6 hours ago

Password Manager LastPass Releases Update to Fix Dangerous Bug Reported by Google Project Zero’s Ormandy

Password manager LastPass has released an update to fix a dangerous and potentially exploitable security bug that exposes credentials entered on a previously visited site, a flaw discovered last month by Tavis Ormandy, a security researcher with Google’s Project Zero. LastPass fixed the reported issue in version 4.33.0, released last week on September 12, and said the bug only affects its Chrome and Opera browser extensions. Users who haven’t enabled automatic updates for their browser extensions are advised to perform a manual update as soon as possible, because Ormandy has now published details of the flaw he found. (ZDNet)
11 hours ago

Tor Project Has Raised $86,000 For Bug Fund That Pays Developers to Fix Critical Bugs

The Tor Project has raised $86,000 for a Bug Bash Fund that will be used to pay developers to quickly fix critical bugs in the privacy-oriented Tor browser. The types of bugs Tor considers critical include privacy issues such as the browser leaking an IP address, problems with signing certificates for Tor add-ons, and the work of evaluating and upgrading the Tor browser to new Firefox ESR releases. Donors to the fund can track how the money is being used, as the project will tag any bug tickets that draw on it with the “BugSmashFund” tag. (Bleeping Computer)
11 hours ago

Smash Hit Mobile App TikTok Might Be Complying With China’s ‘Great Firewall’ by Censoring Videos Related to Hong Kong Protests, Researcher

TikTok, which has quickly become one of America’s most popular mobile apps, might be bringing Chinese-style censorship to mainstream U.S. audiences, judging by the app’s dearth of videos related to the protests in Hong Kong, said Yaqiu Wang, a Hong Kong-based researcher for Human Rights Watch. TikTok’s parent company, Beijing-based ByteDance, said in a statement that U.S. user data is stored domestically and that the app’s content and moderation policies in the U.S. are led by a U.S.-based team not influenced by the Chinese government. Even though ByteDance is required to comply with China’s “Great Firewall,” which blocks major news sources and censors what the party regards as objectionable facts and ideas, ByteDance says the lack of Hong Kong protest videos on its app reflects its audience’s desire for positive and joyful content. (Washington Post)
12 hours ago

Misconfigured Database Exposed Personal Records of Most Ecuadorians Including Nearly Seven Million Children

In one of the biggest breaches in the country’s history, the personal records of most of Ecuador’s population, including 6.78 million children, were left exposed online in a misconfigured Elasticsearch server owned by an Ecuadorian analytics service named Novaestrat, according to Noam Rotem and Ran Locar of vpnMentor, whose findings ZDNet confirmed. The server contained a total of approximately 20.8 million user records, a number larger than the country’s total population because of duplicate records. The exposed data included names, information on family members and family trees, civil registration data, financial and work information, and data on car ownership. The most extensive data appears to have been collected from the Ecuadorian government’s civil registry. ZDNet and vpnMentor confirmed records for the country’s president and even for Julian Assange, who once received political asylum from the small South American country and was issued a national ID number (cedula). Other data appeared to have been imported or scraped from BIESS, the Banco del Instituto Ecuatoriano de Seguridad Social, and contained financial information for some Ecuadorian citizens, such as account status, account balance, credit type, and information about the account owner, including job details. Further data appeared to have been imported or scraped from AEADE, the Asociación de Empresas Automotrices del Ecuador, and contained information on car owners and their cars, including car models and license plates. The database was eventually secured late last week, but only after vpnMentor reached out to Ecuador’s CERT (Computer Emergency Response Team). (ZDNet)
15 hours ago

In New Memoir Whistleblower Edward Snowden Says Predicted Harms From His Disclosures Have Not Come to Pass, Warns That Greatest Surveillance Dangers Lie Ahead in Facial and Pattern Recognition

During an interview to mark the publication of his memoirs, Permanent Record, former NSA contractor and whistleblower Edward Snowden said dire warnings that his disclosures would cause harm had not come to pass, and even former critics now conceded “we live in a better, freer and safer world” because of his revelations. In his book, Snowden outlines what led him to leak details of the secret programs being run by the US National Security Agency (NSA) and the UK’s secret communication headquarters, GCHQ. He also warns that the greatest surveillance dangers lie ahead in the form of artificial intelligence capabilities, such as facial and pattern recognition. Snowden further said he’s reconciled to living in exile in Russia for years to come although reports following this interview state that Snowden is calling on France to grant him asylum. (The Guardian)
18 hours ago

