This posting is here to collect cyber security news in January 2019.
I post links to security vulnerability news in the comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
412 Comments
Tomi Engdahl says:
Azorult Trojan Steals Passwords While Hiding as Google Update
https://www.bleepingcomputer.com/news/security/azorult-trojan-steals-passwords-while-hiding-as-google-update/
The AZORult information stealer and downloader malware strain was observed by Minerva Labs’ research team posing as a signed Google Update installer and achieving persistence by replacing the legitimate Google Updater program on compromised machines
Tomi Engdahl says:
https://www.uusiteknologia.fi/2019/01/28/yritykset-kiinnostavat-edelleen-kryptovaluutan-louhijoita/
Tomi Engdahl says:
Drone Sightings, A New British Comedy Soap Opera
https://hackaday.com/2019/01/28/drone-sightings-a-new-british-comedy-soap-opera/
Here at Hackaday we’ve brought you news of the UK’s peculiar habit of bad reporting and shoddy investigation of questionable drone sightings several times over the last year or two. Most recently we covered a series of events before Christmas that closed Gatwick, London’s second airport for several days over what turned out to be nothing of substance.
Unfortunately it didn’t end there. We’re back once more to catch up with the latest events down on the tarmac, and come away with a fresh set of reasonable questions unanswered by the popular coverage of the matter.
Another Day, Another Police Helicopter
The Gatwick airport was closed over more than a day based on eyewitness reported sightings of a drone — which we take to mean a small unmanned aircraft. After much investigation (and the arrest and release of suspects) the embarrassing admission that it might all have been about nothing came just before Christmas
But the second week of January brought another story. This time it was London’s main airport, Heathrow, and yet again at dusk on a winter’s evening a drone spotting was reported. The airport was closed, and in contrast to Gatwick there were multiple reports of sightings. Surely with lights spotted over the runway there could be no doubt, we’d caught the pesky drone red-handed!
The ADSB records show that the police helicopter arrived in the Heathrow area at about 17:33 on the 8th of January and left at about 18:26, having spent a considerable time hovering over various parts of the airport environs through the time that observers on the ground claimed to have seen some lights in the sky.
Confusing a Hovering Helicopter for a Drone
Repeat After Us: Show Us The Drone
If a Hackaday reader can spend ten minutes with a web browser to reveal G-MPSC’s path that night then it is not unreasonable to expect that the formidable investigative resources of a global news organisation could do the same. We need to see better reporting, a readiness to investigate official accounts rather than regurgitate them, and above all a willingness to consult experts in the field rather than people from other fields with a vested interest. An airline pilot is not an expert on drones, it’s akin to saying a supertanker captain is an expert on kayaks because both vessels are boats.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
IT security and cloud data management firm Rubrik leaves server online without password, exposing tens of GBs of data, customer names, contact info, case work
Data management giant Rubrik leaked a massive database of client data
https://techcrunch.com/2019/01/29/rubrik-data-leak/
A server security lapse has exposed a massive database of customer information belonging to Rubrik, an IT security and cloud data management giant.
The company pulled the server offline Tuesday within an hour of TechCrunch alerting the company, after the data was found by security researcher Oliver Hough. The exposed server wasn’t protected with a password, allowing access to anyone who knew where to find the server.
The database itself, running on a hosted Amazon Elasticsearch server, was storing tens of gigabytes of data, including customer names, contact information, and case work for each corporate customer.
It’s believed the data goes back to October 2018, according to timestamps found inside.
From a cursory review, we also found some emails included sensitive information about that customer’s setup and configuration.
It’s somewhat ironic, given that the IT unicorn, valued at $3.3 billion, recently announced that it’s expanding into security and compliance services.
Rubrik has thousands of major clients
In remarks, Rubrik said it was investigating.
“While building a new solution for customer support, a sandbox environment containing a subset of our customer corporate contact information and support interaction data was potentially accessible for a brief period of time,” said a spokesperson for Rubrik. “We rectified this issue immediately.”
It’s not known who might have accessed it, but the exposed server was indexed on Shodan, a search engine for exposed devices and databases, making it easily discoverable and accessible.
“We have traced the cause to human error, a default access setting was not changed per our standard practice. We have enacted changes to our processes to prevent this from happening again. Privacy and security is our top concern and we sincerely apologize for the mistake,” the spokesperson said.
Tomi Engdahl says:
Lie Junius / The Keyword:
Alphabet’s Jigsaw expands its free Project Shield service to organizations across EU, including journalists, to defend against DDoS attacks ahead of elections
An update on our work to prevent abuse ahead of the EU elections
https://www.blog.google/around-the-globe/google-europe/update-our-work-prevent-abuse-ahead-eu-elections/
Concerns about disinformation run high ahead of elections, a time when secure access to authoritative information is essential. Over the past few years, as more attempts to disrupt democratic processes have come to light, the scale of our response has increased. The upcoming European Parliament elections in May of this year are a big focus for our teams.
Project Shield for political campaigns, journalists and NGOs in Europe
Journalists, campaigns and political parties, NGOs and election monitoring groups ensure people can stay informed during election periods. It’s never been more necessary to defend these groups from digital attacks that can exploit many thousands of computers to overwhelm a website’s servers and take it offline—preventing voters from getting official information when they need it most. Project Shield uses Google’s infrastructure to protect independent news sites from distributed denial of service attacks (DDoS) and from today, Jigsaw will be offering strong, free DDoS-protections to the organizations across Europe that are vital to free and fair elections. You can find out more about Jigsaw and apply for Shield protection here
Protecting election news from digital attacks. Free tools to help defend information when it matters most.
https://protectyourelection.withgoogle.com/intl/en/?_ga=2.18501627.334794669.1548867197-1604367932.1548867197
Tomi Engdahl says:
Cyber Threat: Russia and China Poised to Cripple US Power Grid, Gas Pipelines at a Moment’s Notice
https://www1.cbn.com/cbnnews/national-security/2019/january/cyber-threat-russia-and-china-poised-to-cripple-us-power-grid-gas-pipelines-at-a-moments-notice
Russia and China are capable of launching cyberattacks that could disrupt electric grids and gas pipelines in the US, according to a new government report the intelligence community delivered to the Senate Intelligence Committee Tuesday.
Tomi Engdahl says:
Special Report: Inside the UAE’s secret hacking team of U.S. mercenaries
https://www.reuters.com/article/us-usa-spying-raven-specialreport/special-report-inside-the-uaes-secret-hacking-team-of-u-s-mercenaries-idUSKCN1PO19O
Two weeks after leaving her position as an intelligence analyst for the U.S. National Security Agency in 2014, Lori Stroud was in the Middle East working as a hacker for an Arab monarchy.
She had joined Project Raven, a clandestine team that included more than a dozen former U.S. intelligence operatives recruited to help the United Arab Emirates engage in surveillance of other governments, militants and human rights activists critical of the monarchy.
Tomi Engdahl says:
DON’T TOSS THAT BULB, IT KNOWS YOUR PASSWORD
https://hackaday.com/2019/01/29/dont-toss-that-bulb-it-knows-your-password/
In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain-text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulbs starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.
https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/
Tomi Engdahl says:
Head of Android Security Says Locking Out Law Enforcement Is an ‘Unintended Side Effect’
https://motherboard.vice.com/en_us/article/yw8vm7/android-security-locking-out-law-enforcement-unintended-side-effect
Google is taking steps to make it harder for someone to push a malicious update that disables the security features on an Android phone.
In 2016, the FBI asked Apple to help the law enforcement agency get into the iPhone
In a talk at the USENIX Enigma conference in Burlingame, California on Tuesday, Rene Mayrhofer, Google’s Director of Android Platform Security, made clear that Google is taking technical steps to be able to make the same argument in case the FBI comes knocking.
Thanks to these new security features—announced last year—Google can’t push out a malicious software update to an Android phone. Nor, Mayrhofer said, can Google modify its firmware to disable security features.
“We want to make it impossible for insiders to get this kind of access for whatever reasons, whatever motivation,” Mayrhofer said. “And law enforcement is, I would say—the inability to react to legal requests here is an unintended side effect of this mitigation.”
There are security challenges for Android beyond the operating system or hardware. Mayrhofer admitted that Android’s app ecosystem has “issues” that need to be resolved.
Tomi Engdahl says:
How I exploited ACME TLS-SNI-01 issuing Let’s Encrypt SSL-certs for any domain using shared hosting
https://labs.detectify.com/2018/01/12/how-i-exploited-acme-tls-sni-01-issuing-lets-encrypt-ssl-certs-for-any-domain-using-shared-hosting/
Tomi Engdahl says:
The Case of the Bumbling Spy: A Watchdog Group Gets Him on Camera
https://www.nytimes.com/2019/01/28/world/black-cube-nso-citizen-lab-intelligence.html
Citizen Lab, a cybersecurity watchdog organization at the University of Toronto, has published hard-hitting research on powerful targets in recent years: Chinese government censorship, Silicon Valley’s invasion of customers’ privacy, despotic regimes’ electronic surveillance of dissidents. It’s the kind of work that can make enemies.
So when John Scott-Railton, a senior researcher at Citizen Lab, got an odd request for a meeting last week from someone describing himself as a wealthy investor from Paris, he suspected a ruse and decided to set a trap.
Tomi Engdahl says:
Unsecured MongoDB databases expose Kremlin’s backdoor into Russian businesses
https://www.zdnet.com/google-amp/article/unsecured-mongodb-databases-expose-kremlins-backdoor-into-russian-businesses/?__twitter_impression=true
“[email protected]” account spotted on thousands of Russian-linked, internet-exposed MongoDB databases.
A Dutch security researcher has stumbled upon the Kremlin’s backdoor account that the government had been using to access the servers of local and foreign businesses operating in Russia.
The backdoor account was found inside thousands of MongoDB databases that had been left exposed online without a password.
Tomi Engdahl says:
Facebook knowingly duped game-playing kids and their parents out of money
https://www.revealnews.org/article/facebook-knowingly-duped-game-playing-kids-and-their-parents-out-of-money/
Facebook orchestrated a multiyear effort that duped children and their parents out of money, in some cases hundreds or even thousands of dollars, and then often refused to give the money back, according to court documents unsealed tonight in response to a Reveal legal action.
Tomi Engdahl says:
Google’s also peddling a data collector through Apple’s back door
It looks like Facebook is not the only one abusing Apple’s system for distributing employee-only apps to sidestep the App Store and collect extensive data on users. Google has been running an app called Screenwise Meter, which bears a strong resemblance to the app distributed by Facebook Research that has now been barred by Apple, TechCrunch has learned.
Tomi Engdahl says:
https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/?sr_share=facebook&utm_source=tcfbpage
Tomi Engdahl says:
India’s largest bank SBI leaked account data on millions of customers
https://techcrunch.com/2019/01/30/state-bank-india-data-leak/?sr_share=facebook&utm_source=tcfbpage
India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.
Tomi Engdahl says:
Inside the UAE’s secret hacking team of American mercenaries
https://www.reuters.com/investigates/special-report/usa-spying-raven/
Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy: dissidents, rival leaders and journalists. See also
https://www.reuters.com/article/us-usa-spying-karma-exclusive/exclusive-uae-used-cyber-super-weapon-to-spy-on-iphones-of-foes-idUSKCN1PO1AN
Tomi Engdahl says:
Employee Data Compromised in Airbus Breach
https://www.securityweek.com/employee-data-compromised-airbus-breach
Aircraft maker Airbus on Wednesday revealed that information on some of its employees was compromised as a result of a data breach.
According to the company, it detected an intrusion on systems associated with its Commercial Aircraft business, but claims that the incident has not impacted its commercial operations.
https://www.airbus.com/content/dam/corporate-topics/publications/press-release/EN-Airbus-Cyber-Security-Statement.pdf
Tomi Engdahl says:
Firefox 65 Brings Improved Privacy Protections
https://www.securityweek.com/firefox-65-brings-improved-privacy-protections
Mozilla this week released the stable version of Firefox 65 with privacy protection improvements, patches, and other security enhancements inside.
“As a result of some of our previous testing, we’re happy to announce a new set of redesigned controls for the Content Blocking section in today’s Firefox release where users can choose their desired level of privacy protection,” Mozilla’s Nick Nguyen notes in a blog post.
https://blog.mozilla.org/blog/2019/01/29/todays-firefox-gives-users-more-control-over-their-privacy/
Tomi Engdahl says:
Yahoo Breach Settlement Rejected by Judge
https://www.securityweek.com/yahoo-breach-settlement-rejected-judge
A U.S. judge has rejected the settlement between Yahoo and users impacted by the massive data breaches suffered by the company, citing, among other things, inadequate disclosure of the settlement fund and high attorney fees.
Tomi Engdahl says:
Bangladesh to Sue Philippine Bank Over $81M Cyber Heist
https://www.securityweek.com/bangladesh-sue-philippine-bank-over-81m-cyber-heist
Bangladesh will Wednesday file a lawsuit in New York against a Philippine bank over its involvement in one of the biggest-ever cyber heists, the country’s central bank governor said.
Unidentified hackers stole $81 million from the Bangladesh central bank’s account with the US Federal Reserve in New York in February 2016.
The money was then transferred to a Manila branch of the Rizal Commercial Banking Corp (RCBC), swiftly withdrawn and laundered through local casinos.
A case will be filed against RCBC and “all others” involved in the heist to try and retrieve the stolen funds, Bangladesh central bank governor Fazle Kabir told AFP.
https://www.securityweek.com/industry-reactions-bangladesh-bank-hack-feedback-friday
Tomi Engdahl says:
Spam Injector Disguised as License Key in WordPress Website
https://blog.sucuri.net/2019/01/spam-injector-disguised-as-license-key-in-wordpress.html
Here at Sucuri, we clean WordPress websites every day. There are various types of common malware, but when we stumble upon a different scenario, our research team likes to dig deeper and conduct a complete investigation.
A license key is a place where a webmaster might not expect to find an infection, however, in this particular case, this is where we found one.
Tomi Engdahl says:
Theoretical Ransomware Attack Could Lead to Global Damages Says Report
https://www.bleepingcomputer.com/news/security/theoretical-ransomware-attack-could-lead-to-global-damages-says-report/
According to a speculative cyber risk scenario prepared by Cambridge University for risk management purposes, a ransomware strain that would manage to impact more than 600,000 businesses worldwide within 24 hours would potentially lead to damages of billions not covered by insurers.
First of all, it is important to understand that although the numbers look very scary, this type of an attack is practically impossible to pull off at the moment when taking into consideration the current capabilities of malware, anti-malware, and current IT ecosystems.
Insurance firms refusing to cover ransomware attack losses
Although the report “identifies opportunities for insurers to expand their business in insurance classes associated with ransomware attacks,” quite recent events show that, in some circumstances, insurers have refused to cover the losses generated by ransomware attacks.
Tomi Engdahl says:
Various Google Play “Beauty Camera” Apps Sends Users Pornographic Content, Redirects Them to Phishing Websites and Collects Their Pictures
https://blog.trendmicro.com/trendlabs-security-intelligence/various-google-play-beauty-camera-apps-sends-users-pornographic-content-redirects-them-to-phishing-websites-and-collects-their-pictures/
Tomi Engdahl says:
Inside the UAE’s secret hacking team of American mercenaries
https://www.reuters.com/investigates/special-report/usa-spying-raven/
Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy: dissidents, rival leaders and journalists.
Tomi Engdahl says:
Apple bans Facebook’s Research app that paid users for data
https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/
Tomi Engdahl says:
New LockerGoga Ransomware Allegedly Used in Altran Attack
https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/
Hackers have infected the systems of Altran Technologies with malware that spread through the company network, affecting operations in some European countries. To protect client data and their own assets, Altran decided to shut down its network and applications.
The attack occurred on January 24, but the French engineering consultancy released a public statement only yesterday and kept details to a bare minimum, saying that third-party technical experts and digital forensics specialists are on the case.
Altran allegedly hit with new LockerGoga ransomware
Altran made no reference to the type of malware affecting their network, but security researchers, following the trail of public breadcrumbs, have found sufficient evidence to determine that it’s a ransomware attack.
When encrypting files, the ransomware will append the .locked extension to the names of encrypted files.
https://resource.globenewswire.com/Resource/Download/0663f8d4-0acf-4463-b0fd-bb05042d1373
Tomi Engdahl says:
Israel Blocks Iran Cyber-attacks ‘Daily’: Netanyahu
https://www.securityweek.com/israel-blocks-iran-cyber-attacks-daily-netanyahu
Prime Minister Benjamin Netanyahu on Tuesday accused arch-foe Iran of regularly launching cyber-attacks on Israel that the Jewish state blocks each day.
“Iran attacks Israel on a daily basis,” he told a cyber conference in Tel Aviv. “We monitor these attacks, we see these attacks and we foil these attacks all the time.”
“Any country can be attacked today with cyber-attacks and every country needs the combination of a national cyber defence effort and a robust cyber security industry,” Netanyahu said.
Tomi Engdahl says:
U.S. Intel Community: Russia, China Can Disrupt Critical Infrastructure
https://www.securityweek.com/us-intel-community-russia-china-can-disrupt-critical-infrastructure
Russia and China are capable of disrupting critical infrastructure in the United States, and Iran is not far behind, according to the Worldwide Threat Assessment made public by the U.S. intelligence community on Tuesday.
The assessment covers a wide range of threats, including cyber. Similar to the reports published in the past years, it warns that the US’s adversaries and competitors will increasingly use their cyber capabilities for political, military and economic advantage.
China and Russia continue to pose the biggest threat, but Iran, North Korea, non-state terrorists and profit-driven cybercriminals should not be ignored either, intelligence agencies said.
Tomi Engdahl says:
Josh Constine / TechCrunch:
Apple says it revoked Facebook’s Enterprise Certificate yesterday used to distribute the Research app outside of App Store, before Facebook could shut it down — In the wake of TechCrunch’s investigation yesterday, Apple blocked Facebook’s Research VPN app before the social network could voluntarily shut it down.
Apple bans Facebook’s Research app that paid users for data
https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/
Tomi Engdahl says:
Chaos has reportedly erupted inside Facebook as employees find themselves unable to open the company’s apps on their iPhones
https://nordic.businessinsider.com/facebook-chaos-after-apple-blocks-internal-iphone-apps-report-2019-1?r=US&IR=T
Apple has blocked Facebook’s internal apps from working on employees’ phones, The Verge reported.
The move was in response to reports this week that Facebook misused Apple’s enterprise-app program, meant for internal use in a company, to run a research app that gathered data on people’s phone activity in exchange for payment.
Apple blocks Facebook from running its internal iOS apps
https://www.theverge.com/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps
Tomi Engdahl says:
DNS Providers to Cease Implementing DNS Resolver Workarounds
https://www.securityweek.com/dns-providers-cease-implementing-dns-resolver-workarounds
Starting on February 1, 2019, a number of DNS software and service providers will cease implementing DNS resolver workarounds for systems that don’t follow the Extensions to DNS (EDNS) protocol.
Intended for DNS Flag Day, the switch should solve two major problems DNS has at the moment due to these workarounds: slower responses to DNS queries and the difficulty of deploying new DNS protocol features such as improved distributed denial of service protections.
Although the Extension Mechanisms for DNS were specified in 1999 to establish rules for responding to queries with EDNS options or flags, some implementations continue to violate the rules. To address interoperability issues, DNS software developers implemented workarounds for non-standard behaviors.
“These workarounds excessively complicate DNS software and are now also negatively impacting the DNS as a whole,” the Internet Systems Consortium (ISC) points out.
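The Flag Day test behind this news is simple to reproduce by hand. Below is an added example (mine, not code from ISC, the Flag Day project or the article) that builds a DNS query carrying an OPT record with EDNS version 1, which no server implements, and judges the reply: per RFC 6891 a compliant server must answer BADVERS (extended RCODE 16) with a version-0 OPT record, while a server that strips the OPT record, answers NOERROR as if EDNS were absent, or never replies is exactly the kind the resolvers used to work around. This is roughly what `dig +edns=1 +noednsneg` does. The `probe()` function talks to a real server you name; the `make_reply()` helper and the sample replies exist only to exercise the classifier offline and are constructed, not captured traffic.

```python
"""EDNS version-negotiation probe in the spirit of the DNS Flag Day checks (added example)."""
import socket
import struct
from typing import Optional

TYPE_OPT = 41          # OPT pseudo-RR type (RFC 6891)
RCODE_BADVERS = 16     # extended RCODE a server must return for an unknown EDNS version


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length


def build_opt_rr(edns_version: int, udp_size: int = 1232, ext_rcode: int = 0) -> bytes:
    """OPT RR: root name, TYPE 41, CLASS = UDP payload size,
    TTL = ext-RCODE(8) | version(8) | DO/Z(16), empty RDATA."""
    ttl = (ext_rcode << 24) | (edns_version << 16)
    return b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_size, ttl, 0)


def build_edns_query(qname: str, edns_version: int = 1, txid: int = 0x1234,
                     qtype: int = 6) -> bytes:
    """Non-recursive query for <qname>/<qtype> (default SOA) with an OPT RR of the given version."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 1)   # RD clear; 1 question, 1 additional
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)  # class IN
    return header + question + build_opt_rr(edns_version)


def classify_edns1_response(msg: bytes) -> str:
    """Judge a reply to the version-1 probe: 'compliant' or a 'noncompliant: ...' reason."""
    _txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode_low = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                       # skip QTYPE + QCLASS
    opt_ttl: Optional[int] = None
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_OPT:
            opt_ttl = ttl
        off += rdlen
    if opt_ttl is None:
        return "noncompliant: OPT record stripped from response (EDNS ignored)"
    ext_rcode = (opt_ttl >> 24) & 0xFF
    version = (opt_ttl >> 16) & 0xFF
    rcode = (ext_rcode << 4) | rcode_low                    # full 12-bit RCODE
    if rcode != RCODE_BADVERS:
        return f"noncompliant: expected BADVERS (16), got RCODE {rcode}"
    if version != 0:
        return f"noncompliant: server echoed EDNS version {version} instead of 0"
    return "compliant"


def probe(server: str, qname: str, timeout: float = 3.0) -> str:
    """Send the version-1 probe over UDP to a real server (network; not used by the offline test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_edns_query(qname), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "noncompliant: no reply (server drops unknown EDNS versions)"
    return classify_edns1_response(reply)


def make_reply(query: bytes, opt_rr: bytes = b"", rcode_low: int = 0) -> bytes:
    """Constructed test helper: echo our question back as a reply, with or without an OPT RR."""
    txid = struct.unpack(">H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    header = struct.pack(">HHHHHH", txid, 0x8000 | rcode_low, 1, 0, 0, 1 if opt_rr else 0)
    return header + query[12:qend] + opt_rr


if __name__ == "__main__":
    q = build_edns_query("example.com.")
    print("BADVERS reply :", classify_edns1_response(make_reply(q, build_opt_rr(0, ext_rcode=1))))
    print("OPT stripped  :", classify_edns1_response(make_reply(q)))
    print("version ignored:", classify_edns1_response(make_reply(q, build_opt_rr(0))))
```

Run `probe("<your authoritative server>", "<your zone>")` against each name server you operate; anything other than `compliant` is what the post-Flag-Day resolvers will stop tolerating.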
Tomi Engdahl says:
Iran-Linked Hackers Use Array of Tools to Steal Data: FireEye
https://www.securityweek.com/iran-linked-hackers-use-array-tools-steal-data-fireeye
An Iran-linked cyber-espionage group responsible for widespread theft of data is using a broad range of custom and off-the-shelf tools, FireEye security researchers say.
Referred to as APT39, the group has been tracked since November 2014 and its activities largely align with the Chafer group, as well as with the OilRig cyberspies. Unlike other groups operating out of Iran, however, APT39 hasn’t been linked to influence operations, disruptive attacks, and other threats.
Tomi Engdahl says:
Crypto Hardware Maker nCipher Re-Emerges From Thales After 20 Years
https://www.securityweek.com/crypto-hardware-maker-ncipher-re-emerges-thales-after-20-years
Its divestiture by Thales was a competition condition imposed by the European Union for the acquisition of Gemalto by Thales. Gemalto and Thales were the two major providers of HSMs. European Commissioner Margrethe Vestager explained, the condition “allows the creation of a strong European player in this market, while still ensuring that the merger will not prevent customers from continuing to enjoy fair prices and innovative products.”
Tomi Engdahl says:
Salt Security Emerges From Stealth With API Protection Solution
https://www.securityweek.com/salt-security-emerges-stealth-api-protection-solution
Application programming interfaces (APIs) have been involved in several high profile security incidents in the past years and an increasing number of companies have started offering API protection solutions.
Salt Security claims that solutions from other vendors can only detect known API attacks, but its own AI-powered technology can spot anomalies in real time and block threats in the reconnaissance phase.
The company says it can provide an inventory of all APIs within hours and helps organizations assess the risks associated with each component. Its solution should be able to detect zero-day attacks by creating a profile of legitimate APIs.
Salt also helps customers identify insecure APIs and provides information on how these weak spots can be remediated in minutes, the company claims.
Tomi Engdahl says:
Major Apple Security Bug Lets You Spy on Your Buddies
https://www.pandasecurity.com/mediacenter/mobile-news/facetime-bug/
Earlier today Apple users from all over the world, including US citizens and permanent residents, realized that they could spy on each other by taking advantage of a FaceTime exploit that allows eavesdropping. First reported by 9 to 5 Mac, the bug in Apple’s videotelephony app allowed users without any technical skills to eavesdrop on virtually anyone in the world who uses FaceTime. By simply making a FaceTime video call users were able to listen through the callee’s device, even if the call recipient was not picking up.
Tomi Engdahl says:
Relaying Exchange’s NTLM authentication to domain admin (and more)
https://isc.sans.edu/forums/diary/Relaying+Exchanges+NTLM+authentication+to+domain+admin+and+more/24578/
Now folks, this is HUGE. Extremely huge. If you are running Exchange make sure that you read this diary and the original blog.
Basically, the PoC tool exploits the fact that Exchange servers have very high privileges in Active Directory domains – the WriteDacl privilege that allows them to change domain privileges. Exchange servers are part of the Exchange Trusted Subsystem group, which is further included in the Exchange Windows Permissions group which has this critical privilege enabled.
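The defensive check that follows from the diary is to look at who holds WriteDacl on the domain object. Below is an added example (mine, not code from the SANS diary or from the PoC tool it discusses) that parses the domain object's security descriptor in SDDL form, as you would export it with `(Get-Acl "AD:\<domain DN>").Sddl`, and lists every trustee whose allow ACE carries WRITE_DAC (or GenericAll, which implies it). Match the SIDs it prints against the Exchange Windows Permissions group. The sample SDDL, domain SID, RIDs and the object GUID in it are constructed for the offline test and do not come from any real domain.

```python
"""List trustees holding WriteDacl on an AD object from its SDDL string (added example)."""
import re
from typing import Dict, List

# SDDL two-letter access-right tokens -> access-mask bits (AD object rights plus standard rights).
RIGHT_BITS = {
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100, "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000,
    "WO": 0x00080000, "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000,
    "GR": 0x80000000,
}
WRITE_DAC = RIGHT_BITS["WD"]
GENERIC_ALL = RIGHT_BITS["GA"]

# Constructed sample: a domain object DACL with Domain Admins (RID 512), a hypothetical
# Exchange Windows Permissions group (RID 1105, holds WD), an inherit-only ACE, a read-only
# ACE for Authenticated Users and an object-specific extended-right ACE with a made-up GUID.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1111-2222-3333-512)"
    "(A;CI;RPWPCRLCLOCRRCWDWO;;;S-1-5-21-1111-2222-3333-1105)"
    "(A;CIIO;RPWPCR;;;S-1-5-21-1111-2222-3333-1106)"
    "(A;;LCRPLORC;;;AU)"
    "(OA;CI;CR;deadbeef-0000-0000-0000-000000000000;;S-1-5-21-1111-2222-3333-1107)"
)


def parse_rights(field: str) -> int:
    """Rights field is either a hex mask ('0x00040000') or concatenated two-letter tokens."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_BITS[field[i:i + 2]]
    return mask


def parse_dacl(sddl: str) -> List[Dict]:
    """Return the DACL's ACEs as dicts: type, flags (set of tokens), mask, object_guid, inherit_guid, trustee."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue                       # conditional or malformed ACEs are out of scope here
        flags = {fields[1][i:i + 2] for i in range(0, len(fields[1]), 2)}
        aces.append({
            "type": fields[0], "flags": flags, "mask": parse_rights(fields[2]),
            "object_guid": fields[3], "inherit_guid": fields[4], "trustee": fields[5],
        })
    return aces


def write_dacl_grants(sddl: str) -> List[str]:
    """Trustees whose allow ACE on the object itself carries WRITE_DAC or GenericAll.
    Inherit-only ACEs (IO) apply only to children, and object-type-scoped ACEs
    target a property or extended right rather than the object's DACL, so both are skipped."""
    holders = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA") or "IO" in ace["flags"] or ace["object_guid"]:
            continue
        if ace["mask"] & (WRITE_DAC | GENERIC_ALL):
            holders.append(ace["trustee"])
    return holders


if __name__ == "__main__":
    for sid in write_dacl_grants(SAMPLE_SDDL):
        print("WriteDacl on domain object:", sid)
```

Feed it the real SDDL and resolve the reported SIDs; if the Exchange Windows Permissions group is among them, the relay path the diary describes is open.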
Tomi Engdahl says:
Police Shut Down xDedic – An Online Market for Cyber Criminals
https://thehackernews.com/2019/01/cyber-criminal-marketplace.html
In an international operation involving law enforcement authorities from the U.S. and several European countries, feds have shut down an online underground marketplace and arrested three suspects in Ukraine.
Dubbed xDedic, the illegal online marketplace let cybercriminals buy, sell or rent out access to thousands of hacked computers and servers across the world and personally identifiable information of U.S. residents.
Tomi Engdahl says:
Google provides EU politicians with DDoS protection
https://www.itproportal.com/news/google-provides-eu-politicians-with-ddos-protection/
Tomi Engdahl says:
Break-in attempts have woken Finnish water utilities up to cyber threats: “a lot of old technology in use”
https://www.tivi.fi/Kaikki_uutiset/murtoyritykset-havahduttivat-suomalaiset-vesihuoltoyhtiot-kyberuhkiin-kaytossa-paljon-vanhaa-teknologiaa-6756627
Tomi Engdahl says:
How a teenage ‘Fortnite’ player found Apple’s FaceTime bug — and why it was so hard to report it
https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961
Grant Thompson just wanted to play “Fortnite” and chat with friends. His discovery led Apple to suspend a popular iPhone feature.
Grant Thompson, a 14-year-old high school student in Tucson, Arizona, just wanted to chat with friends and play some “Fortnite” when he discovered a major bug in Apple’s popular FaceTime feature.
On Jan. 19, Thompson called his friend Nathan using FaceTime, but Nathan didn’t pick up. So Thompson swiped up and added another friend, a move that instantly connected him with Nathan, whose phone was still ringing.
“We were pretty shocked at first because it was still ringing on his phone,” he said in an interview. “After that we tested it for about half an hour to see if it worked every time.”
It did. Thompson had discovered a bug that allowed him to force other iPhones to answer a FaceTime call, even if the other person doesn’t take any action. Apple has since disabled the “Group FaceTime” feature, and a software update to fix the bug is expected to be released, but not before users expressed widespread shock at the flaw in an Apple device typically known for security.
Thompson brought his discovery to his mother, Michele Thompson, a lawyer. She could hardly believe it herself.
“I was doubtful,” she said. “He showed it to me on my iPhone and it worked.”
For the next week, Michele Thompson, 43, tried to notify Apple of the flaw through a variety of avenues, many of which were dead ends.
“It was very frustrating getting them to respond,” she said. “I get it. I’m sure they get all sorts of kooks that try to report things to them.”
Thompson provided emails to NBC News that showed her efforts to contact Apple, including an Apple representative who directed her to the company’s “bug reporter” program and bug bounty program.
Thompson also tried to alert the media, tweeting what her son had found.
Turning to the bounty program, Thompson said she registered as a developer so that she could bring it to the company’s attention.
The bug comes at an inopportune time for Apple. The company reports quarterly earnings on Tuesday afternoon, financial updates that the company has already warned will come in under analysts’ expectations.
Apple has also positioned itself as a champion of privacy in the social media age, with CEO Tim Cook routinely espousing the company’s dedication to keeping users safe.
Thompson, who specializes in medical malpractice defense, sent a letter on her firm’s letterhead on Jan. 22 to Apple’s general counsel. The letter was headed: “Urgent Security Issue Regarding iOS 12.1.3.” There was no response.
With little success in getting the company’s attention, Thompson said her son convinced her to reveal the full details of the bug. The family made a video and uploaded it to YouTube
Thompson said she planned to wait a week before sending the video to the press. Then, on Monday, the Apple-centric tech publication 9to5Mac broke the story of the bug. The story was picked up by dozens of news outlets.
The Apple flaw shows that while most people have embraced smartphones, they are still devices with cameras and microphones that can violate users’ privacy.
Payton added that she understands the challenges companies can face in terms of the sheer volume of false alarms, but noted that language-processing technologies can help comb through responses to help determine which ones are likely to be legitimate.
Thompson said she has not heard back from Apple concerning her attempts to alert the company about the bug since it was publicly revealed. She added that she would not have done anything differently.
Tomi Engdahl says:
Microsoft starting last-minute push to get Windows users to upgrade to IE11
https://mspoweruser.com/microsoft-starting-last-minute-push-to-get-windows-users-to-upgrade-to-ie11/
IE10 will soon exit support, leaving many Windows users without any security or non-security updates, free or paid assisted support options, or online technical content.
Fortunately, Microsoft is giving Windows users a last chance to upgrade to IE11, currently, behind Firefox, the 3rd most popular browser on the internet. While IE10 is exiting support in 2020, IE11 will remain supported for some time still.
Tomi Engdahl says:
Over 9,000 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653
https://badpackets.net/over-9000-cisco-rv320-rv325-routers-vulnerable-to-cve-2019-1653/
On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability exists in these routers that allows remote unauthenticated information disclosure (CVE-2019-1653) leading to remote code execution (CVE-2019-1652).
Tomi Engdahl says:
Australia’s Assistance and Access Bill: An In-Depth Guide
https://medium.com/@mattlshearing/australias-aa-bill-an-in-depth-guide-to-the-death-of-digital-rights-72f47606cf45
Five Eyes is an intelligence alliance of five member states — Australia, New Zealand, Canada, the United Kingdom and the United States. It’s essentially a multi-national spy network which allows agencies from member states to ‘assist’ other agencies within the network.
Basically, if you’re involved in any way with technology, this Bill applies to you
under your control;
install, maintain, test and use software or equipment;
provide access to your facility, equipment, devices, services, software, applications or communications;
test, modify, deploy and maintain technology which they install on your software/hardware;
modify your business model or service;
cease using a certain service provider in your software and begin using another (which they stipulate); and
conceal the fact that you’ve done any of the above acts, as long as you do not have to be dishonest.
Tomi Engdahl says:
Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts
https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank
Motherboard has identified a specific UK bank that has fallen victim to so-called SS7 attacks, and sources say the issue is wider than previously reported.
Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.
Tomi Engdahl says:
Casey Newton / The Interface:
Apple shutting down Facebook’s internal iOS apps should serve as a reminder of the power Apple holds over the rest of us — At around 2:30 a.m. ET on Wednesday, Facebook sent me an update about the controversial market research program revealed on Tuesday by TechCrunch.
The Apple-Facebook feud is now a shooting war
https://www.getrevue.co/profile/caseynewton/issues/the-apple-facebook-feud-is-now-a-shooting-war-157707
Some of that, I think, is fair: it seems wrong to call a program advertised publicly on various apps, and known as Facebook Research, a secret spying program.
Apple, which last night took steps to invalidate the root certificates enabling both the market research program and every single app that Facebook uses for internal testing purposes, for tens of thousands of employees around the world.
Tensions between Apple and Facebook have been high for some time now. For Apple CEO Tim Cook, Facebook and its fellow ad-supported tech giant, Google, make for convenient punching bags.
Cook wants to promote the idea that iOS devices are more valuable than others because they don’t use an advertising-based business model.
By invalidating Facebook’s enterprise certificate today, Cook flipped one of his lesser switches. And the result inside Facebook today was chaos.
And just like that, Facebook’s entire day was wasted. What had been a cold conflict had suddenly escalated into a shooting war.
For those who believe that Facebook should be compelled to obtain and retain less consumer data, today likely felt like a win. In this view, Apple stepped in and protected consumers.
But if you’re more interested in competition, today’s news may give you a chill. One giant platform declared another giant platform’s market research program inappropriate, then disappeared it with a Thanos-style finger snap.
Facebook is an enlightened dictatorship, but so is Apple. Tim Cook and his lieutenants dictate the terms of an enormous economy, and can change that economy on a whim. Today Apple may have acted out of consistency with its privacy principles, to the benefit of some consumers.
iPhone has matured as a development platform. Apple is currently the subject of a lawsuit, now before the Supreme Court, alleging that its App Store monopoly results in customers being overcharged. I suspect there is more of this kind of scrutiny ahead.
Tomi Engdahl says:
Joseph Cox / Motherboard:
UK’s Metro Bank confirms it has faced an SS7 attack intercepting 2FA codes; a telecom lobbying group previously told Congress such an attack is “theoretical”
Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts
https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank
Motherboard has identified a specific UK bank that has fallen victim to so-called SS7 attacks, and sources say the issue is wider than previously reported.
Tomi Engdahl says:
What Happens When A Regular Person Finds A Huge Security Flaw?
https://hackaday.com/2019/01/29/what-happens-when-a-regular-person-finds-a-huge-security-flaw/
The biggest news in the infosec world, besides the fact that balaclavas are becoming increasingly popular due to record-low temperatures across the United States, is that leet haxors can listen to you from your iPhone using FaceTime without you even answering the call. There are obvious security implications of this bug: phones should only turn on the microphone after you pick up a call. This effectively turns any iPhone running iOS 12.1 or later into a party line. In response Apple has taken group FaceTime offline in preparation of a software update later this week.
This is a story about how this security flaw was found, and what a normal person can do if they ever find something like this.
That’s it. That’s the responsible disclosure. We’ve heard stories about random people on the Internet finding security flaws that make the heads of people running Trillion-dollar companies burst into flames, but here’s the evidence, rendered in tweet form. Additionally, [MGT7] also emailed Apple, Fox News (not an affiliate), CNBC, CNN, and 9to5Mac about this security flaw. There was no response until 9to5Mac ran the story eight days later.
If a random person on the Internet finds a security vulnerability, what should they do? This is in the hacker and infosec realm, so the most common advice is to request a CVE, contact the parties involved (in this case, Apple, and the best email to reach them is the twenty first link on this page), and negotiate a time after which the vulnerability will be disclosed. This is called responsible disclosure. You might want to check into bug bounties, because there might be a cash award. Alternatively, you could reach out to security researchers investigating the same platforms, and see if they could use their pull on Twitter to focus attention on the problem.
A random person on the Internet isn’t an infosec expert. The random person on the Internet simply wants things fixed, and in this case [MGT7] did exactly the right thing: they emailed Apple Support, including registering as a developer and going through the right channels. This reporting process should be easier, more obvious, and the response should be swift.
The best example of what you should do if you ever find a security flaw: find an email address on the company’s page for the security team. Email them, and sit back and wait. That’s all you need to know. It’s also the complete opposite of what security researchers suggest, and this is a failing of the entire community.
Major iPhone FaceTime bug lets you hear the audio of the person you are calling … before they pick up
https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
Tomi Engdahl says:
Dell Teams With CrowdStrike, Secureworks for New Endpoint Security Offering
https://www.securityweek.com/dell-teams-crowdstrike-secureworks-new-endpoint-security-offering
Dell on Thursday announced that it has teamed up with its subsidiary Secureworks and CrowdStrike for a new endpoint security offering that includes threat prevention, detection and response services.
The new Dell SafeGuard and Response offering combines unified endpoint protection, managed security, incident response expertise, and threat behavioral analytics.
Tomi Engdahl says:
Minnesota Department of Human Services Reports Data Breach
https://www.securityweek.com/minnesota-department-human-services-reports-data-breach
The Minnesota Department of Human Services says a data breach potentially exposed personal information on up to 3,000 people.