We Don’t Care About No Stinking 5G Security…

Worse than ignoring the warnings, the Trump administration has repealed existing protections. Shortly after taking office, the Trump F.C.C. removed a requirement imposed by the Obama F.C.C. that the 5G technical standard must be designed from the outset to withstand cyberattacks. For the first time in history, cybersecurity was being required as a forethought in the design of a new network standard — until the Trump F.C.C. repealed it. The Trump F.C.C. also canceled a formal inquiry seeking input from the country’s best technical minds about 5G security, retracted an Obama-era F.C.C. white paper about reducing cyberthreats, and questioned whether the agency had any responsibility for the cybersecurity of the networks they are entrusted with overseeing.

Former FCC Chairman Tom Wheeler in a Washington Post op-ed warning about the lack of security protections for upcoming 5G technology.

58 mins ago

California Family Terrorized with Fake Ballistic Missile Alert Were Victims of Hacker Using Stolen Credentials

An Orinda, California family was briefly terrorized when an emergency broadcast alert followed by a detailed warning of three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago and Ohio was broadcast over their Nest camera system. The family was the victim of a hacker who had gained access to the WiFi-enabled home surveillance device using credentials stolen in third-party data breaches. Nest recommends all customers enable two-factor authentication and said it is actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials. (Mercury News)
9 hours ago

Alphabet’s Jigsaw Develops Quiz to Teach People How to Spot Phishing Emails

Alphabet subsidiary Jigsaw has developed a quiz with Google to teach people how to better spot malicious phishing emails. The quiz walks through eight examples of potentially malicious emails, allowing quiz-takers to customize the examples to make them more realistic. One of the emails is inspired by the emails that tricked Hillary Clinton campaign manager and veteran Republican politician Colin Powell into giving their passwords to Russian hackers. (Motherboard)
9 hours ago

DHS Issues Rare Emergency Directive Ordering Federal Agencies to Audit All DNS Records Following Discovery of DNS Tampering of Executive Branch Domains

The U.S. Department of Homeland Security has issued a rare “emergency” directive ordering federal agencies to audit all DNS records within ten days after becoming aware of a series of incidents involving Domain Name System (DNS) infrastructure tampering that impacted multiple executive branch agency domains. The DNS translates a domain name most users understand to a valid IP address. The Emergency Directive requires agencies to add multi-factor authentication to their DNS accounts, change account passwords, audit their DNS records, and monitor certificate logs. The government shutdown could interfere with agencies’ ability to implement the directive. (Cyberscoop)
13 hours ago

Adobe Issues Unscheduled Security Updates for Experience Manager Platform to Patch Flaws That Can Lead to Information Disclosure

Adobe issued unscheduled security updates for its Experience Manager and Experience Manager Forms products that address several vulnerabilities that can lead to information disclosure. The updates patch a “moderate” rated cross-site scripting vulnerability and an “important” rated stored cross-site scripting vulnerability in Adobe Experience Manager version 6.0 through version 6.4 across all platforms. (SC Magazine)
15 hours ago

Microsoft Issues Second Round of Fixes for Windows 10 This Month Resolving Third-Party Hotspot Authentication Issues

Microsoft has released a second round of fixes for Windows 10 following the monthly Patch Tuesday security updates issued last week. The latest fixes cover the 1803, 1709 and 1703 releases of Windows 10. All three updates resolve an issue that cropped up during the January 8th patching releases which left third-party applications having difficulty authenticating hotspots. Microsoft also issued a patch for the current fast ring version of Windows 10 (aka 19H1) rather than simply issuing an entirely new build, fixing File Explorer getting too attached to USB drives and a GSOD (Green Screen of Death) problem the OS developed over the last couple of versions. (The Register)
22 hours ago

Exposed Communications on a Command and Control Server Used by a Nation-State’s Attackers Show How Easy It Is for Countries to Buy Spyware

It’s easier than ever for countries to obtain high-grade spyware, according to direct evidence, obtained by Andrew Blaich and Michael Flossman of Lookout Security, of some of the deliberations that occur when a nation-state group is trying to develop a cyber surveillance program. The threat actor made several operational security missteps, which resulted in their discovery and allowed the Lookout researchers to gain long-term visibility into their operations. In particular, the researchers uncovered communications found on a command and control server used by the nation-state attackers. The spyware vendors mentioned in the exposed communications included Expert Team, FinFisher, IPS, NSO Group, Ozeda Group, Palantir, Verint, Wintego, and Wolf Intelligence, and the researchers were able to read their sales pitches in the exposed communications. This particular nation-state, which had a budget of $23 million, was looking for a WhatsApp exploit but chose, after being pitched by the various vendors, to build the exploit itself. (Cyberscoop)
23 hours ago

Supposed Indian Cybersecurity Expert Lobs Explosive Claims That India’s 2014 General Election Was Rigged Through Hacking

At a press conference organized in London by the Indian Journalists’ Association (Europe), a supposed cybersecurity expert from Hyderabad, Syed Shuja, claimed via Skype that India’s 2014 general election was “rigged” through the Electronic Voting Machines (EVMs), which, he says, can be hacked. Shuja supposedly worked for the Electronics Corporation of India Ltd (ECIL), the maker of India’s EVMs, from 2009 to 2014. He claimed that the late Union Minister Gopinath Munde knew about the rigging of elections and was considering going public with it, but was “murdered” before he could do that, and that the officer probing Munde’s death, Tanzil Ahmed, also died while he was looking into Munde’s death and was planning to file an FIR regarding the same. (The Quint)
2 days ago

