CHB Cybersecurity Digest 02/09/19
by Cameron Hunter Bell
HEADLINES IN BRIEF
- A team of French police dubbed "cybergendarmes" has dismantled a botnet of more than 850,000 infected computers worldwide, authorities say. The botnet was controlled from France and is thought to have made millions of euros from fraud.
- A North Korean state-sponsored hacking group has been targeting retired South Korean diplomats, government, and military officials.
- A hugely popular Android app that takes high-quality photographs of documents, CamScanner, has been found to contain malware. The app has been downloaded more than 100 million times by Android users.
- Gatwick-bound plane forced to avoid 'high risk' drone.
- Security researchers at Google have found evidence of a “sustained effort” to hack iPhones over a period of at least two years.
- Paige A. Thompson, the alleged hacker behind the theft of more than 100 million customer records from Capital One Financial Corp., has been indicted on additional charges for hacking more than 30 companies.
- A hacker group is exploiting vulnerabilities in more than ten WordPress plugins to create rogue admin accounts on WordPress sites across the internet.
- The co-founder and chief executive of Twitter had his own account on the service briefly taken over by hackers.
IN GREATER DEPTH
Motherboard: This was no doubt the biggest story of the week. Google's Project Zero found evidence that a small number of websites had been quietly hacking iPhones for at least two years, using exploit chains that ended in root access to iOS. The implant harvested messages, photos, the device keychain (saved credentials and tokens included) and near-real-time location. Sources said the targets were Uyghur Muslims, with China as the culprit. In total, 14 vulnerabilities across five exploit chains were used against "thousands" of visitors every week. Apple patched the last of them in February, but details of the campaign only came out this week. It's unknown whether Android users were targeted by the same sites. Worth noting for anyone responding to this: the implant did not survive a reboot, but anything it uploaded is gone for good, so credentials and tokens from a suspected device should be treated as compromised and rotated.
Reuters: Voter registration rolls are the new target for foreign hackers, according to sources speaking to Reuters. Forget voting equipment, hackers are said to be directly going after voter data to "manipulate, disrupt or destroy the data." Homeland Security's CISA said they're concerned these voter records might get hit by ransomware. More: @CISAgov
ProPublica: Why are insurance companies happy to pay to get their clients' ransomed files back? Because attacks are "good for business," reports ProPublica in this deep-dive investigative report. A ransom payment is usually far cheaper for the insurer than covering a long recovery, and every headline attack drives demand for cyber-insurance policies. "The onus isn't on the insurance company to stop the criminal, that's not their mission," said one insurance expert. "Their objective is to help you get back to business. But it does beg the question, when you pay out to these criminals, what happens in the future?" More: @raj_samani | Archive: ProPublica
CNET: After months of reports uncovering the scale and scope of Amazon's Ring working with local police, the company finally came clean and published an official map of the police departments it works with. In short, the camera-equipped doorbell maker has partnered with police across the U.S., letting officers request doorbell footage from users without a warrant. Gizmodo and Motherboard were also on this story for months, reporting off leaks and public records requests. There's likely a lot more to come. More: Ring | Vice | Gizmodo
Wired ($): Well that was embarrassing. @jack's own Twitter account was hacked. Twitter kept details of the hack fairly vague, blaming the stream of unauthorized tweets on his compromised phone number "due to a security oversight by the mobile provider." In other words, AT&T dropped the ball. The SIM swap attack gave the hackers control of his phone number, and Twitter's tweet-by-SMS feature let them post from his account using text messages alone. No need to break into his account, or beat his password and two-factor, if they could just tweet by text message. The lesson: any feature that treats a phone number as proof of identity is only as secure as the carrier's customer service desk. More: TechCrunch | @TwitterComms
Los Angeles Times ($): An anti-terror program, BioWatch, which samples the air for traces of pathogens and bioweapons, mistakenly left sensitive program data outside the government firewall, on a dot-org domain no less. That has since changed. But it's not known if hackers gained access to the system. Officials said they have no idea. The leaked data exposed "the locations of bio-agent detectors across the U.S., test results, a list of pathogens it could detect, and response plans in the event of an attack." More: @latimes tweet thread | @Emily_Baum tweet thread
TechCrunch: Some less bad news this week: Apple is backtracking on its Siri audio review and turning it off by default. Any opt-in review will be done by staff in-house and not contractors as it was before. Apple caught heat for hiring contractors to manually review Siri recordings to improve the voice assistant. Although the recordings were meant to be anonymous, some audio clips contained personally identifiable information. More: Apple | Background: The Guardian
The Verge: Another case has emerged of police asking Google to turn over a dragnet of location data from devices in the vicinity of a crime. This time it was a bank robbery. Unsure of who was behind the heist, police asked Google to hand over all the location records of phone owners in the area surrounding the bank at the time of the robbery. It's not the first time this has happened. Forbes has covered these "reverse location" search warrants for the past year. More: MPR News | Slate | Forbes
Cyberscoop: Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by the National Security Agency, reports Cyberscoop. The course is aimed at introducing students to cyber law and to offensive and defensive cyber operations.
