Your favourite news roundup from the last seven days across cybersecurity, infosec and digital defence.
- Lloyds Bank says a new high-tech defence system which sniffs out fraudsters before they can strike has stopped more than 2,000 customers losing cash so far. Called “the Rat” by the fraud team at Lloyds, the technology looks for signs of unusual and suspect behaviour when people log into its banking services – which does not match customers’ normal habit
- High-profile YouTubers have been targeted by cybercriminals over the weekend [21/22 September] in what appears to have been a highly coordinated and "massive" attack.
- A new real estate email scam has cybercriminals cashing in. Losses have soared from $360 million in 2016 to $1.3 billion last year.
- Russian hacker Andrei Tyurin has pleaded guilty to involvement in a massive data theft that targeted several financial firms, including JPMorgan Chase.
- Airbus played down the risk of cyberattacks on Friday and said it had "appropriate measures" to mitigate any danger after an AFP investigation revealed a series of hacking incidents targeting the European aerospace giant.
- A UK teenager convicted of hacking TalkTalk has been indicted in the US for a cryptocurrency computer fraud involving at least $800,000 (£640,000).
- Comscore, a company whose performance metrics are widely touted in the media world, has settled with the SEC following charges of inflating its own metrics.
- A hacking group has targeted U.S. veterans through a fake hiring website hosting malware, according to research published Tuesday. The hacking unit, known as Tortoiseshell, created the Hire Military Heroes website.
- Hackers are looking into injecting card-stealing code on routers, rather than websites. Magecart (web skimming) attacks are evolving in a direction where they're gonna be harder and harder to detect.
Wired ($): This year's Def Con Voting Village results are out. Some voting machines still contain vulnerabilities dating back decades. Most of the six machines tested during the security conference are still in use today. What's the US Congress doing about it? More: Voting Village report [PDF] | @mattblaze
Ars Technica: The new "Checkm8" exploit published this week allows users to jailbreak their iPhone X and earlier devices. The bug is said to be unpatchable because the bootrom contains read-only memory inside a chip. It's the biggest exploit for iPhones in years. Malwarebytes said the bug can be exploited even on a locked device. Meanwhile, Trail of Bits noted that the exploit doesn't allow the phone contents to be decrypted. In a later interview, the developer said the exploit may not be used to exfiltrate data but could still allow a backdoor to be installed. More: ipwndfu on GitHub | Malwarebytes | @chronic
Ars Technica: A Russian national has admitted to carrying out the 2014 breach at JP Morgan Chase, which generated hundreds of millions of dollars in illicit revenue. Some 80 million banking clients were affected by the breach. The hacker could serve between 15 and 20 years in jail. More: Justice Dept. | Background: Ars Technica
Motherboard: First it started out with Crowdstrike trending on Twitter because Trump mentioned the cybersecurity company in a call with the Ukrainian president — for reasons not quite known — and ended with news of a secret server containing tons of highly classified presidential recordings. This Motherboard report dives into what Trump was doing with the codeword-level server based off former National Security Council officials, and why it matters — regardless of your political persuasions. More: Cyberscoop | Wall Street Journal ($)
Forbes: High-profile Tibetans have seen their Apple iPhones and Android devices targeted by one-click exploits delivered in messages sent over WhatsApp. A victim only had to tap on a link and the attacker would get access to their phone. Those are the latest findings from Citizen Lab. It's the same hacking group, said to be China, that targeted Uyghurs, the researchers said. More: TechCrunch | Citizen Lab
DoorDash: The food delivery giant is blaming an unknown third party for a data breach affecting 4.9 million users, including users and merchants, as well as the theft of 100,000 driver's licenses of delivery workers. Anyone who signed up before April 5, 2018 is affected. The company wouldn't say why it took months to detect the breach, or answer even the most basic of questions. It comes a year after customers said their accounts had been hacked. More: Motherboard
NPR: Last week it was the Lamo story, this week the same reporter took on how the NSA is targeting Islamic State fighters. "ISIS routinely used encrypted apps, social media and splashy online magazines and videos to spread its message, find recruits and launch attacks." This dives into how the NSA fights back using phishing emails to plant malware, open backdoors, conduct recon and then crash critical servers. More: NPR
Koen Rouwhorst: Twitter user @koenrh found that Dropbox Paper publicly exposes the name and email address of any Dropbox user who has ever opened a document. Rouwhorst said this seems "problematic." Dropbox said it won't fix the apparent issue.
Motherboard: Vice looks at Project Zero, Google's elite vulnerability finding unit. The hackers find bugs day in and day out, from Google and afar, as part of an effort to make the internet safer. @lorenzoFB looks at the current exploit market for some of the most dangerous flaws in the world — and how Project Zero plays its part.
Cyberscoop: AB5 will change how employers classify independent contractors, but some say it may also affect bug bounty companies — like Bugcrowd and HackerOne — which help other companies fix security flaws through crowdsourced bounties. "If a bug bounty company’s primary job is to test companies by hiring out that work to contractors, that work is now questionable," said one expert speaking to Cyberscoop.
The Guardian: Many suspected it but now there's proof. A leaked document confirms Chinese video app TikTok instructs its moderators to censor videos that mention Tibet, the banned religious group Falun Gong, and any mention of Tiananmen Square. China has one of the most restrictive internets in the world. TikTok said the rules are "no longer in use."
A zero-day affecting Internet Explorer is under active exploitation. Microsoft issued out-of-band patches this week to all supported Windows versions to patch the vulnerability. Homeland Security issued its own advisory warning users of the issue.
New documents received by @alfredwng show Ring was working on a system that would trigger the cameras on its video-enabled doorbells in the vicinity of incoming 911 calls. Ring, for its part, said the system was no longer being pursued.
Microsoft said this week it'll continue to ask that the government allow it to inform customers when it comes for their data. The software giant said "sneak and peek" searches are unlawful, despite losing the case in federal court. This tweet thread from @dinabass runs through the issue simply.