Other articles we’re reading

Unwanted Truths: Inside Trump’s Battles With U.S. Intelligence Agencies. Since his campaign, Donald Trump has waged a war with the intelligence community. Today cowed intel officers steer clear of the topic of Russia and shy away from telling him the truth. Robert Draper has an astonishing story in the New York Times Magazine.

Russia Continues Interfering in Election to Help Trump, U.S. Intelligence Says. Russia and China are duking it out to influence the U.S. election this year, but Russia is the graver threat, intelligence officials say. The New York Times’ Julian Barnes has the story.

NCSC Offers Seven-Question Guidance on Cyber Insurance. Is cybersecurity insurance worth it? The UK’s National Cyber Security Center (NCSC) has guidance that highlights seven key cybersecurity questions for businesses to address to help them make more informed decisions around cyber insurance, Dan Raywood at Infosecurity Magazine reports.

The Department of Homeland Security is a rogue agency. Democrats must take action. The Nation’s Ken Klippenstein discovered that DHS was spying on journalists, and each day new revelations emerge that DHS is abusing its spying powers, Trevor Timm points out in this Guardian essay.

1 month ago

This Version of Metacurity is on Hiatus While We Move to a New Format

While Metacurity has been a wonderful challenge over the past five years, it makes no financial sense in its current format. Therefore, we are going on hiatus until after Labor Day to create a new newsletter version of Metacurity. We are also going to set up an automated page, behind a paywall, that is lightly edited, with no original summaries, updated once per day, offering the same curated and clustered cybersecurity news developments you’ve come to expect from the site. Thanks to our smart and steady readers out there, and please sign up for our updates. Read more about this development here.
1 month ago

Online Exam Proctoring Company ProctorU Has Confirmed Data Breach, 440,000 People Allegedly Affected

Online exam proctoring solution ProctorU has confirmed a data breach after a threat actor released a stolen database of user records on a hacker forum. Last month, Bleeping Computer reported that a known data breach seller had leaked 18 companies’ databases for free on a hacker forum. One of the leaked databases was for Proctoru.com and contains user records for 444,000 people allegedly registered at the online proctoring service. The database contains email addresses, full names, addresses, phone numbers, hashed passwords, the affiliated organization, and other information. Some of the colleges and universities that may be impacted are North Virginia Community College, UCLA, Princeton, University of Texas, Harvard, Yale, Syracuse University, Columbia, UC Davis, and many more. (Bleeping Computer)
1 month ago

Chinese Government is Blocking Encrypted HTTPS Connections That Use TLS 1.3 and ESNI

Since the end of July, the Chinese government has deployed an update to its national censorship tool, the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using interception-proof protocols and technologies, according to a joint report published this week by three organizations tracking Chinese censorship — iYouPort, the University of Maryland, and the Great Firewall Report. Chinese officials are only targeting HTTPS traffic that is set up with new technologies like TLS 1.3 and ESNI (Encrypted Server Name Indication). (ZDNet)
2 months ago

Russia and China in Tug-of-War Over U.S. Election, With Russia the Graver Threat, U.S. Intelligence Officials Say

Russia is using a range of techniques to denigrate Joseph R. Biden Jr., while China prefers to defeat Donald Trump, American intelligence officials said Friday in their first public assessment that Moscow continues to try to interfere in the 2020 campaign to help Trump. Even though there is a push-pull among these two leading foreign powers as to who should lead the United States, officials say Russia is the far graver threat. Russia is deploying a range of measures that are dangerous to the American body politic, while China has so far signaled its position mostly through increased public criticism of the administration’s tough line on China on a variety of fronts. Mr. Evanina and other intelligence officials have expanded their warnings about election interference beyond Russia and have included China and Iran during briefings on Capitol Hill. (New York Times)
2 months ago

Facebook Launches Static Analyzer Called Pysa for Finding Bugs in Instagram’s Vast Python Codebase

Facebook today formally launched one of Instagram’s secret tools for finding and fixing bugs in the app’s vast Python codebase, a static analyzer named Pysa. Facebook said that in the first half of 2020, Pysa detected 44% of all security bugs in Instagram’s server-side Python code. (ZDNet)
2 months ago

Small Government Contractor Anomaly Six Can Track Movements of Hundreds of Millions of Mobile Phones Worldwide, Draw Location Data From More Than 500 Apps

A small U.S. company called Anomaly Six LLC with ties to the U.S. defense and intelligence communities has embedded its software in numerous mobile apps, allowing it to track the movements of hundreds of millions of mobile phones worldwide, according to interviews and documents reviewed by The Wall Street Journal. In its marketing material, Anomaly said it is able to draw location data from more than 500 mobile applications, in part through its own software development kit, or SDK, that is embedded directly in some of the apps. (Wall Street Journal)
2 months ago

U.S. State Department Was Behind Those Puzzling Text Messages Sent to Users in Iran and Russia Offering $10 Million Reward for Nation-State Hacker Identities

The U.S. State Department has admitted it was behind confusing and highly ridiculed text messages sent to people in Iran and Russia, and seemingly elsewhere in the world, offering them a $10 million reward for information about nation-state hackers attempting to interfere in the U.S. election. The State Department said its goal was to raise awareness of the award internationally. (Reuters)
2 months ago

