Latest News

27 mins ago
David Shepardson, Diane Bartz / Reuters

White House Eyes Executive Order That Would Bar U.S. Companies From Using Huawei, ZTE Gear, Sources

The White House is preparing to invoke the International Emergency Economic Powers Act in an executive order to declare a national emergency that would bar U.S. companies from using telecommunications equipment made by China’s Huawei and ZTE, according to sources familiar with the matter. The U.S. and several other countries fear that Huawei and ZTE technology could be used to spy on users on behalf of the Chinese government. The executive order could be issued as soon as January and is unlikely to name Huawei and ZTE specifically, although the intent behind the order is to bar the two companies’ products. Rural telecom operators, in particular, are opposed to the purported order, according to the Rural Wireless Association, because they fear it would also require them to rip out existing Chinese-made equipment without compensation.

53 mins ago
Bate Felix / Reuters

French Personal Data Watchdog Fines Bouygues Telecom Around $286,000 for Exposing More Than Two Million Customers’ Data Online for More Than Two Years

France’s personal data protection authority CNIL has fined Bouygues Telecom 250,000 euros (around $286,000) for a data breach incident that exposed the personal data of more than two million “B & You” entry-level tier customers for more than two years on the Bouygues Telecom website. Bouygues Telecom said it had no evidence the data had been accessed and corrected the problem as soon as it was informed of the matter. Subscribers to the B & You tier prior to 2014 were affected by the breach.

1 hour ago
Zack Whittaker / TechCrunch

Popular Guardzilla Security System Has Flaw That Gives Access to Customer-Uploaded Video Recordings, Researchers

A popular smart security system, Guardzilla, has ignored security researchers’ warnings that its flagship device has several security vulnerabilities, including one (CVE-2018-5560) that allows anyone to access the company’s central store of customer-uploaded video recordings, researchers at 0DayAllDay discovered. Guardzilla’s indoor wireless system, Guardzilla Security Video System Model #: GZ521W, contains a set of hardcoded keys that can be easily extracted, giving a moderately skilled hacker unlimited access to all S3 buckets provisioned for that account. The issue was first discovered on September 29 and was disclosed to the vendor in coordination with security firm Rapid7 on October 24.

5 hours ago
KPIX San Francisco

California Alcohol Retailer BevMo Suffered Credit Card Data Stealing Malware Website Breach, Nearly 15,000 Customers Affected

California-based alcohol retailer BevMo has suffered a data breach on its e-commerce site, BevMo.com, that compromised credit card data of nearly 15,000 customers, according to a notice filed with the California Attorney General’s Office. An investigation by NCR Corporation, BevMo’s website service provider, found that an unauthorized individual gained access to the site and installed “malicious code” on the checkout page, capturing payment information from any orders placed between August 2 and September 26.

6 hours ago
Todd Spangler / Variety

FTC Issues Warning of New Phishing Scam Targeting Netflix Customers

The Federal Trade Commission (FTC) has issued a warning about a new “phishing” scam targeting Netflix customers which requests updated payment information. The email claims the recipient’s Netflix account is “on hold” because the company is “having some trouble with your current billing information” and urges the user to click on a link to update their payment details.

7 hours ago
Stu Woo and Andrew Beaton / Wall Street Journal

Washington Redskins Killed Huawei WiFi Deal After Being Warned Company Was Cybersecurity Threat, Report

The Washington Redskins killed a deal with controversial and embattled Chinese tech giant Huawei in 2014 to provide free WiFi through the suites at the team’s FedEx Field in exchange for advertising after being warned that the company was a cybersecurity threat, a source familiar with the matter said. After Huawei issued press releases and tweets celebrating the partnership, Michael Wessel, a member of the U.S.-China Economic and Security Review Commission, raised concerns about the deal because of the number of federal officials who visit FedEx Field. The deal eventually went to Verizon and Cisco.

