News Items

Security researchers have discovered that it is possible to hack a computer through the use of a malicious tool, called the O.MG Cable, which is a modified Apple lightning cable. According to researchers, the O.MG cable appears legitimate because it performs the same expected functions as a regular cable. However, this cable has been modified to contain additional components that could allow hackers to remotely hijack a victim's computer, run malicious payloads, and more. This article continues to discuss the creation and possible activities that can be performed by hackers via the use of the O.MG cable.

Motherboard reports "These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer"

It has been discovered that between 2012 and 2017, an individual recruited AT&T employees at the company's call center in Bothell, Washington, to plant malware and misuse the company's computer networks to illegally unlock phones. To do that, the insiders who were bribed disabled proprietary software that locked AT&T phones and prevented them from being used on other carriers' systems. When people slip out of the proprietary locking software, they're also slipping out of the long-term service contracts that bind them to AT&T's wireless network.

It has been dicovered that it is becoming harder for organizatioins to detect malware. Many modern malware tools are now incorporating features for evading antivirus or other threat detection measures, but cyber adversaries are becoming more sophisticated in their obfuscation and anti-analysis practices to avoid detection. With the growing use of anti-analysis and broader evasion tactics, companies should make sure to have a multi-layered defenses and behavior-based threat detection systems in place.

Help Net Security reports: "Attackers' Growing use of Anti-Analysis, Evasion Tactics Pose a Challenge to Enterprises"

The LeapPad Ultimate is a tablet designed for children between the ages of 3 and 6 that has recently been discovered by researchers from Checkmarx to be vulnerable to hacking. According to researchers, the tablet contains flaws that could be exploited by attackers to perform a number of malicious activities such as executing man-in-the-middle attacks, tracking devices, and sending messages to children. This article continues to discuss the security vulnerabilities found in the LeapPad Ultimate, what the exploitation of these security flaws could allow malicious actors to do, LeapFrog's response to these findings, and other discoveries of vulnerabilities in children's products.

CNET reports "Tablet for Kids Had Flaws That Exposed Info, Location"

Three U.S. utility companies were the targets of a spear phishing campaign in which new malware, called LookBack, was used. The spear phishing emails sent to these companies appeared to be from a U.S.-based engineering licensing board. However, once the malicious attachment in these emails were opened, the remote access Trojan, LookBack, would be executed. According to researchers at Proofpoint, LookBack would allow attackers delete files, execute commands, take screenshots, and more, on infected systems. This article continues to discuss the spear phishing campaign in regard to its targets, techniques, and malware in addition to the suspected perpetrators behind the launch of this attack.

TechRadar reports "U.S. Utility Firms Hit by State-Sponsored Spear-Phishing Attack"

A mock hospital, called the Medical Device Village, will be set up at the 2019 DefCon hacking conference. The model hospital will consist of various medical devices, including pacemakers, insulin pumps, and other gadgets that one would find in an actual medical facility. In order to increase interest in bolstering the security of medical devices, researchers are encouraged to hack the devices in the model hospital. In addition to the mock hospital, there will be a formal capture the flag hacking competition and an opportunity for participants to get a more hands-on hacking experience. This article continues to discuss the Medical Device Village in relation to its purpose, pervious versions, and support, along with the importance of implementing security in the design of medical devices.

Wired reports "A Model Hospital Where the Devices Get Hacked--on Purpose"

The National Security Agency is currently taking applications for internships in the summer 2020 for its Summer Program in Science of Security. Applications are being accepted until October 15, 2019.

Consumer Watchdog (CW) has released a new report, titled Kill Switch: Why Connected Cars Can be Killing Machines and How to Turn Them Off, which highlights the threat posed by connected vehicles to national security. While connected vehicle technologies offer unique benefits, they also introduce significant security risks, which have the potential to cause loss of life. Connected cars are more vulnerable to being hacked, manipulated, and disabled. According to the report, as the use of connected cars increases, the possibility of a large-scale hack on such vehicles that could lead to fatalities grows. This article continues to discuss the growing number of connected cars on the road, the threat posed by connected cars, automotive cybersecurity, and recommendations to improve the security of connected vehicles.

Security Week reports "Connected Cars Could be a Threat to National Security, Group Claims"

A new report, titled Online Discoverability and Vulnerabilities of ICS/SCADA Devices in the Netherlands, recommends that vital infrastructure is protected differently as a result of the significant consequences that could occur when hackers attack such infrastructure. Research conducted by the University of Twente for the Scientific Research and Documentation Centre (WODC) of the Dutch Ministry of Justice and Security highlights the possibility of hackers disrupting critical infrastructures' operations and proper functions. This article continues to discuss the threats posed to critical infrastructure by hackers, cases in which hackers have targeted vital systems in different countries, and key findings of the report.

