News Items

In a new study, researchers analyzed data traffic from ten popular Android apps (which are also all available on iPhones). The ten apps researched include Grindr, OkCupid, Tinder, Clue, MyDays, Perfect365, My Talking Tom 2, Qibla Finder, Happn, and Wave Keyboard. The researchers chose these apps because the apps were likely to have access to highly personal information. The ten analyzed apps transmit user data to at least 135 different third parties involved in advertising and/or behavioral profiling. The researchers also discovered that all but one of the apps share data beyond the device advertising ID, including a user's IP address and GPS position, personal attributes such as gender and age, and app activities such as GUI events.

Naked Security: "Apps are Sharing More of Your Data With Ad Industry Than you may Think"

Lawmakers are asking the Federal Communications Commission (FCC) to use the regulatory agency's authority over wireless carriers to enforce better protection for consumers from SIM swap scams. Fraudsters perform these scams by persuading wireless carriers to transfer control over a mobile account to them, allowing the hijacking of credentials. Using these attacks, scammers can hijack login credentials, bypass two-factor authentication (2FA), and commit crimes such as emptying a victim's bank account. Consumers are often unaware of the existing options they have to protect their wireless accounts until they fall victim to these forms of attacks. Additionally, available options are limited. Therefore, consumers have to depend on phone companies to protect them. A letter written by Sen. Ron Wyden, D-Ore., and signed by five House and Senate members calls on the FCC to hold mobile carriers responsible for securing their systems. This article continues to discuss the request to the FCC to protect consumers from phone hijackers and rise in SIM swap attacks.

NextGov reports "Lawmakers Ask FCC to Protect Consumers from Phone Hijackers"

Researchers believe that API security is going to be a significant threat surface in 2020. The increase of using container ecosystem and the popularity of mobile apps that connect to backend services have pushed the microservices architecture to the forefront. A variety of information, such as airline ticketing to online ordering, can be exposed through insecure APIs. Researchers also believe that IoT devices will be a primary target of adversaries in 2020. As the number of connected devices that individuals and companies use increases, the attack surface area must be monitored.

Help Net Security reports: "2020 Forecast: Attackers Will Target Non-Traditional Systems"

Researchers from INRIA in France and the Nanyan Technological University in Singapore developed a proof-of-concept attack that is capable of breaking the Secure Hash Algorithm-1 (SHA-1) code-signing encryption. The exploit developed by Gaetan Leurent and Thomas Peyrin is said to be less complicated and expensive than previous PoC attacks on SHA-1, lowering the level of complexity for attackers. The attack leaves users of GnuPG, OpenSSL, and GIT in danger as they still support SHA-1 in some way. This article continues to discuss the continued use of SHA-1 despite efforts to phase the cryptographic function out and the latest PoC attack on SHA-1.

Threatpost reports "Exploit Fully Breaks SHA-1, Lowers the Attack Bar"

Security researchers from the Germany-based security firm Greenbone Networks discovered the exposure of a billion medical images online. The exposure of these images is the result of hospitals, medical offices, and imaging centers using unprotected servers. The insecure servers expose patients' personal health information in addition to medical images, with almost half belonging to patients in the United States. Medical practitioners use the DICOM (Digital Imaging and Communications in Medicine) standard to store, retrieve, and transmit medical images to other medical practices. DICOM images can be viewed using any free-to-use apps and are usually stored in a PACS server, which is a picture archiving and communications system. However, medical offices often overlook security, connecting the PACS server to the internet without a password. This article continues to discuss the exposure of over 1 billion medical images, the research behind this discovery, and how medical organizations have responded.

TechCrunch reports "A Billion Medical Images Are Exposed Online, As Doctors Ignore Warnings"

The growth in connected vehicles creates opportunities for cyberattacks that pose a significant threat to the safety of drivers. The cybersecurity firm, GuardKnox, highlighted the danger in a demonstration at the recent Consumer Electronics Show in Las Vegas. Researchers demonstrated the potential impact of cyberattacks on connected vehicles in a Formula 1 driving simulation, which showed the compromise of a steering wheel by a hacker to remove its control over a speeding car. The scenario could become a real incident soon as new cars increase in connection to computer chips, sensors, and mobile technology. These elements will increasingly be abused by hackers to disrupt the operations of a vehicle. This article continues to discuss the hacked driving simulation demonstrated by GaurdKnox and the expected rise in attacks on connected cars.

