1 week ago

Ronan Farrow: Black Cube Installed Spyware on My Phone to Keep Track of My Location During Weinstein Investigation

In an excerpt from his new book “Catch and Kill,” Ronan Farrow outlines how Harvey Weinstein purportedly paid Israeli operatives to hack his cellphone during his investigation of the sexual assault allegations against the now-disgraced movie mogul. Farrow reports that Weinstein hired the notorious Israeli private intelligence firm Black Cube to conduct surveillance on his accusers and on reporters investigating the allegations. A private investigator hired by Black Cube, Russian-American operative Roman Khaykin, claims that one of Black Cube’s agents installed location-tracking malware on Farrow’s phone to keep track of his whereabouts. Black Cube contends that it was not aware of, and did not authorize, any tracking of Farrow’s phone. (New Yorker)
1 week ago

Criticism of DNS-over-HTTPS as a Privacy Panacea Is Mounting, Some Experts Argue for Better Ways to Encrypt DNS Traffic

Some networking and cybersecurity experts argue that the DNS-over-HTTPS (DoH) protocol causes more problems than it fixes and is no privacy panacea. Criticism has been mounting, with some experts arguing that the effort should instead go into other ways of encrypting DNS traffic, such as DNS-over-TLS (DoT). These critics maintain that, despite common claims, DoH does not stop ISPs from viewing a user’s DNS requests, and that in practice it serves as a method for bypassing enterprise filters to reach content that is normally blocked at workplaces. The protocol also upends hundreds of security products that rely on inspecting DNS traffic, which become useless once users enable DoH inside their browsers. Although DoH helps bypass DNS-based blocklists imposed by dictatorial regimes, it equally bypasses DNS-based blocklists put in place for legitimate reasons, such as those against child abuse material, terrorism content, and sites hosting stolen copyrighted material. Finally, critics say, DoH adds unnecessary additional parties, creating another layer of DoH resolvers that sits on top of the existing DNS resolver layer. (ZDNet)
1 week ago

U.S. Signs Cybersecurity Cooperation Pact With Lithuania, Latvia, and Estonia to Protect Baltic Energy Grid From Russian Cyberattacks

The United States and Baltic states agreed to beef up cooperation to protect the Baltic energy grid from cyber attacks as they disconnect from the Russian electricity grid, a pact that US Energy Secretary Rick Perry and his Lithuanian, Latvian and Estonian counterparts termed “a critical moment for the Baltic States in strengthening cybersecurity” in strategic energy infrastructure. Lithuania is seeking US technology firms to help it modernize software used to control energy systems to prevent attacks by Russian hackers that could disrupt energy supplies. The Baltic ministers also agreed with Perry to set up a cooperation platform for cybersecurity experts from all four countries within the next six months. (AFP)
1 week ago

Magecart Is Now So Ubiquitous That It’s Flooding the Internet, Almost Two Million Instances With Over 18,000 Hosts Breached

Digital card-skimming collective Magecart is now so ubiquitous that its infrastructure is flooding the internet, according to a paper presented at Virus Bulletin 2019 by Jordan Herman and Yonathan Klijnsma of RiskIQ. The researchers say there are now 573 known C2 domains for the group, with close to 10,000 hosts actively loading those domains. In total, they detected almost 2 million (2,086,529) instances of Magecart JavaScript skimmers, with over 18,000 hosts directly breached. (Threatpost)
1 week ago

Russian Hacking Group Uses ‘Reductor’ Trojan to Modify Chrome and Firefox Browsers to Hijack HTTPS Connections

Russian hackers operating as part of what is believed to be the state-sponsored Turla group are infecting victims with a remote access trojan named Reductor, through which they modify Chrome and Firefox, researchers at Kaspersky Lab said. The goal of the modifications is to alter the way the two browsers set up HTTPS connections and to add a per-victim fingerprint to the TLS-encrypted web traffic that originates from infected computers. In the first step, the hackers install their own digital certificates on each infected host so they can intercept TLS traffic originating from it. Then they patch the Chrome and Firefox installations, modifying the pseudo-random number generation (PRNG) functions that supply the random values used when negotiating new TLS handshakes for HTTPS connections. It is unclear why the hackers are doing this, although it is possible they want to be in a position to passively pick out and observe their victims’ HTTPS traffic on the wire. (ZDNet)
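The fingerprinting technique above is easiest to understand from the defender's side: if a patched PRNG leaves a victim-specific tag inside the 32-byte ClientHello random, a network sensor that already knows the candidate tags can pick those handshakes out of a capture. The following Python is an added illustration written for this digest, not Kaspersky's code and not Reductor's real encoding. It assumes a hypothetical scheme in which the trojanised PRNG overwrites the last four bytes of the random with SHA-256(victim_id)[:4]; the ClientHello it parses is a constructed minimal record, not captured traffic.

```python
import hashlib
import os
import struct
from typing import Iterable, Optional

# ASSUMED marker scheme for this example only: the trojanised PRNG overwrites the
# last TAG_LEN bytes of the 32-byte ClientHello random with SHA-256(victim_id)[:TAG_LEN].
# Reductor's actual encoding is described in Kaspersky's report and is not reproduced here.
TAG_LEN = 4


def tag_for_victim(victim_id: bytes) -> bytes:
    return hashlib.sha256(victim_id).digest()[:TAG_LEN]


def patched_random(victim_id: bytes) -> bytes:
    """Simulate a patched PRNG: ordinary random bytes with a per-victim tag in the tail."""
    return os.urandom(32 - TAG_LEN) + tag_for_victim(victim_id)


def build_client_hello(random32: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not captured traffic)."""
    if len(random32) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30"   # ECDHE_RSA_AES_128_GCM_SHA256, ECDHE_RSA_AES_256_GCM_SHA384
    compression = b"\x00"                 # null compression only
    body = (b"\x03\x03" + random32        # client_version (TLS 1.2), random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + b"\x00\x00")                # extensions length = 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_client_random(record: bytes) -> Optional[bytes]:
    """Return the 32-byte random from a TLS record carrying a ClientHello, else None."""
    if len(record) < 5 or record[0] != 0x16:          # ContentType handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # HandshakeType client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + 32:
        return None
    return body[2:34]                                 # skip the 2-byte client_version


def matches_victim(record: bytes, victim_ids: Iterable[bytes]) -> Optional[bytes]:
    """Return the victim id whose tag appears in the ClientHello random, or None."""
    rnd = extract_client_random(record)
    if rnd is None:
        return None
    for vid in victim_ids:
        if rnd[-TAG_LEN:] == tag_for_victim(vid):
            return vid
    return None


if __name__ == "__main__":
    hello = build_client_hello(patched_random(b"host-A"))
    print("fingerprinted for:", matches_victim(hello, [b"host-A", b"host-B"]))
```

The parser works unchanged on TLS 1.3 ClientHellos, since the random sits at the same offset. Note that this detector only confirms tags it already knows; spotting an unknown scheme would mean testing the random field of many handshakes from one host for non-uniform bytes, which is a different exercise.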
2 weeks ago

Primary Health Organization in New Zealand Finds Evidence of Breaches Dating Back to 2016, Health Records for Nearly a Million People Could Be Affected

A primary health organization (PHO) in New Zealand, Tu Ora Compass Health, which experienced a data breach in August, found evidence of earlier attacks dating back to 2016 following an investigation launched by the National Cyber Security Centre, Ministry of Health, police and other agencies. The organization is responsible for collecting and analyzing data from medical centers involving disease screening and treatment for conditions, including diabetes. It holds health data for the greater Wellington, Wairarapa, and Manawatu regions, so nearly a million people in the lower North Island could be affected. An attacker or attackers known as Vanda the God claimed in a tweet, without evidence, to be behind the attack. (Radio New Zealand)
2 weeks ago

UAB Medicine Says That Nearly 20,000 Patients’ Personal and Medical Data Exposed in August Breach Including Diagnosis and Treatment Information

The largest medical center in the state of Alabama, University of Alabama (UAB) Medicine, announced that 19,557 patients might have had personal information exposed in a data breach in August. The exposed data varied but could have included the patient’s name and medical record number, birth date, dates of service, location of service, diagnosis, and treatment information. Some patients’ Social Security numbers may have been exposed, too, and the medical center has specifically notified those patients. Investigators say the attackers were trying to divert employees’ automatic payroll deposits to an account under their control and were not specifically targeting patient information. Affected accounts were secured upon identification, and their passwords were reset. The university is providing one year of free credit monitoring and reporting services to all affected patients. (AL.com)
2 weeks ago

Chinese State-Sponsored Hackers APT5 Are Targeting Unpatched VPN Servers From Fortinet and Pulse Secure

A group of Chinese state-sponsored hackers known as APT5 or Manganese is targeting enterprise VPN servers from Fortinet and Pulse Secure to steal files storing password information or VPN session data, after details of security flaws in both products became public last month, according to researchers at FireEye. The group has been active since 2007 and has targeted or breached organizations across multiple industries. Its focus, however, appears to be primarily on telecommunications and technology companies, and it has taken a particular interest in satellite communications firms. The VPN server vulnerabilities (CVE-2018-13379 for Fortinet and CVE-2019-11510 for Pulse Secure) are so-called “pre-auth file reads,” which allow an attacker to retrieve files from the VPN server without needing to authenticate. Both vendors released patches in April and May, but many affected owners appear not to have installed them. (ZDNet)
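A pre-auth file read of this kind leaves a recognisable trace in the appliance's web access log: an unauthenticated GET whose path carries traversal sequences (often URL-encoded, sometimes twice) and ends in a file the portal should never serve. The Python below is an added example for this digest, not FireEye's or either vendor's tooling, and it deliberately does not reproduce the actual CVE-2018-13379 or CVE-2019-11510 request paths; the log lines, the `/portal/lang?file=` endpoint and the file names are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access log (common log format). The paths are illustrative traversal
# attempts against a fictional VPN portal, NOT the real CVE-2018-13379 / CVE-2019-11510 payloads.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2019:10:12:01 +0000] "GET /portal/login HTTP/1.1" 200 4021
203.0.113.7 - - [05/Oct/2019:10:12:03 +0000] "GET /portal/lang?file=../../../../etc/passwd HTTP/1.1" 200 1843
198.51.100.9 - - [05/Oct/2019:10:12:09 +0000] "GET /static/app.js HTTP/1.1" 200 9313
203.0.113.7 - - [05/Oct/2019:10:12:15 +0000] "GET /portal/lang?file=..%2F..%2F..%2Fdata%2Fsessions.db HTTP/1.1" 200 65536
203.0.113.7 - - [05/Oct/2019:10:12:18 +0000] "GET /portal/lang?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 404 212
198.51.100.9 - - [05/Oct/2019:10:12:20 +0000] "POST /portal/login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
# File names an unauthenticated portal request should never be able to read (assumed list).
SENSITIVE_RE = re.compile(r'/etc/(passwd|shadow)|sessions?\.db', re.IGNORECASE)


def decode_path(path: str) -> str:
    """Decode twice so double-encoded sequences such as %252e%252e%252f are caught too."""
    return unquote(unquote(path))


def classify(path: str) -> list:
    """Return the reasons a request path looks like a traversal-based file read."""
    decoded = decode_path(path)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if SENSITIVE_RE.search(decoded):
        reasons.append("sensitive-file")
    return reasons


def find_preauth_file_reads(log_text: str) -> list:
    """Flag suspicious requests; 'succeeded' marks a 2xx answer, i.e. the file was likely served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["path"])
        if not reasons:
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": decode_path(m["path"]),
            "reasons": reasons,
            "succeeded": m["status"].startswith("2"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_preauth_file_reads(SAMPLE_LOG):
        print(hit)
```

A 2xx with a large response size on a traversal path is the line that matters for incident response: it means the file left the box, so the credentials or session data it held should be treated as compromised regardless of whether the patch has since been applied.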
2 weeks ago

Attempted Hack Into Voting Mobile App Voatz in West Virginia May Have Been University of Michigan Student’s Attempt to Research Security Vulnerabilities

An attempted hack of a mobile voting app called Voatz, used in West Virginia during the 2018 midterm elections, may have been an attempt by a student in a University of Michigan election security course to research security vulnerabilities rather than an attempt to alter any votes, three people familiar with the matter told CNN. The app has been used in the state since 2018 to allow overseas and military voters to vote via smartphone. Mike Stuart, the US attorney for the Southern District of West Virginia, revealed at a press conference last week that an FBI investigation “is currently ongoing.” The office of West Virginia Secretary of State Mac Warner had previously told Stuart that suspicious activity against the Voatz app came from IP addresses associated with the University of Michigan, a person familiar with the matter said. West Virginia is the only state that currently uses the Voatz system. (CNN)
2 weeks ago

Barr’s Request for Facebook to Postpone End-To-End Messaging Encryption, New Data-Sharing Pact With UK Revive Encryption Backdoor Fight

Reigniting a long-standing fight between the government and the tech community, U.S. Attorney General William Barr has asked Facebook to hold off on plans to add end-to-end encryption throughout its messaging services until it finds a way to provide government access to those services for investigative purposes. Barr also signed an agreement with the U.K. that would make it quicker for British police to request data from internet companies by bypassing the Justice Department and going to the firms directly. Both moves promise another high-stakes clash over encryption, a battleground that has been relatively calm since then-FBI Director James Comey’s 2016 fight with Apple over its refusal to unlock an iPhone used by one of the San Bernardino shooters. Tech companies have long argued that any technique giving the government access to encrypted systems would undermine their overall security. The government says that as more criminals flock to encrypted communications, law enforcement is left in the dark about criminal activity. (Wall Street Journal)
2 weeks ago

Microsoft Says ‘Phosphorus’ Threat Group Linked to Iranian Government Targeted Unnamed 2020 U.S. Presidential Candidate’s Email Account in a Campaign of More Than 2,700 Attempts on Email Accounts

Microsoft said that it has seen a threat group linked to the Iranian government, which it calls Phosphorus and which is also known as APT35, target an unnamed 2020 U.S. presidential candidate. In a 30-day period between August and September of this year, Phosphorus made more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers “associated” with a presidential campaign, current and former U.S. government officials, journalists, and prominent Iranians living outside the country. Four accounts, none associated with the U.S. presidential campaign or with current or former U.S. government officials, were compromised in the effort. The attacks, which Microsoft described as not sophisticated, used a “significant amount of personal information” to game password-reset and account-recovery features in an attempt to take over targeted accounts. Some of the attacks involved gathering and targeting users’ phone numbers. (TechCrunch)
2 weeks ago

Cheap After-Market Gel Protector Allows Anyone to Access Locked Samsung Galaxy S10 Phones Using Fingerprint Reader

Owners of Samsung’s flagship Galaxy S10 devices are being warned about a serious potential security issue with the phone’s in-display fingerprint reader when certain accessories are attached. The flaw lets anyone unlock the device, defeating the fingerprint check and exposing the device and all its data to an unauthorized user. The problem arises when a protector sits over the Qualcomm ultrasonic fingerprint reader: its adhesive creates a thin gap that is just enough to throw off the ultrasonic scanner and prevent it from obtaining an accurate reading. A maker of cheap after-market accessories is selling a $3 gel protector that appears to let the owner enroll a fingerprint through it normally, but once the protector is attached, any finger unlocks the S10. (Forbes)
2 weeks ago

Zero-Day Local Privilege Escalation Vulnerability in Google’s Android Mobile Operating System Exploited by NSO Group, Google Project Zero Says

Attackers are exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four Pixel models, Project Zero member Maddie Stone said in a post. The vulnerability is actively being exploited by the notorious Israeli exploit developer NSO Group or one of its customers, although NSO Group denies any such exploitation. The bug, a local privilege escalation vulnerability, can be exploited in two ways: (1) when a target installs an untrusted app, or (2) remotely, by chaining it with a second exploit for a vulnerability in the code the Chrome browser uses to render content. The vulnerability is scheduled to be patched in the October Android security update. (Ars Technica)
2 weeks ago

Google Will Block Insecure Content on Websites That Have Not Fully Migrated to HTTPS

Google Chrome will begin clamping down on websites that have not fully migrated to HTTPS and still load some page resources, such as images, audio, video, or scripts, over unencrypted HTTP. Starting with Chrome 79, Chrome will gradually move to ensuring that https:// pages can only load secure https:// subresources. To minimize breakage, Chrome will auto-upgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://. Browsers have long blocked mixed scripts and iframes but have allowed mixed images, audio, and video to load as long as the top-level page is served over HTTPS. Users will be able to enable a setting that opts out of mixed content blocking on particular websites, Google says. By the time Chrome 81 rolls out in February 2020, mixed images will be auto-upgraded to https://, and Chrome will block them by default if they fail to load over https://. Google warns that developers should migrate their mixed content to https:// now to avoid warnings and breakage. (ZDNet)
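Finding the mixed subresources before Chrome blocks them is a simple scan of the page's markup for `http://` in the attributes Chrome fetches as subresources. The Python below is an added example for this digest, not Google's or Chrome's code; the sample page is constructed, and the rewrite step mirrors what Chrome's auto-upgrade does at load time (swapping the scheme) without checking that the upgraded URL actually exists, which a real migration tool would have to do.

```python
from html.parser import HTMLParser

# Attribute that carries the resource URL for each tag Chrome fetches as a subresource.
# Navigational links (<a href>) are not subresources and are deliberately absent.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "audio": "src", "video": "src",
    "source": "src", "iframe": "src", "link": "href",
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, attribute, url) for every subresource loaded over plain http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # Only <link rel="stylesheet"> is treated as a subresource here; icons and
        # preloads are left alone to keep the example focused on what Chrome blocks.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        url = a.get(attr)
        if url and url.lower().startswith("http://"):
            self.findings.append((tag, attr, url))


def find_mixed_content(html: str) -> list:
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_mixed_content(html: str) -> str:
    """Rewrite each flagged http:// subresource URL to https:// (the scheme swap Chrome performs)."""
    out = html
    for _, _, url in find_mixed_content(html):
        out = out.replace(url, "https://" + url[len("http://"):])
    return out


# Constructed sample page: one mixed stylesheet, one mixed image, one mixed video,
# plus a navigational link and a favicon that are NOT mixed content.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="icon" href="http://cdn.example.com/favicon.ico">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://example.com/about">About</a>
<video src="http://media.example.com/intro.mp4"></video>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}=\"{url}\">")
```

For a site that cannot edit every template, the server-side equivalent is the `Content-Security-Policy: upgrade-insecure-requests` header, which asks the browser to perform the same scheme swap; either way the resource must actually be reachable over https://, or Chrome 81 and later will block it.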
2 weeks ago

Nigerian National Pleads Not Guilty in Scheme That Stole Government Employee Credentials to Buy $1 Million in Office Products

A Nigerian national extradited from Canada, Olumide Ogunremi, aka “Tony Williams,” pleaded not guilty in federal court to one count of conspiracy to commit wire fraud for his alleged role in a scheme that defrauded vendors of nearly $1 million in office products by phishing e-mail login credentials from government employees. According to the indictment, Ogunremi and other conspirators used phishing attacks in 2013 to trick employees at the Environmental Protection Agency and the Commerce Department into providing their usernames and passwords. The ring then used the stolen credentials “to place fraudulent orders for office products,” often everyday items such as printer cartridges, from vendors authorized to do business under the General Services Administration. Vendors delivered the items to facilities in New Jersey that Ogunremi controlled, where they were repackaged, shipped to Nigeria, and sold on the black market for profit. The wire fraud conspiracy count carries a maximum potential penalty of 20 years in prison and a $250,000 fine. (NextGov)