17 hours ago

Phineas Fisher Launches ‘Bug Bounty’ Program to Pay Hacktivists Up to $100,000 for Politically Motivated Hacks, Also Claims to Have Hacked Cayman Bank and Trust Company

The vigilante hacker known as Phineas Fisher, best known for breaching surveillance vendors, is launching a new kind of bug bounty to reward hacktivists who carry out public-interest hacks and leaks. In a manifesto, Fisher offers to pay hackers up to $100,000 under what they call the “Hacktivist Bug Hunting Program”: payouts in cryptocurrency for politically motivated hacks against companies, where the result is the disclosure of documents in the public interest. Fisher names Israeli spyware vendor NSO Group and oil-services company Halliburton as the kind of targets that would qualify. In the same manifesto the hacker also claims that in 2016 they hacked the Cayman Bank and Trust Company on the Isle of Man, an island in the Irish Sea between Great Britain and Ireland, and says they were able to take money, documents, and emails from the bank. Documents from that heist have been posted on the leak site Distributed Denial of Secrets, run by journalist and activist Emma Best. (Motherboard)
21 hours ago

Backup File Unprotected by Password Exposed Data for 452,000 Players of Magic: The Gathering

A security lapse exposed data on 452,000 players of Magic: The Gathering, the game’s maker, Wizards of the Coast, has confirmed. Wizards of the Coast said it had left a database backup file in a publicly accessible Amazon Web Services storage bucket, with no password or other access control, exposing the users’ data; the exposure was discovered by U.K. cybersecurity firm Fidus Information Security. The database included player names and usernames, email addresses, and the date and time of each account’s creation, with data going back to 2012. It also held user passwords, which were hashed and salted. That slows offline cracking but does not prevent it: weak passwords remain recoverable by dictionary attack, and how hard the rest are to recover depends on the hashing algorithm, which is not specified here. About 470 email addresses belonging to Wizards’ staff were also in the file. After TechCrunch contacted the company, it took the storage bucket offline. (TechCrunch)
21 hours ago

Security Experts Warn of Dangers From Checkra1n iOS 13 Jailbreak, Particularly When Devices Must Be Handed Over at International Borders

Checkra1n, a working jailbreak for devices running Apple’s iOS 13 that leverages the checkm8 BootROM vulnerability (which affects devices with A5 through A11 chips, up to the iPhone X), was released over a week ago, and security experts are urging mobile-device managers to watch out for the powerful new tool, both because attackers can use it and because iPhone users may apply it recklessly. One key risk is users jailbreaking their own iOS devices, leaving them open to rogue or unstable apps installed from outside Apple’s curated App Store. Because checkm8 is a BootROM bug, the jailbreak does not survive a reboot, although an attacker could persist on the device by sideloading an app onto it. A third-party jailbreak needs physical access to the iPhone, which is put into DFU mode and tethered over USB to a macOS computer running the exploit code. That kind of access is exactly what an attacker gets when a device must be handed over for inspection while crossing international borders. (Threatpost)
22 hours ago

WhatsApp Quietly Patches Another Critical Vulnerability, Newly Discovered Flaw Can Allow Attacker to Execute Remote Code or Launch DoS Attack By Simply Sending MP4 File

On the heels of the recent revelation that Facebook-owned WhatsApp had a vulnerability that was exploited by Israeli spyware company NSO Group, WhatsApp quietly patched yet another critical vulnerability in its app that could have allowed attackers to remotely compromise targeted devices and potentially steal chat messages and files stored on them. The vulnerability, tracked as CVE-2019-11931, is a stack-based buffer overflow in the way previous WhatsApp versions parse the elementary stream metadata of an MP4 file; a crafted file can trigger a denial of service or remote code execution. Facebook’s advisory lists fixed versions, among them 2.19.274 for Android and 2.19.100 for iOS. To exploit the flaw, an attacker needs only the target’s phone number and a maliciously crafted MP4 file sent over WhatsApp; a successful exploit runs attacker code with the app’s privileges, which is enough to plant spyware or a backdoor without user interaction beyond receiving the file. WhatsApp confirmed the flaw and said it had no evidence it had been exploited in the wild. (The Hacker News)
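The bug class described above, as an added illustration that is not WhatsApp’s code and does not reproduce CVE-2019-11931: a toy parser for a hypothetical length-prefixed “elementary stream metadata” record (one length byte followed by that many payload bytes). The record layout, the `META_MAX` limit, the function names and the sample records are all assumptions made for this example; real MP4 `esds` boxes are laid out differently. The vulnerable parser checks the declared length only against the input size and copies into a fixed stack buffer; the hardened parser also checks it against the destination and refuses records that would not fit.

```c
/*
 * Added example, not WhatsApp's code: a stack-based buffer overflow in a
 * length-prefixed metadata parser, beside its bounds-checked version.
 * Record layout (assumed for this example): [u8 len][len bytes of payload]
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define META_MAX 16          /* size of the fixed stack buffer in the vulnerable parser */
#define CRAFTED_LEN 0xFF     /* declared length in the crafted record, far larger than META_MAX */

/* Constructed sample input, not real MP4 data: declared length 5, payload "hello". */
static const uint8_t BENIGN_RECORD[] = { 5, 'h', 'e', 'l', 'l', 'o' };

/* Builds a constructed crafted record whose declared length (0xFF) exceeds
 * META_MAX. Stores the total record size in *total and returns the bytes. */
const uint8_t *crafted_record(size_t *total)
{
    static uint8_t rec[1 + CRAFTED_LEN];
    rec[0] = CRAFTED_LEN;
    memset(rec + 1, 'A', CRAFTED_LEN);
    *total = sizeof rec;
    return rec;
}

/* VULNERABLE: the declared length is checked against the input size but
 * never against the destination, so a record with len > META_MAX writes
 * past the end of 'meta' on the stack (stack-based buffer overflow). */
int parse_es_metadata_vulnerable(const uint8_t *buf, size_t buf_len)
{
    char meta[META_MAX];
    if (buf_len < 1) return -1;
    size_t len = buf[0];
    if (len > buf_len - 1) return -1;        /* only guards against a truncated record */
    memcpy(meta, buf + 1, len);              /* len may be up to 255: overflows for len > 16 */
    return (int)len;
}

/* HARDENED: the caller supplies the destination size, and the declared
 * length is rejected unless it fits with room for a terminating NUL. */
int parse_es_metadata_safe(const uint8_t *buf, size_t buf_len,
                           char *out, size_t out_len)
{
    if (buf_len < 1 || out_len < 1) return -1;
    size_t len = buf[0];
    if (len > buf_len - 1) return -1;        /* truncated record */
    if (len >= out_len) return -1;           /* would not fit: refuse instead of overflowing */
    memcpy(out, buf + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Runs the hardened parser on the benign record; 1 if it parsed "hello". */
int safe_parser_accepts_benign(void)
{
    char out[META_MAX];
    int n = parse_es_metadata_safe(BENIGN_RECORD, sizeof BENIGN_RECORD, out, sizeof out);
    return n == 5 && strcmp(out, "hello") == 0;
}

/* Runs the hardened parser on the crafted record; 1 if it was rejected. */
int safe_parser_rejects_crafted(void)
{
    char out[META_MAX];
    size_t total;
    const uint8_t *rec = crafted_record(&total);
    return parse_es_metadata_safe(rec, total, out, sizeof out) == -1;
}

int main(void)
{
    printf("benign record:  %s\n",
           safe_parser_accepts_benign() ? "parsed by hardened parser" : "unexpected failure");
    printf("crafted record: %s\n",
           safe_parser_rejects_crafted() ? "rejected by hardened parser" : "accepted (bug)");
    /* parse_es_metadata_vulnerable() is deliberately not called on the crafted
     * record here: it would write 255 bytes into a 16-byte stack buffer. */
    return 0;
}
```

The fix is the single comparison of the declared length against the destination size; the check against the input size alone, which the vulnerable version has, is what makes this class of bug easy to miss in review.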
23 hours ago

Microsoft Hires Eric Holder to Audit Facial Recognition Company AnyVision for Potential Violations of Its Ethical Principles in Israel’s West Bank

Microsoft has hired former United States Attorney General Eric Holder to audit Israeli-headquartered facial recognition company AnyVision and determine whether it complies with Microsoft’s ethical principles on how biometric surveillance technology should be used. Microsoft’s venture arm, M12, took part in AnyVision’s $74 million Series A round in June, on the condition that AnyVision abide by the six principles Microsoft has set for its own facial recognition work: fairness, transparency, accountability, non-discrimination, notice and consent, and lawful surveillance. AnyVision’s technology has since become a source of controversy in Israel for powering a secret military surveillance project that has monitored Palestinians in the West Bank, which human rights activists say is incompatible with those principles. (NBC News)
23 hours ago

Bipartisan Bill Would Require Law Enforcement to Obtain Warrant Before Using Facial Recognition to Track Americans

A bipartisan bill, the Facial Recognition Technology Warrant Act, has been introduced that would force law enforcement agencies to obtain a warrant before using facial recognition software to track American citizens. Sponsored by Senators Chris Coons (D-DE) and Mike Lee (R-UT), the bill would require agencies to show probable cause and obtain a warrant before using facial recognition systems to surveil suspects, mirroring the procedures already required for other intrusive measures such as cell phone searches, wiretaps, and location tracking. The requirement would apply to any surveillance lasting more than 72 hours, with exceptions for urgent cases. (NextGov)
23 hours ago

Knightscope’s Automated Security Robots Collect Mounds of Data Using Facial Recognition, License Plate Scanning, Wireless Device Detection and Tracking

A previously unreported Knightscope presentation shows just how much data the company’s automated security robots can collect. The slides were presented in June 2019 to the city council of Huntington Park, CA, which in November 2018 had signed a $240,000 contract to lease a Knightscope robot for three years. They detail the software police use to control the robot and how the company analyzes the collected data. According to the presentation, the company can use facial recognition to surface a known person’s name, a similarity score between the person’s face and a stored image, and a log of other identities the robot has seen. Notes attached to a person’s face include labels such as “person of interest,” “Causes Trouble,” or “Sketchy Dude.” The robot can also perform license plate recognition, alerting on blacklisted plates, and can scan an area using cameras, lidar, and optional thermal imaging. Knightscope robots also scan for wireless devices, which lets them discreetly track individuals whether or not their faces have been recognized. (OneZero)
24 hours ago

Digital Rights Activists Showcased the Threat of Harmful Consequences from Facial Recognition Technology By Scanning Nearly 14,000 Faces Outside the Halls of Congress

The digital rights group Fight for the Future used Amazon’s commercially available facial recognition service, Rekognition, to scan the faces of thousands of DC residents outside the halls of Congress and inside the city’s busiest metro stations, to demonstrate the harmful consequences of facial recognition surveillance. In a few hours the activists’ scanners processed nearly 14,000 faces, identifying one member of Congress, seven reporters, and 25 lobbyists. The system also claimed to spot the long-dead singer Roy Orbison, a false match that illustrates the point. (Vice News)
2 days ago

Hacked Disney+ User Accounts Are Now Offered on Hacking Forums, Prices Range From Free to $11

Thousands of hacked Disney+ user accounts are now offered for free on hacking forums, or sold for prices ranging from $3 to $11, just days after the hugely popular service launched. Disney+, which signed up more than ten million subscribers on its first day in the U.S., Canada, and the Netherlands, was flooded with technical complaints at the outset, among them reports from subscribers that attackers were accessing their accounts and changing their passwords. Some users’ emails and passwords were likely reused from previous data breaches (credential stuffing), while others could have been captured by keylogging or info-stealing malware on the users’ own devices. Several lists offer usernames and cleartext credentials that subscribers confirmed were accurate and still active. Users are advised to use strong, unique passwords for Disney+ and every other Internet account. (ZDNet)
2 days ago

Lizard Squad Takes Credit for DDoS Attacks Against Labour Party, Claims Attacks Against Corbyn and Family, Vows More Attacks

The hacktivist group Lizard Squad, which specializes in DDoS attacks, has taken credit for the large-scale DDoS attack on the UK’s Labour Party, saying in a tweet that “no terrorist-supporting government should be allowed to rule a country,” a reference to leader Jeremy Corbyn’s views on Northern Ireland. The group has also threatened further attacks against government and Labour websites as a whole, and claims to have launched DDoS attacks against Jeremy Corbyn’s family members and their home. (Threatpost)
2 days ago

Elite Army Intelligence Unit Soldiers Revolted Against Use of Information App They Believe Exposes Their Data, Location to Foreign Adversaries, Others

Army Col. Deitra L. Trotter, commander of Fort Hood’s 504th Military Intelligence Brigade, ordered soldiers in her intelligence unit, who hold top-secret clearances, to download an information app that many fear could expose their activities to foreign adversaries. The app was developed by Straxis LLC, based in Tulsa but with a subsidiary in southern India. Designed for the unit, it could deliver weather updates, training changes, and other logistics, but it also required soldiers to submit substantial amounts of personal data, and its permissions allowed it to pull GPS location data, photos, and contacts and even to write to or erase storage cards. Concerns about the app circulated among the security-conscious soldiers on social media, and many deleted it from their devices in protest. Although use of the app was at one point deemed mandatory, military leadership has since downgraded it to “highly encouraged.” (Washington Post)
3 days ago

Google Nearly Posted More Than 100,000 Chest X-Ray Images Without Properly Vetting the Data for Privacy Concerns, Abruptly Canceled Project, Report

Two days before Google was set to publicly post more than 100,000 images of human chest X-rays, the National Institutes of Health informed the company that some of them still contained details that could be used to identify the patients, a potential privacy and legal violation. Google’s researchers had not obtained any legal agreements covering the privacy of patient information, according to a source, who also said the company rushed toward publicly announcing the project without properly vetting the data for privacy concerns. Google canceled the project shortly afterward. Google is separately under investigation by the Department of Health and Human Services over its mass collection of individuals’ health records through a partnership with the health care company Ascension, which may violate the Health Insurance Portability and Accountability Act, or HIPAA, the federal law that protects the privacy of some types of medical records. (Washington Post)
3 days ago

Activist Says He’s One of the People Targeted by Two Former Twitter Employees Who Spied for Saudi Arabia

Saudi activist Omar Abdulaziz, who counted the murdered journalist Jamal Khashoggi as a friend and ally, says he was one of the individuals targeted by the two former Twitter employees who spied for Saudi Arabia, as part of a wider campaign of harassment by the Kingdom. He said that more than 30 influencers told him the Saudi government blackmailed them with material obtained by hacking their phones, and that they were ordered either to tweet propaganda or to have their private content, including pictures, released on Twitter. (Washington Post)
3 days ago

Trail of Bits Launches iVerify Security Toolkit to Help Users Detect if Their iOS Devices Are Being Hacked

Security firm Trail of Bits has launched iVerify, a user-friendly iPhone security toolkit that helps users detect whether their iOS device has been compromised. iVerify is one of the first apps promising to detect iPhone hacks to be approved for the official App Store. It is designed to look for “side effects,” or anomalies, left behind by iPhone exploits or jailbreaks, based on a study of all past public jailbreaks and reverse engineering of the iPhone’s operating system. One caveat a practitioner should keep in mind: as an App Store app, iVerify runs inside the iOS sandbox, so it can only observe side effects that are visible from within that sandbox, and a clean result is not proof that a device is uncompromised. iVerify also includes a series of detailed how-to guides that help users lock down their iPhone settings to improve their privacy and reduce the chances of getting hacked. (Motherboard)
3 days ago

GitHub Launches Security Lab to Protect Open-Source Code Projects, Tech Giants Partner to Help Spot Exploits

GitHub has launched the GitHub Security Lab, an ongoing effort to protect open-source code projects by bringing together security researchers from partner organizations including Google, Microsoft, Mozilla, Oracle, Uber, and HackerOne. To power the lab, GitHub is making CodeQL, the variant analysis engine from Semmle, a company it acquired in September, free for use on open-source projects, so that a newly found vulnerability can be turned into a query that finds the same pattern across other code bases. GitHub also launched Security Advisories, which give project maintainers a way to disclose vulnerabilities and request Common Vulnerabilities and Exposures (CVE) identifiers directly from GitHub. (Venture Beat)