CHB Cybersecurity Digest 30/09/19

by Cameron Hunter Bell

Your favourite news roundup from the last seven days across cybersecurity, infosec and digital defence.

  • Lloyds Bank says a new high-tech defence system which sniffs out fraudsters before they can strike has stopped more than 2,000 customers losing cash so far. Called “the Rat” by the fraud team at Lloyds, the technology looks for signs of unusual and suspect behaviour when people log into its banking services – which does not match customers’ normal habit
  • High-profile YouTubers have been targeted by cybercriminals over the weekend [21/22 September] in what appears to have been a highly coordinated and "massive" attack.
  • A new real estate email scam has cybercriminals cashing in. Losses have soared from $360 million in 2016 to $1.3 billion last year.
  • Russian hacker Andrei Tyurin has pleaded guilty to involvement in a massive data theft that targeted several financial firms, including JPMorgan Chase.
  • Airbus played down the risk of cyberattacks on Friday and said it had "appropriate measures" to mitigate any danger after an AFP investigation revealed a series of hacking incidents targeting the European aerospace giant.
  • A UK teenager convicted of hacking TalkTalk has been indicted in the US for a cryptocurrency computer fraud involving at least $800,000 (£640,000).
  • Comscore, a company whose performance metrics are widely touted in the media world, has settled with the SEC following charges of inflating its own metrics.
  • A hacking group has targeted U.S. veterans through a fake hiring website hosting malware, according to research published Tuesday. The hacking unit, known as Tortoiseshell, created the Hire Military Heroes website.
  • Hackers are looking into injecting card-stealing code on routers rather than websites. Magecart (web skimming) attacks are evolving in a direction where they will be harder and harder to detect.

Some US voting machines still have decade-old flaws.

Wired ($): This year's Def Con Voting Village results are out. Some voting machines still contain vulnerabilities dating back decades. Most of the six machines tested during the security conference are still in use today. What's the US Congress doing about it? More: Voting Village report [PDF] | @mattblaze

Unpatchable bug in millions of iOS devices exploited, developer says.

Ars Technica: The new "Checkm8" exploit published this week allows users to jailbreak their iPhone X and earlier devices. The bug is said to be unpatchable because the bootrom contains read-only memory inside a chip. It's the biggest exploit for iPhones in years. Malwarebytes said the bug can be exploited even on a locked device. Meanwhile, Trail of Bits noted that the exploit doesn't allow the phone contents to be decrypted. In a later interview, the developer said the exploit may not be used to exfiltrate data but could still allow a backdoor to be installed. More: ipwndfu on GitHub | Malwarebytes | @chronic

Russian national confesses to biggest bank hack in U.S. history.

Ars Technica: A Russian national has admitted to carrying out the 2014 breach at JP Morgan Chase, which generated hundreds of millions of dollars in illicit revenue. Some 80 million banking clients were affected by the breach. The hacker could serve between 15 and 20 years in jail. More: Justice Dept. | Background: Ars Technica

What's in Trump's super classified server?

Motherboard: First it started out with Crowdstrike trending on Twitter because Trump mentioned the cybersecurity company in a call with the Ukrainian president — for reasons not quite known — and ended with news of a secret server containing tons of highly classified presidential recordings. This Motherboard report dives into what Trump was doing with the codeword-level server based off former National Security Council officials, and why it matters — regardless of your political persuasions. More: Cyberscoop | Wall Street Journal ($)

Tibetans targeted with Android and iPhone hacks.

Forbes: High-profile Tibetans have seen their Apple iPhones and Android devices targeted by one-click exploits delivered in messages sent over WhatsApp. A victim only had to tap on a link and the attacker would get access to their phone. Those are the latest findings from Citizen Lab. It's the same hacking group, said to be China, that targeted Uyghurs, the researchers said. More: TechCrunch | Citizen Lab

DoorDash breach affects 4.9 million users, drivers, and merchants.

DoorDash: The food delivery giant is blaming an unknown third-party for a data breach affecting 4.9 million users, including users and merchants, as well as the theft of 100,000 driver's licenses of delivery workers. Anyone who signed up before April 5, 2018 is affected. The company wouldn't say why it took months to detect the breach, or answer even the most basic of questions. It comes a year after customers said their accounts had been hacked. More: Motherboard

How the NSA hacked the Islamic State.

