News Roundup for the 31st of July 2019

Capital One reported a data breach by a hacker in Seattle who goes by Erratic. The data breach occurred due to a faulty configuration on Capital One’s firewall which allowed Erratic to access full names, SSNs, physical addresses, bank account numbers, and more from 106 million people.

Sephora customers in New Zealand, Australia, Singapore, Malaysia, Indonesia, Thailand, Philippines, and Hong Kong SAR were affected in a data breach to their online services. Exposed information includes full name, date of birth, gender, email address, and encrypted passwords, plus beauty preferences. The company has sent out a password change email and data monitoring services are available.

Equifax has to pay $575 million as part of their settlement with the FTC and CFPB to consumers whose data was affected in the 2017 breach. Ironically, as part of the settlement, they are offering consumers their credit monitoring service, they very service that was breached in the first place. Time I feel for Equifax, and Experian (who has had their fair share of breaches) to improve their security. To find out if you were affected, and to find out how much you can claim, see the links below:

Marcus Hutchins, AKA MalwareTech, is done with his court case. Hutchins pleaded guilty to creating and distributing banking malware when he was much younger, and due to his recent years of service fighting against malware, the judge sentenced him to time served.

The BlueKeep flaw has been officially exploited in a penetration testing software platform called Canvas. Canvas is available for sale by an American company who contracts with the US government. This is bad for those businesses out there that have Windows Server 2008 connected on the internet and run RDP. Even worse though is that there is a Metasploit module available from a number of GIT repositories.

Russian made Monokle surveillanceware has been found in the wild being used to spy on Android devices. The malware modifies the Android trusted certificate store and C&C network that communicates over TCP, emails and more. It can read calendar, WhatsApp, Instagram, SMS and more messages. It can steal the PIN code off a phone, make outgoing calls, record calls and a whole slew more. It appears it was not available in the google play store, but as a third party download.

Ransomware hit Johannesburg in South Africa last week, infecting the electricity provider which in turn created blackouts for much of the residents. City Power was infected via the company’s database, internal network, official website and web apps.

According to reports, Apple uses a team of contractors to listen to recordings that are made via Siri to improve its accuracy. So basically any device that listens to your voice may be recording those for another human to listen to.

LibreOffice has a vulnerability that would allow an attacker to gain access to your system with malware just by opening a malicious document. It resides in LibreLogo, which is used for vector graphics. It was fixed but was later bypassed by a security researcher. A patch is not currently available but installing LibreOffice without macros can keep you safe.

If you use Androids native video player, you could put yourself at risk of being compromised with a remote code execution vulnerability. An attacker could send a specially crafted video to you that holds and hides malicious code, which can infect your device. Google released a patch earlier this month.

Facebook has been fined $5 billion by the FTC due to it’s collection of consumer data. This fine and agreement with the FTC does nothing to protect Facebook users from further collection of data. It doesn’t stop collection or sharing, or use for targeted advertising. Facebook made 16.9 billion in sales for the second quarter alone, so a $5 billion fine is pennies in their wallet.

ProFTPD, an open source FTP server, is vulnerable to attackers and would allow them to copy any file from a server via the FTP server without authorization. Unfortunately ProFTPD was alerted way back in September and did nothing to fix it, so Debian was eventually contacted as well. Once that happened, a backport to 1.3.6 was made available.

Privacy advocates are worried that satellite imagery will enable 24 hour surveillance. Over 140 imaging satellites are currently in orbit, many of which are privately owned. Creepy.

Senate Majority Leader Republican Mitch McConnell blocked some election security bills last week, calling them partisan legislation. Ironically, the voting machine hacking village at DEF CON received wide support last year for showing how most, almost all, voting machines are indeed vulnerable to ridiculously easy hacks.

Breaking encryption

In the never ending cycle of law enforcement vs tech sector, Attorney General William Barr is arguing again against consumer encryption on devices and online systems, stating that it seriously degrades LEO ability to prevent crimes before they happen. They love the idea of “responsible backdoors”, but he didn’t mention anything about currently used tools like GrayKey, that can bypass certain encryptions. He may not have to wait too long though since the Los Alamos National Laboratory is holding a Quantum Computer Summer School which teaches talented students about the future of computing. The sooner quantum computing is with us, the faster our current encryption techniques will be broken.

A unique steganography attack was found in the wild. An attack was implanting PHP code into JEPG file EXIF headers to get malware onto target websites. This is an old school way of hiding data inside image files, and while inherently illegal to put on websites you don’t own, is still pretty cool.

According to analysts at Sucuri, a cybersecurity company, typosquatting is being used to masquerade malicious card skimming domains as legitimate Google sites. Attackers are leveraging vulnerable Magento websites so admins should patch as soon as possible.

Amazon & Police

Amazon is working with five real estate companies to offer up to $5000 in Amazon credit including free Smart Home products for new home buyers. This includes Echo devices and Ring doorbell systems. Yikes.

Alongside this we’re still seeing reports about local law enforcement agencies working closely with Amazon to offer free Ring devices. LEOs are advertising the free Ring devices if residents download the Amazon surveillance app, Neighbors, which is basically a neighborhood watch app.

Comodo Antivirus software has a whole slew of vulnerabilities that could allow for sandbox escape and privilege escalation attacks on a system. A tenable research engineer released a Proof of Concept on the attack. These CVEs were resolved in a July 29th update.