7 hours ago
Charlie Osborne / ZDNet

‘Reputation-Jacking’ Business Email Compromise Scheme Uses Google Cloud Storage to Bypass Security Mechanisms, Researchers

A new business email compromise scheme aimed at bank and financial service employees in the U.S. and UK has been spreading malware through Google Cloud Storage, researchers at Menlo Security report. The scheme has been active since August of last year, with the phishing messages containing malicious .zip or .gz files stored on storage.googleapis.com. The use of popular, legitimate services, such as Google Cloud Storage, to circumvent security measures when deploying malware, has been dubbed “reputation-jacking” by the researchers. In this particular campaign, if the victims download and execute the files, the VBS scripts and JAR files act as droppers to download and execute Trojans from the Houdini malware family, which moves laterally through networks to execute ransomware or cryptojacking malware.

3 days ago
Cyrus Farivar / Ars Technica

ACLU, Civil Liberties Organizations Sue Eleven Federal Agencies Demanding They Reveal How They ‘Legally Hack’ Entities

The American Civil Liberties Union, along with UK-based Privacy International and the University at Buffalo Law School’s Civil Liberties & Transparency Clinic, has filed a Freedom of Information Act lawsuit against eleven federal agencies demanding disclosure of basic information about government hacking. Contending that the government reveals little about how it “legally hacks” entities, the lawsuit demands that the agencies disclose which hacking tools and methods they use, how often they use them, the legal basis for employing these methods, and any internal rules that govern them, along with internal audits or investigations related to their use.

3 days ago
Catalin Cimpanu / ZDNet

Over 19,000 Orange Modems Are Leaking WiFi Credentials By Exploiting Bug That Can Allow On-Location Proximity Attacks, Enable Botnets

Nearly 19,500 Orange Livebox ADSL modems are leaking WiFi credentials, researcher Troy Mursch, co-founder of Bad Packets, discovered when one of his company’s honeypots detected at least one threat actor scanning heavily for Orange modems. The attacker is exploiting a vulnerability affecting Orange LiveBox devices (CVE-2018-20377), first described in 2012, which allows a remote attacker to obtain the WiFi password and network ID (SSID) for the modem’s internal WiFi network just by accessing the modem’s get_getnetworkconf.cgi. The vulnerability can be used for on-location proximity attacks and to build online botnets.

5 days ago
Steven Luke and R. Stickney / NBC San Diego

San Diego Unified School District Suffered Data Breach Compromising Personal Data of As Many As 500,000 Students

San Diego Unified School District officials are informing parents and former students of a large data breach that compromised personal data including Social Security numbers, birth dates, phone numbers, state student identification numbers and more from as many as 500,000 students. The breach dates back to January 2018 and was discovered in October and affects students from as far back as 2008. The District sent a letter to students saying “[s]taff determined an unauthorized person or persons, was gathering network access log-in information from staff and using that information to log into the district’s network services, including the district student database.” The unauthorized person had the ability to change the data accessed.

5 days ago
David Shepardson, Makini Brice / Reuters

Justice Department Arrests Chinese National For Stealing Trade Secrets From Employer, Oklahoma Petroleum Company Phillips 66

The Justice Department has arrested a Chinese national, Hongjin Tan, for stealing trade secrets from his employer, the Oklahoma, U.S.-based petroleum company Phillips 66, related to a product worth more than $1 billion. The Department alleged that Tan downloaded hundreds of files related to the manufacture of a “research and development downstream energy market product,” which he planned to use to benefit a company in China that had offered him a job. Tan was responsible for research and development in Phillips 66’s battery program and for developing battery technologies using its proprietary processes. The FBI found on Tan’s laptop an employment agreement from a Chinese company that has developed production lines for lithium ion battery materials.

5 days ago
Julian E. Barnes / New York Times

Classified Intel Community Report Says Russia Ran Polarizing Propaganda Campaign During U.S. Midterm Elections

Russian propaganda operations aimed at polarizing the U.S. electorate took place prior to the 2018 midterm elections, but there was no corresponding Russian campaign to compromise the actual voting infrastructure, an assessment by Dan Coats, Director of National Intelligence, concludes. Russia continued to use social media, fake personas, and Moscow-controlled media to influence positions on opposite ideological sides with an aim of further polarizing the United States, the report says. The report, which is classified, was sent to the White House and is not expected to be made public.

