Friday 17 May 2019

$100M ‘GozNym’ Bank Trojan Gang: 6 Arrested, 5 at Large

Who Ya Gonna Call? Goz’busters

These five handsome specimens are wanted for an alleged conspiracy—to steal $100 million from bank accounts. Six others are in custody after a coordinated operation by European and U.S. law enforcement. All are said to be part of the GozNym malware network.

The perps allegedly have infected 41,000 PCs via phishy spam campaigns. They’re alleged to have extracted money in real time, as victims typed in their banking credentials.

It’s a win for international cooperation. In today’s SB Blogwatch, we can’t unsee those faces.

Thursday 16 May 2019

Cisco clueless about security, apparently: Meet Thrangrycat

3x U+1F63E: pissed pussies

Hundreds of Cisco products are vulnerable to a secure-enclave takeover. Dubbed Thrangrycat, it permits an attacker to hide a persistent threat inside the Trust Anchor module (TAm) of any number of Cisco networking boxes.

The kicker: The software image loaded by the TAm—the “bitstream”—is not encrypted, nor verified. I mean, seriously, what’s the point of it all?

Shouldn’t we all just give up now? It’s tempting. In this week’s Security Blogwatch, we try to ignore the researchers’ stupid, stupid use of emoji to name a vuln.

Tuesday 14 May 2019

WhatsApp Zero-Day let NSO Spyware Pwn Phones

Oh No, NSO

A buffer-overflow vulnerability in WhatsApp is being exploited to remotely take over victims’ devices. All it took was a missed call to infect the app on iOS and Android.

The payload seems to have been the NSO Group’s Pegasus commercial spyware. This Israeli nasty is known for use against journalists, activists, lawyers, etc.—basically anyone certain governments want to spy on.

The patch is now available. In today’s SB Blogwatch, we scramble to update.

Monday 13 May 2019

Russia’s ‘Fake News’ Swirls in U.S. and Europe

Vlad Mad Bro?

Here come yet more stories of Russia interfering in elections, Moscow-sponsored attempts to sow discord and Putin-led conspiracy-theory spreading. But it has to be said: These tales are suspiciously thinly sourced.

This time, it’s happening in the theater of European Parliament elections. But there’s also a renewed effort to convince Americans that 5G will kill their children. Or something.

Sure, there could be a there there—but where? In today’s SB Blogwatch, we break out the popcorn.

Friday 10 May 2019

Photo App Pivots to Violating Its Users’ Privacy

MFW I Learned: WTF?

Ever AI is accused of playing fast and loose with user privacy. An investigation alleges it’s been using billions of private photos from millions of users to train an AI facial-recognition product—aimed at enterprises, police forces and the military.

The app, formerly known as EverRoll, doesn’t get informed consent from its users, say critics. Since the story broke, the company has updated its privacy policy a little, but that’s hardly the point.

On the face of it, this isn’t a good look for Ever. In today’s SB Blogwatch, we go live in a cave, forever.

Thursday 9 May 2019

China eats NSA's lunch, uses its zero-days for a year

Chinese state-sponsored hackers have been making fools of the US National Security Agency. It turns out that Shadow Brokers weren’t the first to steal the NSA’s secret exploits.

“NObody But US”—NOBUS, the NSA doctrine of not reporting vulnerabilities so it can keep them for itself—is once again under fire. It’s now believed that China has been using the NSA’s own spy tools since early 2016—months before any previously known leak.

You gotta be kidding me! Nope. In this week’s Security Blogwatch, we jest not.

Monday 6 May 2019

Git Code Repos Held to Ransom – Thousands Hacked

Git Hit

Many private Git repositories are at risk of being leaked to the public. Anonymous hackers have wiped victims’ code and are demanding Bitcoin.

Or else? Or else they’ll open-source it for you. And then everyone will be able to see your soopah-sekrit sores, bruh.

But how? The way they broke in is making many scratch their heads: It seems people had been publishing their GitHub, GitLab or BitBucket credentials on the web.

FAIL! You could say that. In today’s SB Blogwatch, we furiously facepalm.