In ‘Stunning’ Breakthrough, Russia Cracked Encryption Used by FBI’s Mobile Surveillance Teams to Track Russian Spies, Which Led to Obama Seizing Russian Estates, Intelligence Officials

In a “stunning” technical breakthrough in 2011, Russia developed the ability to crack certain types of encryption used by the FBI’s mobile surveillance teams to track the movements of Russian spies on American soil, while also compromising the FBI teams’ backup communications systems, according to a Yahoo investigation that drew on more than 50 current and former intelligence and national security officials. The discovery of Russia’s new-found capabilities was in part the secret rationale for the Obama administration to expel three dozen Russian diplomats and seize two rural East Coast estates in Maryland and New York owned by the Russian government on December 29, 2016. The discovery of the operation also caused the FBI and CIA to cease contact with some of their Russian assets, and prompted tighter security procedures at key U.S. national security facilities in the Washington area and elsewhere. Those facilities were “basically being used as signals intelligence facilities,” with some of the clandestine eavesdropping annexes staffed by the wives of Russian intelligence officers. Counterintelligence officials from the FBI and CIA held limited briefings about the discovery of the eavesdropping for Congressional committee leadership and staff directors. (Yahoo News)
18 hours ago

Australian Signals Directorate Attributed Cyberattacks on Parliament, Political Parties to China but Report Kept Under Wraps to Avoid Disrupting Trade Relations

The Australian Signals Directorate (ASD) concluded in a classified report last March that China was responsible for a cyber-attack on its national parliament and three largest political parties before the general election in May, according to five sources. The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, according to two of the sources. The attack on parliament was revealed last February with authorities at that time saying an unnamed sophisticated attacker was the culprit. The ASD also determined that the attackers accessed the networks of the ruling Liberal party, its coalition partner the rural-based Nationals, and the opposition Labor party, two of the sources said. (Reuters)
3 days ago

RCMP Arrest One of Their Own Senior Intelligence Officials for Espionage Dating Back to 2015, Amassed Terabytes of Sensitive Information and Now Stands Accused of Passing Information to Foreign Entity

In what could be one of the worst cases of espionage the country has ever experienced, Canada’s national police have arrested a senior intelligence official in the RCMP, Cameron Ortis, who now faces seven counts dating as far back as 2015, including breach of trust, communicating “special operational information,” and obtaining information in order to pass it to a “foreign entity.” The case was uncovered by U.S. authorities as part of a wider operation involving NATO allies and the Five Eyes countries of Canada, Australia, New Zealand, the U.S. and U.K. The charges did not specify which foreign entity or what type of information, but a source said he had amassed “terabytes of information,” including a list of undercover operatives. John MacFarlane, Public Prosecution Service of Canada official, said Ortis was accused of having “obtained, stored, processed sensitive information we believe with the intent to communicate it to people that he shouldn’t be communicating it to.” (Global News)
3 days ago

Apple’s Upcoming iOS 13 Has Reappearance of Lock-Screen Bypass That Gives Attackers Access to Contact List

Apple’s upcoming iOS 13, slated for release on September 19, appears to have the same sort of lock-screen bypass that plagued previous versions of the iThing firmware, security researcher Jose Rodriguez has demonstrated in a video. The bypass involves receiving a call, opting to respond with a text message, and then changing the “to” field of the message, which can be accomplished via VoiceOver. The “to” field pulls up the owner’s contacts list, giving an unauthorized miscreant the ability to crawl through the address book without ever needing to actually unlock the phone. Apple refused to give Rodriguez a bug bounty for discovering this flaw because, the company says, researchers can’t claim bug rewards on beta builds of the operating system. (The Register)
3 days ago

T-Mobile Offers an Unpublicized Feature Called NOPORT That Offers Greater Protection Against SIM Swapping Attacks