France’s Data Protection Watchdog Fines Google $57 Million for GDPR Violation

France’s data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL), hit Google with a record €50 million (around $57 million) fine for breaching European privacy rules over ad targeting and transparency requirements on its Android mobile operating system, marking the first time Google has been fined under the EU’s GDPR (General Data Protection Regulation). In its announcement, CNIL said the “information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.” Two privacy groups, Max Schrems’ None Of Your Business (noyb) and France’s La Quadrature du Net, had filed complaints to the CNIL in May, arguing that Google processed the personal data of their users for advertising purposes without a proper legal basis. (Politico EU)
2 days ago

WhatsApp Sets Limit of Forwarded Messages to Five to Counter ‘Misinformation and Rumors’

The Facebook-owned WhatsApp messaging platform is now limiting the number of recipients allowed on forwarded messages to five, down from the previous limit of 20 individuals or groups, to curb what it calls misinformation and rumors. WhatsApp says it is trying to clamp down on the spread of fake news, manipulated photos, videos without context, and audio hoaxes, particularly in Asian countries. WhatsApp has been testing the lowered number of recipients in India since July, after the spread of fake news led to a series of violent lynchings in that country. (Venture Beat)
2 days ago

Ex-Employee Blamed for Hack of Popular WordPress Translation Plug-In WPML, Left Backdoor on Server and Spammed Site Users

WPML (or WP MultiLingual), which, with over 600,000 paying customers, is the most popular WordPress plugin for translating and serving WordPress sites in multiple languages, was hacked over the weekend: a hacker defaced its website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. The developers blamed the hack on an ex-employee, who they claim left a backdoor on the website. In the spam message, the attacker claimed to be a security researcher who had reported several vulnerabilities to the WPML team, which were ignored, and recommended site owners “triple-enforce” security on websites using WPML. The company says it is now rebuilding its server from scratch to remove the backdoor. (ZDNet)
3 days ago

Portuguese Man Who Allegedly Ran Football Leaks Website Arrested in Hungary, Faces Extradition and Ten Years in Prison

Portuguese man Rui Pinto was arrested in Hungary on suspicion of extortion and hacking charges related to the infamous Football Leaks website, which has been publishing hacked documents regarding powerful soccer clubs and organizations since 2015. Rui, the alleged owner of Football Leaks, was outraged by the “criminality” of the sport, according to one of his attorneys, William Bourdon, who previously represented NSA whistleblower Edward Snowden and Assange. Pinto is the main suspect in the hacking of emails from Portuguese clubs Benfica, Sporting and Porto, among other hacks, including multiple on the FIFA database. Between 2016 and 2018, Football Leaks leaked over 70 million documents, according to the European Investigative Collaborations. Pinto is being held in Budapest where he faces extradition to Portugal and could face up to ten years in prison if convicted. (Deadspin)
4 days ago

Malicious Apps in Google Play Store Activate Banking Malware Payloads Only When Motion is Detected to Avoid Getting Caught, Trend Micro

Malicious apps hosted in the Google Play store activate Anubis banking malware payloads only when motion is detected first in order to avoid emulators used by security researchers, Trend Micro reports. Trend Micro found the motion-activated dropper in two apps, BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Once one of the apps installed Anubis on a device, the dropper also used requests and responses over Twitter and Telegram to locate the required command and control server. Google has removed the apps from the Play Store. (Ars Technica)
4 days ago

Austrian Privacy Watchdog Files Privacy Complaints Against Amazon, Apple, Netflix and Other Tech Companies for Violating GDPR Rules

European privacy campaigner Max Schrems has filed new GDPR complaints regarding tech giants, including Amazon, Apple, Netflix, Spotify and YouTube, via his nonprofit privacy and digital rights organization, noyb. The complaints contend that the tech firms are structurally violating the right of access to the data held by the firms as stipulated under Article 15 of Europe’s General Data Protection Regulation (GDPR). The organization contends that the tech giants have built automated systems to respond to data access requests which, after being tested by noyb, failed to provide the user with all the relevant information to which they are legally entitled. noyb said it tested eight firms and all have failed their tests, and it has filed formal complaints with the Austrian Data Protection Authority against the eight, which also include music and podcast platform SoundCloud; sports streaming service DAZN; and video on-demand platform Flimmit. (TechCrunch)
4 days ago

Facebook Could Be Facing Record-Setting Fine for Violating Its 2011 FTC Consent Decree, Sources

The Federal Trade Commission is contemplating a record-setting fine against Facebook for violating a 2011 privacy consent decree, according to three sources, a penalty that is expected to be much larger than the $22.5 million fine the agency imposed on Google in 2012. The 2011 decree requires Facebook to notify users and seek their permission before data is shared with third parties in a way that differs from existing privacy settings, and to obtain users’ affirmative permission before sharing their data with third parties. The decree further requires Facebook to tell the FTC in cases where others misuse that information. Privacy advocates have maintained that Facebook violated the decree in its relationship with Cambridge Analytica, under which researchers collected names, locations, interests and other data from those who played a Facebook quiz, as well as from their friends. Since then, Facebook has been embroiled in a host of other privacy-related troubles. (Washington Post)
5 days ago

DNC Says Russia’s Cozy Bear Hacking Group Targeted Dozens of Its Email Addresses in Phishing Campaign Days After 2018 Midterm Elections

In an amended complaint filed in the U.S. District Court for the Southern District of New York, the Democratic National Committee (DNC) says it was the intended victim of a widespread cyber attack that was detected days after the 2018 midterm elections. “On November 14, 2018, dozens of DNC email addresses were targeted in a spear-phishing campaign, although there is no evidence that the attack was successful,” the DNC wrote in the amended complaint, part of an ongoing lawsuit against the Russian government, the 2016 Donald Trump campaign and others. The DNC said that the content of the emails and the timestamps were consistent with a spear-phishing campaign that cybersecurity experts have tied to the Russian intelligence-controlled hacking group known as Cozy Bear, or APT 29. (ABC News)