Category Archives: News Bites

Short news items

Security News for the Week Ending September 17, 2021

LA Police Collected Social Media Account Info From People They Talked To

I’m sure they were just curious. The LA police watchdog says that officers were instructed to collect civilians’ social media details when they interviewed them, based on an email from the Chief dating back to 2015. He said it could be beneficial to investigations and possibly even future outreach programs. These are people who were neither arrested nor cited. I am sure that using people’s social media details for community outreach is far more effective than, say, Twitter, Facebook or even the 6:00 News. Not. For harassing and scaring people, yes. Credit: MSN

Germany Admits Police Used NSO Group Pegasus Spyware

Germany’s Federal Police admitted, while testifying before Parliament, that they used NSO Group’s Pegasus spyware, which can completely take over a mobile phone and all the data on it. They said some features were disabled to comply with German law. Which features, and how many people were targeted, were not revealed. They are likely not alone; they just got caught at it. Credit: Security Week

Taliban and China Are Reportedly in Bed Together

China has reportedly sent its best (?) cyber spies to Kabul to help the Taliban tap landline and mobile calls, monitor the Internet and mine social media. While all governments, including ours, do this, the Taliban is not likely to put any controls on what gets monitored. US intelligence sources say China has been wooing the Taliban for years in preparation for this. One can only assume that the Taliban will reciprocate, for example by giving China access to the equipment we left behind. Credit: Mirror

FTC Says Health Apps Must Notify Consumers About Breaches

The FTC warned makers of apps and devices that collect personal health information that they must notify consumers if their data is breached. The policy statement passed on a 3-2 vote, with the two Republican commissioners voting against it. It is designed to address the gap that most health apps are not HIPAA covered entities, so HIPAA’s breach notification rule does not reach them. The two Trump appointees who voted against it are not necessarily against having app makers tell users that their data has been compromised, but would prefer to drag the decision out for a few more years through the government’s normal bureaucratic rulemaking process. Credit: FTC

Cops Instructed to Play Loud Music to Disrupt Public Filming of Their Activities

Police – or at least some police – do not like being filmed while doing their job. One Illinois police department officially came up with an interesting tactic. While it doesn’t stop people from filming them, it MIGHT cause the videos to be taken down from social media, which seems to be the goal. When officers notice someone filming them, they turn on copyrighted music so that it is captured in the recording. Most social media platforms have been sued enough that they run automated filters that recognize at least popular copyrighted music, and if a filter detects it, the platform removes or mutes the post so it doesn’t get sued. I think it is pretty simple to distort the music enough that the filter won’t recognize it while a listener can still hear the interaction with the police. My guess is that if a case like this came to court over copyright, the court would rule in favor of the person filming, but we are talking about the law here, so who knows. Credit: Vice

Security News for the Week Ending September 10, 2021

Proton Provides Customer IP Address to Swiss Police

While police all over the world complain about the Internet “going dark” on them, that is only true to an extent. Proton keeps no IP logs by default, but under a Swiss order it can be compelled to start capturing a specific account’s connection data in real time. In this case it received an order from the Swiss Federal Department of Justice, which it complied with. I don’t have a lot of heartburn over this. If people break the law, they should assume that cloud providers will not ignore a lawful order and pretend everything is okay. Note that Proton cannot hand over message content in a case like this, so what was really exposed is the person’s IP address. Smart crooks might access their mail via changing VPNs or Tor, but apparently, in this case, they were not smart enough to do that. One positive thing is that Swiss law required the suspects to be notified that their data was turned over, unlike in most countries. Credit: Proton Reddit

McDonald’s in El Salvador (and Everyone Else) Now Accepts Bitcoin

El Salvador’s Bitcoin law went into effect this week, requiring all businesses and government agencies to accept Bitcoin. Of course, everyone now needs to figure out how to do that. Large companies that can afford to spend millions can manage it, even if the result is clunky. For small businesses, it is a different story. And accepting Bitcoin does not protect any company from the huge swings in its price. In one direction, the company is okay; in the other, not so much. We shall see if this becomes a trend, but I doubt it. Tesla was accepting Bitcoin for cars but stopped; the risk is that you sell a car for $30,000 and recover only $20,000 when you cash in the Bitcoin. Credit: Vice

Corporate Execs Fear That SEC Investigation Will Uncover Other Breaches They “Forgot” to Report

As the SEC investigates the reach of the SolarWinds attack, it is asking companies to turn over information about “any other” data breach or ransomware attack since the SolarWinds attack began in 2019. This will likely turn over rocks that companies would prefer remain right side up. Companies could lie and say they have nothing, but if a whistleblower tells the SEC the truth, or the SEC figures it out by itself, then those companies have really big problems. A consultant working with some of these companies says that “most” of them have had unreported breaches, and they don’t know how the SEC might deal with that. The SEC said that companies would not be penalized if they shared data about the SolarWinds attack voluntarily, but it did not say it would grant amnesty for other breaches that should have been reported. Credit: Reuters

WhatsApp Promises End to End Encrypted Backups on iCloud

Apple’s iCloud backups are readable by Apple. That fact has allowed Apple to turn over backup data to police, and it was part of the background to the photo-scanning plan Apple recently postponed. Facebook (WhatsApp) says it is about to roll out end-to-end encrypted WhatsApp backups to iCloud for iPhone users and Google Drive for Android users, with the backup key held by the user rather than by Apple or Google. Assuming they deliver, this is the first time anyone has offered fully encrypted backups to two billion users. Credit: The Register

Security News for the Week Ending September 3, 2021

Apple Offers Fixes For Broken iPhone 12s

While not exactly a security issue, Apple is offering to fix defective iPhone 12s that were made between October 2020 and April 2021 and have a defective receiver module component. That is mighty kind of them, since every single one of them is still under warranty, and if you can’t hear sound on your phone, it is of lesser usefulness. Still, we are talking about Apple. Owners can take them to an Apple store or an authorized repair center. Apple says you might want to back up your data first in case something goes wrong. Credit: Bleeping Computer

Teslas on Autopilot Crash into Cop Cars

I don’t think it is intentional, but on more than one occasion Teslas on Autopilot have crashed into police cars, at night, while the police cars’ lights were flashing. Those high-intensity lights have occasionally blinded me at night, so it doesn’t seem like much of a stretch that they could also confuse Tesla’s cameras. Federal safety regulators (NHTSA) are now investigating about a dozen of these crashes. Credit: Vice

Federal Departments Ordered to Improve System Logging to Respond to Incidents

As a result of the recent executive order on cybersecurity, OMB (in memo M-21-31) has ordered federal agencies to begin outlining the steps they plan to take to improve their incident logging capabilities, including log retention and log management. You should assume this will flow down to you, even if you aren’t an agency and don’t sell to one. It is just good practice. Credit: Data Breach Today

Teamsters Are Coming for Amazon’s Tax Breaks

This is not directly a security issue, but it does point out that there are many different forms of attack, and if one doesn’t work the attackers may try a different one, as happens all the time with cyber attacks. I will let you read the details if you are interested, but the Teamsters have not been successful at winning union elections, so they are changing tactics. When Amazon asks a local government for a tax break to add what the union calls dangerous, depressed-wage jobs, the Teamsters launch a campaign asking voters why the city should give a tax break to one of the wealthiest companies in the country just so it can create more dangerous, low-paying jobs that will be automated out of existence as soon as Amazon can manage it. Interesting tactic. Credit: Motherboard Vice

Industrial Control Systems Bugs Out of Control

In just the first six months of 2021, 637 bugs were disclosed in Industrial Control System products from 76 vendors, according to Claroty’s biannual ICS risk report. More than 70% of them are rated critical or high severity. Three quarters of the bugs require no privileges to exploit and two thirds can be exploited without any user interaction. Given all the attacks we have seen, and the fact that ICS owners are very slow to deploy patches, expect hackers to start exploiting these and taking down factories, utilities and critical infrastructure. Credit: Security Week

Security News for the Week Ending August 27, 2021

Third Party Risk – You Can Ignore it, But It Won’t Ignore You

DataBreaches.net reports that a hacker claimed to have broken into an HVAC vendor and, from there, remotely accessed systems at the vendor’s customers. One of those customers is reported to be Boston Children’s Hospital; the HVAC vendor is reported to be ENE Systems in Canton, Mass. The hacker showed the reporter schematics and wiring diagrams that the hacker claimed were taken from Children’s Hospital, and attempted to extort ENE after the breach. Hopefully the affected hospitals, including Mass General, did a good job of isolating the building-control systems from the rest of their networks, but if so, that would be unusual. I’m hoping. Credit: Info Risk Today

Samsung Can Turn Off Any Samsung TV Worldwide Remotely

Samsung admitted (or announced) that it can remotely disable any of its TVs worldwide. The idea is to kill the market for stolen TVs: when a TV connects to the Internet, it checks whether its serial number is on a stolen-TV list and, if it is, Samsung shuts it down. However, if they turn one off by mistake, you had better hope you kept your receipt. They say that if you can prove you bought it legally and have a valid TV license (whatever that is), they can turn your TV back on in as little as 48 hours. Otherwise, you have a really expensive paperweight. Of course, if you are like me and think the only smart TV is one that is not connected to the Internet, their solution doesn’t work. On the other hand, I wonder what happens when they get hacked. Now that the capability is known, hackers might choose to have fun at Samsung’s expense. Credit: Bleeping Computer

Ransomware Gang Targets Specific File Types

Researchers found a PowerShell script used by the Pysa ransomware gang that shows exactly what sorts of file names they look for when deciding what to steal. Those include tax files such as 941, 1040 and 1099 forms, insurance files, scans, payroll, “pwd” (password) files and others. See a more complete list here.
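The flip side of the gang’s keyword list is that a defender can run the same kind of match over their own file inventory to see what a Pysa-style script would scoop up, and where to put canary files. The following is an added example written for this post, not the gang’s script or anything from the researchers; the keyword set is built only from the terms named above (the fuller list is not reproduced here), and the sample paths are constructed, not real data.

```python
import re
from pathlib import PurePath

# Keywords the article says the Pysa script hunts for. The gang's full list
# is not reproduced on this page; this set is an assumption built only from
# the terms named above, and a real inventory should add org-specific terms.
FORM_NUMBERS = ("941", "1040", "1099")
WORDS = ("insurance", "scan", "payroll", "pwd")

# Form numbers must not sit inside a longer digit run, so "20211099.log" is
# not treated as a 1099; words match anywhere in the name, case-insensitively.
_FORM_RE = re.compile(r"(?<!\d)(" + "|".join(FORM_NUMBERS) + r")(?!\d)")
_WORD_RE = re.compile("(" + "|".join(WORDS) + ")", re.IGNORECASE)


def match_targeted_name(path: str):
    """Return the keyword that would put this file on a Pysa-style hit list, or None.

    Only the file name is inspected (as a keyword-based exfil script would do),
    so directory names like 'scans' do not count on their own.
    """
    name = PurePath(path.replace("\\", "/")).name
    m = _FORM_RE.search(name) or _WORD_RE.search(name)
    return m.group(1).lower() if m else None


def find_targeted_files(paths):
    """Filter an inventory of paths down to (path, keyword) pairs that match."""
    hits = []
    for p in paths:
        kw = match_targeted_name(p)
        if kw:
            hits.append((p, kw))
    return hits


# Constructed sample inventory (hypothetical UNC and local paths, not real data).
SAMPLE_PATHS = [
    r"\\fileserver\finance\2020\Form_941_Q3.pdf",
    r"\\fileserver\finance\2020\1040-smith.pdf",
    r"\\fileserver\hr\Payroll_Aug2021.xlsx",
    r"\\fileserver\legal\Insurance Policy - Cyber.docx",
    r"C:\Users\jdoe\Desktop\pwd.txt",
    r"\\fileserver\it\scans\scan0001.pdf",
    r"\\fileserver\it\logs\20211099.log",   # digit run, not a 1099 form
    r"\\fileserver\marketing\brochure.pdf",
]

if __name__ == "__main__":
    for path, kw in find_targeted_files(SAMPLE_PATHS):
        print(f"{kw:>9}  {path}")
```

Feed it the output of a file-share crawl and the result is a list of what would leave the building first; anything on it that lives on a general-purpose share is a candidate for tighter ACLs, and a few decoy files with these names make cheap tripwires for the exfil stage.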

What Not to Put in Checked Baggage

The TSA has a long list of things you cannot legally put in checked baggage, like fireworks, but then there are the really stupid things to put in your checked luggage. An Alaska Airlines passenger checked a cell phone in their baggage, and as the plane landed the phone caught fire (possibly due to the change in pressure?). The Port of Seattle Fire Department responded, the 182 people on the plane were evacuated, and this passenger will not be getting the data off that phone. Note that this is not illegal, just not smart. There were some injuries, and everyone had to be bussed to the terminal. Credit: MSN

Security News for the Week Ending August 20, 2021

Well That Seems Like a Bit Over the Top

A pharmacist in Illinois faces up to 120 years in prison for selling dozens of (I assume blank) Covid vaccine cards. He sold 134 cards to 11 buyers for roughly $1,276 and is being charged with theft of government property. That seems like a stretch, but maybe. Mostly the feds want to make a point that if you want a fake vaccine card, you should create it in Photoshop yourself. Yes, it will take you a few hours, but it isn’t very hard, and it makes it harder for the feds to discover that you did it. And don’t brag about it on social media. Mind you, just because you make it yourself doesn’t mean you aren’t breaking the law. Falsely using a government seal, for example, is a crime, but it probably won’t get you 120 years, which is why they came up with this creative charge. Doing a quick Google search, I found blank cards online, so I have no idea why anyone would buy one. Blank cards were also for sale on Amazon for a while – 10 for $12.99. Credit: Bleeping Computer

Another Day, Another Cryptocurrency Hack

Last week a hacker stole $600 million in cryptocurrency from Poly Network for fun … and then gave it back. This week hackers stole $97 million from the crypto exchange Liquid. This time it doesn’t appear to be a joke. The exchanges are getting better at freezing the money when this happens because they have so much experience at it. That is probably not a good thing. For the hackers, that is. Credit: Data Breach Today

BlackBerry Says Older Versions of Its QNX OS Are Vulnerable

BlackBerry sells a real-time operating system, QNX, used in cars, medical equipment and other embedded devices. This includes some 175 million cars (a number that doesn’t include the tens of millions of other devices that could have been bought pre-fix and are still in use in factories, warehouses and many other places). But those are older cars: BlackBerry says the bug (CVE-2021-22156, an integer overflow in the C runtime’s calloc() size calculation, one of the “BadAlloc” family) was fixed in QNX versions released after 2012, after denying for months that QNX was affected. That likely (maybe) means that products DESIGNED after 2013 or 2014 are not vulnerable, but that is a design date, not a manufacture or sale date. BlackBerry has released patches to manufacturers, but that doesn’t mean the patches have been installed. Credit: The Register

Ransomware 4.0? Maybe

First there was ransomware: encrypt your files and demand money. Then ransomware 2.0: steal your data as well, and demand money not to leak it. Next came ransomware 3.0, where the hackers go directly to the victim business’s customers (one example was a psychotherapy practice where the hackers threatened to release the therapists’ notes if the patients didn’t pay up). Now comes version 4: the hackers offer employees of the intended victim a cut of the ransom if they release the ransomware into their employer’s network. Wow. This is getting out of hand. Credit: Brian Krebs

Security News for the Week Ending August 13, 2021

Android Trojan Hits 140 Countries, 10,000 Victims Via Social Media Hijack

Security company Zimperium says it has found a new Android trojan it calls FlyTrap, which has been circulating since March and compromises the phones of users who sideload apps from third-party app stores. Once the malicious app is on the phone, it hijacks the user’s social media account and uses that account’s credibility to lure and infect other users. Zimperium says the infected apps are still available for download on third-party app stores. Credit: ZDNet

NY Police Department Bought Surveillance Gear Out of a Secret Slush Fund

While the police might not like my term for it, the fund is secret and not subject to oversight by anyone. Since 2007, the NYPD has spent over $150 million this way on mobile X-ray vans, Stingrays (cell-site simulators) and other gear. The documents that were released are heavily redacted, although transparency groups are still trying to get more information. Last year, after heavy pressure, the city passed a law (the POST Act) requiring the NYPD to disclose the surveillance technologies it uses, but there are still a lot of gaps in the available information. Credit: Wired

U of Kentucky Had a Bad Day

The University of Kentucky has an active security program, and as part of it conducts periodic penetration tests. This is a good thing. What made it a bad day is that the pentesters discovered they weren’t the first people to hack the university. In fact, in January 2021, hackers broke in and stole a database of over 350,000 users. How and why did they get in? Two clues. First, the university says the platform was developed in the early 2000s, long before we were worrying much about hackers. Second, it says it is moving the servers, after the breach, onto its centralized infrastructure. That suggests this system was a second-class citizen, and was protected accordingly. Credit: The Record

Amazon Stepping Up Employee Surveillance Due to Fraud

Data theft, insider threats and impostors accessing customer data at Amazon have gotten so bad that Amazon is considering keystroke-monitoring software (behavioral biometrics that profile how a person types, rather than what they type) to help confirm that the person at the keyboard is the employee they claim to be. Credit: Threatpost

Hospitals In Way Over Their Heads on IoT

Philips and CyberMDX released a new report on the state of IoT in hospitals. They split the survey between hospitals with more than 1,000 beds and those with fewer. A third of the respondents had fewer than 10,000 devices, almost a third had fewer than 25,000 devices and another 20% worked for hospitals with fewer than 50,000 devices. While most of the hospitals had an idea of the number of devices on their network, 15% of the mid-sized and 13% of the large hospitals did not even know how many devices were on their network. Almost half of the respondents said their staffing for IoT and medical device security was inadequate. The rest just don’t know that it is inadequate. The rest of the article is even more depressing. Credit: ZDNet