CHB Cybersecurity Briefing 15/07/19
by Cameron Hunter Bell
Zoom was caught in a storm this week after a researcher found the popular video chat app left a hidden and undocumented web server on Macs, which ran in the background and wasn't removed when the app was uninstalled. That meant anyone could join users to a call, often without their permission. Zoom's response was probably worse than the bug itself. Here's NIST's writeup on the bug. In the end, Apple pushed a silent update to Macs to patch the bug and prevent exploitation.
DarkMatter, a UAE surveillance and hacking outfit, was recently accused of targeting journalists and high profile critics of the UAE government — but the company's side business as a certificate authority has a clean track record. So when the hackers asked to be included on Mozilla's whitelist, it put the Firefox browser maker in a bind. The fear was that DarkMatter could abuse its position to spy on users. In the end, Mozilla dropped DarkMatter like it's hot and refused, calling the company a "significant risk" to its users.
The U.K. data protection watchdog handed down a record $230 million fine to British Airways for its credit card breach, in which card skimmers installed malware on the airline's website and downloaded 500,000 users' data over a period of several weeks. It's the biggest U.K. fine handed out since GDPR went into effect. A day later Marriott, which owns Starwood, was fined $123 million for its guest booking system hack last year.
A deep-dive into the WannaCry attack two years ago. Zack Whittaker spoke to the two researchers — @malwaretechblog and @2sec4u — who found the "kill switch" and kept it alive for a week, despite police raids and botnet attacks, until they handed it off to Cloudflare. The kill switch was the only thing keeping another outbreak at bay. @2sec4u described it as the most stressful week of his life. Never more relevant than now, given the current threat posed by BlueKeep.
The Trump administration has refused to allow lawmakers in Congress to see a classified order issued by the president a year ago that explains how the government decides, plans and operates its use of cyber-weapons, despite bipartisan efforts to receive the directive. Worst possible timing, given the recent U.S. offensive cyberattack against Iran a few weeks ago.
U.S. immigration officials are sifting through and mining facial recognition data from millions of driver's license photos, according to documents obtained by Georgetown University. Federal agencies weren't given congressional approval to mine the data, but did it anyway over a span of five years. In some cases ICE agents would simply ask states for the data without bothering to get a warrant.
@shanvav has a deep-dive into Cyber Command's latest malware sample share, which was submitted to VirusTotal and tweeted out. In the rare cases where the DoD agency goes public with malware it finds, the government does it as a power move to demonstrate agencies' "visibility into attacks in order to discourage adversaries from launching more."
Palantir, the secretive surveillance company in Silicon Valley, is used in hundreds of California districts alone — and many across the U.S. for various reasons — including law and immigration enforcement. This document gives the first major insight into Palantir's capabilities — and the kinds of companies that use it.
OpenPower Foundation, a non-profit set up by Google and IBM executives, is helping Chinese chip maker Semptian to create far more advanced microprocessors which are said to be critical in China's surveillance market. Semptian claims its technology is used to covertly monitor the internet activity of 200 million citizens. Sen. Mark Warner (D-VA) said it was "disturbing to see that China has successfully recruited Western companies" to build out its surveillance machine.
Slate has an interesting read on how automatic license plate readers (ALPR) are creeping into neighbourhoods all across the U.S.
Good short-ish read on the risks associated with any network equipment supplier, not just Huawei. Given Cisco hardware is also riddled with bugs, who can you trust? This piece suggests that often decisions are made based on what's politically efficient, and not what's necessarily most secure.
A cautionary tale from Lake City, Florida, told by The New York Times ($), about how the city paid to get its documents back after a ransomware attack but not everything was restored. Audrey Sikes, city clerk, "spent years digitising all the papers of a city that incorporated before the Civil War." But all those documents still have not been decrypted, she said. "It puts us years and years and years behind," Sikes said.
Beware if you use the "strong_password" Ruby library. It contained a backdoor, which downloaded and ran a second payload from Pastebin. That allowed the attacker — whose identity isn't known — to run code inside any app that included the backdoored library. The library owner explained how this happened in a Hacker News thread.
Some good news: the FEC now says it will allow one security company to offer discounted help to federal political campaigns, such as for president and Congress. Area 1 Security, which brought the case to the FEC, is allowed to provide services to fight disinformation campaigns and hacking efforts, both of which were prevalent during the 2016 presidential election. The ruling was made because Area 1 said it was not giving anyone a special deal — which could've been seen as an "in-kind donation" — but offered campaigns the same price as others on its lowest tier of service.
Cisco researchers at its Talos group say DNS hijacking, which first triggered alarms earlier this year, continues to pose a problem. The researchers say a new hijacking technique is currently in play. There are a few new nuggets in here that network defenders need to know. "Unfortunately, unless there are significant changes made to better secure DNS, these sorts of attacks are going to remain prevalent," they write. Maybe it's time to DNSSEC up your domains?
"Apple patched a high-severity iMessage bug found by Google Project Zero that can be exploited by an attacker who sends a specially-crafted message to a vulnerable iOS device," reports Threatpost. "Those iPhones receiving the malicious message are rendered inoperable, or bricked." Apple patched the bug in iOS 12.3 in mid-May.
Remember earlier this year when Firefox ground to a halt because an expired certificate meant add-ons weren't loading? Mozilla posted its post-mortem this week and finally confirmed it: yeah, they let the certificate expire, and apologized for the outage. Turns out it was a bit more complicated than we first thought: "The team responsible for the system which generated the signatures knew that the certificate was expiring but thought (incorrectly) that Firefox ignored the expiration dates," the blog post said.
U.K. efforts to police online porn aren't going so well. After delay upon delay, the porn verification system is slated to go into effect later this year. Anyone over 18 must obtain proof that they're old enough to access online porn. What's the catch? "The British government isn’t operating the system itself. Instead, it’s being outsourced to private companies, which can sell their own age verification technology to porn sites." Hoo-boy. If this is the first time you're hearing of this, buckle up. This AP dispatch has a good rundown of just how bad it is.
Google was forced to respond to a report this week by a Belgian broadcaster, which revealed contractors had access to Google Assistant user recordings — similar to the situation with Amazon's Echo. Google said in its blog post that language experts "only review around 0.2 percent of all audio snippets." Assuming users collectively make a billion requests of their devices per year, that's still two million recordings.
About the Author
Cameron is a UK InfoSec veteran and an experienced innovation strategist. He speaks regularly at conferences and industry events about commercial strategy, ecosystem creation and business design. In 2009, he helped found the cyber security startup Vacta Ltd, which was integrated into the ECS Group in 2012. Cameron has successfully implemented innovation programs for several multinational defence, logistics, automotive manufacturers and financial service providers. He previously established the highly successful Berlin Studio for Idean (now part of the Capgemini Invent Group), specialising in service and ecosystem design for autonomous automotive. More recently, Cameron led the team delivering LORCA, the new 13.5M London cyber innovation centre, for Plexal in association with Deloitte, CSIT Belfast and the UK Department for Culture, Media and Sport. Cameron advises Casta Spes Technologies, an AI-driven robotics startup tackling the challenge of physical perimeter security.
The article was originally published at: https://www.linkedin.com/pulse/chb-cybersecurity-briefing-150719-cameron-hunter-bell/