advanced facial recognition systems on the planet, Moscow has been quietly switching on a massive surveillance project this month.
The software that’s helping monitor all those faces is FindFace, the product of NtechLab, a company that some reports claimed would bring “an end to anonymity” with its FindFace app. Launched in the mid-2010s, it allowed users to take a picture of someone and match their face to their to social media profiles on Russian site Vkontakte (VK).
Tomi Engdahl says:
https://cacheoutattack.com/
Tomi Engdahl says:
Top-Tier Russian Organized Cybercrime Group Unveils Fileless Stealthy “PowerTrick” Backdoor for High-Value Targets
https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
Tomi Engdahl says:
https://www.forbes.com/sites/rachelsandler/2020/01/21/bezoss-phone-hacked-by-saudi-crown-prince-report-says/amp/
Tomi Engdahl says:
Skimming heist that hit convenience chain may have compromised 30 million cards
Point-of-sale machines at ~850 Wawa locations were infected for 9 months.
https://arstechnica.com/information-technology/2020/01/for-sale-data-for-up-to-30-million-payment-cards-stolen-in-skimming-heist/
Tomi Engdahl says:
Avast shuts down marketing analytics subsidiary Jumpshot amid controversy over selling user data
Avast shuts down marketing analytics subsidiary Jumpshot amid controversy over selling user data
https://tcrn.ch/37D8yog
Avast has made a huge business out of selling antivirus protection for computers and mobile devices, but more recently it was revealed that the Czech-based cybersecurity specialist was also cultivating another, more controversial, revenue stream: harvesting and selling on user data, some of which it amassed by way of those security tools.
Tomi Engdahl says:
“There were lengthy delays in security projects, and, internally, departments were ignoring compliance efforts……over the nearly 1,500 websites and web apps identified only a single one had carried out a security assessment.”
UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it
https://www.theregister.co.uk/2020/01/29/un_covered_up_hack/
For an organization accused of being ‘all talk, no action’, there’s not even enough talking – to its own employees
The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants’ fingertips. Incredibly, the organization decided to cover it up without informing those affected nor the public.
That is the extraordinary claim of The New Humanitarian, which until a few years ago was an official UN publication covering humanitarian crises. Today, it said the UN has confirmed both the hack and the decision not to divulge any details.
Dozens of UN servers were impacted in an attack that began in mid-July 2019 but was only noticed one month later, according to a confidential report dated September 20. The publication gained access to that report, which outlines a series of security holes discovered by an external forensic company as well as internal efforts to contain the hack.
A senior IT official dubbed the attack a “major meltdown,” in which personnel records – as well as contract data covering thousands of individuals and organizations – was accessed
Tomi Engdahl says:
Hackers may have gained ‘almost total control’ of an election server in Georgia, report says
https://www.independent.co.uk/news/world/americas/us-election/georgia-election-server-hacking-brian-kemp-stacey-abrams-vulnerabilities-report-a9290236.html
Tomi Engdahl says:
Exonerated: Charges dropped against pentesters paid to break into Iowa courthouse
Dismissal is a victory for the security industry and the customers who rely on it.
https://arstechnica.com/information-technology/2020/01/criminal-charges-dropped-against-2-pentesters-who-broke-into-iowa-courthouse/
Prosecutors have dropped criminal charges against two security professionals who were arrested and jailed last September for breaking into an Iowa courthouse as part of a contract with Iowa’s judicial arm.
Coalfire CEO Tom McAndrew added, “With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement. We’re grateful to the global security community for their support throughout this experience.”
Tomi Engdahl says:
Severe ‘Perfect 10.0’ Microsoft Flaw Confirmed: ‘This Is A Cloud Security Nightmare’
https://www.forbes.com/sites/zakdoffman/2020/01/30/severe-perfect-100-microsoft-flaw-confirmed-this-is-a-cloud-security-nightmare/
Microsoft quickly fixed the vulnerability when Check Point approached them in the fall, and customers who have patched their systems are now safe. The vulnerability is as punchy as it gets, “a perfect 10.0,” Balmas says, referring to the CVE score on Microsoft’s disclosure in October. “It’s huge—I can’t even start to describe how big it is.” The reason for the hyperbole is that Balmas says his team found the first remote code execution (RCE) exploit on a major cloud platform. One user could break the cloud isolation separating themselves and others, intercepting code, manipulating programs. That isolation is the basis of cloud security, enabling the safe sharing of common hardware.
There was no detail when Microsoft patched the flaw, just a short explainer. “An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code,” the company said at the time, “thereby escaping the Sandbox.” This week, Microsoft confirmed Check Point’s report, telling me that “we released updates to address these issues in 2019.” The spokesperson added that “customers who have applied the updates are protected,” as covered at CVE-2019-1372 and CVE-2019-1234.