TechXplore reports "Connected Cars Moving Targets for Hackers"

Researchers have found a flaw in Firefox 72 just two days after it was released. The issue researchers identified is called CVE-2019-17026. CVE-2019-17026 is a type confusion bug affecting Firefox's IonMonkey JavaScript Just-in-Time (JIT) compiler. The JIT compiler takes JavaScript source code and converts it to executable computer code for the JavaScript to run directly inside Firefox as if it were a built-in part of the app. The problem is fixed, and Firefox urges users to download the newest update to fix the issue.

Naked Security reports: "Browser Zero Day: Update Your Firefox Right Now!"

A security researcher at Malwarebytes recently reported the discovery of the first payment card skimmer to use steganography to evade detection. There has been an increase in the use of steganography to hide and deliver malicious data. Digital steganography refers to the covert communication of data via unsuspected formats such as image files, video clips, and audio files. Steganography differs from cryptography because the method hides the communication of data in addition to the data itself. The skimmer found by the researcher used an image of a free shipping ribbon commonly seen on shopping sites to conceal malicious JavaScript code. According to the same security researcher, some digital attackers are now using the WebSockets communications protocol instead of HTML to exchange data with skimmers, using a single TCP connection. This article continues to discuss the discovery of a payment card skimmer and its use of steganography, as well as the increased use of new techniques for web skimmers and how security professionals can defend against evasive attacks.

Security Intelligence reports "Attackers Invent New Evasion Techniques to Conceal Web Skimmer Activity"

Security researchers at Check Point recently discovered several security vulnerabilities in the popular Chinese-owned platform used for short-form mobile videos, TikTok. According to researchers, one of the vulnerabilities found in the platform could be exploited by hackers to allow them to hijack parts of a user's TikTok account remotely. Hackers could perform activities such as upload or delete videos, as well as alter video settings to change videos from being hidden to being exposed to the public. The exploitation could also allow hackers to send an SMS invite message to a victim, making it possible to send links that redirect users to malicious websites. Another vulnerability could allow hackers to collect personal information belonging to users, such as their email addresses. This article continues to discuss the popularity of the video-sharing app, the vulnerabilities found in the app by researchers, and the response to these findings by TikTok.

Threatpost reports "TikTok Riddled With Security Flaws"

Researchers conducted new research on what mobile phone brands and smartphone applications got targeted the most, through the year of 2019 in the United Kingdom. The data got collected trough analyzing monthly Google search data in 2019 on how many British users were searching for methods to hack different apps and phone brands. The researchers found that iPhone was the most targeted phone brand (10,040 searches), and Samsung came a distant second (700 searches). At the same time, Instagram was the most targeted application (12,410 searches), followed by Snapchat (7,380 searches) and Whatsapp (7,100 searches). The researchers also discovered that owners with iPhones are 167 times more at risk of people trying to hack them than other phone brands. Instagram app is also 16 times more at risk of getting hacked than a Netflix application.

SC Media reports: "Smartphone Analysis & Sats: Personal Use Leaves Work Smartphones Hackable"

According to recent studies, ransomware attacks are growing in sophistication and cost. Organizations must go beyond the exploration of technicalities of ransomware to bolster their security posture against such attacks. Security experts encourage organizations to delve deeper into the psychological nature of ransomware attacks. Organizations should be examining the factors that lead users to opening emails, links, or attachments sent from unknown entities despite their awareness of attacks that can be performed via these mediums. There are psychological factors that hackers abuse in the execution of ransomware attacks, which include compassion, helplessness, humiliation, and responsibility. This article continues to discuss the rise in ransomware attacks and the psychological factors that have led to the success of these attacks.