6 days ago
Zack Whittaker / TechCrunch

Anonymous Social Network Blind Exposed A Wealth of Account Data, Posts, Comments Via Unsecured Database

Blind, an app-based “anonymous social network” designed to reveal malfeasance and improper conduct at companies, which is popular among major tech companies such as Apple, Facebook, Google, Microsoft, Twitter, Uber and more, left one of its database servers exposed without a password, allowing anyone to gain access to users’ account information and identify would-be whistleblowers, a security researcher who goes by the handle Mossab H discovered. The researcher found one of the company’s Kibana dashboards for its backend ElasticSearch database, which contained several tables, including private messaging data and web-based content, for both of its U.S. and Korean sites. The database provided a real-time stream of user logins, user posts, comments, and other interactions, allowing anyone to read private comments and posts as well as the unencrypted private messages between members but not their associated email addresses. The database also included plaintext emails, passwords stored as outdated and easy-to-crack MD5 hashes, login records and user account access tokens. Blind said the exposure only affects users who signed up or logged in between November 1 and December 19. Blind pulled the database only after TechCrunch followed up on an earlier email.

6 days ago
Christopher Bing, Jack Stubbs, Joseph Menn / Reuters

China’s Cloudhopper Hackers Breached IBM, Hewlett Packard Enterprise, Then Attacked Clients, Sources

Hackers working for China’s Ministry of State Security breached the networks of Hewlett Packard Enterprise and IBM, then used the access to hack into their clients’ computers as part of a Chinese campaign known as Cloudhopper, according to five sources familiar with the attacks. The U.S., UK, Australia, New Zealand and Canada all condemned the campaign, and the Justice Department brought charges against two of the hackers. IBM said it had no evidence that sensitive corporate data had been compromised. Hewlett Packard Enterprise (HPE) said it could not comment on the Cloudhopper campaign.

6 days ago
Manish Singh / VentureBeat

India Authorizes Ten Federal Agencies to Intercept, Monitor, Decrypt Data on Any Computer, Failure to Comply With Government Requests Punished With Seven Years in Prison

In an unprecedented move for any world government, Narendra Modi’s government in India has authorized 10 central agencies to intercept, monitor, and decrypt data on any computer. The government broadened the scope of Section 69 of the nation’s IT Act, 2000 to require a subscriber, service provider, or any person in charge of a computer to “extend all facilities and technical assistance to the agencies.” Punishment for failing to comply with requests under the new law is seven years of imprisonment and an unspecified fine. Each case of interception, monitoring, and decryption is to be approved by the competent authority, which is the Union Home Secretary. India’s Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Research and Analysis Wing, Directorate of Signal Intelligence (in service areas of J-K, North East, and Assam), and Delhi Police have all been authorized to demand these actions.

6 days ago
Jackie Crosby / Minneapolis Star Tribune

Caribou Coffee Discloses Point-of-Sale Data Breach Affecting 265 Stores, Customer Names, Payment Card Data Stolen

Caribou Coffee disclosed Thursday that customers’ credit card numbers and other security information may have been accessed as part of a point-of-sale data breach at 265 of its company-owned stores. Caribou first discovered the data breach on November 30 affecting customers who made a purchase with a credit or debit card between Aug. 28 and Dec. 3. Among the data compromised in the breach are customers’ names, credit card numbers, expiration dates and security codes. Most of the affected stores are in Minnesota but stores in ten other states were affected as well.

7 days ago
Kevin Collier / Buzzfeed News

Five Eye Countries Align in Condemning Chinese State Hackers, More Countries Might Join Them

At least four other countries have condemned the Chinese state hackers that the FBI and Justice Department have accused of hacking foreign businesses and organizations to benefit China’s own companies. The statements condemning the hackers have come from the US’s closest intelligence-sharing partner, the United Kingdom, followed by Australia, Canada, and New Zealand, America’s so-called “Five Eye” partners, marking only the second time those countries have jointly accused a country of malicious cyber activity, following the Five Eye joint condemnation of Russia’s hackers earlier this year. Officials from several other countries say they also plan to join the chorus against Chinese hackers.