NPR: Last week it was the Lamo story, this week the same reporter took on how the NSA is targeting Islamic State fighters. "ISIS routinely used encrypted apps, social media and splashy online magazines and videos to spread its message, find recruits and launch attacks." This dives into how the NSA fights back using phishing emails to plant malware, open backdoors, conduct recon and then crash critical servers. More: NPR

Dropbox Paper exposes document visitors' names and email addresses.

Koen Rouwhorst: Twitter user @koenrh found that Dropbox Paper publicly exposes the name and email address of any Dropbox user who has ever opened a document. Rouwhorst said this seems "problematic." Dropbox said it won't fix the apparent issue.

How Google Project Zero changes the secretive market for exploits.

Motherboard: Vice looks at Project Zero, Google's elite vulnerability finding unit. The hackers find bugs day in and day out, from Google and afar, as part of an effort to make the internet safer. @lorenzoFB looks at the current exploit market for some of the most dangerous flaws in the world — and how Project Zero plays its part.

California's new labor law could impact bug bounty firms.

Cyberscoop: AB5 will change how employers classify independent contractors, but some say it may also affect bug bounty companies — like Bugcrowd and HackerOne — which help other companies fix security flaws through crowdsourced bounties. "If a bug bounty company’s primary job is to test companies by hiring out that work to contractors, that work is now questionable," said one expert speaking to Cyberscoop.

How TikTok censors videos that do not please Beijing.

The Guardian: Many suspected it but now there's proof. A leaked document confirms Chinese video app TikTok instructs its moderators to censor videos that mention Tibet, the banned religious group Falun Gong, and any mention of Tiananmen Square. China has one of the most restrictive internets in the world. TikTok said the rules are "no longer in use."

Emergency patch for Windows zero-day.

A zero-day affecting Internet Explorer is under active exploitation. Microsoft issued out-of-band patches this week to all supported Windows versions to patch the vulnerability. Homeland Security issued its own advisory warning users of the issue.

Amazon's Ring wanted to use 911 calls to activate its video doorbells.

New documents received by @alfredwng show Ring was working on a system that would trigger the cameras on its video-enabled doorbells in the vicinity of incoming 911 calls. Ring, for its part, said the system was no longer being pursued.

Microsoft said it'll continue to fight secrecy orders.

Microsoft said this week it'll continue to ask that the government allow it to inform customers when it comes for their data. The software giant said "sneak and peek" searches are unlawful, despite losing the case in federal court. This tweet thread from @dinabass runs through the issue simply.

If you wish to submit a story, event, research or article to the CHB Cybersecurity Briefing, please email [email protected]. The information contained within the brief is gathered from current, open source data supplied through contacts within diplomatic posts, law enforcement agencies & UK intelligence services. Credit to Dillitas International Risk and Zack Whittaker at TechCrunch.

This information keeps you informed of current security situations and risks within the UK and internationally. Please forward this briefing to colleagues. You can follow Cameron on Twitter @CamHunterBell.

About the Author
Cameron is a UK InfoSec veteran and an experienced innovation strategist. He speaks regularly at conferences and industry events about commercial strategy, ecosystem creation and business design. In 2009, he helped found the cyber security startup Vacta Ltd, which was integrated into the ECS Group in 2012. Cameron has successfully implemented innovation programs for several multinational defence, logistics, automotive manufacturers and financial service providers. He previously established the highly successful Berlin Studio for Idean (now part of the CapGemini Invent Group), specialising in service and ecosystem design for autonomous automotive. More recently, Cameron led the team delivering LORCA, the new 13.5M London cyber innovation centre, for Plexal in association with Deloitte, CSIT Belfast and the UK Department for Culture Media and Sport. Cameron advises Casta Spes Technologies, an AI driven robotics startup tackling the challenge of physical perimeter security.

The article has been originally published at:

Pic: Defcon Voting Village hacking surfaces voting machine security issues. Photograph ROGER KISBY @

September 30, 2019

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013