The University of Twente reports "Vital Infrastructures in the Netherlands Vulnerable to Hackers"

Earlier this year, security researchers named Mathy Vanhoef and Eyal Ronen uncovered critical design flaws in the Wi-Fi security and authentication standard, Wi-Fi Protected Access 3 (WPA3), which they dubbed Dragonblood vulnerabilities. Vanhoef and Ronen have discovered two new Dragonblood vulnerabilities that impact the WPA3 Protocol. According to the researchers, the exploitation of these vulnerabilities could allow attackers to recover Wi-Fi passwords as well as leak information from the standard's cryptographic operations. The Wi-Fi Alliance is now updating WPA3 to prevent the attacks highlighted by researchers. However, researchers are calling for the Wi-Fi alliance to allow the open-source community to help bolster the security of the standard. This article continues to discuss the impacts of the new Dragonblood vulnerabilities, the response to this discovery, and Wi-Fi Alliance's closed standards development process.

ZDNet reports "New Dragonblood Vulnerabilities Found in Wi-Fi WPA3 Standard"

Internet-connected cars are more vulnerable to being hacked and disabled. A study conducted by a team of physicists at the Georgia Institute of Technology and Multiscale Systems Inc. looked into the effects that a large-scale hack on Internet-connected vehicles could have on traffic flow in a city. The study brings further attention to the physical consequences that could occur when cars are compromised by hackers. This article continues to discuss the study and its findings, along with some ideas as to how the potential damage inflicted by hacked connected cars could be reduced.

Homeland Security News Wire reports "Hacking Connected Cars to Gridlock Whole Cities"

A legal intervention campaign aimed at giving young first-time cybercrime offenders a second chance, called Hack_Right, has been created by police in the U.K. and the Netherlands. The effort is geared towards people between the ages of 12 and 23 who are suspected to have committed cybercrimes. These hackers would be pushed into doing community service in which they are required to complete 10 to 20 hours of ethical computer training. The program also puts participants in contact with professionals who can help them explore possible career paths and educational opportunities that would support their interests. This article continues to discuss the aim and structure of the Hack_Right program, as well as how European and American approaches to cybercriminal enforcement are different.

CyberScoop reports "Teenage Hackers Are Offered a Second Chance Under European Experiment"

An independent researcher has the discovered the exposure of an Amazon S3 bucket that contains data belonging to Bank of Cardiff. This data contains more than one million audio recordings of phone calls made by the bank's employees. Some of the phone conversations include the names and direct phone numbers of specific Bank of Cardiff employees. Other audio recordings include employees' calls to customers about loans, potential customers' discussions about their financial plans, and more. Based on the AWS folder directory, many of these recordings were made between 2015 and 2017. This article continues to discuss the exposure of Bank of Cardiff phone calls, the sensitive information revealed by these audio recordings, and the bank's response to this discovery.

Motherboard reports "One Million Bank Phone Calls Found in Exposed Server"

Academics from Plymouth's Center for Security, Communications, and Network (CSCAN) Research conducted a study in which they examined the effectiveness of phishing filters in different email providers. The majority of potential phishing messages used in this study successfully reached inboxes and were not labeled as spam or suspicious, which indicates the significant inadequacy of email providers' phishing filters. Findings of the study calls for technology companies to improve their efforts in protecting individuals and organizations against phishing threats. This article continues to discuss the study and its findings, as well as the rising number of phishing incidents, the different forms of phishing, and the importance of improving phishing detection.

Science Daily reports "Tech Companies Not Doing Enough to Protect Users from Phishing Scams"

It has been discovered that there are vulnerabilities in Apple Wireless Direct Link (AWDL), the wireless protocol that underpins Apple's AirPlay and AirDrop services. These vulnerabilities could allow attackers to track users in spite of MAC randomization, to intercept and modify transmitted files, and to prevent transmission or crash devices altogether. Apple has been notified of these vulnerabilities and has fixed one Denial of Service (DoS) bug, but to address the rest of the vulnerabilities discovered, they have to redesign some of their services.

Help Net Security reports: "AWDL Flaws Open Apple Users to Tracking, MitM, Malware Planting"

The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an alert for small planes pertaining to the vulnerability of modern flight systems to hacking. According to the ICS Alert, a small device could be attached to an avionic CAN bus, allowing attackers to manipulate engine readings, compass data, altitude, and more, so that incorrect measurements are given to pilots. A pilot that is dependent on instrument readings could lose control of an aircraft if they are given false readings. Therefore, plane owners are urged to restrict physical access to their aircraft by unauthorized individuals. In addition, manufacturers of aircraft are encouraged to review the implementation of the CAN bus to limit the performance of such attacks. This article continues to discuss the vulnerability of small planes to being hacked and concerns surrounding aviation cybersecurity.