SC Magazine reports "The Psychology of Ransomware"

Due to a lack of visibility into an organization's security posture, it is difficult for government leaders to make decisions as to how defenses are prioritized. Government leaders rely on audit results to prioritize defenses. However, a more proactive approach to measuring and prioritizing risk is needed to help defenders figure out which areas to focus on securing. Baselining is a method that establishes what is known about a network or system, allowing defenders to detect abnormalities possibly caused by an attempted attack quickly. Although most agencies recognize the importance of baselining as a security control, the attention commanded by other more basic controls such as vulnerability scanning, asset discovery, and more, hinders the practice of baselining. Also, security leaders often get distracted by emerging technologies. This article continues to discuss the concept of baselining, the importance of this practice, why most agencies fail to practice baselining, and how agencies can start to baseline effectively.

GCN reports "Is the Inability to Baseline Systems Crippling Cybersecurity Progress and Oversight?"

The number of automotive cybersecurity incidents has increased dramatically. Since 2016, the number of annual incidents against automobiles has increased by 605%, with incidents more than doubling in the last year alone. The top three attack vectors over the past 10 years include keyless entry systems (30%), backend servers (27%), and mobile apps (13%). The top three impacts of automotive cybersecurity incidents over the past ten years were car thefts/break-ins (31%), control over car systems (27%), and data/privacy breaches (23%). Most of the automotive cybersecurity incidents that occurred in 2019 were caused by remote attacks (82%).

Help Net Security reports: "Automotive Cybersecurity Incidents Doubled in 2019, up 605% Since 2016"

Cyber professionals should be prepared to address three major cybersecurity trends in 2020. These trends include the consideration of cyber risks by financial investors, the increase in blunt-force attacks, and the adoption of cyber insurance policies by more companies. Investors will pay closer attention to the security of companies before investing in them. More hackers will use less complicated strategies to perform attacks, such as infiltrating a network via a third-party instead of exploiting zero-day vulnerabilities. Cyber insurance plans will be a more significant part of their cyber plans as cyberattacks grow in frequency and impact. This article continues to discuss the critical security trends cyber professionals should be on the lookout for in order to alter their cybersecurity plans and operations accordingly.

Help Net Security reports "Planning for 2020? Here Are 3 Cybersecurity Trends to Look Out For"

The FBI is warning U.S. companies about a new series of ransomware attacks using Maze ransomware. The adversaries conducting the ransomware attacks, sometimes pose as government agencies. The adversaries steal data of companies and then encrypt the data and demand a ransom. The new ransomware Maze uses multiple methods for intrusion. Sometimes adversaries create malicious look-a-like cryptocurrency sites, and other times the adversaries conduct malspam campaigns, impersonating government agencies and well-known security vendors.

CyberScoop reports: "FBI Warns U.S. Companies About Maze Ransomware, Appeals for Victim Data"

Researchers have discovered a new set of SQLite vulnerabilities that can allow attackers to run malicious code inside Google Chrome remotely. There were 5 vulnerabilities found in total and were named Magellan 2.0. All apps that use an SQLite database are vulnerable to Magellan 2.0; however, the danger of "remote exploitation" is smaller than the one in Chrome, where a feature called the WebSQL API exposes Chrome users to remote attacks. The vulnerabilities could allow a malicious website to run malicious code against its Chrome visitors. The researchers who discovered the vulnerabilities notified Google and the SQLite team of these issues. Google Chrome fixed the vulnerabilities with the new Google Chrome update, and the SQLite project fixed the vulnerabilities in a series of patches they completed.

ZDNet reports: "Google Chrome Impacted by New Magellan 2.0 Vulnerabilities"

Security experts expect deepfakes to pose a greater threat to cybersecurity in 2020. This expectation derives from the increasing implementation of biometrics to identify and authenticate a person. Deepfakes are fake, realistic-looking images, text, and video generated using a technique called a generative adversarial network (GAN). Researchers at McAfee stress that true facial recognition will be difficult to accomplish due to the continued advancement of deepfakes. According to researchers, improvements made to the execution of deepfakes will allow cybercriminals to more effectively perform activities such as impersonating a person to steal money, igniting information warfare, and more. This article continues to discuss the concept of deepfakes, the threat posed by deepfake attacks, the vulnerability of facial recognition systems, and the current limitations of deepfake technology.

