
General IT Security related News for week ending 2020 05 19

Posted in Announcements by rps, May 2020

DE: Court Curbs German Spies’ Foreign Internet Surveillance

AFP: Germany’s foreign intelligence service (BND) violated the constitution by spying on internet data from foreigners abroad, the nation’s top court ruled Tuesday in a victory for overseas journalists who brought the case.

The BND agency’s surveillance violates “the fundamental right to privacy of telecommunications” and freedom of the press, judges at the Constitutional Court in Karlsruhe said in their verdict. But given the “great importance” of foreign surveillance to German security, the court gave the BND until the end of 2021 to change its practices and comply with the law. The ruling marked the first time the Constitutional Court clearly stated that the BND must respect fundamental rights accorded by Germany’s Basic Law constitution even when operating abroad.


US: DoJ Again Asks for Encryption Backdoors After Hacking US Naval Base Shooter’s iPhones

Eduard Kovacs for SecurityWeek: The U.S. Department of Justice (DoJ) announced on Monday that the FBI managed to gain access to the data stored on two iPhones belonging to an individual who last year killed and wounded several people at a United States naval base. Attorney General William Barr took the opportunity to highlight that Apple was asked for assistance in accessing the information on the two iPhones, but “the company declined to do so.”

“Thanks to the great work of the FBI – and no thanks to Apple – we were able to unlock Alshamrani’s phones,” Barr stated. “The trove of information found on these phones has proven to be invaluable to this ongoing investigation and critical to the security of the American people. However, if not for our FBI’s ingenuity, some luck, and hours upon hours of time and resources, this information would have remained undiscovered. The bottom line: our national security cannot remain in the hands of big corporations who put dollars over lawful access and public safety. The time has come for a legislative solution.”

Apple has denied refusing to assist the FBI and says the government’s false claims are an “…excuse to weaken encryption and other security measures. It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor — one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers,” Apple stated. “There is no such thing as a backdoor just for the good guys, and the American people do not have to choose between weakening encryption and effective investigations.”


UK: Sports retailer Páramo website compromised for nearly 8 months

London-based Páramo told customers last week that it had discovered a “small piece of computer code covertly installed within our website. This code copied card details entered, destined for PayPal and additionally sent them on to the attacker’s server. The data transferred was name, address, card number and CVV code.”

At least 3,743 people’s full card details – including all data points necessary to make online purchases elsewhere – were stolen between July 2019 and March this year.

“The hackers’ method used a PHP file which modified our IFRAME src so that it still loaded the PayPal code, but also loaded an external JavaScript file.” The JS file, named gcore.js, was externally hosted on an unremarkable third-party URL.

This was part of the infamous Magecart card skimmer malware that has been observed in the wild since summer 2019. And who can forget the Magecart attack that stole 380,000 people’s card details from British Airways a couple of years back?
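As an added defensive example (not code from the original post or from Páramo): a small Python check that lists every externally loaded script or iframe on a checkout page and flags any host that is neither the site itself nor an allowlisted payment provider, which is exactly how an injected gcore.js load would stand out next to the legitimate PayPal iframe. The allowlist, the sample page and the host names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is expected to pull script/iframe content from.
# Constructed allowlist for this example; a real shop lists its own CDN and PSP hosts.
ALLOWED_HOSTS = {"www.paypal.com", "www.paypalobjects.com"}


class ExternalLoadCollector(HTMLParser):
    """Collects every <script src=...> and <iframe src=...> found on the page."""

    def __init__(self):
        super().__init__()
        self.loads = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.loads.append((tag, src))


def find_unexpected_loads(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (tag, src) pairs whose host is neither the page's own host nor allowlisted.

    Relative URLs have no host and are treated as same-origin; protocol-relative
    URLs (//host/x.js) are resolved to their host, since skimmers use those too.
    """
    parser = ExternalLoadCollector()
    parser.feed(html)
    unexpected = []
    for tag, src in parser.loads:
        host = urlparse(src).netloc.lower()
        if host and host != page_host.lower() and host not in allowed:
            unexpected.append((tag, src))
    return unexpected


# Constructed sample: the PayPal iframe still loads as normal, but an extra,
# externally hosted script (named gcore.js, as in the report) has been injected.
SAMPLE_CHECKOUT = """
<html><body>
<script src="/js/checkout.js"></script>
<iframe src="https://www.paypal.com/checkoutnow"></iframe>
<script src="https://unrelated-cdn.test/gcore.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, src in find_unexpected_loads(SAMPLE_CHECKOUT, "shop.example-retailer.test"):
        print(f"ALERT: unexpected {tag} load from {src}")
```

A skimmer that the modified PHP file writes inline rather than as an external load would not appear here, so pair this check with a content-hash baseline of the checkout page.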


FR: France defends ‘centralized’ coronavirus tracing app, insists privacy held sacred

The concept is “track and trace” – ask citizens to download a mobile application, and if they are experiencing COVID-19 symptoms, they can flag themselves as potential cases. Individuals they have come into contact with will then be alerted, and vice versa.

Asking millions of people to download and use tracking apps is a challenge, and it has been estimated that at least 60-80% of the population would need to comply for the tracing app to be even vaguely effective.

A UK survey published last week suggested that half of respondents knew of at least one person who did not have a smartphone or the means to download the UK’s NHSX app, and almost half – 48% – cited a lack of trust in the government to safeguard the information collected by the app. We think you might find similar results for France.


US/NG: The Nigerian Fraudsters Ripping Off the US Unemployment System

Lily Newman for Wired: On Thursday, the Secret Service issued an alert about a massive operation to file fraudulent unemployment claims in states around the country, like Washington and Massachusetts. Officials attributed the activity to Nigerian scammers and said millions of dollars had already been stolen. New research is now shedding light on one of the actors tied to the scams—and the other pandemic hustles they have going.

The email security firm Agari today will release findings that an actor within the Nigerian cybercriminal group “Scattered Canary” is filing fraudulent unemployment claims and receiving benefits from multiple states, while also receiving CARES payouts from the Internal Revenue Service. So far this has netted hundreds of thousands of dollars in scam payments. Regular unemployment, the extra $600 per week that out-of-work Americans can claim during the pandemic, plus the one-time $1,200 payment eligible adults are receiving under the CARES Act are all vulnerable targets for cybercriminals. In the midst of a pandemic and critical economic downturn, though, the theft of those benefits could have particularly dire consequences. The Secret Service warns that hundreds of millions of dollars could be lost to such scams just as states are running out of money to fund unemployment on their own.

The personal data fraudsters are using right now, like home addresses and Social Security numbers, may come not only from countless recent data breaches, but from a spike in payroll data theft in March and April. When scammers claim unemployment benefits in someone’s name, they are either getting the money before the victim has a chance to, or are filing on behalf of people who haven’t actually lost their jobs. Of 82 cases the research firm tracked from the Nigerian group, 30 were accepted by the IRS. Ouch!


UK: EasyJet reveals cyber-attack exposed 9m customers’ details

The Guardian: Of the 9 million people affected, 2,208 had credit card details stolen, easyJet told the stock market. No passport details were uncovered. Those customers whose credit card details were taken have been contacted, while everyone else affected will be contacted by 26 May. EasyJet did not immediately give details of how the breach occurred, but said it had “closed off this unauthorized access” and reported the incident to the National Cyber Security Centre and the Information Commissioner’s Office (ICO), the data regulator.


US: AT&T tracked its own sales team using GPS and then secretly charged them for it, lawsuit claims

Daniel Gunther has sued the American telecom giant and hopes to lead a class-action lawsuit against it in California, where he is based. He alleges the cellular network used the GPS in its cars to keep tabs on sales reps, and then withheld an unagreed $85 to $135 a month from his pay for use of the car as one of a fleet of “in-home experts”. “In-home experts” make up to 33% of their pay by upselling existing cable and phone customers, but AT&T has classed them as exempt sales reps.

Although AT&T didn’t classify him as an employee, it may be hard to make a case that workers like Gunther are independent when they have to use its cars, are under constant surveillance, and spend much of their time supporting existing sales.

Given that Uber and Lyft just lost similar cases in California, we would not bet on AT&T.


US: Criminal forum trading stolen data suffers ironic data breach

John Dunn: There is a certain irony when hackers’ data gets hacked. It now appears that when the FBI seized WeLeakInfo(dot)com … another website called WeLeakData(dot)com also went dark. Now it seems that some of the owner’s data has been found for sale on the dark web. This data turns out to contain nuggets such as email addresses of account holders, their usernames, hashed passwords, and IP addresses – pretty much what would be part of any data breach. The haul also contained private messages between the criminal members.

These details could be of big interest to law enforcement and rival criminals.


US: Illinois blames ‘glitch’ for exposure of Pandemic Unemployment Assistance (PUA) applicant Social Security numbers, private data

Charlie Osborne: The Illinois Department of Employment Security (IDES) has acknowledged a security lapse that exposed the private information of independent contractors and the self-employed. Names, Social Security numbers, and other data points – including phone numbers and addresses – related to unemployment claims were leaked through the scheme’s website, which was set up to give gig workers access to funds if they have lost their jobs due to the COVID-19 pandemic. Over 44,000 applicants opened a claim within the first 24 hours. IDES’ data leak was uncovered by a business owner who applied for benefits and realized she was able to view information belonging to others.


U.S. Restriction on Chipmakers Deals Critical Blow to Huawei

AP: Huawei Technologies Ltd. is one of the biggest makers of smartphones and network equipment, but that $123 billion-a-year business is in jeopardy after Washington announced further restrictions on use of American technology by foreign companies that make its processor chips. The conflict is politically explosive because Huawei is more than just China’s most successful private company. It is a national champion among industries the ruling Communist Party is promoting in hopes of transforming China into a global competitor in profitable technologies. On Monday, China’s Ministry of Commerce warned it will protect “the legitimate rights and interests of Chinese enterprises,” but gave no details of potential retaliation. Beijing has threatened in the past to issue an “unreliable entities list” that might restrict operations of dozens of American companies in China.


UK: Crypto-Miners Take Out Supercomputers Working on #COVID19

Supercomputers across Europe appear to have been targeted by cryptocurrency miners over the past few days, forcing offline key IT resources working on COVID-19 research. One of the first to report problems was the University of Edinburgh’s Archer supercomputer, which was taken offline last Monday after “a security exploitation on the Archer login nodes.” Working with the National Cyber Security Centre (NCSC), the institution has been forced to reset all existing passwords and SSH keys. It was still down as of 2020 05 18.


UK: Face masks prompt London police to consider pause in rollout of facial recognition cameras

The United Kingdom has been a keen adopter of surveillance technology including facial recognition cameras in recent years, despite concerns that widespread spying erodes citizen rights to privacy. In two recent Live Facial Recognition (LFR) deployments, in which over 13,000 faces were scanned, six individuals were stopped – and five of the six were misidentified.

Results like that did not stop the Metropolitan police, but it seems a pandemic may do so. The police force is reportedly considering a pause on the scheme as so many in the capital are now wearing face masks.


NZ: Woman stalked by sandwich server via her COVID-19 contact tracing info

A woman in Auckland, New Zealand told the local news outlet Newshub that Subway required her to put her contact details on a contact-tracing form in order to place her food order. She didn’t think anything of it: we all want to stop the spread of the pandemic, after all. The form asked for her name, home address, email address and phone number, all of which she put down. Subsequently, she was contacted by a Subway employee on Facebook, Instagram, Messenger and via text.

She complained and the worker has since been fired, but she has been left with a feeling of unease that she is having a hard time getting over.


Last Tuesday’s Windows update

…Patched 111 different things, with 16 rated as “Critical”. You could look at that as “Great, Microsoft are getting everything patched, after the 115 patches in March” or, “Gee whiz, there’s a lot wrong there!”

Whatever the case, if you or anyone you know has a Windows machine, it really does need to have the latest updates applied!


AU: And finally, following on from last week’s non-security story: Australia wins AI ‘Eurovision Song Contest’

Jane Wakefield for the BBC: An Australian team has won a competition to write a hit Eurovision song using artificial intelligence.

An editor for Dutch broadcaster VPRO had the idea, after the Netherlands won last year’s Eurovision Song Contest. And it grew into an international effort after this year’s contest was cancelled because of the coronavirus pandemic. The winning song, Beautiful the World, was inspired by nature’s recovery from the bushfires earlier this year.

A total of 13 teams took part, from the Netherlands, Australia, Sweden, Belgium, the UK, France, Germany and Switzerland. The Australian team, called Uncanny Valley in a nod to how humans and robots may one day merge, was made up of maths, computer-science and social-anthropology students, as well as music producers.

The melody and lyrics were written by an AI system, trained with audio samples of koalas, kookaburras and Tasmanian devils.

Looks like another winning pick for Digital Asset!
