
charlesarthur : hacking   416

New research: lessons from Password Checkup in action • Google Online Security Blog
<p>Back in February, we announced the <a href="https://chrome.google.com/webstore/detail/password-checkup/pncabnpcffmalkkjpajodfhijclecjno">Password Checkup extension</a> for Chrome to help keep all your online accounts safe from hijacking. The extension displays a warning whenever you sign in to a site using one of over 4 billion usernames and passwords that Google knows to be unsafe due to a third-party data breach. Since our launch, over 650,000 people have participated in our early experiment. In the first month alone, we scanned 21 million usernames and passwords and flagged over 316,000 as unsafe - 1.5% of sign-ins scanned by the extension.

Today, we are sharing our most recent lessons from the launch and announcing an updated set of features for the Password Checkup extension. Our full research study, <a href="https://ai.google/research/pubs/pub48399">available here</a>, will be presented this week as part of the USENIX Security Symposium.

Which accounts are most at risk?

Hijackers routinely attempt to sign in to sites across the web with every credential exposed by a third-party breach. If you use strong, unique passwords for all your accounts, this risk disappears. Based on anonymous telemetry reported by the Password Checkup extension, we found that users reused breached, unsafe credentials for some of their most sensitive financial, government, and email accounts. This risk was even more prevalent on shopping sites (where users may save credit card details), news, and entertainment sites.

In fact, outside the most popular web sites, users are 2.5x more likely to reuse vulnerable passwords, putting their account at risk of hijacking.</p>


Users are the problem, I guess. 4 billion username/password combinations are unsafe? That's really a lot.
password  security  hacking 
yesterday by charlesarthur
He tried to prank the DMV. Then his vanity license plate backfired big time • Mashable
Jack Morse:
<p>Everyone hates parking tickets. Not everyone, however, is an information security researcher with a mischievous side and a freshly minted vanity license plate reading "NULL."

That would be Droogie (his handle, if that's not obvious), a presenter at this year's DEF CON hacking conference in Las Vegas and a man with a very specific problem: He's on the receiving end of thousands of dollars worth of tickets that aren't his. But don't tell that to the DMV.

It wasn't, of course, supposed to end up this way. In fact, exactly the opposite. Droogie registered a vanity California license plate consisting solely of the word "NULL" — which in programming is a term for no specific value — for fun. And, he admitted to laughs, on the off chance it would confuse automatic license plate readers and the DMV's ticketing system.

"I was like, 'I'm the shit,'" he joked to the crowd. "'I'm gonna be invisible.' Instead, I got all the tickets."

Things didn't go south immediately. As Droogie explained, he's a cautious driver and didn't get any tickets for the first year he owned the vanity plate. Then he went to reregister his tags online, and, when prompted to input his license plate, broke the DMV webpage. 

It seemed the DMV site didn't recognize the plate "NULL" as an actual input. </p>


It's a real-world version of <a href="https://www.xkcd.com/327/">little Bobby Drop Tables</a>.
database  car  hacking  sql 
2 days ago by charlesarthur
Major breach found in biometrics system used by banks, UK police and defence firms • The Guardian
Josh Taylor:
<p>The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks.

Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings.

Last month, Suprema announced its Biostar 2 platform was integrated into another access control system – AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police.

The Israeli security researchers Noam Rotem and Ran Locar, working with vpnmentor, a service that reviews virtual private network services, have been running a side project to scan ports looking for familiar IP blocks, and then use these blocks to find holes in companies' systems that could potentially lead to data breaches.

In a search last week, the researchers found Biostar 2’s database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.</p>


Not clear how you could use the fingerprints, though.
security  biometrics  hacking 
2 days ago by charlesarthur
Even DSLR cameras are vulnerable to ransomware • Engadget
Steve Dent:
<p>Researchers have discovered that some DSLRs and mirrorless cameras are actually vulnerable to ransomware attacks, of all things. Once in range of your camera's WiFi, a bad actor could easily install malware that would encrypt your valuable photos unless you paid for a key.

<a href="https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/">Check Point Software noticed</a> that the Picture Transfer Protocol (PTP) - which is unauthenticated in both wired and wireless modes - is particularly vulnerable to malware attacks. Ironically, they were able to uncover flaws in the Canon EOS 80D by using firmware originally cracked by Magic Lantern, which supplies its own open source app with extra features to Canon EOS owners.

In a video, the researchers showed how they first set up a rogue WiFi access point. Once the attackers were in range of the camera, they ran an exploit to access the camera's SD card and encrypt any photos. The surprised owner would then see a message that his pictures are no longer available unless he's willing to pay a ransom.</p>
camera  ransomware  hacking 
5 days ago by charlesarthur
Inside the hidden world of elevator phone phreaking • WIRED
Andy Greenberg:
<p>"I can dial into an elevator phone, listen in on private conversations, reprogram the phone so that if someone hits it in an emergency it calls a number of my choosing," [security researcher Will] Caruana told me in our first conversation. Elevator phones typically emit audible beeps in the elevator when they connect. But if someone has dialed into the phone of the elevator you're riding before you enter it, Caruana warned me, the only indication might be a red light on the phone's panel. "It’s hard to notice if you're not looking for it," Caruana says.

Over the last year, Caruana has assembled what he believes is the largest public list of elevator phone numbers, which he plans to make available to a limited audience—although he declined to say where exactly he's publishing it. He says he's releasing the list of 80-plus numbers not just because he wants to foster more elevator phone phreaking as an opportunity for whimsy and chance encounters, but also to draw attention to the possibility that elevator phones could be abused for serious privacy invasion and even sabotage. Call up most elevator phones and press 2, and you'll be asked to enter a password to reprogram them. In far too many cases, Caruana says, phone installers and building managers don't change those passwords from easily guessable default codes, allowing anyone to tamper with their settings.</p>


Though who'd expect someone to create a list of all the phone numbers for lifts in the world?
security  hacking  lifts 
5 days ago by charlesarthur
How a Norwegian Viking comedy producer hacked Netflix’s algorithm • Hollywood Reporter
Scott Roxborough:
<p>Netflix had given ["Norsemen" showrunner Anders] Tangen an Aug. 18, 2017, date for the premiere of Norsemen in its English-language territories (the show shot back-to-back versions in Norwegian and English). Three weeks before launch, he set up a campaign on Facebook, paying for targeted posts and Facebook promotions. The posts were fairly simple — most included one of six short (20- to 25-second) clips of the show and a link, either to the show's webpage or to media coverage.

They used so-called A/B testing — showing two versions of a campaign to different audiences and selecting the most successful — to fine-tune. The U.S. campaign didn't cost much — $18,500, which Tangen and his production partners put up themselves — and it was extremely precise. Tangen focused the initial campaign in and around major US cities (L.A., New York, Miami, Chicago) with additional pushes in Minnesota, Wisconsin and South Dakota, three states with large ethnic Norwegian populations. He broke potential Norsemen fans down into seven separate target groups, with each getting its own tailored Facebook campaign.

In just 28 days, the Norsemen campaign reached 5.5 million Facebook users, generating 2 million video views and some 6,000 followers for the show. Netflix noticed. "Three weeks after we launched, Netflix called me: 'You need to come to L.A., your show is exploding,'" Tangen recalls.

Netflix's algorithm had started to kick in.</p>

Neat. And now everyone is going to do this (if they aren't already - the show aired two years ago, it seems).
netflix  hacking  recommendation  algorithm 
8 days ago by charlesarthur
Black Hat: GDPR privacy law exploited to reveal personal data • BBC News
Dave Lee:
<p>About one in four companies revealed personal information to a woman's partner, who had made a bogus demand for the data by citing an EU privacy law.
The security expert contacted dozens of UK and US-based firms to test how they would handle a "right of access" request made in someone else's name.

In each case, he asked for all the data that they held on his fiancée…

He declined to identify the organisations that had mishandled the requests, but said they had included:<br />• a UK hotel chain that shared a complete record of his partner's overnight stays<br />• two UK rail companies that provided records of all the journeys she had taken with them over several years<br />• a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey

[University of Oxford-based researcher James] Pavur has, however, named some of the companies that he said had performed well. He said they included:<br />• the supermarket Tesco, which had demanded a photo ID<br />• the domestic retail chain Bed Bath and Beyond, which had insisted on a telephone interview<br />• American Airlines, which had spotted that he had uploaded a blank image to the passport field of its online form.</p>


Social engineering: still one of the best kinds of hacking.
dataprotection  privacy  gdpr  hacking 
9 days ago by charlesarthur
Critical US election systems have been left exposed online despite official denials • VICE
Kim Zetter:
<p>For years, US election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can’t be hacked.

But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties—all states that are perennial battlegrounds in presidential elections.

Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Florida’s Miami-Dade County, were still connected to the internet this week, the researchers told Motherboard…

…The systems the researchers found are made by Election Systems & Software, the top voting machine company in the country. They are used to receive encrypted vote totals transmitted via modem from ES&S voting machines on election night, in order to get rapid results that media use to call races, even though the results aren’t final.</p>
security  hacking  elections  voting 
9 days ago by charlesarthur
North Korea took $2bn in cyberattacks to fund weapons program: UN report • Reuters
Michelle Nichols:
<p>North Korea has generated an estimated $2bn for its weapons of mass destruction programs using “widespread and increasingly sophisticated” cyberattacks to steal from banks and cryptocurrency exchanges, according to a confidential UN report seen by Reuters on Monday.

Pyongyang also “continued to enhance its nuclear and missile programmes although it did not conduct a nuclear test or ICBM (Intercontinental Ballistic Missile) launch,” said the report to the UN Security Council North Korea sanctions committee by independent experts monitoring compliance over the past six months.

The North Korean mission to the United Nations did not respond to a request for comment on the report, which was submitted to the Security Council committee last week.

The experts said North Korea “used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income.” They also used cyberspace to launder the stolen money, the report said.</p>


Including cryptocurrency exchanges, of course. To get how significant that is: North Korea's nominal GDP in 2018 was $32bn. So that's a really significant amount of money, a 6% boost to the economy if it was done in a single year. And it's all foreign currency - even more useful.
northkorea  hacking 
10 days ago by charlesarthur
Microsoft catches Russian state hackers using IoT devices to breach networks • Ars Technica
Dan Goodin:
<p>Microsoft researchers <a href="https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/">discovered the attacks</a> in April, when a voice-over-IP phone, an office printer, and a video decoder in multiple customer locations were communicating with servers belonging to “Strontium,” a Russian government hacking group better known as Fancy Bear or APT28. In two cases, the passwords for the devices were the easily guessable default ones they shipped with. In the third instance, the device was running an old firmware version with a known vulnerability. While Microsoft officials concluded that Strontium was behind the attacks, they said they weren’t able to determine what the group’s ultimate objectives were.

Last year, the FBI concluded the hacking group was behind the infection of more than 500,000 consumer-grade routers in 54 countries. Dubbed VPNFilter, the malware was a Swiss Army hacking knife of sorts. Advanced capabilities included the ability to monitor, log, or modify traffic passing between network end points and websites or industrial control systems using Modbus serial communications protocol. The FBI, with assistance from Cisco's Talos security group, ultimately neutralized VPNFilter.

Fancy Bear was one of two Russian-sponsored groups that hacked the Democratic National Committee ahead of the 2016 presidential election. Strontium has also been linked to intrusions into the World Anti-Doping Agency in 2016, the German Bundestag, and France’s TV5Monde TV station, among many others. Last month, Microsoft said it had notified almost 10,000 customers in the past year that they were being targeted by nation-sponsored hackers. Strontium was one of the hacker groups Microsoft named.</p>
hacking  fancybear  iot 
10 days ago by charlesarthur
AT+T insiders bribed with over $1m to unlock two million phones and hack their employer, DOJ claims • Forbes
Thomas Brewster:
<p>A 34-year-old from Pakistan has been extradited from Hong Kong to the US, over allegations he bribed AT+T employees over five years to unlock more than 2 million phones. He was also accused of hacking into AT+T computers. It cost AT+T millions, whilst the insiders were paid more than $1m in bribes, according to <a href="https://www.justice.gov/usao-wdwa/press-release/file/1191031/download">an indictment unsealed Monday</a>.

Muhammad Fahd and his co-conspirator Ghulam Jiwani were accused of paying as much as $420,000 to individual AT&T staff at a call center in Boswell, Washington, asking them to unlock phones tied to the AT+T network. At the same time, US prosecutors claimed Fahd was helping people who were paying to unlock and escape AT+T; in some contracts where cellphone cost has been reduced, AT+T requires customers remain on its network. Fahd would simply get a phone's IMEI number from a willing buyer and then ask the AT+T insiders to unlock their device.

But Muhammad's alleged fraud went further, the Department of Justice said, as he asked employees to install malware on AT+T computers so that he could study how the telecoms giant's internal processes worked. He then created malware that used AT+T employees' passwords to get access to different computers so that he could do the unlocking himself, according to the indictment.</p>


More fun: the co-conspirator is said to be deceased. The scam started in 2012, AT+T discovered it in October 2013 and thought it had shut it down, and then it restarted in November 2014 and ran for another three years. So about 50 cents in bribes per unlocked phone; you've got to imagine they charged a lot more.

Given the way AT+T locks people into absurd phone contracts, though, it's hardly surprising that the demand exists.
att  hacking  phones 
11 days ago by charlesarthur
Google reveals fistful of flaws in Apple's iMessage app • BBC News
Leo Kelion:
<p>A team of bug-hunters at Google have shared details of five flaws in Apple's iMessage software that could make its devices vulnerable to attack.

In one case, the researchers said the vulnerability was so severe that the only way to rescue a targeted iPhone would be <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1826&can=1&q=label%3AiMessage&colspec=ID%20Status%20Restrict%20Reported%20Vendor%20Product%20Finder%20Summary">to delete all the data off it</a>.

Another example, they said, could be used to copy files off a device <a href="https://bugs.chromium.org/p/project-zero/issues/detail?id=1858">without requiring the owner to do anything to aid the hack</a>.

Apple released fixes last week. But the researchers said they had also flagged a sixth problem to Apple, which had not been rectified in the update to its mobile operating system. [And which they're withholding from public disclosure until its deadline - so far unknown.]

"That's quite unusual," commented Prof Alan Woodward, a cyber-security expert at the University of Surrey. "The reputation of the Google Zero team is such that it is worth taking notice of."</p>


The bugs would have been worth millions on the black market - and still might be against phones that haven't been updated. Over the years, iMessage has been a world of pain as well as one of Apple's strongest selling points.
apple  imessage  hacking 
18 days ago by charlesarthur
Thoughts on the Capital One US and Canada breach • OpenSecurity.global
Kevin Beaumont:
<p>A bunch of things stand out:

• Why did the WAF account apparently have access to the S3 storage buckets?<br />• Why wasn't the data of hundreds of millions of people's credit checks encrypted?  Should that kind of data have been left for so long in cloud buckets?<br />• Why didn't they notice all these S3 buckets being sync'd to a random VPN IP address?  It happened 4 months ago.<br />• Why didn't they notice the Gitlab pages listing their config?<br />• Why didn't they notice until somebody random emailed them to tell them?

I don't know if more details will go public (they probably don't want it to get to trial for obvious reasons).

I guess the lessons learned, from the outside looking in, are:

- Monitoring.  Ingest your cloud logs.  Alert against them.  Monitor sites like Github and Gitlab for obviously sensitive information, e.g. usernames, bucket names etc.

And yes, this is the kind of incident that would (and still will) catch many orgs with their pants down; Capital One aren't alone.</p>


It's quite a mess, and Capital One really has harder questions to answer than "is it Amazon's fault?"
capitalone  hacking 
18 days ago by charlesarthur
You may be entitled to $125 or more in the Equifax breach settlement • TidBITS
Josh Centers:
<p>Equifax has now agreed to a $425m settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and all 50 US states. (That’s just the amount directed to consumers—Equifax will separately pay another $175m to the states and $100m to the Consumer Financial Protection Bureau.) If you were affected by this breach—and chances are that you were—you’re entitled to either up to 10 years of credit monitoring or a $125 cash payment.

Most coverage has focused on the $125 amount, but as the FTC page clearly says and Jessamyn West emphasized on Twitter, you can claim up to 10 hours of compensation for dealing with the breach, at $25 per hour, without submitting any additional documentation, for a total payment of $375. You just have to describe what you did and the approximate dates you took those actions. If you have supporting documentation for things you had to do to deal with identity theft, fraud, or other misuse of your information, you can claim up to 20 hours, for a total of $625. And if you have unreimbursed losses or expenses due to the breach—such as fees paid to an attorney or accountant—you can apply to get up to $20,000 back.

If you choose a cash payment instead of credit monitoring, you’ll be asked to affirm that you already have credit monitoring. <a href="https://www.creditkarma.com/credit-monitoring/">Credit Karma already offers this service for free</a>, so you should take the cash.</p>


Please, American readers, do this. Do this. Make them hurt as much as is possible.
equifax  hacking 
18 days ago by charlesarthur
Equifax to pay up to $700m in data breach settlement • NPR
Avie Schneider and Chris Arnold:
<p>Equifax will pay up to $700m in fines and monetary relief to consumers over a 2017 data breach at the credit reporting bureau that affected nearly 150m people.

The proposed settlement, which is subject to approval by a federal court, was announced Monday by the company, the Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, the District of Columbia and Puerto Rico.

The consumer data exposed in the breach included Social Security numbers, birthdates and addresses and, in some cases, driver's license numbers.

CFPB Director Kathleen Kraninger said the settlement includes $425m to cover the "time and money [people affected by the breach] spent to protect themselves from potential threats of identity theft or addressing incidents of identity theft as a result of the breach."

Equifax also agreed to pay $175m to the states and $100m to the CFPB in civil penalties.

And, starting in January, Equifax "will provide all US consumers with six free credit reports each year for seven years," the FTC said. That's in addition to the free annual credit reports that Equifax, and the two other nationwide credit reporting agencies — Experian and TransUnion — currently provide.</p>

But the problem is that the “free” will turn into “paid for”, and so Equifax wins for being crap.
Equifax  hacking 
26 days ago by charlesarthur
404 • FT.com
<p>Why wasn't this page found?

We asked some leading economists.

Stagflation: The cost of pages rose drastically, while the page production rate slowed down.

General economics: There was no market for it.

Liquidity traps: We injected some extra money into the technology team but there was little or no interest so they simply kept it, thus failing to stimulate the page economy.

Pareto inefficiency: There exists another page that will make everyone better off without making anyone worse off.

Supply and demand: Demand increased and a shortage occurred.

Classical economics: There is no such page. We are not going to interfere.

Keynesian economics: Aggregate demand for this page did not necessarily equal the productive capacity of the website.

Malthusianism: Unchecked, exponential page growth outstripped the pixel supply. There was a catastrophe, and now the population is at a lower, more sustainable level.</p>


And there are many more. The FT's 404 page now rules the internet.
hacking  404  ft 
27 days ago by charlesarthur
Malicious apps infect 25 million Android devices with 'Agent Smith' malware • Phys.org
Cat Ferguson:
<p>The apps, most of them games, were distributed through third-party app stores by a Chinese group with a legitimate business helping Chinese developers promote their apps on outside platforms. Check Point is not identifying the company, because they are working with local law enforcement. About 300,000 devices were infected in the US.

The malware was able to copy popular apps on the phone, including WhatsApp and the web browser Opera, inject its own malicious code and replace the original app with the weaponized version, using a vulnerability in the way Google apps are updated. The hijacked apps would still work just fine, which hid the malware from users.

Armed with all the permissions users had granted to the real apps, "Agent Smith" was able to hijack other apps on the phone to display unwanted ads to users. That might not seem like a significant problem, but the same security flaws could be used to hijack banking, shopping and other sensitive apps, according to Aviran Hazum, head of Check Point's analysis and response team for mobile devices.

"Hypothetically, nothing is stopping them from targeting bank apps, changing the functionality to send your bank credentials" to a third party, Hazum said. "The user wouldn't be able to see any difference, but the attacker could connect to your bank account remotely."</p>
security  android  hacking  counterfeit 
4 weeks ago by charlesarthur
Apple has pushed a silent Mac update to remove hidden Zoom web server • TechCrunch
Zack Whittaker:
<p>Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.

Apple said the update does not require any user interaction and is deployed automatically.

The video conferencing giant took flack from users following a public vulnerability disclosure on Monday by Jonathan Leitschuh, in which he described how “any website [could] forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” The undocumented web server remained installed even if a user uninstalled Zoom. Leitschuh said this allowed Zoom to reinstall the app without requiring any user interaction…

…The update will now prompt users if they want to open the app, whereas before it would open automatically.</p>
apple  mac  zoom  hacking  vulnerability 
5 weeks ago by charlesarthur
Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping • TechCrunch
Matthew Panzarino:
<p>Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.

Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.

The Walkie Talkie app on Apple Watch allows two users who have accepted an invite from each other to receive audio chats via a “push to talk” interface reminiscent of the PTT buttons on older cell phones.</p>


People use the Walkie Talkie app? Amazing.
apple  watch  security  vulnerability  hacking 
5 weeks ago by charlesarthur
Marriott to face £99m GDPR fine from ICO over November 2018 data breach • Computing
Graeme Burton:
<p>The breach revealed in November 2018 involved the leak of 500 million customer records from the guest reservation database of Marriott's Starwood Hotels and Resorts division. The attackers - who are unknown but believed to have links with China's Ministry of State Security - appear to have had access to the system since 2014.

The organisation only became aware of the compromise in September 2018 following an alert from an internal security tool over an attempt to gain access to the reservation system. The company claims that it "quickly engaged" a group of security experts to investigate the apparent attack and "learned during the investigation that there had been unauthorised access to the Starwood network since 2014".

Logs of encrypted communications were uncovered and, when decrypted on 19 November 2018, they were found to contain the contents of the Starwood guest reservation database - 500 million records in total. The compromised customer records included mailing addresses, phone numbers, email addresses, and passport numbers. Payment card details were also found, but these, the organisation claimed, had been encrypted with AES-128 encryption.</p>


Hotels are terrible hoarders of data, and they're so remiss with it, and they have security that doesn't expect they'll face aggressive hackers. Perhaps they will now: that size of fine is sure to concentrate minds, and it wouldn't cost £99m to install good security.

GDPR's a year old, and now its teeth are showing.
gdpr  marriott  starwood  hotel  hacking 
5 weeks ago by charlesarthur
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! • Medium
Jonathan Leitschuh:
<p>This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.</p>


Zoom puts a server with an open port on your machine, and doesn't wipe it if the app is deleted, all so you won't have to click "OK" to access your camera. It can re-download the app if you delete it; a host can force your video camera on when you join a meeting. It's an unbelievable hot mess of security vulnerabilities, to which it responded with a <a href="https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/">mea not so much culpa</a> ("There is only one scenario where a Zoom user's video is automatically enabled upon joining a meeting. Two conditions must be met: 1) The meeting creator (host) has set their participants' video to be on AND 2) The user has not checked the box to turn their video off" 🙄). Zoom really doesn't understand it. But it's a publicly traded company whose mission is "make video communications frictionless"; notice that "frictionless" doesn't have to mean "secure", nor does it contain any concern about collateral damage in getting rid of friction.
security  vulnerability  hacking  zoom 
5 weeks ago by charlesarthur
BA hit by biggest GDPR fine to date • Financial Times
Chris Nuttall:
<p>The UK Information Commissioner's Office says it intends to fine BA £183m (€204m, $229m) — 1.5% of BA’s worldwide turnover in 2017 — after it admitted that more than half a million customers' data had been stolen by hackers last August from its website and mobile app.

Under pre-GDPR powers, the maximum penalty was £500,000 but this has now risen to up to 4% of turnover. In the first nine months of GDPR, national data protection agencies in 11 countries had levied a total of €56m in fines, made up mostly of a €50m fine that France’s CNIL imposed on Google in January.

The ICO said poor security arrangements at BA had given hackers access to personal data, including customer logins, payment card details, travel bookings and name and address information. BA will be able to make representations to the ICO over the finding and fine.</p>


This, you'll recall, was <a href="https://www.bbc.co.uk/news/technology-45481976">the remarkably clever Magecart scam</a>, which replaced an innocent script from the BA baggage handling site to steal people's credit card and other details when they paid for flights. Then BA found a <a href="https://www.bbc.com/news/technology-45953237">second hacking script on the site</a>, announced in October.
magecart  ba  britishairways  hacking 
5 weeks ago by charlesarthur
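The script-replacement trick in the BA story is exactly what Subresource Integrity (SRI) is meant to catch: the page pins a hash of each script it loads, and the browser refuses to execute a file whose hash no longer matches. This is an added example, not code from the article or from BA; the two scripts are constructed samples, and the verifier is deliberately stricter than a browser (an unparseable attribute fails rather than being skipped).

```python
import base64
import hashlib
import hmac
import html

# Constructed sample: the script the page meant to load (not BA's real file).
ORIGINAL_SCRIPT = b"function track(e){console.log('baggage status', e);}\n"

# Constructed sample: the same file after a Magecart-style replacement.
# Any change at all, even a single byte, must make the integrity check fail.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// injected\n"

# Algorithms SRI permits, ordered by strength (the browser only trusts the strongest listed).
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI token for `content`, e.g. 'sha384-<base64 digest>'."""
    if algo not in _STRENGTH:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag a site would ship so the browser pins this exact file.

    crossorigin="anonymous" is required for SRI on cross-origin scripts.
    """
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_hash(content)}" crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser's SRI decision for a fetched `content` body.

    The attribute may list several tokens; only tokens using the strongest
    algorithm present are considered, and one of them must match.
    """
    parsed = []
    for token in integrity.split():
        algo, sep, rest = token.partition("-")
        if not sep or algo not in _STRENGTH:
            continue  # unknown algorithms are ignored, as the SRI spec says
        parsed.append((algo, rest.split("?", 1)[0]))  # drop any "?option" suffix
    if not parsed:
        return False  # assumption for this checker: nothing usable means fail, not skip
    strongest = max(_STRENGTH[a] for a, _ in parsed)
    for algo, expected in parsed:
        if _STRENGTH[algo] != strongest:
            continue
        actual = sri_hash(content, algo).split("-", 1)[1]
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag("https://cdn.example.invalid/baggage.js", ORIGINAL_SCRIPT))
    print("original passes:", verify_sri(ORIGINAL_SCRIPT, pinned))
    print("tampered passes:", verify_sri(TAMPERED_SCRIPT, pinned))
```

SRI only protects a script whose hash the page author controls; it does nothing for a script the attacker can edit on the same origin that serves the page.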
A city paid a hefty ransom to hackers, but its pains are far from over • The New York Times
Frances Robles:
<p>More than 100 years’ worth of municipal records, from ordinances to meeting minutes to resolutions and City Council agendas, have been locked in cyberspace for nearly a month, hijacked by unidentified hackers who encrypted [Florida's Lake City] city’s computer systems and demanded more than $460,000 in ransom.

Weeks after the city’s insurer paid the ransom, the phones are back on and email is once again working, but the city has still not recovered all of its files. There is a possibility that thousands of pages of documents that had been painstakingly digitized by Ms. Sikes and her team will have to be manually scanned, again.

Lake City’s troubles are hardly unique. In the past month alone, at least three Florida cities have been victims of ransomware attacks, after intrusions on larger cities such as Atlanta, Dallas and Baltimore.

What sets the latest cyberattacks apart is the stunning size of their ransom demands. Riviera Beach, Fla., last month agreed to pay more than $600,000, several times what was asked of Baltimore, which did not have insurance and did not pay. The Village of Key Biscayne, near Miami, has not publicly disclosed whether it plans to pay the perpetrators of a recent ransomware attack. Earlier this year Jackson County, Ga., paid $400,000.

Atlanta’s mayor testified last week to Congress that an attack last year, when the city refused to pay $51,000 in extortion demands, has so far cost the city $7.2m.</p>


After some years of random phishing, the criminals have figured out that cities have both the resources and the urgent need to pay a sizeable ransom.
ransomware  criminals  hacking 
5 weeks ago by charlesarthur
D-Link agrees to new security monitoring to settle FTC charges • Ars Technica
:
<p>Tuesday’s agreement settles a 2017 complaint by the US Federal Trade Commission that alleged D-Link left thousands of customers open to potentially costly hack attacks. The hardware maker, the FTC said, failed to test its gear against security flaws ranked among the most critical and widespread by the Open Web Application Security Project. The 2017 suit also said that, despite the lack of testing and hardening of its products, D-Link misrepresented its security regimen as reasonable.
Specific shortcomings cited by the FTC included:

• hard-coded login credentials on its D-Link camera software that used easily guessed passwords
• storing mobile app login credentials in human-readable text on a user’s mobile device
• expressly or implicitly describing its hardware as being secure from unauthorized access
• repeatedly failing to take reasonable testing and remediation measures to protect hardware from well-known and easily preventable software security flaws

“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a <a href="https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation">release</a>.</p>


There are almost surely more egregious IoT flaws out there, but they simply haven't come to the FTC's notice. (Though my current router has had a firmware upgrade available for roughly two years, and I haven't wanted to install it because, well, it works fine at the moment.)
dlink  iot  software  hacking 
6 weeks ago by charlesarthur
Global telecom carriers attacked by suspected Chinese hackers • WSJ
Timothy W. Martin and Eva Dou:
<p>Hackers believed to be backed by China’s government have infiltrated the cellular networks of at least 10 global carriers, swiping users’ whereabouts, text-messaging records and call logs, according to a new report, amid growing scrutiny of Beijing’s cyberoffensives.

The multiyear campaign, which is continuing, targeted 20 military officials, dissidents, spies and law enforcement—all believed to be tied to China—and spanned Asia, Europe, Africa and the Middle East, says Cybereason Inc., a Boston-based cybersecurity firm that first identified the attacks. The tracked activity in the report occurred in 2018.

The cyberoffensive casts a spotlight on a Chinese group called APT 10; two of its alleged members were indicted by the US Department of Justice in December for broad-ranging hacks against Western businesses and government agencies. Cybereason said the digital fingerprints left in the telecom hacks pointed to APT 10 or a threat actor sharing its methods.</p>


Scary, right? However:
<p>The Wall Street Journal was unable to independently confirm the report. Cybereason, which is run by former Israeli counterintelligence members, declined to name the individuals or the telecom firms targeted, citing privacy concerns.</p>


Nobody has been able to independently verify this claim. There are lots of security companies making these claims. It's increasingly difficult to figure out who's telling the truth, who's exaggerating but truthful, and who's spinning some big ones. Don't forget that people once believed what Theranos told them too.
cyberattack  china  hacking 
7 weeks ago by charlesarthur
2017: The CIA spied on people through their smart TVs, leaked documents reveal • VICE
Lorenzo Franceschi-Bicchierai, in March 2017:
<p>The CIA and MI5 called the project to spy on Samsung Smart TVs "Weeping Angel," perhaps a reference to Doctor Who, where weeping angels are "the deadliest, most powerful, most malevolent life-form ever produced." The malware was designed to keep the smart TVs on even when they were turned off. This was dubbed "Fake-Off mode," <a href="https://wikileaks.org/ciav7p1/cms/index.html">according to the documents</a>. The CIA hackers even developed a way to "suppress" the TV's LED indicators to improve the "Fake-Off" mode.

"Weeping Angel already hooks key presses from the remote (or TV goes to sleep) to cause the system to enter Fake-Off rather than Off," one of the leaked documents reads. "Since the implant is already hooking these events, the implant knows when the TV will be entering Fake-Off mode."

After this article was published, Samsung reacted with a statement. 

"Protecting consumers' privacy and the security of our devices is a top priority at Samsung," read the statement sent via email. "We are aware of the report in question and are urgently looking into the matter."</p>


This precedes, of course, Samsung's bizarre tweet (since deleted) earlier this week about scanning your TV for malware. Maybe just unplug it?
surveillance  hacking  smarttv 
8 weeks ago by charlesarthur
Russian hacks on US voting system wider than previously known • Bloomberg
Michael Riley and Jordan Robertson:
<p>Russia’s cyberattack on the US electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported.

In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. Details of the wave of attacks, in the summer and fall of 2016, were provided by three people with direct knowledge of the US investigation into the matter. In all, the Russian hackers hit systems in a total of 39 states, one of them said.

The scope and sophistication so concerned Obama administration officials that they took an unprecedented step - complaining directly to Moscow over a modern-day “red phone.” In October [2016], two of the people said, the White House contacted the Kremlin on the back channel to offer detailed documents of what it said was Russia’s role in election meddling and to warn that the attacks risked setting off a broader conflict.

The new details, buttressed by a classified National Security Agency document recently disclosed by the Intercept, show the scope of alleged hacking that federal investigators are scrutinizing as they look into whether Trump campaign officials may have colluded in the efforts.</p>
russia  election  hacking 
8 weeks ago by charlesarthur
Akamai: hackers have carried out 12 billion attacks against gaming sites in 17 months • VentureBeat
Dean Takahashi:
<p>Hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites in the 17 months ended March 2019, according to a <a href="https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-security-web-attacks-and-gaming-abuse-report-2019.pdf">new report</a> by internet delivery and cloud services company Akamai.

This puts the gaming community among the fastest rising targets for credential stuffing attacks — where hackers use stolen credentials to take over an account — and one of the most lucrative targets for criminals looking to make a quick profit. During the same time period, Akamai saw a total of 55 billion credential stuffing attacks across all industries…

…“One reason that we believe the gaming industry is an attractive target for hackers is because criminals can easily exchange in-game items for profit,” said Martin McKeay, security researcher at Akamai and editorial director of the report, in a statement. “Furthermore, gamers are a niche demographic known for spending money, so their financial status is also a tempting target.”</p>


"Why rob banks? Because it's where the money is." (And also because gaming sites aren't that hot at making people use two-factor authentication.)
hacking  sqli  games 
8 weeks ago by charlesarthur
US escalates online attacks on Russia’s power grid • The New York Times
David Sanger and Nicole Perlroth:
<p>In interviews over the past three months, the officials described the previously unreported deployment of American computer code inside Russia’s grid and other targets as a classified companion to more publicly discussed action directed at Moscow’s disinformation and hacking units around the 2018 midterm elections.

Advocates of the more aggressive strategy said it was long overdue, after years of public warnings from the Department of Homeland Security and the FBI that Russia has inserted malware that could sabotage American power plants, oil and gas pipelines, or water supplies in any future conflict with the United States.

But it also carries significant risk of escalating the daily digital Cold War between Washington and Moscow.</p>


Quite a thing, right? And now look at this little extra, buried wayyyy down the story:
<p>Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.

Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.

Because the new law defines the actions in cyberspace as akin to traditional military activity on the ground, in the air or at sea, no such briefing would be necessary, they added.</p>


Shall we tell the president? Nah, better not.
infrastructure  russia  power  hacking  security 
8 weeks ago by charlesarthur
New security warning issued for Google's 1.5 billion Gmail and Calendar users • Forbes
Davey Winder:
<p>users of the Gmail service are being targeted primarily through the use of malicious and unsolicited Google Calendar notifications. Anyone can schedule a meeting with you, that's how the calendar application is designed to work. Gmail, which receives the notification of the invitation, is equally designed to tightly integrate with the calendaring functionality.

When a calendar invitation is sent to a user, a pop-up notification appears on their smartphone. The threat actors craft their invitations to include a malicious link, leveraging the trust that user familiarity with calendar notifications brings with it.

The researchers have noticed attackers throughout the last month using this technique to effectively spam users with phishing links to credential stealing sites. By populating the location and topic fields to announce a fake online poll or questionnaire with a financial incentive to participate, the threat actors encourage the victim to follow the malicious link where bank account or credit card details can be collected. By exploiting such a "non-traditional attack vector," the criminals can get around the fact that people are increasingly aware of common methods to encourage link-clicking.

"Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks," says Javvad Malik, security awareness advocate at KnowBe4. Malik told me that in order to gain access to a building, for example, you could put in a calendar invite for an interview or similar face to face appointment such as building maintenance which, he warns "could allow physical access to secure areas."</p>


Google was told about this in 2017, and said that "making this change would cause major functionality drawbacks for legitimate API events with regards to Calendar." But don't worry! It scans for malicious links. Huh. Apple had a similar problem - spammy calendar invites being sent, mainly from China - <a href="http://www.nytimes.com/2016/11/25/technology/personaltech/fighting-ios-calendar-spam.html?ref=technology&_r=0">in November 2016</a>. It seems to have solved it.
security  hacking  google 
8 weeks ago by charlesarthur
LaLiga’s app listened in on fans to catch bars illegally streaming soccer • The Verge
Dami Lee:
<p>Spain’s data protection agency has fined the country’s soccer league, LaLiga, €250,000 (about $280,000) for allegedly violating EU data privacy and transparency laws. The app, which is used for keeping track of games and stats, was using the phone’s microphone and GPS to track bars illegally streaming soccer games, Spanish newspaper El País reported.

Using a Shazam-like technology, the app would record audio to identify soccer games, and use the geolocation of the phone to locate which bars were streaming without licenses. El Diario reports that fans have downloaded that app more than 10 million times, essentially turning them into undercover narcs. The league claims that the app asks for permission to access the phone’s microphone and location, and that the data — which is received as a code, not audio — is only used to detect LaLiga streams.</p>


You've got to admit: that is clever. Sneaky, but ever so clever. Of course people will be at bars with their smartphones. Of course.
privacy  hacking  smartphone 
9 weeks ago by charlesarthur
TalkTalk hacker Daniel Kelley sentenced to four years • BBC News
<p>Kelley turned to hacking when he failed to get the GCSE grades to get on to a computer course, the court heard.

He hacked the college "out of spite" before targeting companies in Canada, Australia and the UK - including TalkTalk which has four million customers.

The 22-year-old has Asperger's syndrome and has suffered from depression and extreme weight loss since he pleaded guilty to the 11 hacking-related offences in 2016, the court heard.

Judge Mark Dennis told the Old Bailey that Kelley hacked computers "for his own personal gratification" regardless of the damage caused.

He went on to blackmail company bosses, revealing a "cruel and calculating side to his character", he said, though a blackmail charge was previously dropped by the Crown Prosecution Service.

Prosecutor Peter Ratliff previously described Kelley as a "prolific, skilled and cynical cyber-criminal" who was willing to "bully, intimidate, and then ruin his chosen victims from a perceived position of anonymity and safety - behind the screen of a computer".

Between September 2013 and November 2015, he engaged in a wide range of hacking activities, using stolen information to blackmail individuals and companies.</p>


The strange thing is that Kelley was <a href="https://www.theguardian.com/uk-news/2016/sep/27/teenager-accused-of-talktalk-cyber-attack">arrested in November 2015</a>, pleaded guilty in 2016 to 11 charges, but it's only now that he's sentenced. What's been happening in the meantime?

Thanks Graham Cluley for pointing it out.
hacking  talktalk 
9 weeks ago by charlesarthur
For sale: Have I Been Pwned • Gizmodo
Jennings Brown:
<p>In a <a href="https://www.troyhunt.com/project-svalbard-the-future-of-have-i-been-pwned/">blog post</a>, [security researcher Troy] Hunt explained the reasons for his decisions and hopes for the future of the platform.

“It’s time to go from that one guy doing what he can in his available time to a better-resourced and better-funded structure that’s able to do way more than what I ever could on my own,” Hunt wrote.

The blog states that HIBP now has almost 3 million subscribers for notifications, and the platform can now check about eight billion breached records. According to Hunt the site usually gets around 150,000 unique visits on a typical day, and 10 million unique visits on an “abnormal day.”

Troy wrote that traffic spiked in January when he broke the news of the behemoth “Collection #1” breach that exposed 773 million emails and 21 million passwords. Since then, the site has continued to grow and Hunt has come to the realization he “was getting very close to burn-out.”

Now he’s ready to hand much of the workload off. Hunt said he is laying the groundwork for acquisition and has had some early talks with organizations who may be interested in acquiring HIBP.</p>


One possible buyer is, apparently, Mozilla; wonder if they'll try to monetise it if they do purchase it. HIBP is good if you care about data breaches, but since Hunt started it in December 2013, they've gone from being a bit unusual to being completely quotidian. It's almost a surprise if you have an email address that <em>hasn't</em> been revealed in a breach at some point.
hacking  security  troyhunt 
9 weeks ago by charlesarthur
US Customs and Border Protection says photos of travelers were taken in a data breach • The Washington Post
Drew Harwell and Geoffrey Fowler:
<p>U.S. Customs and Border Protection officials said Monday that photos of travelers had been compromised as part of a “malicious cyber-attack,” raising concerns over how federal officials’ expanding surveillance efforts could imperil Americans’ privacy.

Customs officials said in a statement Monday that the images, which included photos of people’s license plates, had been compromised as part of an attack on a federal subcontractor.

The agency maintains a database including passport and visa photos that is used at airports as part of an agency facial-recognition program. CBP declined to say what images were stolen or how many people were affected.

But CBP makes extensive use of cameras and video recordings at the arrival halls of international airports as well as land border crossings, where vehicle license plates are also captured.

A CBP statement said none of the image data had been identified “on the Dark Web or Internet.” But reporters at The Register, a British technology news site, <a href="https://www.theregister.co.uk/2019/05/23/perceptics_hacked_license_plate_recognition/">reported late last month</a> that a large haul of breached data from the firm Perceptics was being offered as a free download on the dark web.</p>


A malicious cyberattack rather than an accidental cyberattack? These things are always going to be catnip to a certain group - apparently, in this case, professionals seeking to sell the data. (Though you'd expect this to be amateurs offering it so it can be validated as stolen; or state actors doing the same.)

Suddenly makes it hard to argue that this data should be retained, though.
facialrecognition  database  hacking 
9 weeks ago by charlesarthur
The battle in Israel to build an unhackable phone • FT
Mehul Srivastava:
<p>The Intactphone is used by senior UN officials, heads of states and, in one country the company will not name, by a national prosecutor whose predecessor was hacked.

Its cost ranges anywhere from a few thousand dollars to the millions. The most expensive set-up includes privately hosted servers that generate the ephemeral encryption keys that lock each individual communication into a sealed vault, and dozens of phones distributed among government officials.

The company saw a boost after the Israel Innovation Authority took a stake and helped market the technology abroad, especially in the US and in Mexico. Now it is developing a commercial version, that will run on a custom-built phone designed to mimic the look of a normal smartphone. That would allow people to carry a secure phone without drawing attention.

“In the first few years we have had the product battle-tested by some very high-tech customers — intelligence agencies, governments,” said Mr Sasson. “Now we are going wider.”

The battle lines are oddly concentrated in Israel, where NSO and Communitake are part of an industry that includes companies like Cellebrite, recently valued at $600m, which unlocks encrypted smartphones for governments, and Verint Systems, the $3.7bn cyber surveillance company that has hundreds of engineers in Israel working on software used by the FBI and European law enforcement.

They thrive on graduates of the Israeli army’s surveillance units, including Unit 8200, the signals intelligence and decryption division from which Eran Karpen, Communitake’s chief operating officer, hails. And they also benefit from Israel’s reputation for world-beating cyber surveillance, and the mystique of its intelligence agencies, especially in the Middle East.

For smaller companies like Communitake, that is a key asset.</p>

I'm a little wary of this story, because there's no external validation of its claims. Which governments have bought it? Why hasn't everyone bought it? There are plenty of claims, but actual empirical proof is much harder to come by.
Hacking  phone 
9 weeks ago by charlesarthur
China accused of 'rigging' 5G tests to favour Huawei • Daily Telegraph
Anna Isaac, Christopher Williams and Hannah Boland:
<p>More than 100 computer security experts are conducting a security test of 5G equipment, from makers including Huawei and Western rivals Nokia and Ericsson, in which hacking techniques are used to check for weak spots. The ostensibly legitimate exercise is part of planning for 5G and its leap forward in speed and data capacity in the world’s biggest mobile market.

However, British officials and industry sources tracking the tests allege they are being rigged to defend Huawei. It is believed that vulnerabilities discovered by China’s secret state hackers have been passed to the 5G testers to ensure Nokia and Ericsson’s equipment is found to be unsecure.

Officials and Western telecoms executives held crisis meetings about the campaign last week.

Although knowledge of the effort is patchy, it is expected that testing will end around June 10, in time for Beijing to use the results to attempt to influence a crucial EU review of 5G security this summer. Two sources suggested China particularly intends to undermine cautionary advice on Huawei provided by British intelligence. Beijing’s hacking attack comes after a series of steps to turn China into what one corporate source has called a “hostile environment for non-Chinese telecoms firms”.</p>

The discomfort of western intelligence agencies at this is very clear. It would be astonishing if China's leaders didn't long ago decide that telecoms is a critical infrastructure for the future, and that if they happen to be the ones supplying to the rest of the world, all the better.
huawei  hacking  security 
10 weeks ago by charlesarthur
What I learned trying to secure Congressional Campaigns • Idle Words
Maciej Cieglowski spent a lot of last year helping candidates lock down their accounts against hackers:
<p>There are two big areas of sensitive information around a political campaign. Let's call them 'Bucket A' and 'Bucket B'.

Bucket A is the stuff that is campaign-specific and needs to be kept confidential. This includes fundraising numbers and mailing lists, campaign memos on issue positions, research on opponents, strategy documents, media buys, correspondence with the national party, unflattering photos of the candidate and so on. The training materials the Democratic Party provides to campaigns are meant to keep this stuff safe.

Bucket B is what lives in people's personal accounts. This includes every email they've written, their social media history, complete access (via password reset) to all the online services they've signed up for, their chat history, creepy DMs, sexts to minors, plus all the stuff they've forwarded to their personal accounts from the campaign account, the Dropbox folder they keep their passwords in, and so on.

As an attacker, I would be drawn to bucket B. There is nothing interesting in a campaign's financials or strategy. The strategy is always ‘talk about health care’, and the financials have to be disclosed every quarter by law. Everything juicy lives in the personal accounts, and moving laterally between those accounts will eventually give you access to bucket A anyway, because people are terrible at keeping this stuff separate.

Targeting Bucket B means you can also target more people, like the candidate's spouse and family, who the people defending Bucket A consider out of scope.

In our training, we worked off the assumption that the Podesta hacks were a template for what might happen to campaigns, and that securing campaign-adjacent personal accounts was more important than worrying about campaign data.</p>


As ever, he's hilarious, wry, and laser-accurate.
security  hacking  podesta 
11 weeks ago by charlesarthur
In Baltimore and beyond, a stolen NSA tool wreaks havoc • The New York Times
Nicole Perlroth and Scott Shane:
<p>Before it leaked, EternalBlue was one of the most useful exploits in the N.S.A.’s cyberarsenal. According to three former N.S.A. operators who spoke on the condition of anonymity, analysts spent almost a year finding a flaw in Microsoft’s software and writing the code to target it. Initially, they referred to it as EternalBluescreen because it often crashed computers — a risk that could tip off their targets. But it went on to become a reliable tool used in countless intelligence-gathering and counterterrorism missions.

EternalBlue was so valuable, former N.S.A. employees said, that the agency never seriously considered alerting Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand.

The Baltimore attack, on May 7, was a classic ransomware assault. City workers’ screens suddenly locked, and a message in flawed English demanded about $100,000 in Bitcoin to free their files: “We’ve watching you for days,” said the message, obtained by The Baltimore Sun. “We won’t talk more, all we know is MONEY! Hurry up!”

Today, Baltimore remains handicapped as city officials refuse to pay, though workarounds have restored some services. Without EternalBlue, the damage would not have been so vast, experts said. The tool exploits a vulnerability in unpatched software that allows hackers to spread their malware faster and farther than they otherwise could.

North Korea was the first nation to co-opt the tool, for an attack in 2017 — called WannaCry — that paralyzed the British health care system, German railroads and some 200,000 organizations around the world. Next was Russia, which used the weapon in an attack — called NotPetya — that was aimed at Ukraine but spread across major companies doing business in the country. The assault cost FedEx more than $400 million and Merck, the pharmaceutical giant, $670 million.

The damage didn’t stop there.</p>
hacking  nsa 
11 weeks ago by charlesarthur
Inside GCHQ: the art of spying in the digital age • Financial Times
David Bond:
<p>Over the past year I have interviewed 20 people, the majority of whom used only their first name or a cover name to protect their identity. At all times, I was escorted by members of the agency’s press and security staff.

The picture that emerged is of an organisation still heavily bound up in its traditional work of secretive code-cracking and surveillance, but also braced for another wave of technological change that is thrusting it and its staff of 6,000 people into the spotlight.

As the nature of intelligence work becomes increasingly digital, GCHQ is no longer a passive collector and distributor of intelligence, but is transforming into a key player in offensive combat operations.

“In the past, you could characterise what we did as producing pieces of paper which we handed to government who could take action,” explains Tony Comer, GCHQ’s historian and one of just seven people allowed to speak publicly on its behalf. “Now we are the ones actually taking the action.”

Nearly three decades after the birth of the world wide web forced GCHQ to rapidly shift from cold war-era listening posts to a digital surveillance and security service, the arrival of artificial intelligence and machine learning, the internet of things and the sheer scale and complexity of modern online communications is upending the agency again, forcing it to rethink how it delivers its expanding mission…

…In the coming months, Britain will launch a new offensive cyber force, made up of more than 2,000 people, which will build significantly on existing powers to initiate online operations that can degrade or destroy computer networks and have real-world effects, such as turning off energy grids or water supplies. While no decision has yet been made public, the force is expected to be led by GCHQ.</p>


If Britain has one, then it's a good bet that the US and China do.
gchq  hacking 
12 weeks ago by charlesarthur
Why WhatsApp will never be secure • Telegram blog
Pavel Durov is one of the authors of Telegram:
<p>Everything on your phone, including photos, emails and texts was accessible by attackers just because <a href="https://www.businessinsider.com/whatsapp-hacked-attackers-installed-spyware-2019-5?r=US&IR=T">you had WhatsApp installed</a>.  

This news didn’t surprise me though. Last year WhatsApp had to admit they had a very similar issue – a single video call via WhatsApp was all a hacker needed to <a href="https://securitytoday.com/articles/2018/10/12/whatsapp-bug-allowed-hackers-to-hijack-accounts.aspx">get access to your phone’s entire data</a>. 

Every time WhatsApp has to fix a critical vulnerability in their app, a new one seems to appear in its place. All of their security issues are conveniently suitable for surveillance, and look and work a lot like backdoors.  

Unlike Telegram, WhatsApp is not open source, so there’s no way for a security researcher to easily check whether there are backdoors in its code. Not only does WhatsApp not publish its code, they do the exact opposite: WhatsApp deliberately obfuscates their apps’ binaries to make sure no one is able to study them thoroughly. 

WhatsApp and its parent company Facebook may even be required to implement backdoors – via secret processes such as the FBI’s gag orders. It’s not easy to run a secure communication app from the US. A week our team spent in the US in 2016 prompted three <a href="https://www.neowin.net/news/fbi-asked-durov-and-developer-for-telegram-backdoor">infiltration attempts</a> <a href="https://thebaffler.com/salvos/the-crypto-keepers-levine">by the FBI</a>. Imagine what 10 years in that environment can bring upon a US-based company. </p>


The open-source argument is probably good. The argument that its flaws are conveniently about surveillance isn't; the general purpose of hacking into apps or phones is always surveillance. And Telegram has its own problems - emanating from its users.
security  whatsapp  hacking  telegram 
12 weeks ago by charlesarthur
The trade secret: firms that promised high-tech ransomware solutions almost always just pay the hackers • ProPublica
Renee Dudley:
<p>In a statement that day [in November 2018], the FBI said the “criminal actors” were “out of the reach of US law enforcement.” But they weren’t beyond the reach of an American company that says it helps victims regain access to their computers. Proven Data Recovery of Elmsford, New York, regularly made ransom payments to SamSam hackers over more than a year, according to Jonathan Storfer, a former employee who dealt with them.

Although bitcoin transactions are intended to be anonymous and difficult to track, ProPublica was able to trace four of the payments. Sent in 2017 and 2018, from an online wallet controlled by Proven Data to ones specified by the hackers, the money was then laundered through as many as 12 bitcoin addresses before reaching a wallet maintained by the Iranians, according to an analysis by bitcoin tracing firm Chainalysis at our request. Payments to that digital currency destination and another linked to the attackers were later banned by the US Treasury Department, which cited sanctions targeting the Iranian regime.

“I would not be surprised if a significant amount of ransomware both funded terrorism and also organized crime,” Storfer said. “So the question is, is every time that we get hit by SamSam, and every time we facilitate a payment — and here’s where it gets really dicey — does that mean we are technically funding terrorism?”</p>


Yes. Next question. Oh, you're wondering if Proven Data was just getting the decryption keys from the hackers rather than using some Amazing Method? Yes to that too.
hacking  ransomware  terrorism 
may 2019 by charlesarthur
Microsoft patches zero-day bug under active attack • Threatpost
Tom Spring:
<p>Microsoft has released a patch for an elevation-of-privileges vulnerability rated important, which is being exploited in the wild.

The bug fix is part of Microsoft’s May Patch Tuesday Security Bulletin. It’s tied to the Windows Error Reporting feature and is being abused by attackers who have gained local access to affected PCs. They are able to trigger arbitrary code-execution in kernel mode — resulting in a complete system compromise.

“They would need to first gain access to run code on a target system, but malware often uses elevations like this one to go from ‘user’ to ‘admin’ code execution,” wrote Dustin Childs, communications manager for Trend Micro’s Zero Day Initiative, in a blog post on Tuesday. “While details about the use of the exploit are not available, it is likely being used in limited attacks against specific targets.”</p>


It's been quite the week for exploits - WhatsApp, Intel CPUs, now this.
microsoft  windows  hacking 
may 2019 by charlesarthur
Intel flaw lets hackers siphon secrets from millions of PCs • WIRED
Andy Greenberg:
<p>MORE THAN A year has passed since security researchers revealed Meltdown and Spectre, a pair of flaws in the deep-seated, arcane features of millions of chips sold by Intel and AMD, putting practically every computer in the world at risk. But even as chipmakers scrambled to fix those flaws, researchers warned that they weren't the end of the story, but the beginning—that they represented a new class of security vulnerability that would no doubt surface again and again. Now, some of those same researchers have uncovered yet another flaw in the deepest guts of Intel's microscopic hardware. This time, it can allow attackers to eavesdrop on virtually every bit of raw data that a victim's processor touches.

Today Intel and a coordinated supergroup of microarchitecture security researchers are together announcing a new, serious form of hackable vulnerability in Intel's chips. It's four distinct attacks, in fact, though all of them use a similar technique, and all are capable of siphoning a stream of potentially sensitive data from a computer's CPU to an attacker.</p>


😫😫😫😫
intel  hacking 
may 2019 by charlesarthur
The Tinder hacker • The Cut
Francesca Mari:
<p>It all started when Sean recruited his close friend and roommate Haley to create a Tinder profile. Haley, in the words of a Tinder user who would soon encounter her, was a “tall, dark, younger, better-looking version of Kim Kardashian.” Together Sean and Haley selected her profile photos — Haley lounging in a tube with a serving of side boob, Haley in shorts leaning on a baseball bat. Sean wanted her to appear seductive but approachable. Once finished, Sean ran two rather mischievous programs.

The first program had her dummy account indiscriminately swipe right on some 800 men. The second program was one that Sean had spent months coding. It paired men who matched with Haley with one another, in the order that they contacted her. A man would send a message thinking he was talking to Haley — he saw her pictures and profile — and instead another dude would receive the message, which, again, would appear to be coming from Haley. When the first dude addressed Haley by name, Sean’s code subbed in the name of the man receiving the message.

As soon as they ran this code, it was off to the races. Conversations streamed in, around 400 of them unfurling between the most unlikely people, the effect something like same-sex Tinder chat roulette.

“There was a certain breed of guy that this really worked on,” Sean told me. “It wasn’t the kind of guy looking for a girlfriend or looking to talk or be casual. It was the guy looking for a hookup.” And those guys cut to the chase, thrilled at how down “Haley” was to sext, thrusting their way through any miscommunication. (Remember, both dudes think the other is Haley.)</p>


I feel that I've seen this before, but it's so splendid that it's worth bringing back.
ai  hacking  tinder  dating 
may 2019 by charlesarthur
WhatsApp voice calls used to inject Israeli spyware on phones • Financial Times
Mehul Srivastava:
<p>WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. 

The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.

WhatsApp, which is owned by Facebook, is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, said a person familiar with the issue.

As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method. </p>


Further reading on this: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3568">the CVE details about which platforms the WhatsApp vulnerability exists on</a> (all of them, including Tizen, because the weakness is in the WhatsApp VOIP stack).

Iyad El-Baghdadi's <a href="https://arabtyrantmanual.com/press-release/full-text-of-iyad-el-baghdadis-statement-in-press-conference-about-saudi-threats/">press conference transcript about being targeted by the Saudis using this attack</a>.

A story from May 7, in the Guardian, about <a href="https://www.theguardian.com/us-news/2019/may/07/cia-warns-arab-activist-of-potential-threat-from-saudi-arabia">how the CIA and others warned El-Baghdadi he was being targeted</a>.

<a href="https://www.amnesty.org/en/latest/news/2019/05/Israel-Amnesty-legal-action-stop-NSO-Group-web-of-surveillance/">Amnesty International's supporting action for legal action in Israel to suspend NSO Group's export licence</a>, which would stop it selling software to governments which target human rights defenders.
security  hacking  nso  israel  whatsapp 
may 2019 by charlesarthur
Israel’s NSO: the business of spying on your iPhone • Financial Times
Mehul Srivastava and Robert Smith:
<p>At an investor presentation in London in April, NSO bragged that the typical security patches from Apple did not address the “weaknesses exploited by Pegasus”, according to an unimpressed potential investor. Despite the annual software updates unveiled by companies such as Apple, NSO had a “proven record” of identifying new weaknesses, the company representative told attendees.

NSO’s pitch has been a runaway success — allowing governments to buy off the shelf the sort of software that was once thought to be restricted to only the most sophisticated spy agencies, such as GCHQ in the UK and the National Security Agency in America.

The sale of such powerful and controversial technologies also gives Israel an important diplomatic calling card. Through Pegasus, Israel has acquired a major presence — official or not — in the deeply classified war rooms of unlikely partners, including, researchers say, Gulf states such as Saudi Arabia and the United Arab Emirates. Although both countries officially reject the existence of the Jewish state, they now find themselves the subject of a charm offensive by Prime Minister Benjamin Netanyahu that mixes a shared hostility to Iran with intelligence knowhow.

The Israeli government has never talked publicly about its relationship with NSO. Shortly after he stepped down as defence minister in November, Avigdor Lieberman, who had responsibility for regulating NSO’s sales, said: “I am not sure now is the right time to discuss this . . . I think that I have a responsibility for the security of our state, for future relations.” But he added: “It is not a secret today that we have contact with all the moderate Arab world. I think it is good news.”</p>
security  hacking  nso  iphone 
may 2019 by charlesarthur
Why rewards for loyal spenders are ‘a honeypot for hackers’ • The New York Times
Tiffany Hsu:
<p>Some brands have hooked their rewards to other companies. Walgreens offers points to shoppers who connect their accounts to Fitbit fitness trackers. In March, Chipotle briefly promoted a new loyalty program with cash prizes for consumers who also used the social payments app Venmo. Participants submitted the phone number associated with their Venmo accounts on a website created by Chipotle.

Companies are collecting so much data that it is often “more than they can actually use,” said Emily Collins, an analyst with Forrester Research.

“They’ve got oceans of data and puddles of insight,” she said.

As consumers hand over more data, many of them fail to monitor their accounts closely. More than half of the rewards memberships in the United States are inactive, and more than $100 billion a year in rewards points go unredeemed, according to the marketing firm Bond Brand Loyalty.

Tate Holcombe, a photographer in Arlington, Va., said he was usually “pretty religious about changing passwords and multiple verifications,” especially for accounts linked to payment data. With rewards programs, he was much more lax.

“Of course, that’s the one place I got hacked,” he said.

On March 23, Mr. Holcombe woke up at home to a 3 a.m. notification from his Domino’s loyalty account: His pizza was ready for pickup in Santa Clarita, Calif.

Someone had hacked his profile and used a coupon for a free pizza, he said. Personal details, like his phone number and address, had been overwritten with gibberish. When he complained, the company replaced his coupon.</p>


A honeypot, because there are 3.8bn rewards memberships in the US - an average of 10 per person. Of course they'll get hacked; that it's only $1bn in value lost suggests hackers are only just warming up, or that rewards programs are pretty worthless.
rewards  hacking 
may 2019 by charlesarthur
How Chinese spies got the NSA’s hacking tools, and used them for attacks • NY Times
Nicole Perlroth, David E. Sanger and Scott Shane:
<p>Symantec’s discovery, <a href="https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit">unveiled on Monday</a>, suggests that the same Chinese hackers the agency has trailed for more than a decade have turned the tables on the agency.

Some of the same N.S.A. hacking tools acquired by the Chinese were later dumped on the internet by a still-unidentified group that calls itself the Shadow Brokers and used by Russia and North Korea in devastating global attacks, although there appears to be no connection between China’s acquisition of the American cyberweapons and the Shadow Brokers’ later revelations.

But Symantec’s discovery provides the first evidence that Chinese state-sponsored hackers acquired some of the tools months before the Shadow Brokers first appeared on the internet in August 2016.

Repeatedly over the past decade, American intelligence agencies have had their hacking tools and details about highly classified cybersecurity programs resurface in the hands of other nations or criminal groups.</p>

This makes it much more risky to deploy hacks; any and all targets are getting much better at isolating and identifying cyberweapons. It's getting like chemical or biological warfare: the tools are getting too dangerous to deploy.
Malware  hacking  state 
may 2019 by charlesarthur
Japan to develop computer virus to defend against cyberattacks • Japan Times
<p>Japan will develop its first-ever computer virus by next March as a defense measure against cyberattacks, sources have said.

The Defense Ministry is considering malware that can break into a computer system, hoping such a computer virus could work as a deterrent against cyberattacks, the sources said Monday.

The government has said it is looking to enhance its defense capabilities beyond the ground, marine and air domains to address security challenges in new areas such as cyberspace and outer space amid technological advances in recent years.

Japan lags behind other countries in addressing the threat of cyberattacks. It plans to increase the number of personnel in its cyberspace unit to 220 from 150, compared with 6,200 in the United States, 7,000 in North Korea and 130,000 in China, according to the ministry.</p>

"Only to be used for defensive purposes", apparently.
Japan  hacking  cyberwar 
may 2019 by charlesarthur
The facts about parental control apps • Apple
<p>We recently removed several parental control apps from the App Store, and we did it for a simple reason: they put users’ privacy and security at risk. It’s important to understand why and how this happened.

Over the last year, we became aware that several of these parental control apps were using a highly invasive technology called Mobile Device Management, or MDM. MDM gives a third party control and access over a device and its most sensitive information including user location, app use, email accounts, camera permissions, and browsing history. We started exploring this use of MDM by non-enterprise developers back in early 2017 and updated our guidelines based on that work in mid-2017.

MDM does have legitimate uses. Businesses will sometimes install MDM on enterprise devices to keep better control over proprietary data and hardware. But it is incredibly risky—and a clear violation of App Store policies—for a private, consumer-focused app business to install MDM control over a customer’s device. Beyond the control that the app itself can exert over the user's device, research has shown that MDM profiles could be used by hackers to gain access for malicious purposes.</p>


It's very unusual for Apple to make a public statement like this. It removed 11 of 17 of the most-downloaded screen time/parental control apps, which the <a href="https://www.nytimes.com/2019/04/27/technology/apple-screen-time-trackers.html">NY Times suggested</a> was anti-competitive. Apple's saying: not at all.
apple  apps  security  hacking  parental 
april 2019 by charlesarthur
P2P weakness exposes millions of IoT devices • Krebs on Security
Brian Krebs:
<p>The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology. iLnkP2P is bundled with millions of Internet of Things (IoT) devices, including security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders.

iLnkP2P is designed to allow users of these devices to quickly and easily access them remotely from anywhere in the world, without having to tinker with one’s firewall: Users simply download a mobile app, scan a barcode or enter the six-digit ID stamped onto the bottom of the device, and the P2P software handles the rest.

<img src="https://krebsonsecurity.com/wp-content/uploads/2019/04/i-lnk-map.jpg" width="100%" />

But according to an in-depth analysis shared with KrebsOnSecurity by security researcher Paul Marrapese, iLnkP2P devices offer no authentication or encryption and can be easily enumerated, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions.

Marrapese said a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39% of the vulnerable IoT things were in China; another 19% are located in Europe; 7% of them are in use in the United States.</p>


You might say "why would you trust Chinese P2P software?" but the problem is that it's often embedded in the device, and you don't really get a chance to query it. And Chinese software is notoriously bad. There'll be a botnet using these within a few days, at a guess.
china  p2p  software  hacking 
april 2019 by charlesarthur
How Nest, designed to keep intruders out of people’s homes, effectively allowed hackers to get in • Washington Post
Reed Albergotti:
<p>Nest, which is part of Google, has been featured on local news stations throughout the country for hacks similar to what the Thomases experienced [where hackers accessed a webcam in a child's room]. And Nest’s recognizable brand name may have made it a bigger target. While Nest’s thermostats are dominant in the market, its connected security cameras trail the market leader, Arlo, according to Jack Narcotta, an analyst at the market research firm Strategy Analytics. Arlo, which spun out of Netgear, has around 30% of the market, he said. Nest is in the top five, he said.

Nik Sathe, vice president of software engineering for Google Home and Nest, said Nest has tried to weigh protecting its less security-savvy customers while taking care not to unduly inconvenience legitimate users to keep out the bad ones. “It’s a balance,” he said. Whatever security Nest uses, Sathe said, needs to avoid “bad outcomes in terms of user experience.”

Google spokeswoman Nicol Addison said Thomas could have avoided being hacked by implementing two-factor authentication, where in addition to a password, the user must enter a six-digit code sent via text message. Thomas said she had activated two-factor authentication; Addison said it had never been activated on the account.</p>

That last bit is worth noting: Thomas probably thought her Nest was protected because it's a Google device and she has 2FA on her Gmail account. That's not the same as her Nest account - but understanding that requires a lot of compartmentalisation.

But 2FA v password isn't "a balance". It's an on-off switch, a Rubicon. 2FA is robust; a password isn't.
Google  nest  hacking  security 
april 2019 by charlesarthur
Chinese hacking steals billions; US businesses turn a blind eye • PBS
Laura Sullivan and Cat Schuknecht:
<p>for its part, the Chinese government officially denied to NPR and FRONTLINE that it has been involved in such practices.

But that’s not what former U.S. Attorney David Hickton found. When he took over in the Western District of Pennsylvania in 2010, he says, he was inundated with calls from companies saying they suspected China might be inside their computer systems.

“I literally received an avalanche of concern and complaints from companies and organizations who said, ‘We are losing our technology — drip, drip, drip,’ ” he says.

Hickton opened an investigation and quickly set his sights on a special unit of the Chinese military — a secretive group known as Unit 61398. Investigators were able to watch as the unit’s officers, sitting in an office building in Shanghai, broke into the computer systems of American companies at night, stopped for an hour break at China’s lunchtime and then continued in the Chinese afternoon.

“They were really using a large rake — think of a rake [like] you rake leaves in the fall,” he says. “They were taking everything … personal information, strategic plans, organizational charts. Then they just figured out later how they were going to use it.”

But when Hickton went to the companies, eager for them to become plaintiffs, he ran into a problem. None of the companies wanted any part of it. Hickton says they had too much money on the line in China.</p>


Greed, or fear. But it's been going on for absolutely years. Now it seems companies might feel it's time to act, or at least speak up.
hacking  china 
april 2019 by charlesarthur
CIA warning over Huawei • The Times
Lucy Fisher and Michael Evans:
<p>American intelligence shown to Britain says that Huawei has taken money from the People’s Liberation Army, China’s National Security Commission and a third branch of the Chinese state intelligence network, according to a UK source.

The US shared the claims with Britain and its other partners in the Five Eyes intelligence alliance — Australia, New Zealand and Canada — earlier this year, with the UK entering the final stages of a wider review into its next generation mobile network rollout.

The funding allegation is the most serious claim linking the world’s largest telecoms equipment manufacturer to the Chinese state. Huawei insists that it is a private company that is independent of influence from the government and has repeatedly denied posing any security risks. Critics, however, warn that China’s laws oblige companies to co-operate with its security branches, and that “backdoors” could be built into software allowing it to spy on or disrupt British communications.

The Whitehall review into plans for Britain’s introduction of 5G will be discussed by Theresa May, cabinet ministers and security chiefs at the National Security Council, expected to be held next week. A Whitehall source said of the review: “I don’t think it’s massively supportive [towards Huawei].”</p>


Obliging cooperation with security branches and building in backdoors is something that the UK's Regulation of Investigatory Powers Act (RIPA) forces too. It's also instructive to notice the sources here: Lucy Fisher is the defence correspondent. This is careful leaking by UK security sources to push a narrative. That doesn't necessarily mean it's untrue; only that this is intended to be aired.
cia  huawei  defence  hacking 
april 2019 by charlesarthur
Microsoft: hackers compromised support agent’s credentials to access customer email accounts | TechCrunch
Ingrid Lunden and Zack Whittaker:
<p>Microsoft has confirmed to TechCrunch that a certain “limited” number of people who use web email services managed by Microsoft — which cover services like @msn.com and @hotmail.com — had their accounts compromised.

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” said a Microsoft spokesperson in an email.

According to an email Microsoft has sent out to affected users (the reader who tipped us off got his late Friday evening), malicious hackers were potentially able to access an affected user’s e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicates with — “but not the content of any e-mails or attachments,” nor — it seems — login credentials like passwords.

Microsoft is still recommending that affected users change their passwords regardless.

The breach occurred between January 1 and March 28, Microsoft’s letter to users said. </p>


They "hacked" one of the customer support team.
microsoft  hacking  email 
april 2019 by charlesarthur
December 2011: US Army piles on evidence in final arguments in WikiLeaks hearing • WIRED
Kim Zetter, writing in 2011, when Chelsea Manning was still identified as a male US recruit accused of leaking secrets:
<p>In another chat, dated March 8, 2010, Manning asked “Nathaniel Frank,” believed to be [Wikileaks founder Julian] Assange, about help in cracking the main password on his classified SIPRnet computer so that he could log on to it anonymously. He asked “Frank” if he had experience cracking IM NT hashes (presumably it’s a mistype and he meant NTLM for the Microsoft NT LAN Manager). “Frank” replied yes, that they had “rainbow tables” for doing that. Manning then sent him what looked like a hash.

The WikiLeaks twitter feed noted the new allegation on Thursday, without confirming or denying the password-cracking charge.</p>


This is almost surely the "computer-related" US charges on which Assange was re-arrested in Britain after being forced out of the Ecuadorean embassy, where he had been for nearly 2,500 days. In general, Wikileaks is a publisher, not a hacker - but in this case, if the US can link "Nathaniel Frank" to Assange, there's a clear incitement to hack.
wikileaks  assange  hacking 
april 2019 by charlesarthur
Mysterious hackers hid their 'Swiss Army' spyware for five years • WIRED
Andy Greenberg:
<p>Kaspersky says it first detected the TajMahal spyware framework last fall, on only a single victim's network: The embassy of a Central Asian country whose nationality and location Kaspersky declines to name. But given the software's sophistication, Shulmin says TajMahal has likely been deployed elsewhere. "It seems highly unlikely that such a huge investment would be undertaken for only one victim," he writes. "This suggests that there are either further victims not yet identified, or additional versions of this malware in the wild, or possibly both."

Those initial findings may indicate a very cautious and discreet state-sponsored intelligence-gathering operation, says Jake Williams, a former member of the National Security Agency's elite Tailored Access Operations hacking group. "The extensibility of it requires a large developer team," Williams notes. He points out also that the ability to avoid detection and the single known victim suggest extreme care in targeting, stealth, and operation security. "There's all kinds of stuff here that screams opsec and very regimented tasking."

Shulmin says Kaspersky hasn't yet been able to connect TajMahal, named for a file the spyware uses to move stolen data off a victim's machine, to any known hacker groups with the usual methods of code-matching, shared infrastructure, or familiar techniques. Its Central Asian target doesn't exactly provide any easy clues as to the hackers' identities either, given the vagueness of that description and the countries with sophisticated hacker teams with Central Asian interests, including China, Iran, Russia and the US. Nor has Kaspersky determined how the hackers behind TajMahal gain initial access to a victim network. But they do note that the group plants an initial backdoor program on machines, which the hackers labelled Tokyo.</p>


"Central Asia" implies somewhere in the ambit of Russia and China to me. Could be US, could be Israel, could be China, could be Russia.
hacking  malware  state 
april 2019 by charlesarthur
A powerful spyware app now targets iPhone owners • TechCrunch
Zack Whittaker:
<p>Security researchers have discovered a powerful surveillance app first designed for Android devices can now target victims with iPhones.

The spy app, found by researchers at mobile security firm Lookout, said its developer abused their Apple-issued enterprise certificates to bypass the tech giant’s app store to infect unsuspecting victims.

The disguised carrier assistance app once installed can silently grab a victim’s contacts, audio recordings, photos, videos and other device information — including their real-time location data. It can be remotely triggered to listen in on people’s conversations, the researchers found. Although there was no data to show who might have been targeted, the researchers noted that the malicious app was served from fake sites purporting to be cell carriers in Italy and Turkmenistan.

Researchers linked the app to the makers of a previously discovered Android app, developed by the same Italian surveillance app maker Connexxa, known to be in use by the Italian authorities.</p>


What's not clear is whether the app could grab those contacts, photos etc without the user's permission, or whether iOS's permissions structure is robust against that threat. Of course the social engineering side - "this app needs to access…" - can still work.
iphone  malware  hacking  security 
april 2019 by charlesarthur
Feds: woman arrested at Mar-a-Lago had hidden-camera detector • Miami Herald
Jay Weaver, Sarah Blaskey, Caitlin Ostroff, and Nicholas Nehamas:
<p>A federal prosecutor argued in court Monday that Yujing Zhang, the Chinese woman arrested trying to enter President Donald Trump’s private Mar-a-Lago club in Palm Beach last month, “lies to everyone she encounters” and said a search of her hotel room uncovered more than $8,000 in cash, as well as a “signal-detector” device used to reveal hidden cameras.

Also uncovered in the search: $7,500 in US hundred-dollar bills and $663 in Chinese currency, in addition to nine USB drives, five SIM cards and other electronics, according to federal prosecutor Rolando Garcia.

Prosecutors are treating the case as a national-security matter and an FBI counterintelligence squad is investigating, sources familiar with the inquiry told the Miami Herald.

Zhang gave conflicting accounts of why she came to Mar-a-Lago on March 30, at one point saying she had been invited to attend a social event…

…Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said. The analysis is ongoing but still inconclusive, he testified.</p>


D'oh! You put the thumb drive in your sikrit FBI Computer?! (Among suggested tags for this story: "idiots".)
hacking  china  trump 
april 2019 by charlesarthur
The newest AI-enabled weapon: ‘deep-faking’ photos of the Earth • Nextgov
Patrick Tucker:
<p>Worries about deep fakes—machine-manipulated videos of celebrities and world leaders purportedly saying or doing things that they really didn’t—are quaint compared to a new threat: doctored images of the Earth itself.

China is the acknowledged leader in using an emerging technique called generative adversarial networks to trick computers into seeing objects in landscapes or in satellite images that aren’t there, says Todd Myers, automation lead and Chief Information Officer in the Office of the Director of Technology at the National Geospatial-Intelligence Agency.

“The Chinese are well ahead of us. This is not classified info,” Myers said Thursday at the second annual Genius Machines summit, hosted by Defense One and Nextgov. “The Chinese have already designed; they’re already doing it right now, using GANs—which are generative adversarial networks—to manipulate scenes and pixels to create things for nefarious reasons.”

For example, Myers said, an adversary might fool your computer-assisted imagery analysts into reporting that a bridge crosses an important river at a given point.  

“So from a tactical perspective or mission planning, you train your forces to go a certain route, toward a bridge, but it’s not there. Then there’s a big surprise waiting for you,” he said.</p>


The concern seems a little overblown, but you have to worry about malicious actors, especially with open source.
maps  ai  hacking 
april 2019 by charlesarthur
‘Beyond sketchy’: Facebook demanding some new users’ email passwords • Daily Beast
Kevin Poulsen:
<p>Facebook users are being interrupted by an interstitial demanding they provide the password for the email account they gave to Facebook when signing up. “To continue using Facebook, you’ll need to confirm your email,” the message demands. “Since you signed up with [email address], you can do that automatically …”

A form below the message asked for the users’ “email password.”

“That’s beyond sketchy,” security consultant Jake Williams told the Daily Beast. “They should not be taking your password or handling your password in the background. If that’s what’s required to sign up with Facebook, you’re better off not being on Facebook.”

In a statement emailed to The Daily Beast after this story published, Facebook reiterated its claim it doesn’t store the email passwords. But the company also announced it will end the practice altogether.  

“We understand the password verification option isn’t the best way to go about this, so we are going to stop offering it,” Facebook wrote.

It’s not clear how widely the new measure was deployed, but in its statement Facebook said users retain the option of bypassing the password demand and activating their account through more conventional means, such as “a code sent to their phone or a link sent to their email.” Those options are presented to users who click on the words “Need help?” in one corner of the page.</p>


Not stored, but fosters insecurity - if people are used to that on Facebook, they'll do it on a phishing page disguised as Facebook too. And at the same time, third-party apps integrated to Facebook <a href="https://www.upguard.com/breaches/facebook-user-data-leak">left a whole lot of stuff exposed on some Amazon cloud servers</a>.
facebook  hacking  password 
april 2019 by charlesarthur
Jeff Bezos’ investigator Gavin de Becker finds the Saudis obtained the Amazon chief’s private data • Daily Beast
De Becker points out that the Daily Beast wanted him and Bezos to sign a document saying there hadn't been any electronic surveillance - before they'd suggested there had:
<p>As has been reported elsewhere, my results have been turned over to federal officials. Since it is now out of my hands, I intend today’s writing to be my last public statement on the matter. Further, to respect officials pursuing this case, I won’t disclose details from our investigation. I am, however, comfortable confirming one key fact:

Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos’ phone, and gained private information. As of today, it is unclear to what degree, if any, AMI was aware of the details.

We did not reach our conclusions lightly. The inquiry included a broad array of resources: investigative interviews with current and former AMI executives and sources, extensive discussions with top Middle East experts in the intelligence community, leading cyber security experts who have tracked Saudi spyware, discussions with current and former advisers to President Trump, Saudi whistleblowers, people who personally know the Saudi Crown Prince Mohammad bin Salman (also known as MBS), people who work with his close associate Saud al-Qahtani, Saudi dissidents, and other targets of Saudi action, including writer/activist Iyad el-Baghdadi.

Experts with whom we consulted confirmed New York Times reports on the Saudi capability to “collect vast amounts of previously inaccessible data from smartphones in the air without leaving a trace—including phone calls, texts, emails”—and confirmed that hacking was a key part of the Saudis’ “extensive surveillance efforts that ultimately led to the killing of [Washington Post] journalist Jamal Khashoggi.”</p>


He doesn't provide any of that evidence, though. Little tricky to put all one's faith in that.
bezos  amazon  saudi  hacking  spyware 
march 2019 by charlesarthur
Asus was warned of hacking risks months ago, thanks to leaky passwords • TechCrunch
Zack Whittaker:
<p>A security researcher warned Asus two months ago that employees were improperly publishing passwords in their GitHub repositories that could be used to access the company’s corporate network.

One password, found in an employee repo on the code-sharing site, allowed the researcher to access an email account used by internal developers and engineers to share nightly builds of apps, drivers and tools to computer owners. The repo in question was owned by an Asus engineer who left the email account’s passwords publicly exposed for at least a year. The repo has since been wiped clean, though the GitHub account still exists.

“It was a daily release mailbox where automated builds were sent,” said the researcher, who goes by the online handle SchizoDuckie, in a message to TechCrunch. Emails in the mailbox contained the exact internal network path where drivers and files were stored…

…The researcher’s findings would not have stopped the hackers who targeted Asus’ software update tool with a backdoor, revealed this week, but they reveal a glaring security lapse that could have put the company at risk from similar or other attacks. Security firm Kaspersky warned Asus on January 31 — just a day before the researcher’s own disclosure on February 1 — that hackers had installed a backdoor in the company’s Asus Live Update app. </p>


That's two strikes against Asus; not looking good. Security is hard, especially when you do it badly.
asus  github  hacking  security 
march 2019 by charlesarthur
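The lapse in the Asus story above, credentials committed to a public repo, is the kind of thing a secret scanner run as a pre-commit hook or over repository history is meant to catch. The following is an added example written for this page, not the researcher's or Asus's code: it looks for credential assignments, passwords embedded in URLs, private-key blocks and high-entropy tokens, and suppresses obvious placeholders. The file contents, hostnames and values are all constructed for the example.

```python
import math
import re

# Constructed sample repo contents keyed by path (not Asus's files).
SAMPLE_FILES = {
    "build/send_nightly.py": (
        "SMTP_HOST = 'smtp.example.invalid'\n"
        "SMTP_USER = 'nightly-builds'\n"
        "SMTP_PASSWORD = 'Hunter2Hunter2!'\n"),
    "config/settings.example.ini": "[mail]\npassword = changeme\n",
    "scripts/fetch.sh": "curl ftp://builder:Tr0ub4dor%26x@files.example.invalid/nightly/\n",
    "scripts/upload.sh": (
        "curl -H 'X-Build-Auth: Qw7xL2pN9vB4kT8mZ1rY6sH3jF5dG0aC2eU8iO4w' "
        "https://files.example.invalid/\n"),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"),
    "README.md": "Set the password in the environment, never in the repo.\n",
}

PATTERNS = {
    # name = value / name: value, for the usual credential-bearing names
    "assignment": re.compile(
        r"""(?i)(?:pass(?:word|wd)?|secret|api[_-]?key|token)\s*[:=]\s*['"]?([^\s'"]{6,})"""),
    # scheme://user:PASSWORD@host
    "url_credentials": re.compile(r"""(?i)[a-z][a-z0-9+.-]*://[^/\s:@]+:([^\s@/]+)@"""),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Values that are clearly documentation, not a live credential
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxx", "<redacted>", "your_password"}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")   # candidate opaque tokens
ENTROPY_THRESHOLD = 4.5   # bits per char; random API tokens sit around 5 to 6


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return one finding per matched pattern per line, plus any token whose
    entropy says it is machine-generated rather than a word."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if value.lower() in PLACEHOLDERS:
                continue
            findings.append({"path": path, "line": lineno, "kind": kind, "value": value})
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
                findings.append({"path": path, "line": lineno,
                                 "kind": "high_entropy", "value": tok})
    return findings


def scan_files(files: dict) -> list:
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']}: {f['value']}")
```

The entropy rule is what catches tokens that no keyword precedes (the header value in the upload script); the placeholder list is what keeps the scanner quiet on the example config, which is where most of the noise from tools like this comes from.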
Damning Huawei security report: the top 10 key takeaways • Computer Business Review
Ed Targett:
<p>These are Computer Business Review’s Top 10 takeaways from the <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf">Huawei security report</a> [pdf].

1: Huawei’s build processes are dangerously poor<br />Huawei’s underlying build process provides “no end-to-end integrity, no good configuration management, no lifecycle management of software components across versions, use of deprecated and out of support tool chains (some of which are non-deterministic) and poor hygiene in the build environments” HCSEC said.

2: Security officials don’t blame Beijing<br />The National Cyber Security Centre (NCSC) which oversees HCSEC, said it “does not believe that the defects identified are a result of Chinese state interference.”

3: Pledges of a $2bn overhaul mean nothing, yet…<br />Huawei promises to transform its software engineering process through the investment of $2bn over five years are “currently no more than a proposed initial budget for as yet unspecified activities.” Until there is “evidence of its impact on products being used in UK networks” HCSEC has no confidence it will drive change.

4: The vulnerabilities are bad…<br />Vulnerabilities identified in Huawei equipment include unprotected stack overflows in publicly accessible protocols, protocol robustness errors leading to denial of service, logic errors, cryptographic weaknesses, default credentials and many other basic vulnerability types, HCSEC reported.</p>


Also there: old issues aren't fixed, managing the risk will grow, UK operators may have to replace hardware because of the "significant risk", it's using outdated OSs, and the lack of progress is becoming critical. You wonder if this is new? Read on.
huawei  security  hacking 
march 2019 by charlesarthur
Huawei bungled router security, leaving kit open to botnets, despite alert from ISP years prior • The Register
Gareth Corfield:
<p>Huawei bungled its response to warnings from an ISP's code review team about a security vulnerability common across its home routers – patching only a subset of the devices rather than all of its products that used the flawed firmware.

Years later, those unpatched Huawei gateways, still vulnerable and still in use by broadband subscribers around the world, were caught up in a Mirai-variant botnet that exploited the very same hole flagged up earlier by the ISP's review team.

The Register has seen the ISP's vulnerability assessment given to Huawei in 2013 that explained how a programming blunder in the firmware of its HG523a and HG533 broadband gateways could be exploited by hackers to hijack the devices, and recommended the remote-command execution hole be closed.

Our sources have requested anonymity.

After receiving the security assessment, which was commissioned by a well-known ISP, Huawei told the broadband provider it had fixed the vulnerability, and had rolled out a patch to HG523a and HG533 devices in 2014, our sources said. However, other Huawei gateways in the HG series, used by other internet providers, suffered from the same flaw because they used the same internal software, and remained vulnerable and at risk of attack for years because Huawei did not patch them.

One source described the bug as a "trivially exploitable remote code execution issue in the router."</p>


And exploited it was. Repeatedly. But Huawei would only patch as it was told about exploits, model by model, despite them all using the same firmware.
huawei  security  hacking 
march 2019 by charlesarthur
This spyware data leak is so bad we can't even tell you about it • Motherboard
Lorenzo Franceschi-Bicchierai:
<p>This breach is just the latest in a seemingly endless series of exposures or leaks of incredibly sensitive data collected by companies that promise to provide services for parents to keep children safe, monitor employees, or spy on spouses. In the last two years, there have been 12 stalkerware companies that have either been breached or left data exposed online: Retina-X (twice), FlexiSpy, Mobistealth, Spy Master Pro, SpyHuman, Spyfone, TheTruthSpy, Family Orbit, mSpy, Copy9, and Xnore.

We can’t tell you the name of the company that’s the latest—but certainly not the last—to join that list. That’s because despite our repeated efforts to alert the company to the leak, it has yet to fix the problem or acknowledge our request for comment. Because the leaked data violates the privacy of hundreds if not thousands of people, and because that data is still very easy for anyone to find and access, even naming the company publicly could lead bad actors to expose it.

The exposed database was found by security researcher Cian Heasley, who contacted us when he found it earlier this year. The database is still online, and has been online for at least six weeks. Pictures and audio recordings are still being uploaded to it nearly every day. We won’t name the company to protect the victims who may be getting spied on without their consent or knowledge, and—on top of that—are having their pictures and calls uploaded to a server open to anyone with an internet connection.</p>
Hacking  spyware 
march 2019 by charlesarthur
Cummings demands docs on Kushner's alleged use of WhatsApp for official business • POLITICO
Andrew Desiderio and Kyle Cheney:
<p>House Democrats are raising new concerns about what they say is recently revealed information from Jared Kushner’s attorney indicating that the senior White House aide has been relying on encrypted messaging service WhatsApp and his personal email account to conduct official business.

The revelation came in a Dec. 19 meeting — made public by the House Oversight and Reform Committee for the first time on Thursday — between Rep. Elijah Cummings (D-Md.), Rep. Trey Gowdy, the former chairman of the oversight panel, and Kushner’s lawyer, Abbe Lowell.

Cummings, who now leads the Oversight Committee, says in a new letter to White House Counsel Pat Cipollone that Lowell confirmed to the two lawmakers that Kushner “continues to use” WhatsApp to conduct White House business. Cummings also indicated that Lowell told them he was unsure whether Kushner had ever used WhatsApp to transmit classified information.

"That's above my pay grade," Lowell told the lawmakers, per Cummings' letter.

Lowell added, according to Cummings, that Kushner is in compliance with recordkeeping law. Lowell told the lawmakers that Kushner takes screenshots of his messages and forwards them to his White House email in order to comply with records preservation laws, Cummings indicated.

Kushner, whom the president charged with overseeing the administration’s Middle East policies, reportedly has communicated with Saudi Crown Prince Mohammed bin Salman via WhatsApp.</p>


Hmm. Kushner's an utterly talentless ballsack, but I can't see using WhatsApp as bad - especially compared to using email. There's no evidence it has ever been cracked. It's as insecure as your phone login - and you can decide if that's high or medium or low. Governments all over the place get things done via WhatsApp. I'd always recommend it over email, which offers far more targets to break into.
whatsapp  kushner  security  hacking 
march 2019 by charlesarthur
Hated and hunted: the ransomware cracker • BBC News
Joe Tidy:
<p>[Fabian Wosar's] unassuming terraced house on the outskirts of London has no decorative furnishings at all. No pictures or paintings adorn the walls. No lamps or plants. The shelves are empty except for a collection of Nintendo games and some computer coding manuals.

He owns one board-game called Hacker: The Cyber Security Logic Game, which he admits he’s very good at - although he’s only ever played it alone. In short, his home isn’t very homely but this cheery, energetic young German doesn’t seem to mind. He even admits to spending “98%” of his time at home as he works from his office upstairs.

“I’m one of those people who if I don’t really have a reason to go outside, I won’t,” he says.

“I don’t really like to leave the house unless I have to. I do nearly all my shopping online and get everything delivered. I don’t really like too many things around as I spend nearly all of my time working.”

Strangely, Fabian has chosen the smallest room in his house to set up his office. This is where, with the curtains closed, he toils away for most of his waking life gaining grateful fans and hateful, dangerous enemies around the world.

He works remotely for a cyber security company, often sitting for hours at a time working with colleagues in different countries.

When he’s “in the zone”, the outside world becomes even less important and his entire existence focuses on the code on his screen. He once woke up with keyboard imprints all over his face after falling asleep during a 35-hour session.

All of this to create anti-ransomware programs that he and his company usually give away free. Victims simply download the tools he makes for each virus, follow the instructions and get their files back. You can see how he has built up such a vengeful group of angry cyber criminals.</p>


Wosar has moved to an "unknown location" since he spoke here. You can imagine there are some people who really wish very bad things for him.
internet  ransomware  virus  hacking 
march 2019 by charlesarthur
Beto O’Rourke’s secret membership in America’s oldest hacking group • Reuters
Joseph Menn:
<p>The hugely influential Cult of the Dead Cow, jokingly named after an abandoned Texas slaughterhouse, is notorious for releasing tools that allowed ordinary people to hack computers running Microsoft’s Windows. It’s also known for inventing the word “hacktivism” to describe human-rights-driven security work.

Members of the group have protected O’Rourke’s secret for decades, reluctant to compromise his political viability. Now, in a series of interviews, CDC members have acknowledged O’Rourke as one of their own. In all, more than a dozen members of the group agreed to be named for the first time in a book about the hacking group by this reporter that is scheduled to be published in June by Public Affairs. O’Rourke was interviewed early in his run for the Senate.

There is no indication that O’Rourke ever engaged in the edgiest sorts of hacking activity, such as breaking into computers or writing code that enabled others to do so. But his membership in the group could explain his approach to politics better than anything on his resume. His background in hacking circles has repeatedly informed his strategy as he explored and subverted established procedures in technology, the media and government.

“There’s just this profound value in being able to be apart from the system and look at it critically and have fun while you’re doing it,” O’Rourke said. “I think of the Cult of the Dead Cow as a great example of that.”

An ex-hacker running for national office would have been unimaginable just a few years ago. But that was before two national elections sent people from other nontraditional backgrounds to the White House and Congress, many of them vowing to blow up the status quo.</p>


In some ways it's inevitable that a hacker would be a presidential candidate at some point. In the same way, a keen video game player will also be a candidate - and in time become president. It's just numbers.
hacking  politics 
march 2019 by charlesarthur
Iranian-backed hackers stole data from major US government contractor • NBC News
Dan De Luce and Courtney Kube:
<p>Iranian-backed hackers have stolen vast amounts of data from a major software company that handles sensitive computer projects for the White House communications agency, the U.S. military, the FBI and many American corporations, a cybersecurity firm told NBC News.

Citrix Systems Inc. came under attack twice, once in December and again Monday, according to Resecurity, which notified the firm and law enforcement authorities.

Employing brute force attacks that guess passwords, the assault was carried out by the Iranian-linked hacking group known as Iridium, which was also behind recent cyberattacks against numerous government agencies, oil and gas companies and other targets, Charles Yoo, Resecurity's president, said.

The hackers extracted at least six terabytes of data and possibly up to 10 terabytes in the assault on Citrix, Yoo said. The attackers gained access to Citrix through several compromised employee accounts, he said.</p>


Successful brute-force attacks? Citrix really needs to rethink its approach to security. Password lockouts and/or two-factor authentication.
citrix  iran  hacking  security 
march 2019 by charlesarthur
Teen becomes first hacker to earn $1m through bug bounties • Digit
Dominique Adams:
<p>Teen hacker Santiago Lopez from Argentina has become the world’s first white-hat hacker to earn a million dollars from bug bounties.

Lopez, a.k.a. @try_to_hack (his online moniker), started flagging up security weaknesses to companies via vulnerability coordination and bug bounty platform, HackerOne.

Since embarking on his legal hacking career in 2015, he has reported more than 1,600 security flaws to organisations, including social media platform Twitter and Verizon Media Company, as well as private corporate and government entities.

Inspired by the movie Hackers, Lopez taught himself how to hack watching free online tutorials and reading popular blogs.

At the age of 16 he earned his first bounty of $50 and was motivated to continue hacking after school. He now hacks full-time earning nearly 40 times the average software engineer salary in Buenos Aires…

…Numerous global companies including the US Department of Defense, General Motors, Google, Twitter, GitHub, Nintendo, Lufthansa, Panasonic Avionics, Qualcomm, Starbucks, Dropbox, and Intel have partnered with HackerOne to discover more than 100,000 vulnerabilities and award more than $45m (£34m) in bug bounties.

Luta Security CEO and cybersecurity expert, Katie Moussouris, said that bug bounties although useful weren’t a “silver bullet”. Moussouris, who created the bug bounty at Microsoft, warned that if badly implemented such programmes could see talent leaving organisations in favour of pursuing bug bounties, and thus damage the talent pipeline.</p>


At a guess, the bounty will be distributed on the usual Pareto (power law) curve. Great for some, peanuts for many.
hacker  bugbounty  hacking  bounty 
march 2019 by charlesarthur
Facebook won’t let you opt-out of its phone number ‘look up’ setting • TechCrunch
Zack Whittaker:
<p>Users are complaining that the phone number Facebook hassled them to use to secure their account with two-factor authentication has also been associated with their user profile — which anyone can use to “look up” their profile.

Worse, Facebook doesn’t give you an option to opt out.

Last year, Facebook was forced to admit that after months of pestering its users to switch on two-factor by signing up their phone number, it was also using those phone numbers to target users with ads. But some users are finding out just now that Facebook’s default setting allows everyone — with or without an account — to look up a user profile based off the same phone number previously added to their account.

The recent hubbub began today after a <a href="https://twitter.com/jeremyburge/status/1101402001907372032">tweet</a> by Jeremy Burge blew up, criticizing Facebook’s collection and use of phone numbers, which he likened to “a unique ID that is used to link your identity across every platform on the internet.”</p>


Facebook has handled this badly because it handles anything where it gets more data, especially data tying to you individually, badly - that is, as a thing which it wants above all other things, and will not relent in its use. Last year, the complaint was that if you use your phone number for 2FA, it pings you - even if you have all "notify me" settings turned off - to say that things are happening on your account.

You can however use a code generator program such as Authy or Google Authenticator for the 2FA part.
facebook  privacy  phonenumber  ethics  security  hacking 
march 2019 by charlesarthur
US Cyber Command operation disrupted internet access of Russian troll factory on day of 2018 midterms • The Washington Post
Ellen Nakashima:
<p>The US military blocked Internet access to an infamous Russian entity seeking to sow discord among Americans during the 2018 midterms, several US officials said, a warning that the Kremlin’s operations against the United States are not cost-free.

The strike on the Internet Research Agency in St. Petersburg, a company underwritten by an oligarch close to President Vladi­mir Putin, was part of the first offensive cyber campaign against Russia designed to thwart attempts to interfere with a US election, the officials said.

“They basically took the IRA offline,” according to one individual familiar with the matter who, like others, spoke on the condition of anonymity to discuss classified information. “They shut them down.”

The operation marked the first muscle-flexing by US Cyber Command, with intelligence from the National Security Agency, under new authorities it was granted by President Trump and Congress last year to bolster offensive capabilities.

Whether the impact of the St. Petersburg action will be long-lasting remains to be seen. Russia’s tactics are evolving, and some analysts were skeptical the strike would deter the Russian troll factory or Putin, who, according to US intelligence officials, ordered an “influence” campaign in 2016 to undermine faith in US democracy. US officials have also assessed that the Internet Research Agency works on behalf of the Kremlin.</p>


Could they block the Trump family's Twitter and Instagram access next?
cyber  ira  internet  hacking 
february 2019 by charlesarthur
China surveillance firm tracking millions in Xinjiang - researcher • Reuters
Cate Cadell and Philip Wen:
<p>A Chinese surveillance firm is tracking the movements of more than 2.5 million people in the far-western Xinjiang region, according to a data leak flagged by a Dutch internet expert.

An online database containing names, ID card numbers, birth dates and location data was left unprotected for months by Shenzhen-based facial-recognition technology company SenseNets Technology Ltd, according to Victor Gevers, co-founder of non-profit organisation GDI.Foundation, who first noted the vulnerability in a series of social media posts last week.

Exposed data also showed about 6.7m location data points linked to the people which were gathered within 24 hours, tagged with descriptions such as “mosque”, “hotel,” “internet cafe” and other places where surveillance cameras were likely to be found.

“It was fully open and anyone without authentication had full administrative rights. You could go in the database and create, read, update and delete anything,” said Gevers.</p>


When surveillance states get sloppy.
china  hacking  surveillance 
february 2019 by charlesarthur
What I learned from the hacker who spied on me • WSJ
Joanna Stern:
<p>We’re putting cameras in more and more places, yet more and more people are putting tape over their computer webcams because they fear who may be looking.

How secure are these tiny eyes into our private lives? The bad news is, it was possible for Mr. Heid to get into my Windows 10 laptop’s webcam and, from there, my entire home network. He also eventually cracked my MacBook Air. The good news is that both operating systems were initially able to thwart the hacker. It took me performing some intentionally careless things for him to “succeed.”

If you’re on guard and aware that people are out there trying to trick you to let down your defenses, and you follow some basic practices, you can make it much more difficult for the bad guys to get to you…

…When connected to the Windows laptop, Mr. Heid was able to scan for other devices on my home Wi-Fi network. He quickly found two cameras: a Nest Camera and a Wansview 1080p connected baby monitor that I bought for this column along with the laptops.

From this point on, getting into the baby monitor didn’t even require hacking. He went to its IP address, searched Google for the default username and password and typed it in to the camera’s web portal. He had a nice stream of my son’s playroom—my son included.</p>


Windows 10: hard-ish to hack. MacBook Air: harder to hack. Android: harder to hack. iPhone: don't bother. (Yeah yeah FaceTime. Isn't the same.) Random webcams: cinch, especially if you don't change the default password - and lots of people don't.
hacking  webcam 
february 2019 by charlesarthur
Another demonstration of CRS/GDS insecurity • The Practical Nomad blog
Edward Hasbrouck:
<p>Zack Whittaker had a report yesterday for Techcrunch on the latest rediscovery of a continuing vulnerability affecting sensitive personal data in airline reservations that I first reported, both publicly and to the responsible companies, more than 15 years ago: computerized reservations systems and systems that rely on them for data storage and retrieval, including airline check-in Web sites, use a short, insecure, unchangeable, system-assigned, and fundamentally insecure "record locator" as though it were a secure password to control access to passenger name record (PNR) data.

I wrote about these vulnerabilities and reported them to each of the major CRS/GDS companies in 2001, 2002, and 2003, specifically noting their applicability to airline check-in Web sites (among many other Web services). I pointed these vulnerabilities out in a submission to the US Federal Trade Commission in 2009 which was co-signed by several consumer and privacy organizations, in my 2013 testimony as an invited expert witness before the Advisory Committee on Aviation Consumer Protection of the U.S. Department of Transportation, in a complaint which was finally accepted and docketed by the European Commission in 2017, and in my comments to the European Commission in December 2018 with respect to its current review of the European Union's regulations governing protection of personal data by CRSs.</p>


Ah, so it's not a new thing by any means. That makes it a lot worse. (Thanks, Wendy Grossman.)
airlines  hacking  security 
february 2019 by charlesarthur
E-ticketing system exposes airline passengers' personal information via email • Cyberscoop
Jeff Stone:
<p>At least eight airlines, including Southwest, use e-ticketing systems that could allow hackers to access sensitive information about travelers merely by intercepting emails, according to <a href="https://www.wandera.com/mobile-security/airline-check-in-risk/">research published Wednesday by the mobile security company Wandera</a>.

The systems fail to secure customers’ personally identifiable information, including names, boarding passes, passport numbers and flight numbers, Wandera said.

The email vulnerabilities still exist, Wandera found, even though researchers notified affected companies weeks ago, and despite growing corporate awareness about the risks associated with sacrificing security for convenience.

The weakness is a check-in link that is emailed to customers, Wandera researchers found. Customer information is embedded in the links, allowing travelers to travel from their email to a website where they check in for a flight without needing to enter their username and password. However the links are unencrypted and re-usable, presenting a tempting target for hackers, according to Michael Covington, vice president of product at Wandera.</p>


"Weeks" isn't enough time to change a system that will be deeply embedded, and airlines aren't known for having the fastest-moving approach to changing their systems. I'm sure some readers would have more knowledge of this.
eticket  airline  hacking 
february 2019 by charlesarthur
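Both of the airline entries above come down to the same design flaw: a short, static identifier (the record locator in Hasbrouck's piece, the customer data embedded in the check-in URL in Wandera's) is treated as if it were a credential, so anyone who sees it has access for as long as the booking exists. The following is an added example for this page, not Wandera's, any airline's or any GDS vendor's code. It shows the weak link pattern next to a hardened one in which the link carries only an opaque HMAC-signed token that expires and can be redeemed once, while the passenger record stays server-side and is looked up by booking reference. The hostname, booking data and key handling are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; never appears in a link
CHECKIN_BASE = "https://air.example.invalid/checkin"   # hypothetical host


def insecure_checkin_link(pnr, surname, passport, flight):
    """The weak pattern: the link *is* the data. Anyone who can read the email,
    a proxy log, browser history or a Referer header has the passenger record,
    and the link keeps working for as long as the booking exists."""
    return CHECKIN_BASE + "?" + urlencode(
        {"pnr": pnr, "surname": surname, "passport": passport, "flight": flight})


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def issue_checkin_token(pnr, issued_at, ttl=24 * 3600):
    """Opaque token: base64url(JSON{pnr, exp, nonce}) '.' base64url(HMAC-SHA256).
    Only the booking reference travels in the link; the nonce makes every
    issued link distinct so a redeemed one can be burned server-side."""
    body = json.dumps({"pnr": pnr, "exp": issued_at + ttl,
                       "n": secrets.token_hex(8)}, separators=(",", ":")).encode()
    return _b64e(body) + "." + _b64e(_sign(body))


def secure_checkin_link(token):
    return CHECKIN_BASE + "?" + urlencode({"t": token})


class CheckinServer:
    """Redeems tokens. Passenger data is looked up by PNR, never carried in the link."""

    def __init__(self, bookings):
        self.bookings = bookings      # pnr -> passenger record (constructed data)
        self.used_nonces = set()      # single-use enforcement

    def redeem(self, link, now):
        token = parse_qs(urlparse(link).query).get("t", [""])[0]
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _b64d(body_b64), _b64d(sig_b64)
        except ValueError:             # binascii.Error is a ValueError
            return None, "malformed"
        # Verify before parsing: unauthenticated bytes never reach json.loads
        if not hmac.compare_digest(_sign(body), sig):
            return None, "bad signature"
        claims = json.loads(body)
        if now > claims["exp"]:
            return None, "expired"
        if claims["n"] in self.used_nonces:
            return None, "already used"
        self.used_nonces.add(claims["n"])
        return self.bookings.get(claims["pnr"]), "ok"


if __name__ == "__main__":
    print(insecure_checkin_link("ABC123", "Doe", "X1234567", "WN123"))
    print(secure_checkin_link(issue_checkin_token("ABC123", issued_at=1_550_000_000)))
```

The mail itself is still the weak point (anyone who reads it before the passenger does can redeem the link), but the blast radius drops from "the passenger's passport number, forever" to "one check-in, within a day, once", and a redeemed-twice event becomes something the server can log and alert on.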
Hands up who reuses the same password everywhere, even with your Nest. Keep your hand up if you like being spied on by hackers • The Register
Kieren McCarthy:
<p>Nest has urged its customers to not reuse passwords between their smart home gizmos and other websites and services.

This comes after miscreants were spotted taking usernames and passwords leaked or stolen from other websites, and using them to attempt to log into Nest accounts and hijack the internet-connected home gadgets, a type of attack known as credential stuffing.

Rishi Chandra, general manager of the Google-owned smart home outfit, sent an email to all Nest customers on Wednesday noting that the manufacturer had "heard from people experiencing issues with their Nest devices" before running through some security tips to secure their accounts…

…according to Nest, the likelihood is that dirtbags are trying out usernames and passwords dumped online from unrelated website security breaches, to access Nest accounts where credentials have been reused.

"Even though Nest was not breached, customers may be vulnerable because their email addresses and passwords are freely available on the internet," Chandra's email warned. "If a website is compromised, it's possible for someone to gain access to user email addresses and passwords, and from there, gain access to any accounts that use the same login credentials."

Nest claims to proactively look out for passwords being spilled online, "and when compromised accounts are found, we alert you and temporarily disable access. We also prevent the use of passwords that appear on known compromised lists."</p>


As we have said before, Nest <a href="https://nest.com/support/article/How-to-use-2-step-verification-to-add-stronger-security-to-your-Nest-Account">allows two-factor authentication</a>, though presently only via SMS (which is weaker than TOTP - timed one-time password - systems such as Authy or Google Authenticator). Odd that a company which is part of Google shouldn't have TOTP.
nest  2fa  hacking 
february 2019 by charlesarthur
Biohackers encoded malware in a strand of DNA • WIRED
Andy Greenberg:
<p>In new research they plan to present at the USENIX Security conference on Thursday, a group of researchers from the University of Washington has shown for the first time that it’s possible to encode malicious software into physical strands of DNA, so that when a gene sequencer analyzes it the resulting data becomes a program that corrupts gene-sequencing software and takes control of the underlying computer. While that attack is far from practical for any real spy or criminal, it's one the researchers argue could become more likely over time, as DNA sequencing becomes more commonplace, powerful, and performed by third-party services on sensitive computer systems. And, perhaps more to the point for the cybersecurity community, it also represents an impressive, sci-fi feat of sheer hacker ingenuity.

“We know that if an adversary has control over the data a computer is processing, it can potentially take over that computer,” says Tadayoshi Kohno, the University of Washington computer science professor who led the project, comparing the technique to traditional hacker attacks that package malicious code in web pages or an email attachment. “That means when you’re looking at the security of computational biology systems, you’re not only thinking about the network connectivity and the USB drive and the user at the keyboard but also the information stored in the DNA they’re sequencing. It’s about considering a different class of threat.”</p>


That is fabulously clever. (Thanks to the many people who sent this; Paul Guinnessy was first, I believe.) It's obvious when you think about it: a Turing machine reading an instruction set.
malware  hacking  dna 
february 2019 by charlesarthur
The problem with throwing away a smart device • Hackster Blog
Alasdair Allan:
<p>Last week a <a href="https://limitedresults.com/2019/01/pwn-the-lifx-mini-white/">teardown of the LiFX Mini white </a>was published on the Limited Results site, and it shows that this smart lightbulb is anything but smart.

In a very short space of time the teardown established that if you’ve connected the bulb to your Wi-Fi network then your network password will be stored in plain text on the bulb, and can be easily recovered just by downloading the firmware and inspecting it using a hex editor.

In other words, throwing this lightbulb in the trash is effectively the same as taping a note to your front door with your wireless SSID and password written on it. This probably isn’t something you should be comfortable doing.

Worse yet, both the root certificate and RSA private key for the bulb are also present in the firmware in plain text, and the device is completely open—no secure boot, no flash encryption, and with the debug interface fully enabled.

It turns out that this particular LiFX bulb is built around an Espressif ESP32 which, as we know, has a sprawling and fairly mature open source ecosystem. But that also means that the security implemented by LiFX for the bulb was inexplicably poor. Because while the recovery of the password and keys was aided by the mature state of the development environment, the ESP32 also supports both secure boot and flash encryption, and the latter would have provided “at-rest” data encryption, and stopped this sort of attack dead in its tracks.</p>
smarthome  hacking  security 
february 2019 by charlesarthur