Former Employees Say Online Therapy App Talkspace Applies Data Mining Techniques to Patients’ Chat Transcripts, Gave Employees Burner Phones to Skirt Google App Store’s False Review Screening Mechanism

Online app Talkspace, which lets people talk with a licensed therapist throughout the day, has questionable privacy practices and treats patient chat logs as data mines, according to former employees. Talkspace has been analyzing transcripts to develop bots that monitor and augment therapists’ work, the former employees say. The company also reportedly uses the data to sell Talkspace’s products better. Since the pandemic and recession began, Talkspace’s client base has soared. But in 2015 and 2016, the company purportedly also sought to improve its rating by asking its workers to write positive reviews, even going so far as to give employees “burner” phones to help evade the Google app store’s techniques for detecting false reviews. (New York Times)
2 months ago

Hackers Deface Tens of Reddit Channels to Show Pro-Trump Messages, NFL, Disneyland, Boston Celtics Channels Affected

A massive hack hit Reddit, with tens of Reddit channels hacked and defaced to show messages in support of Donald Trump’s reelection campaign. The Reddit channels defaced include those for NFL, many TV shows, The Pirate Bay, Disneyland, Disney’s Avengers, Boston Celtics, several city channels, and more. The channels have combined tens of millions of subscribers. Although Reddit hasn’t issued any details on the hack, the massive scale of the incident suggests that the intruder(s) might have gained access to a high-privileged moderator or admin account. Channel owners who are having problems have been asked to report them in a Reddit ModSupport thread. The Reddit hack also comes after Reddit banned r/The_Donald, a channel for Donald Trump supporters. (ZDNet)
2 months ago

Troy Hunt Open Sources ‘Have I Been Pwned,’ Asks the Community to Help Support the Effort

On the heels of an aborted merger and acquisition initiative, highly respected cybersecurity expert Troy Hunt has decided to open source his ground-breaking Have I Been Pwned code base. He said he is turning over the code to the public “for the betterment of the project and frankly for the betterment of everyone who uses it.” He said the project solely depends on him and is asking the community to help support the effort. (TroyHunt.com)
2 months ago

Flaws in Qualcomm’s Snapdragon DSP Chip Could Allow Attackers to Control Almost 40% of Smartphones

Six security vulnerabilities were found in Qualcomm’s Snapdragon Digital Signal Processor (DSP) chip that could allow attackers to take control of almost 40% of all smartphones, spy on their users, and create un-removable malware capable of evading detection, researchers at Check Point say. The chips can be found in nearly every Android phone, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more. Qualcomm has already patched the six security flaws found to affect the Qualcomm Snapdragon DSP chip; mobile vendors still have to implement and deliver security fixes to their devices’ users. (Bleeping Computer)
2 months ago

Chinese State-Sponsored Hacking Group ‘Operation Skeleton Key’ Has Compromised at Least Seven Taiwanese Chip Firms

A hacking campaign called Operation Skeleton Key has compromised at least seven Taiwanese chip firms over the past two years, researchers at Taiwanese cybersecurity firm CyCraft say. The deep intrusions, which use a “skeleton key injector” technique, appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. CyCraft previously called the group of hackers Chimera; the company’s new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom. (Wired)
2 months ago

More Than a Dozen Vulnerabilities in Mercedes-Benz E-Class Cars Allowed Security Researchers to Remotely Open Doors, Start Engine

More than a dozen vulnerabilities in a Mercedes-Benz E-Class car allowed security researchers at the Sky-Go Team, the car hacking unit at Qihoo 360, to remotely open its doors and start the engine. The 19 security vulnerabilities are now fixed but could have affected as many as two million Mercedes-Benz connected cars in China. (ZDNet)
2 months ago

Researcher Who Intercepted Signals of Eighteen Satellites Says Satellite Communications Put Millions of People at Risk

Satellite-based Internet is putting millions of people at risk, despite providers adopting new technologies that are supposed to be more advanced, Oxford Ph.D. candidate James Pavur showed. Pavur intercepted the signals of 18 satellites beaming Internet data to people, ships, and planes in a 100 million-square-kilometer swath that stretches across the United States, Caribbean, China, and India. Pavur said current solutions such as VPNs are ineffective for satellite communications and that he is presenting his findings so that the community can devise solutions. (Ars Technica)
2 months ago

Fraudsters Reportedly Responsible for Collecting Millions in COVID-19 Loans, Unemployment Benefits Got Massively Detailed Consumer Dossiers from Little-Known Data Broker Whose Legit Business Customers Were Likely Hacked

A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S. consumer data broker, Interactive Data, also known as IDIdata.com. The fraudsters obtained massively data-rich consumer dossiers from IDI that included full Social Security number and date of birth, current and all known previous physical addresses, all known current and past mobile and home phone numbers, the names of any relatives and known associates, all known associated email addresses, available lines of credit and amounts, vehicle registrations and much more. IDI believes that its legitimate business customers experienced a breach giving the fraudsters access to the data and says the firm is working with law enforcement. Communication among the fraudsters indicates they are cashing out their ill-gotten gains primarily through financial instruments like prepaid cards and a small number of online-only banks that allow consumers to establish accounts and move money just by providing a name and associated date of birth and SSN. (Krebs on Security)