ZDNet: Windows 7 will fall out of support on 14 January 2020, just a few months away. After that, consumers and enterprises alike will no longer receive much-needed security updates. Some enterprises, however, will be able to get a year's worth of extended security updates for free. Everyone else will have to pay. ZDNet has the breakdown of who can get extended updates, and here's the Microsoft document [PDF] for reference.
TechCrunch: Travelers visiting the U.S. are increasingly turned away from the border because of material found on their phones — but sent by other people. You read that right. One would-be Harvard student was recently told he couldn't enter the U.S. because of someone else's social media posts seen by officers during a phone inspection. The same applies to WhatsApp, which automatically downloads photos and videos — even unsolicited messages — to a person's camera roll. (Disclosure: I wrote this story.)
Krebs on Security: Web firewall firm Imperva said this week it was hit by a data breach. Only problem is that Imperva's post was about as clear as mud. Security reporter Brian Krebs reports that customers of Imperva's cloud web application firewall (WAF, formerly Incapsula) who had accounts up to mid-September 2017 had their account data exposed, including email addresses, hashed and salted passwords and, for a subset, API keys and customer-provided SSL certificates. Ouch. If you were a customer then, treat those API keys and certificate private keys as compromised: rotate the keys, re-issue the certificates, change your password and turn on two-factor. You can read Imperva's blog post here.
Sealed cases should stay... well, sealed. But it turns out New York police are using supposedly off-limits mug shots for their massive facial recognition database. Privacy advocates claim that feeding sealed mug shots into facial recognition databases violates state law, reports @michaelhayes.
Here's a fascinating thread on what happens when you load Chrome for the first time on a Windows 10 machine. @jonathansampson also did several other tweet threads looking at other web browsers. It's a pretty interesting read — and one likely to stress out the privacy minded. Mozilla said it will look into it.
An interesting story: Motherboard reports that French police took down a cryptocurrency-mining botnet of close to a million machines with help from Avast, after its researchers found a design flaw in the malware's command-and-control protocol. By seizing the malicious C&C server and replacing it with one built from their reverse engineering, they made the malware on 850,000 computers remove itself without having to remotely run any new code on the infected machines. French police said it was one of the largest botnets in the world today.
About the Author
Cameron is a UK InfoSec veteran and an experienced innovation strategist. He speaks regularly at conferences and industry events about commercial strategy, ecosystem creation and business design. In 2009, he helped found the cyber security startup Vacta Ltd, which was integrated into the ECS Group in 2012. Cameron has successfully implemented innovation programs for several multinational defence, logistics, automotive manufacturers and financial service providers. He previously established the highly successful Berlin Studio for Idean (now part of the CapGemini Invent Group), specialising in service and ecosystem design for autonomous automotive. More recently, Cameron led the team delivering LORCA, the new 13.5M London cyber innovation centre, for Plexal in association with Deloitte, CSIT Belfast and the UK Department for Culture Media and Sport. Cameron advises Casta Spes Technologies, an AI driven robotics startup tackling the challenge of physical perimeter security.
The article has been originally published at: https://www.linkedin.com/pulse/chb-cybersecurity-digest-020919-cameron-hunter-bell/