AP reports "U.S. Issues Hacking Security Alert for Small Planes"

It has been discovered that Capital One, has been affected by a massive data breach, which allowed the attacker to retrieve information related to people who had applied for its credit card products and to Capital One credit card customers. Approximately 100 million individuals in the United States and approximately 6 million in Canada were affected by this breach. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: customer status data, for example: credit scores, credit limits, balances, payment history, contact information, and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018. The company also discovered that credit card account numbers or log-in credentials were not compromised, but that around 140,000 Social Security numbers of their credit card customers, around 80,000 linked bank account numbers of their secured credit card customers, and approximately 1 million Social Insurance Numbers of their Canadian credit card customers were. The individual responsible for this data breach has been arrested.

Help Net Security reports: "Capital One Breach: Info on 106 Million Customers Compromised, Hacker Arrested"

Blockchain technology has attracted much attention from leaders across different industries as this technology has the potential to improve upon security and privacy. It has been pointed out by researchers that the methods of blockchain technology could be applied to improve authentication for IoT device security, ensure the confidentiality and integrity of data, and much more. However, vulnerabilities that could allow a blockchain to be compromised by malicious actors still exist. A cybersecurity firm, named Kudelski Security, recently announced the release of an insecure blockchain, called FumbleChain, into the wild. Hackers' attempts at attacking this blockchain would be used to develop better methods to securing blockchains. This article continues to discuss Kudelski Security's FumbleChain in regard to its purpose and approach, as well as the security of blockchains.

TNW reports "Security Firm Releases Flawed Blockchain into the Wild to Help Educate Hackers"

Users of WhatsApp received a message stating that the app was giving away 1000 GB of internet data to celebrate its anniversary. This is a scam, the URL that comes with the message is not an official WhatsApp domain. When one clicked on the link the user would be taken to a page that invites them to answer a series of questions in the form of a survey - ranging from how you found the offer to your opinion on the app. While responding to the questionnaire, the site invites the user to pass along the offer to at least 30 more people in order to qualify for the big 'reward'. The goal of this scam is click fraud, which is a highly prevalent monetization scheme that relies on racking up bogus ad clicks that ultimately bring revenues for the operators of any given campaign. Even though in this case there was found no evidence that clicking the link led to the installation of malicious software or that there was any intention to phish for personal information, it doesn't mean that this cannot change at any time. Users need to be more aware and more cautious of clicking on links sent to them.

WeLiveSecurity reports: "Scam Impersonates WhatsApp, Offers 'Free Internet'"

Insiders could deliberately or inadvertently expose sensitive information, damage systems, and more, posing a significant threat to the security of organizations. According to the 2019 Insider Threat Report released by Nucleus Cyber, the frequency with which organizations face insider attacks has increased within the last 12 months. The types of inside threats that are most concerning to organizations include inadvertent data breaches or leaks, negligent data breaches, and malicious data breaches. The report also reveals that most organizations are struggling to determine the damage inflicted by each insider attack. This article continues to discuss findings of the report in relation to the rise in insider threats, which types of insider threats are raising the most concern among organizations, and the detection of insider attacks.

Help Net Security reports "Damaging Insider Threats Rise to New Highs in the past Year"

The National Security Agency (NSA) has announced the creation of a new unit aimed at defending the U.S. against foreign adversaries in cyberspace. NSA's Cybersecurity Directorate will be under the leadership of Anne Neuberger who was the agency's first Chief Risk Officer, Deputy Director of Operations, and leader of the NSA unit, called Russia Small Group. This article continues to discuss the NSA's Cybersecurity Directorate in relation to its leadership and mission, along with foreign nations' attempts at executing cyberattacks.

Infosecurity Magazine reports "NSA Launches New Unit to Tackle Foreign Threat"

A recent cyberattack trends report released by Check Point highlights that there has been a significant increase in mobile banking malware. Attackers can use banking malware to steal payment card data, credentials, and other financial information. The increased availability of malware-building kits to hackers in dark web forums has been cited as one of the reasons behind the rise in mobile banking malware. The report also brings further attention to the growing use of techniques and methods such as delaying execution and encrypting malicious payload in mobile attacks. This article continues to discuss the recent surge in mobile banking malware and other key findings on cyberattacks.

Computer Weekly reports "Mobile Banking Malware Surges in 2019"

Stock trading service Robinhood, has been storing some customers' passwords in cleartext. Once this was discovered they notified customers that they thought were impacted. There is no sign that any data had been seen by outside sources. To mitigate this problem from happening again users passwords are now being hashed using the Bcrypt algorithm. Storing passwords in cleartext is a huge security blunder; however, they are not the only company this year to store passwords in plain text. Facebook, Instagram, and Google have all also admitted to storing users passwords in cleartext. Businesses need to in the future make sure that no passwords are stored in clear text, and should encrypt all of users passwords.

ZDNet reports: "Robinhood Admits to Storing Some Passwords in Cleartext"