T-Mobile has a feature called NOPORT that gives its customers more protection from hackers trying to steal their phone numbers, but the carrier doesn’t advertise it publicly and won’t even talk about it. NOPORT makes it harder for a hacker to hijack a phone number with a SIM swapping attack by requiring the customer to physically come to a store and present a photo ID in order to request that the number be ported out to a different carrier or moved to a new SIM card. NOPORT is not documented on any T-Mobile website; the carrier prefers to push its Port Validation process, which requires customers to create a special PIN for making changes to their accounts. (Motherboard)
3 days ago

London Police Arrest Man Under Investigation by Manhattan D.A. for Hacking Famous Music Acts to Steal Unreleased Songs

City of London Police arrested a 19-year-old man in Ipswich, a town in rural east England, on suspicion of hacking famous music acts to steal unreleased songs and sell them for cryptocurrency. The police arrested him after receiving a tip from the Manhattan District Attorney’s (D.A.) office which had been investigating the case based on referrals from the management companies of the recording artists. Neither the suspect nor the artists targeted in the scam were identified. (Reuters)
3 days ago

Cloudflare Rose 20% During First Trading Day on Public Market

Shares of security company Cloudflare rose 20% in its first day of trading on the public market, closing up $22 at $18 after it priced its IPO at $15 a share. Combined with its venture backers’ funding and the first trading day haul, Cloudflare has now raised one billion dollars. The dual-class structure under which the company went public gives all employees 10 times the voting rights of the shares sold to the public. (TechCrunch)
4 days ago

Treasury Department Imposes Sanctions on Three North Korean State-Sponsored Hacking Groups

The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions targeting three North Korean state-sponsored malicious cyber groups, Lazarus Group and two of its sub-groups known as Bluenoroff and Andariel, which the government said are responsible for North Korea’s malicious cyber activity against critical infrastructure. All three groups are controlled by the U.S.- and United Nations (UN)-designated RGB, which is North Korea’s primary intelligence bureau. Lazarus Group was, among other things, involved in the destructive WannaCry 2.0 ransomware attack, which the United States, Australia, Canada, New Zealand, and the United Kingdom publicly attributed to North Korea in December 2017. Bluenoroff has attempted to steal over $1.1 billion from financial institutions and, according to press reports, had successfully carried out such operations against banks in Bangladesh, India, Mexico, Pakistan, Philippines, South Korea, Taiwan, Turkey, Chile, and Vietnam. Andariel has committed a host of financial crimes and was observed by cybersecurity firms attempting to steal bank card information by hacking into ATMs to withdraw cash, or stealing customer information to later sell on the black market, the Treasury Department stated in its announcement. (CNBC)
4 days ago

Election Officials and Security Experts Blast What Many Say Is a Quick-Buck, Error-Filled Election Security Report by Little-Known Cybersecurity Firm NormShield

Little-known Virginia-based cybersecurity company NormShield marketed to election officials across the country what it called “Rapid Cyber Risk Scorecards” that promised assessments of vulnerabilities in their internet-facing election systems, assessments that many officials say were riddled with errors and unhelpful for assessing actual election security. The putatively error-filled scorecards prompted multiple states to confront NormShield about the reports and federal government agencies to privately call NormShield irresponsible, while nonprofit groups panned NormShield’s failure to appropriately notify the states of vulnerabilities before threatening to report them publicly. Earlier this week NormShield published its work and garnered high-profile press attention from leading publications, in articles that were likewise error-filled. The publication of NormShield’s work sparked an outcry from state election officials and election security experts, who say NormShield is looking to make a quick buck off a hot topic with little accuracy behind its so-called research. (ProPublica)
4 days ago

North Korea’s Kimsuky Group Expands Campaign to Spy on Experts Researching Nuclear Deterrence, North Korea’s Nuclear Sub Program and North Korean Economic Sanctions

North Korea-linked hackers known as the “Kimsuky” group have expanded their campaign, dubbed “Autumn Aperture,” to spy on experts researching nuclear deterrence, North Korea’s nuclear submarine program, and North Korean economic sanctions, researchers from Prevailion say. The group has previously been tied to campaigns targeting South Korean entities and the academic sector. The attackers spread the spying malware through trojanized documents, sent via spear-phishing emails, that the victims were likely expecting to receive. (Axios)