Cyber Security News January 2019

This posting is here to collect cyber security news in January 2019.

I post links to security vulnerability news in the comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

 

412 Comments

  1. Tomi Engdahl says:

    Azorult Trojan Steals Passwords While Hiding as Google Update
    https://www.bleepingcomputer.com/news/security/azorult-trojan-steals-passwords-while-hiding-as-google-update/

    The AZORult information stealer and downloader malware strain was observed by Minerva Labs’ research team posing as a signed Google Update installer and achieving persistence by replacing the legitimate Google Updater program on compromised machines

    Reply
  2. Tomi Engdahl says:

    Drone Sightings, A New British Comedy Soap Opera
    https://hackaday.com/2019/01/28/drone-sightings-a-new-british-comedy-soap-opera/

    Here at Hackaday we’ve brought you news of the UK’s peculiar habit of bad reporting and shoddy investigation of questionable drone sightings several times over the last year or two. Most recently we covered a series of events before Christmas that closed Gatwick, London’s second airport for several days over what turned out to be nothing of substance.

    Unfortunately it didn’t end there. We’re back once more to catch up with the latest events down on the tarmac, and come away with a fresh set of reasonable questions unanswered by the popular coverage of the matter.

    Another Day, Another Police Helicopter

    The Gatwick airport was closed over more than a day based on eyewitness reported sightings of a drone — which we take to mean a small unmanned aircraft. After much investigation (and the arrest and release of suspects) the embarrassing admission that it might all have been about nothing came just before Christmas

    But the second week of January brought another story. This time it was London’s main airport, Heathrow, and yet again at dusk on a winter’s evening a drone spotting was reported. The airport was closed, and in contrast to Gatwick there were multiple reports of sightings. Surely with lights spotted over the runway there could be no doubt, we’d caught the pesky drone red-handed!

    The ADSB records show that the police helicopter arrived in the Heathrow area at about 17:33 on the 8th of January and left at about 18:26, having spent a considerable time hovering over various parts of the airport environs through the time that observers on the ground claimed to have seen some lights in the sky.

    Confusing a Hovering Helicopter for a Drone

    Repeat After Us: Show Us The Drone

    If a Hackaday reader can spend ten minutes with a web browser to reveal G-MPSC’s path that night then it is not unreasonable to expect that the formidable investigative resources of a global news organisation could do the same. We need to see better reporting, a readiness to investigate official accounts rather than regurgitate them, and above all a willingness to consult experts in the field rather than people from other fields with a vested interest. An airline pilot is not an expert on drones, it’s akin to saying a supertanker captain is an expert on kayaks because both vessels are boats.

    Reply
  3. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    IT security and cloud data management firm Rubrik leaves server online without password, exposing tens of GBs of data, customer names, contact info, case work

    Data management giant Rubrik leaked a massive database of client data
    https://techcrunch.com/2019/01/29/rubrik-data-leak/

    A server security lapse has exposed a massive database of customer information belonging to Rubrik, an IT security and cloud data management giant.

    The company pulled the server offline Tuesday within an hour of TechCrunch alerting the company, after the data was found by security researcher Oliver Hough. The exposed server wasn’t protected with a password, allowing access to anyone who knew where to find the server.

    The database itself, running on a hosted Amazon Elasticsearch server, was storing tens of gigabytes of data, including customer names, contact information, and case work for each corporate customer.

    It’s believed the data goes back to October 2018, according to timestamps found inside.

    From a cursory review, we also found some emails included sensitive information about that customer’s setup and configuration.

    It’s somewhat ironic, given that the IT unicorn, valued at $3.3 billion, recently announced that it’s expanding into security and compliance services.

    Rubrik has thousands of major clients

    In remarks, Rubrik said it was investigating.

    “While building a new solution for customer support, a sandbox environment containing a subset of our customer corporate contact information and support interaction data was potentially accessible for a brief period of time,” said a spokesperson for Rubrik. “We rectified this issue immediately.”

    It’s not known who might have accessed it, but the exposed server was indexed on Shodan, a search engine for exposed devices and databases, making it easily discoverable and accessible.

    “We have traced the cause to human error, a default access setting was not changed per our standard practice. We have enacted changes to our processes to prevent this from happening again. Privacy and security is our top concern and we sincerely apologize for the mistake,” the spokesperson said.

    Reply
  4. Tomi Engdahl says:

    Lie Junius / The Keyword:
    Alphabet’s Jigsaw expands its free Project Shield service to organizations across EU, including journalists, to defend against DDoS attacks ahead of elections

    An update on our work to prevent abuse ahead of the EU elections
    https://www.blog.google/around-the-globe/google-europe/update-our-work-prevent-abuse-ahead-eu-elections/

    Concerns about disinformation run high ahead of elections, a time when secure access to authoritative information is essential. Over the past few years, as more attempts to disrupt democratic processes have come to light, the scale of our response has increased. The upcoming European Parliament elections in May of this year are a big focus for our teams.

    Project Shield for political campaigns, journalists and NGOs in Europe

    Journalists, campaigns and political parties, NGOs and election monitoring groups ensure people can stay informed during election periods. It’s never been more necessary to defend these groups from digital attacks that can exploit many thousands of computers to overwhelm a website’s servers and take it offline—preventing voters from getting official information when they need it most. Project Shield uses Google’s infrastructure to protect independent news sites from distributed denial of service attacks (DDoS) and from today, Jigsaw will be offering strong, free DDoS-protections to the organizations across Europe that are vital to free and fair elections. You can find out more about Jigsaw and apply for Shield protection here

    Protecting election news from digital attacks: free tools to help defend information when it matters most.
    https://protectyourelection.withgoogle.com/intl/en/?_ga=2.18501627.334794669.1548867197-1604367932.1548867197

    Reply
  5. Tomi Engdahl says:

    Cyber Threat: Russia and China Poised to Cripple US Power Grid, Gas Pipelines at a Moment’s Notice
    https://www1.cbn.com/cbnnews/national-security/2019/january/cyber-threat-russia-and-china-poised-to-cripple-us-power-grid-gas-pipelines-at-a-moments-notice

    Russia and China are capable of launching cyberattacks that could disrupt electric grids and gas pipelines in the US, according to a new government report the intelligence community delivered to the Senate Intelligence Committee Tuesday.

    Reply
  6. Tomi Engdahl says:

    Special Report: Inside the UAE’s secret hacking team of U.S. mercenaries
    https://www.reuters.com/article/us-usa-spying-raven-specialreport/special-report-inside-the-uaes-secret-hacking-team-of-u-s-mercenaries-idUSKCN1PO19O

    Two weeks after leaving her position as an intelligence analyst for the U.S. National Security Agency in 2014, Lori Stroud was in the Middle East working as a hacker for an Arab monarchy.

    She had joined Project Raven, a clandestine team that included more than a dozen former U.S. intelligence operatives recruited to help the United Arab Emirates engage in surveillance of other governments, militants and human rights activists critical of the monarchy.

    Reply
  7. Tomi Engdahl says:

    DON’T TOSS THAT BULB, IT KNOWS YOUR PASSWORD
    https://hackaday.com/2019/01/29/dont-toss-that-bulb-it-knows-your-password/

    In a series of posts on the [Limited Results] blog, low-cost “smart” bulbs are cracked open and investigated to see what kind of knowledge they’ve managed to collect about their owners. Not only was it discovered that bulbs manufactured by Xiaomi, LIFX, and Tuya stored the WiFi SSID and encryption key in plain text, but that recovering said information from the bulbs was actually quite simple. So next time one of those cheapo smart bulbs starts flickering, you might want to take a hammer to it before tossing it in the trash can; you never know where it, and the knowledge it has of your network, might end up.

    https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/

    Reply
  8. Tomi Engdahl says:

    Head of Android Security Says Locking Out Law Enforcement Is an ‘Unintended Side Effect’
    https://motherboard.vice.com/en_us/article/yw8vm7/android-security-locking-out-law-enforcement-unintended-side-effect

    Google is taking steps to make it harder for someone to push a malicious update that disables the security features on an Android phone.

    In 2016, the FBI asked Apple to help the law enforcement agency get into the iPhone

    In a talk at the USENIX Enigma conference in Burlingame, California on Tuesday, Rene Mayrhofer, Google’s Director of Android Platform Security, made clear that Google is taking technical steps to be able to make the same argument in case the FBI comes knocking.

    Thanks to these new security features—announced last year—Google can’t push out a malicious software update to an Android phone. Nor, Mayrhofer said, can Google modify its firmware to disable security features

    “We want to make it impossible for insiders to get this kind of access for whatever reasons, whatever motivation,” Mayrhofer said. “And law enforcement is, I would say—the inability to react to legal requests here is an unintended side effect of this mitigation.”

    There are security challenges for Android beyond the operating system or hardware. Mayrhofer admitted that Android’s app ecosystem has “issues” that need to be resolved.

    Reply
  9. Tomi Engdahl says:

    The Case of the Bumbling Spy: A Watchdog Group Gets Him on Camera
    https://www.nytimes.com/2019/01/28/world/black-cube-nso-citizen-lab-intelligence.html

    Citizen Lab, a cybersecurity watchdog organization at the University of Toronto, has published hard-hitting research on powerful targets in recent years: Chinese government censorship, Silicon Valley’s invasion of customers’ privacy, despotic regimes’ electronic surveillance of dissidents. It’s the kind of work that can make enemies.

    So when John Scott-Railton, a senior researcher at Citizen Lab, got an odd request for a meeting last week from someone describing himself as a wealthy investor from Paris, he suspected a ruse and decided to set a trap.

    Reply
  10. Tomi Engdahl says:

    Unsecured MongoDB databases expose Kremlin’s backdoor into Russian businesses
    https://www.zdnet.com/google-amp/article/unsecured-mongodb-databases-expose-kremlins-backdoor-into-russian-businesses/?__twitter_impression=true

    “[email protected]” account spotted on thousands of Russian-linked, internet-exposed MongoDB databases.

    A Dutch security researcher has stumbled upon the Kremlin’s backdoor account that the government had been using to access the servers of local and foreign businesses operating in Russia.

    The backdoor account was found inside thousands of MongoDB databases that had been left exposed online without a password.

    Reply
  11. Tomi Engdahl says:

    Facebook knowingly duped game-playing kids and their parents out of money
    https://www.revealnews.org/article/facebook-knowingly-duped-game-playing-kids-and-their-parents-out-of-money/

    Facebook orchestrated a multiyear effort that duped children and their parents out of money, in some cases hundreds or even thousands of dollars, and then often refused to give the money back, according to court documents unsealed tonight in response to a Reveal legal action.

    Reply
  12. Tomi Engdahl says:

    Google’s also peddling a data collector through Apple’s back door

    It looks like Facebook is not the only one abusing Apple’s system for distributing employee-only apps to sidestep the App Store and collect extensive data on users. Google has been running an app called Screenwise Meter, which bears a strong resemblance to the app distributed by Facebook Research that has now been barred by Apple, TechCrunch has learned.

    Reply
  13. Tomi Engdahl says:

    https://techcrunch.com/2019/01/30/googles-also-peddling-a-data-collector-through-apples-back-door/?sr_share=facebook&utm_source=tcfbpage

    Reply
  14. Tomi Engdahl says:

    India’s largest bank SBI leaked account data on millions of customers
    https://techcrunch.com/2019/01/30/state-bank-india-data-leak/?sr_share=facebook&utm_source=tcfbpage

    India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.

    Reply
  15. Tomi Engdahl says:

    Inside the UAE’s secret hacking team of American mercenaries
    https://www.reuters.com/investigates/special-report/usa-spying-raven/
    Ex-NSA operatives reveal how they helped spy on targets for the Arab monarchy: dissidents, rival leaders and journalists. See also
    https://www.reuters.com/article/us-usa-spying-karma-exclusive/exclusive-uae-used-cyber-super-weapon-to-spy-on-iphones-of-foes-idUSKCN1PO1AN

    Reply
  16. Tomi Engdahl says:

    Employee Data Compromised in Airbus Breach
    https://www.securityweek.com/employee-data-compromised-airbus-breach

    Aircraft maker Airbus on Wednesday revealed that information on some of its employees was compromised as a result of a data breach.

    According to the company, it detected an intrusion on systems associated with its Commercial Aircraft business, but claims that the incident has not impacted its commercial operations.

    https://www.airbus.com/content/dam/corporate-topics/publications/press-release/EN-Airbus-Cyber-Security-Statement.pdf

    Reply
  17. Tomi Engdahl says:

    Firefox 65 Brings Improved Privacy Protections
    https://www.securityweek.com/firefox-65-brings-improved-privacy-protections

    Mozilla this week released the stable version of Firefox 65 with privacy protection improvements, patches, and other security enhancements inside.

    “As a result of some of our previous testing, we’re happy to announce a new set of redesigned controls for the Content Blocking section in today’s Firefox release where users can choose their desired level of privacy protection,” Mozilla’s Nick Nguyen notes in a blog post.

    https://blog.mozilla.org/blog/2019/01/29/todays-firefox-gives-users-more-control-over-their-privacy/

    Reply
  18. Tomi Engdahl says:

    Yahoo Breach Settlement Rejected by Judge
    https://www.securityweek.com/yahoo-breach-settlement-rejected-judge

    A U.S. judge has rejected the settlement between Yahoo and users impacted by the massive data breaches suffered by the company, citing, among other things, inadequate disclosure of the settlement fund and high attorney fees.

    Reply
  19. Tomi Engdahl says:

    Bangladesh to Sue Philippine Bank Over $81M Cyber Heist
    https://www.securityweek.com/bangladesh-sue-philippine-bank-over-81m-cyber-heist

    Bangladesh will Wednesday file a lawsuit in New York against a Philippine bank over its involvement in one of the biggest-ever cyber heists, the country’s central bank governor said.

    Unidentified hackers stole $81 million from the Bangladesh central bank’s account with the US Federal Reserve in New York in February 2016.

    The money was then transferred to a Manila branch of the Rizal Commercial Banking Corp (RCBC), swiftly withdrawn and laundered through local casinos.

    A case will be filed against RCBC and “all others” involved in the heist to try and retrieve the stolen funds, Bangladesh central bank governor Fazle Kabir told AFP.

    https://www.securityweek.com/industry-reactions-bangladesh-bank-hack-feedback-friday

    Reply
  20. Tomi Engdahl says:

    Spam Injector Disguised as License Key in WordPress Website
    https://blog.sucuri.net/2019/01/spam-injector-disguised-as-license-key-in-wordpress.html

    Here at Sucuri, we clean WordPress websites every day. There are various types of common malware, but when we stumble upon a different scenario, our research team likes to dig deeper and conduct a complete investigation.

    A license key is a place where a webmaster might not expect to find an infection, however, in this particular case, this is where we found one.

    Reply
  21. Tomi Engdahl says:

    Theoretical Ransomware Attack Could Lead to Global Damages Says Report
    https://www.bleepingcomputer.com/news/security/theoretical-ransomware-attack-could-lead-to-global-damages-says-report/

    According to a speculative cyber risk scenario prepared by Cambridge University for risk management purposes, a ransomware strain that would manage to impact more than 600,000 businesses worldwide within 24 hours would potentially lead to damages of billions not covered by insurers.

    First of all, it is important to understand that although the numbers look very scary, this type of an attack is practically impossible to pull off at the moment when taking into consideration the current capabilities of malware, anti-malware, and current IT ecosystems.

    Insurance firms refusing to cover ransomware attack losses

    Although the report “identifies opportunities for insurers to expand their business in insurance classes associated with ransomware attacks,” quite recent events show that, in some circumstances, insurers have refused to cover the losses generated by ransomware attacks.

    Reply
  22. Tomi Engdahl says:

    Inside the UAE’s secret hacking team of American mercenaries
    https://www.reuters.com/investigates/special-report/usa-spying-raven/

    Ex-NSA operatives reveal how they helped spy on targets for
    the Arab monarchy — dissidents, rival leaders and journalists.

    Reply
  23. Tomi Engdahl says:

    Apple bans Facebook’s Research app that paid users for data
    https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/

    Reply
  24. Tomi Engdahl says:

    New LockerGoga Ransomware Allegedly Used in Altran Attack
    https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/

    Hackers have infected the systems of Altran Technologies with malware that spread through the company network, affecting operations in some European countries. To protect client data and their own assets, Altran decided to shut down its network and applications.

    The attack occurred on January 24, but the French engineering consultancy released a public statement only yesterday and kept details to a bare minimum, saying that third-party technical experts and digital forensics specialists are on the case.

    Altran allegedly hit with new LockerGoga ransomware

    Altran made no reference to the type of malware affecting their network, but security researchers, following the trail of public breadcrumbs, have found sufficient evidence to determine that it’s a ransomware attack.

    When encrypting files, the ransomware will append the .locked extension to the encrypted files’ names.

    https://resource.globenewswire.com/Resource/Download/0663f8d4-0acf-4463-b0fd-bb05042d1373

    Reply
  25. Tomi Engdahl says:

    Israel Blocks Iran Cyber-attacks ‘Daily’: Netanyahu
    https://www.securityweek.com/israel-blocks-iran-cyber-attacks-daily-netanyahu

    Prime Minister Benjamin Netanyahu on Tuesday accused arch-foe Iran of regularly launching cyber-attacks on Israel that the Jewish state blocks each day.

    “Iran attacks Israel on a daily basis,” he told a cyber conference in Tel Aviv. “We monitor these attacks, we see these attacks and we foil these attacks all the time.”

    “Any country can be attacked today with cyber-attacks and every country needs the combination of a national cyber defence effort and a robust cyber security industry,” Netanyahu said.

    Reply
  26. Tomi Engdahl says:

    U.S. Intel Community: Russia, China Can Disrupt Critical Infrastructure
    https://www.securityweek.com/us-intel-community-russia-china-can-disrupt-critical-infrastructure

    Russia and China are capable of disrupting critical infrastructure in the United States, and Iran is not far behind, according to the Worldwide Threat Assessment made public by the U.S. intelligence community on Tuesday.

    The assessment covers a wide range of threats, including cyber. Similar to the reports published in the past years, it warns that the US’s adversaries and competitors will increasingly use their cyber capabilities for political, military and economic advantage.

    China and Russia continue to pose the biggest threat, but Iran, North Korea, non-state terrorists and profit-driven cybercriminals should not be ignored either, intelligence agencies said.

    Reply
  27. Tomi Engdahl says:

    Josh Constine / TechCrunch:
    Apple says it revoked Facebook’s Enterprise Certificate yesterday used to distribute the Research app outside of App Store, before Facebook could shut it down — In the wake of TechCrunch’s investigation yesterday, Apple blocked Facebook’s Research VPN app before the social network could voluntarily shut it down.

    Apple bans Facebook’s Research app that paid users for data
    https://techcrunch.com/2019/01/30/apple-bans-facebook-vpn/

    Reply
  28. Tomi Engdahl says:

    Chaos has reportedly erupted inside Facebook as employees find themselves unable to open the company’s apps on their iPhones
    https://nordic.businessinsider.com/facebook-chaos-after-apple-blocks-internal-iphone-apps-report-2019-1?r=US&IR=T

    Apple has blocked Facebook’s internal apps from working on employees’ phones, The Verge reported.
    The move was in response to reports this week that Facebook misused Apple’s enterprise-app program, meant for internal use in a company, to run a research app that gathered data on people’s phone activity in exchange for payment.

    Apple blocks Facebook from running its internal iOS apps
    https://www.theverge.com/2019/1/30/18203551/apple-facebook-blocked-internal-ios-apps

    Reply
  29. Tomi Engdahl says:

    DNS Providers to Cease Implementing DNS Resolver Workarounds
    https://www.securityweek.com/dns-providers-cease-implementing-dns-resolver-workarounds

    Starting on February 1, 2019, a number of DNS software and service providers will cease implementing DNS resolver workarounds for systems that don’t follow the Extensions to DNS (EDNS) protocol.

    Intended for DNS Flag Day, the switch should solve two major problems DNS has at the moment due to these workarounds: slower responses to DNS queries and the difficulty of deploying new DNS protocol features such as improved distributed denial of service protections.

    Although the Extension Mechanisms for DNS were specified in 1999 to establish rules for responding to queries with EDNS options or flags, some implementations continue to violate the rules. To address interoperability issues, DNS software developers implemented workarounds for non-standard behaviors.

    “These workarounds excessively complicate DNS software and are now also negatively impacting the DNS as a whole,” the Internet Systems Consortium (ISC) points out.

    Reply
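The workarounds the ISC refers to exist because some authoritative servers still do not answer queries that carry an EDNS(0) OPT record the way RFC 6891 requires, and resolvers have been retrying such servers without EDNS. The following Python is an added example, not code from the linked article or from this blog: it builds a query with an OPT record, parses a reply and classifies it the way a Flag Day compliance check would. The three sample replies are constructed inline so the check runs offline; `probe()` applies the same logic over UDP to a server you operate. Names such as `analyse_response` and `make_response` are this example's own.

```python
"""EDNS(0) compliance check in the spirit of DNS Flag Day (added example).

A compliant server echoes an OPT pseudo-record in its reply; a legacy server
answers FORMERR or silently drops the OPT record, which resolvers used to paper
over by retrying the query without EDNS. Sample replies below are constructed,
not captured traffic, so the classification runs offline.
"""
import socket
import struct

OPT_TYPE = 41          # EDNS(0) OPT pseudo-RR type (RFC 6891)
RCODE_FORMERR = 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, udp_size=1232, txid=0x1234):
    """DNS query for `name` with a single OPT record in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, TYPE=41, CLASS carries the UDP payload size,
    # TTL carries extended RCODE/version/flags (all zero here), empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def analyse_response(msg):
    """Classify a reply as 'edns-ok', 'formerr-no-edns' or 'no-opt-in-reply'."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            has_opt = True
    if has_opt:
        verdict = "edns-ok"                     # server understood EDNS
    elif rcode == RCODE_FORMERR:
        verdict = "formerr-no-edns"             # legacy behaviour resolvers used to retry around
    else:
        verdict = "no-opt-in-reply"             # answered, but dropped the OPT record
    return {"rcode": rcode, "has_opt": has_opt, "verdict": verdict}


def make_response(query, rcode=0, with_opt=True, answer_ip=None):
    """Constructed reply to `query` for offline testing (synthetic, not captured)."""
    txid = struct.unpack("!H", query[:2])[0]
    q_end = skip_name(query, 12) + 4
    question = query[12:q_end]
    answer = b""
    if answer_ip:
        # owner name as a pointer to offset 12, type A, class IN, TTL 300, 4-byte RDATA
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    opt = (b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)) if with_opt else b""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 1 if answer else 0, 0, 1 if opt else 0)
    return header + question + answer + opt


def probe(server, name="example.com.", timeout=2.0):
    """Send the EDNS query to `server` over UDP and classify its reply (live check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return analyse_response(data)


# Constructed sample replies: compliant, legacy FORMERR, and OPT silently dropped.
QUERY = build_query("example.com.")
COMPLIANT = make_response(QUERY, rcode=0, with_opt=True, answer_ip="192.0.2.1")
LEGACY_FORMERR = make_response(QUERY, rcode=RCODE_FORMERR, with_opt=False)
DROPS_OPT = make_response(QUERY, rcode=0, with_opt=False, answer_ip="192.0.2.1")

if __name__ == "__main__":
    for label, reply in [("compliant", COMPLIANT), ("legacy", LEGACY_FORMERR), ("drops-opt", DROPS_OPT)]:
        print(label, analyse_response(reply))
```

Run against your own authoritative server with `probe("192.0.2.53", "yourzone.example.")`; any verdict other than `edns-ok` is the behaviour resolvers stop compensating for after Flag Day, so the server (or a middlebox in front of it) needs fixing rather than the resolver.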
  30. Tomi Engdahl says:

    Iran-Linked Hackers Use Array of Tools to Steal Data: FireEye
    https://www.securityweek.com/iran-linked-hackers-use-array-tools-steal-data-fireeye

    An Iran-linked cyber-espionage group responsible for widespread theft of data is using a broad range of custom and off-the-shelf tools, FireEye security researchers say.

    Referred to as APT39, the group has been tracked since November 2014 and its activities largely align with the Chafer group, as well as with the OilRig cyberspies. Unlike other groups operating out of Iran, however, APT39 hasn’t been linked to influence operations, disruptive attacks, and other threats.

    Reply
  31. Tomi Engdahl says:

    Crypto Hardware Maker nCipher Re-Emerges From Thales After 20 Years
    https://www.securityweek.com/crypto-hardware-maker-ncipher-re-emerges-thales-after-20-years

    Its divestiture by Thales was a competition condition imposed by the European Union for the acquisition of Gemalto by Thales. Gemalto and Thales were the two major providers of HSMs. European Commissioner Margrethe Vestager explained, the condition “allows the creation of a strong European player in this market, while still ensuring that the merger will not prevent customers from continuing to enjoy fair prices and innovative products.”

    Reply
  32. Tomi Engdahl says:

    Salt Security Emerges From Stealth With API Protection Solution
    https://www.securityweek.com/salt-security-emerges-stealth-api-protection-solution

    Application programming interfaces (APIs) have been involved in several high profile security incidents in the past years and an increasing number of companies have started offering API protection solutions.

    Salt Security claims that solutions from other vendors can only detect known API attacks, but its own AI-powered technology can spot anomalies in real time and block threats in the reconnaissance phase.

    The company says it can provide an inventory of all APIs within hours and helps organizations assess the risks associated with each component. Its solution should be able to detect zero-day attacks by creating a profile of legitimate APIs.

    Salt also helps customers identify insecure APIs and provides information on how these weak spots can be remediated in minutes, the company claims.

    Reply
  33. Tomi Engdahl says:

    Major Apple Security Bug Lets You Spy on Your Buddies
    https://www.pandasecurity.com/mediacenter/mobile-news/facetime-bug/

    Earlier today Apple users from all over the world, including US citizens and permanent residents, realized that they could spy on each other by taking advantage of a FaceTime exploit that allows eavesdropping. First reported by 9 to 5 Mac, the bug in Apple’s videotelephony app allowed users without any technical skills to eavesdrop on virtually anyone in the world who uses FaceTime. By simply making a FaceTime video call users were able to listen through the callee’s device, even if the call recipient was not picking up.

    Reply
  34. Tomi Engdahl says:

    Relaying Exchange’s NTLM authentication to domain admin (and more)
    https://isc.sans.edu/forums/diary/Relaying+Exchanges+NTLM+authentication+to+domain+admin+and+more/24578/

    Now folks, this is HUGE. Extremely huge. If you are running Exchange make sure that you read this diary and the original blog.

    Basically, the PoC tool exploits the fact that Exchange servers have very high privileges in Active Directory domains – the WriteDacl privilege that allows them to change domain privileges. Exchange servers are part of the Exchange Trusted Subsystem group, which is further included in the Exchange Windows Permissions group which has this critical privilege enabled.

    Reply
  35. Tomi Engdahl says:

    Police Shut Down xDedic – An Online Market for Cyber Criminals
    https://thehackernews.com/2019/01/cyber-criminal-marketplace.html

    In an international operation involving law enforcement authorities from the U.S. and several European countries, feds have shut down an online underground marketplace and arrested three suspects in Ukraine.

    Dubbed xDedic, the illegal online marketplace let cybercriminals buy, sell or rent out access to thousands of hacked computers and servers across the world and personally identifiable information of U.S. residents.

    Reply
  36. Tomi Engdahl says:

    How a teenage ‘Fortnite’ player found Apple’s FaceTime bug — and why it was so hard to report it
    https://www.nbcnews.com/tech/security/how-teenage-fortnite-player-found-apple-s-facetime-bug-why-n963961

    Grant Thompson just wanted to play “Fortnite” and chat with friends. His discovery led Apple to suspend a popular iPhone feature.

    Grant Thompson, a 14-year-old high school student in Tucson, Arizona, just wanted to chat with friends and play some “Fortnite” when he discovered a major bug in Apple’s popular FaceTime feature.

    On Jan. 19, Thompson called his friend Nathan using FaceTime, but Nathan didn’t pick up. So Thompson swiped up and added another friend, a move that instantly connected him with Nathan, whose phone was still ringing.

    “We were pretty shocked at first because it was still ringing on his phone,” he said in an interview. “After that we tested it for about half an hour to see if it worked every time.”

    It did. Thompson had discovered a bug that allowed him to force other iPhones to answer a FaceTime call, even if the other person doesn’t take any action. Apple has since disabled the “Group FaceTime” feature, and a software update to fix the bug is expected to be released, but not before users expressed widespread shock at the flaw in an Apple device typically known for security.

    Thompson brought his discovery to his mother, Michele Thompson, a lawyer. She could hardly believe it herself.

    “I was doubtful,” she said. “He showed it to me on my iPhone and it worked.”

    For the next week, Michele Thompson, 43, tried to notify Apple of the flaw through a variety of avenues, many of which were dead ends.

    “It was very frustrating getting them to respond,” she said. “I get it. I’m sure they get all sorts of kooks that try to report things to them.”

    Thompson provided emails to NBC News that showed her efforts to contact Apple, including an Apple representative who directed her to the company’s “bug reporter” program and bug bounty program.

    Thompson also tried to alert the media, tweeting what her son had found.

    Turning to the bounty program, Thompson said she registered as a developer so that she could bring it to the company’s attention.

    The bug comes at an inopportune time for Apple. The company reports quarterly earnings on Tuesday afternoon, financial updates that the company has already warned will come in under analysts’ expectations.

    Apple has also positioned itself as a champion of privacy in the social media age, with CEO Tim Cook routinely espousing the company’s dedication to keeping users safe.

    Thompson, who specializes in medical malpractice defense, sent a letter on her firm’s letterhead on Jan. 22 to Apple’s general counsel. The letter was headed: “Urgent Security Issue Regarding iOS 12.1.3.” There was no response.

    With little success in getting the company’s attention, Thompson said her son convinced her to reveal the full details of the bug. The family made a video and uploaded it to YouTube.

    Thompson said she planned to wait a week before sending the video to the press. Then, on Monday, the Apple-centric tech publication 9to5Mac broke the story of the bug. The story was picked up by dozens of news outlets.

    The Apple flaw shows that while most people have embraced smartphones, they are still devices with cameras and microphones that can violate users’ privacy.

    Payton added that she understands the challenges companies can face in terms of the sheer volume of false alarms, but noted that language-processing technologies can help comb through responses to help determine which ones are likely to be legitimate.

    Thompson said she has not heard back from Apple concerning her attempts to alert the company about the bug since it was publicly revealed. She added that she would not have done anything differently.

    Reply
  37. Tomi Engdahl says:

    Microsoft starting last-minute push to get Windows users to upgrade to IE11
    https://mspoweruser.com/microsoft-starting-last-minute-push-to-get-windows-users-to-upgrade-to-ie11/

    IE10 will soon exit support, leaving many Windows users without any security or non-security updates, free or paid assisted support options, or online technical content.

    Fortunately, Microsoft is giving Windows users a last chance to upgrade to IE11, currently the 3rd most popular browser on the internet, behind Firefox. While IE10 is exiting support in 2020, IE11 will remain supported for some time still.

    Reply
  38. Tomi Engdahl says:

    Over 9,000 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653
    https://badpackets.net/over-9000-cisco-rv320-rv325-routers-vulnerable-to-cve-2019-1653/

    On Friday, January 25, 2019, our honeypots detected opportunistic scanning activity from multiple hosts targeting Cisco Small Business RV320 and RV325 routers. A vulnerability exists in these routers that allows remote unauthenticated information disclosure (CVE-2019-1653) leading to remote code execution (CVE-2019-1652).

    Reply
  39. Tomi Engdahl says:

    Australia’s Assistance and Access Bill: An In-Depth Guide
    https://medium.com/@mattlshearing/australias-aa-bill-an-in-depth-guide-to-the-death-of-digital-rights-72f47606cf45

    Five Eyes is an intelligence alliance of five member states — Australia, New Zealand, Canada, the United Kingdom and the United States. It’s essentially a multi-national spy network which allows agencies from member states to ‘assist’ other agencies within the network.

    Basically, if you’re involved in any way with technology, this Bill applies to you

    under your control;
    install, maintain, test and use software or equipment;
    provide access to your facility, equipment, devices, services, software, applications or communications;
    test, modify, deploy and maintain technology which they install on your software/hardware;
    modify your business model or service;
    cease using a certain service provider in your software and begin using another (which they stipulate); and
    conceal the fact that you’ve done any of the above acts, as long as you do not have to be dishonest.

    Reply
  40. Tomi Engdahl says:

    Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts
    https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

    Motherboard has identified a specific UK bank that has fallen victim to so-called SS7 attacks, and sources say the issue is wider than previously reported.

    Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself.

    Reply
  41. Tomi Engdahl says:

    Casey Newton / The Interface:
    Apple shutting down Facebook’s internal iOS apps should serve as a reminder of the power Apple holds over the rest of us — At around 2:30 a.m. ET on Wednesday, Facebook sent me an update about the controversial market research program revealed on Tuesday by TechCrunch.

    The Apple-Facebook feud is now a shooting war
    https://www.getrevue.co/profile/caseynewton/issues/the-apple-facebook-feud-is-now-a-shooting-war-157707

    Some of that, I think, is fair: it seems wrong to call a program advertised publicly on various apps, and known as Facebook Research, a secret spying program.

    Apple last night took steps to invalidate the root certificates enabling both the market research program and every single app that Facebook uses for internal testing purposes, for tens of thousands of employees around the world.

    Tensions between Apple and Facebook have been high for some time now. For Apple CEO Tim Cook, Facebook and its fellow ad-supported tech giant, Google, make for convenient punching bags.
    Cook wants to promote the idea that iOS devices are more valuable than others because they don’t use an advertising-based business model.

    By invalidating Facebook’s enterprise certificate today, Cook flipped one of his lesser switches. And the result inside Facebook today was chaos.

    And just like that, Facebook’s entire day was wasted. What had been a cold conflict had suddenly escalated into a shooting war.

    For those who believe that Facebook should be compelled to obtain and retain less consumer data, today likely felt like a win. In this view, Apple stepped in and protected consumers.

    But if you’re more interested in competition, today’s news may give you a chill. One giant platform declared another giant platform’s market research program inappropriate, then disappeared it with a Thanos-style finger snap.

    Facebook is an enlightened dictatorship, but so is Apple. Tim Cook and his lieutenants dictate the terms of an enormous economy, and can change that economy on a whim. Today Apple may have acted out of consistency with its privacy principles, to the benefit of some consumers.

    iPhone has matured as a development platform. Apple is currently the subject of a lawsuit, now before the Supreme Court, alleging that its App Store monopoly results in customers being overcharged. I suspect there is more of this kind of scrutiny ahead.

    Reply
  42. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    UK’s Metro Bank confirms it has faced an SS7 attack intercepting 2FA codes; a telecom lobbying group previously told Congress such an attack is “theoretical”

    Criminals Are Tapping into the Phone Network Backbone to Empty Bank Accounts
    https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

    Motherboard has identified a specific UK bank that has fallen victim to so-called SS7 attacks, and sources say the issue is wider than previously reported.

    Reply
  43. Tomi Engdahl says:

    What Happens When A Regular Person Finds A Huge Security Flaw?
    https://hackaday.com/2019/01/29/what-happens-when-a-regular-person-finds-a-huge-security-flaw/

    The biggest news in the infosec world, besides the fact that balaclavas are becoming increasingly popular due to record-low temperatures across the United States, is that leet haxors can listen to you from your iPhone using FaceTime without you even answering the call. There are obvious security implications of this bug: phones should only turn on the microphone after you pick up a call. This effectively turns any iPhone running iOS 12.1 or later into a party line. In response Apple has taken group FaceTime offline in preparation for a software update later this week.

    This is a story about how this security flaw was found, and what a normal person can do if they ever find something like this.

    That’s it. That’s the responsible disclosure. We’ve heard stories about random people on the Internet finding security flaws that make the heads of people running trillion-dollar companies burst into flames, but here’s the evidence, rendered in tweet form. Additionally, [MGT7] also emailed Apple, Fox News (not an affiliate), CNBC, CNN, and 9to5Mac about this security flaw. There was no response until 9to5Mac ran the story eight days later.

    If a random person on the Internet finds a security vulnerability, what should they do? This is in the hacker and infosec realm, so the most common advice is to request a CVE, contact the parties involved (in this case, Apple, and the best email to reach them is the twenty-first link on this page), and negotiate a time after which the vulnerability will be disclosed. This is called responsible disclosure. You might want to check into bug bounties, because there might be a cash award. Alternatively, you could reach out to security researchers investigating the same platforms, and see if they could use their pull on Twitter to focus attention on the problem.

    A random person on the Internet isn’t an infosec expert. The random person on the Internet simply wants things fixed, and in this case [MGT7] did exactly the right thing: they emailed Apple Support, including registering as a developer and going through the right channels. This reporting process should be easier, more obvious, and the response should be swift.

    The best example of what you should do if you ever find a security flaw: find an email address on the company’s page for the security team. Email them, and sit back and wait. That’s all you need to know. It’s also the complete opposite of what security researchers suggest, and this is a failing of the entire community.

    Major iPhone FaceTime bug lets you hear the audio of the person you are calling … before they pick up
    https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/

    Reply
  44. Tomi Engdahl says:

    Dell Teams With CrowdStrike, Secureworks for New Endpoint Security Offering
    https://www.securityweek.com/dell-teams-crowdstrike-secureworks-new-endpoint-security-offering

    Dell on Thursday announced that it has teamed up with its subsidiary Secureworks and CrowdStrike for a new endpoint security offering that includes threat prevention, detection and response services.

    The new Dell SafeGuard and Response offering combines unified endpoint protection, managed security, incident response expertise, and threat behavioral analytics.

    Reply
  45. Tomi Engdahl says:

    Minnesota Department of Human Services Reports Data Breach
    https://www.securityweek.com/minnesota-department-human-services-reports-data-breach

    The Minnesota Department of Human Services says a data breach potentially exposed personal information on up to 3,000 people.

    Reply