Security Boulevard reports "Deepfakes Pose New Security Challenges"

Comparitech and security researcher, Bob Diachenko, discovered an unsecured Elasticsearch database online, which exposed sensitive information belonging to more than 267 million Facebook users, most of which reside in the US. The personal data exposed by the easily accessible database includes user IDs, phone numbers, and names. The internet service provider (ISP) managing the IP address of the server in which the database was stored, removed access to the data. However, researchers found that the data was already available to cybercriminals on a hacker forum as the database was exposed for two weeks prior to its removal. Evidence suggests that the data was collected as a part of an illegal scraping operation or through the abuse of the Facebook application programming interface (API). This article continues to discuss the discovery of an unprotected database that exposed information on over 267 million Facebook users, the type of information contained by the database, how cybercriminals may have stolen the data, and how this data can be used.

Security Week reports "267 Million Facebook Users Exposed in Accessible Database"

In 2019, ransomware wreaked havoc on governments, hospitals, schools, and more, causing significant disruptions to operations and impacting finances. The most notable ansomware incidents of 2019 include those faced by Baltimore, Louisiana state government agencies, 22 Texas cities, and the DCH Health System in Alabama. Some governments and hospitals decided to pay ransomware attackers due to the criticality of their services. However, federal authorities have suggested that victims of such attacks do not give in to hackers' demands for ransom payments, as it would encourage the execution of more ransomware attacks. This article continues to discuss the ransomware attack trends observed in 2019 and what security industry experts expect to see in 2020 in regard to ransomware, as well as other 2019 cybersecurity highlights.

GovTech reports "2019: The Year Ransomware Targeted State & Local Governments"

The company Wyze discovered that two databases between December 4th and December 27th were not appropriately secured. Information of 2.4 million customers with home security systems was exposed. User data relating to Wi-Fi service set identifiers, device information, body metrics, Alexa integration tokens, and email addresses were exposed. Passwords, government-issued identification, and financial information did not get exposed. Since discovering the databases, Wyze has secured those databases and is conducting an investigation.

PCMag reports: "Wyze: Data Leak Exposes 2.4 Million Customers"

US intelligence officials urge those that downloaded the social messaging app, ToTok, to uninstall the app immediately as it is supposedly a surveillance tool used by the government of the United Arab Emirates to collect data. In response to this discovery, Google and Apple have removed the app from its stores. However, if the app is already on a user's phone, it will continue functioning and possibly performing espionage for the UAE government. ToTok was ranked as the most popular app in many regions with 7.5 million downloads on Google Play and 2.3 million downloads on Apple's App Store. Patrick Wardle, a security researcher at Jamf, conducted a technical analysis of Totok, revealing that the app continuously runs in the background. With permission, the app also accesses users' microphones, location data, photos, contacts, and more. This article continues to discuss the ToTok messaging app's alleged use as an espionage tool, in addition to its features and supposed links.

Wired reports "Uninstall This Alleged Emirati Spy App From Your Phone Now"

An incident in which prison cameras were hacked is being investigated by authorities in Thailand. According to the Thai officials, a hacker was able to compromise the security camera system at Lang Suan Prison in the southern province of Chumphon and broadcast live surveillance video from the cameras, showing the prisoners performing different activities. The incident brings further attention to the importance of addressing the security vulnerabilities contained by Internet of Things (IoT) devices. This article continues to discuss the incident and how Thai officials have responded.

The New York Times report "Thai Officials Say Prison Cameras Were Hacked, Broadcast"

In a new survey of 1500 IT security professionals, researchers discovered that about half (54%) of organizations have a written policy on length and randomness for keys for machine identities, but 85% have a policy that governs password length for human identities. The researchers also found out that less than half (49%) of organizations audit the length and randomness of their keys, while 70% do so for passwords. Only 55% of organizations have a written policy stating how often certificates and private keys should be changed, while 79% have the equivalent policy for passwords. Out of the 1500 participants, only 42% of organizations they worked for automatically enforce the rotation of TLS certificates, compared with 79% that automatically enforce the rotation of passwords.

Help Net Security reports: "Only 54% of Security Pros Have a Written Policy on Length and Randomness for Keys for Machine Identities"

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.