7 days ago
Catalin Cimpanu / ZDNet

Researcher ‘SandboxEscaper’ Publishes Proof-of-Concept for New Windows Zero-Day Flaw For Third Time, GitHub Account Taken Down

A security researcher known only under the pseudonym of SandboxEscaper has published proof-of-concept code online for a new zero-day vulnerability affecting the Microsoft Windows operating system, marking the third time this same researcher has posted a Windows zero-day online since August. Few details are available, but it’s known that the zero-day impacts ReadFile, the de facto Windows OS function for reading data from files, and that it’s an elevation of privilege exploit that allows a low-privileged user to read any file that can be accessed by the Local System account. The researcher’s GitHub account was taken down shortly after they posted the proof-of-concept code. Last week, the US Federal Bureau of Investigation (FBI) subpoenaed Google requesting details about their account.

7 days ago
Brian Krebs / Krebs on Security

Feds Seize and Shutter Fifteen Different DDoS Attack-for-Hire Sites, Bring Charges Against Two of the Alleged Operators

Federal authorities seized and shut down 15 different “booter” or “stresser” sites, DDoS attack-for-hire services that helped paying customers to launch tens of thousands of attacks capable of knocking Web sites and entire network providers offline. A seizure notice featuring the seals of the U.S. Justice Department, FBI and other law enforcement agencies appeared on the booter sites. In conjunction with the seizure and shut down of the stresser sites, Matthew Gatrel and Juan Martinez, the alleged operators of “Downthem,” a booter service the government says helped around 2,000 customers launch debilitating digital assaults at more than 200,000 targets, were charged in a Los Angeles federal court this week.

1 week ago
Holger Bleich / c't Magazine

Amazon Revealed to a Customer 1,700 Alexa Voice Files Recorded in a Stranger’s Living Room, Bedroom and Shower

A German Amazon customer, making use of his right to personal data access granted by the new EU General Data Protection Regulation (GDPR), also gained access to around 1,700 Alexa voice files recorded in a stranger’s living room, bedroom, and shower. After attempting to inform Amazon of the error, which the customer claimed Amazon ignored, the customer sent the data to c’t magazine, which, based on details such as the people’s names and local weather forecasts recorded in the files, was quickly able to identify the unfortunate Echo user whose data Amazon had illegally revealed. The victim was shocked when told what happened.

Podcasts

8 hours ago
Cyber Security Sauna / F-Secure

Episode 18 | Online Dating and Trading Data for Love (It’s Complicated)

Sean Sullivan joins Janne Kauhanen this episode to discuss the balancing act of maintaining your privacy while finding a match, avoiding romance scams and the tradeoffs you’re making when using Tinder and apps like it.


9 hours ago
ISC StormCast

Problems with IE Emergency Patch; Bitcoin Blacklists; D-Link Password Overflow

Johannes Ullrich talks about problems with the IE emergency patch, Bitcoin blacklists, and the D-Link DIR-816 A2 stack overflow.


9 hours ago
Brakeing Down Security

End of the Year Podcast

Jerry Bell, Bill Gardner, Amanda Berlin, and Bryan Brake host the end of the year podcast.


9 hours ago
If Then / Slate

Aftermath of a Data Breach

Josephine Wolff, a professor of public policy at Rochester Institute of Technology and the author of You’ll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches, talks with April Glaser and Will Oremus about some of the most significant breaches in the last decade, how the companies holding that information have been held accountable, and what it means for the everyday user who just wants to shop at Target.


Cybersecurity Events

Jan. 7-10: Flocon, New Orleans, LA, USA
Jan. 18-20: ShmooCon, Washington, DC, USA
Jan. 21-26: SANS Miami, Miami, FL, USA
Jan. 21-28: Cyber Threat Intelligence Summit, Arlington, VA, USA
Jan. 26: BSides Long Island, Glen Head, NY, USA
Jan. 28-30: Enigma 2018, Burlingame, CA, USA
Feb. 15-16: OffensiveCon, Berlin, Germany
Feb. 25-Mar. 3: Open-Source Intelligence Summit, Alexandria, VA, USA
Mar. 1-2: Nullcon, Goa, India
Mar. 10: BSides San Jose 2018, San Jose, Costa Rica
Mar. 13-14: Tactical Edge, Bogota, Colombia
Mar. 18-22: TROOPERS19, Heidelberg, Germany
Mar. 26-29: BlackHat Asia, Singapore, Singapore
Apr. 11-12: CypherCon, Milwaukee, WI, USA
Apr. 16-19: LocoMocoSec, Kauai, Hawaii, USA