Tomi Engdahl says:
Microsoft Issues Excel Security Alert As $100 Million ‘Evil Corp’ Campaign Evolves
https://www.forbes.com/sites/daveywinder/2020/01/31/microsoft-issues-excel-threat-alert-as-100-million-evil-corp-campaign-evolves/#659dbe996044
Evil Corp may well be best known to millions of viewers of the Mr. Robot TV drama as the multi-national corporation that Elliot and FSociety hack. However, back in the real world, Evil Corp not only exists but is weaponizing Microsoft Excel to spread a malware payload. Researchers from Microsoft Security Intelligence have this week taken to Twitter to warn users to be alert to the ongoing campaign being run by Evil Corp, also known as TA505. Like most successful cybercriminals, Evil Corp is constantly evolving in terms of techniques and tools. The latest twist in this felonious tale involves Microsoft Excel as a payload delivery vehicle.
Tomi Engdahl says:
United Nations Confirms ‘Serious’ Cyberattack With 42 Core Servers Compromised
https://www.google.com/amp/s/www.forbes.com/sites/daveywinder/2020/01/30/united-nations-confirms-serious-cyberattack-with-42-core-servers-compromised/amp/
One week after the United Nations called for an investigation into the claims that Jeff Bezos’ smartphone was hacked by Saudi Crown Prince Mohammed bin Salman, a claim that I first reported in March 2019, another investigation has revealed that the UN itself has been hacked.
The leak of an internal UN report to investigators at The New Humanitarian shows that core infrastructure servers were compromised during a successful cyberattack last year. The report, dated September 20, 2019, was from the United Nations Office of Information and Technology. Associated Press, which has also seen the report, said that 42 servers in all were compromised and a further 25 categorized as suspicious. According to The New Humanitarian, at least some of the affected systems were at the UN human rights offices and the UN human resources department, at locations in Geneva and Vienna. The confidential report is said to show that “some administrator accounts” were breached, and staff told to change passwords. “The ‘core infrastructure’ affected included systems for user and password management, system controls, and security firewalls,” The New Humanitarian said.
Although not yet attributed, attack fingerprint suggests sophisticated APT actors
–
So sophisticated a caveman could exploit it, APT is such an abused word (when convenient) that it effectively is a near meaningless short code for shit administrators https://www.rapid7.com/db/?q=CVE-2019-0604&type=nexpose
Tomi Engdahl says:
Threat intelligence expert calls failure to disclose a ‘really bad decision’
Tomi Engdahl says:
Facebook to Pay $550 Million to Settle Facial Recognition Suit
https://www.nytimes.com/2020/01/29/technology/facebook-privacy-lawsuit-earnings.html
It was another black mark on the privacy record of the social network, which also reported its quarterly earnings.
Facebook said on Wednesday that it had agreed to pay $550 million to settle a class-action lawsuit over its use of facial recognition technology in Illinois, giving privacy groups a major victory that again raised questions about the social network’s data-mining practices.
The case stemmed from Facebook’s photo-labeling service, Tag Suggestions, which uses face-matching software to suggest the names of people in users’ photos.
Facebook Biometric Privacy Settlement
https://edelson.com/facebook-settlement
Tomi Engdahl says:
UN hacked: Attackers got in via SharePoint vulnerability
https://www.helpnetsecurity.com/2020/01/30/un-hacked/
In summer 2019, hackers broke into over 40 (and possibly more) UN servers in offices in Geneva and Vienna and downloaded “sensitive data that could have far-reaching repercussions for staff, individuals, and organizations communicating with and doing business with the UN,” The New Humanitarian reported on Wednesday.
Tomi Engdahl says:
Microsoft Says Cyber Thieves Exploiting Death of Kobe Bryant, Installing Crypto Malware in Desktop Wallpaper
https://dailyhodl.com/2020/02/01/microsoft-says-cyber-thieves-exploiting-death-of-kobe-bryant-installing-crypto-malware-in-desktop-wallpaper/amp/
Security experts at Microsoft have discovered malicious malware hiding in downloadable images of the late Kobe Bryant.
Microsoft Security Intelligence says the software is designed to hijack a computer’s CPU to mine cryptocurrency. The process is known as cryptojacking.
https://mobile.twitter.com/MsftSecIntel/status/1223032390555033600
Tomi Engdahl says:
Buffer overflow when pwfeedback is set in sudoers
https://www.sudo.ws/alerts/pwfeedback.html
Tomi Engdahl says:
Department of Interior grounding drone fleet over cybersecurity concerns
https://www.cyberscoop.com/drone-ban-interior-department-cybersecurity/
The secretary of the Interior issued an order Wednesday grounding all of the Department of the Interior’s non-emergency drones so the agency can assess potential cybersecurity concerns before operating the devices any further.