Friday 3 May 2019

Dell Hell Gets Hotter via Bad Bug in Every PC, Laptop

Every Dell endpoint running Microsoft Windows has a nasty remote-code execution vulnerability. The security hole is in the SupportAssist module.

Amazingly, Dell figured it would be great to allow a web page to take full control of a PC—admin privileges and all. Bypassing the tool’s minimal checks turns out to be trivial.

To top it off, it took Dell six months to fix this vulnerability. In today’s SB Blogwatch, we rush to install the patch.

Thursday 2 May 2019

Huge US data leak from Microsoft cloud; 65% of households at risk

Azure ’ad enough yet?

Yet another cloud database with no security. And this one’s enormous.

This time, Microsoft was discovered hosting an 80 million-row, open database of US adults aged over 40. We still don’t know who owns the data, but some speculate shadow IT is to blame.

Obviously, Microsoft bears no responsibility whatsoever for this fantastic faux pas. The unprotected dataset is stuffed full of PII, and represents about 65% of US households.

Let that sink in for a moment: sixty-five percent. In this week’s Security Blogwatch, we’re fed up with feeling déjà vu.

Tuesday 30 April 2019

Did Huawei Hide Backdoors in Telco Kit? Or Is This More Bloomberg BS?

Useful Idiots are Useful

Today’s revelation that Huawei put backdoors into telecom equipment is perfectly shocking. But is the story all that it seems?

Yes, it’s Bloomberg again, trying to sound authoritative about security. But, some say, failing spectacularly.

Remember last year’s hilarious “spy chip” story? In today’s SB Blogwatch, we don’t forget.

Friday 26 April 2019

Alexa! Why Are You Stalking Me? (Did Amazon Lie?)

Amazon’s Alleged Artifice

Amazon whistleblowers say thousands of Alexa team members supposedly can see your precise location. But just two weeks ago, didn’t the company pinky-swear they couldn’t?

Oh, and these teams include many employees and contractors in low-wage, overseas economies. Which might raise further questions of trust and safety.

Well, duh. In today’s SB Blogwatch, we pull the plug on the Echo and its ilk.

Thursday 25 April 2019

EU merges giant biometrics database. What could possibly go wrong?

Brexit starts to sound sane?

The 28 countries of the European Union each has its own biometrics databases of citizen IDs, residents, immigration, etc. The Common Identity Repository (CIR) project wants to centralize all that, with one enormous JOIN command.

I know what you’re thinking: “What a great idea! When CIR is up and running, law enforcement will be able to do a much better job of keeping EU citizens safe from all those bad people. I mean, I’m not a bad person, so CIR is a great thing, right?”

But what of the unintended consequences? And what about false positives? And how do we know the data won’t be misused—or hacked? In this week’s Security Blogwatch, we go off grid.

Tuesday 23 April 2019

Popular ‘WiFi Finder’ App Leaks 2 Million+ Passwords

A widely used Android app for finding free Wi-Fi passwords was horribly insecure. It’s been sitting on an unsecured database, open to the internet.

And the developer is nowhere to be found. Who knew that this modern version of warchalking could be so dangerous?

It gives a whole new meaning to Pre-Shared Key. In today’s SB Blogwatch, we put a tinfoil hat on your AP.

Thursday 18 April 2019

With No Permission, Facebook Slurped up ‘Hundreds of Millions’ of Email Contacts

Book Another Facebook Farce

This story only gets worse for Facebook: Two weeks ago, I told you about how Zuckerberg’s firm was demanding some users enter their email passwords. But now, further revelations make the situation look much, much worse.

It appears Facebook was actually copying those users’ entire contact lists—without permission. The company says it was “unintentional.” So that’s alright then.

How many more straws can fit on this camel’s back? In today’s SB Blogwatch, we’ve lost count of all the Facebook scandals.

Wipro customers hacked, says Krebs. Nothing to see here, says Wipro.

Wipro PR go slow—oh no

IT outsourcing outfit Wipro is under fire this week. Sources say it got hacked months ago, and since then has been used as a jumping-off point to hack its customers. Possibly by a state actor.

If that weren’t bad enough, when Brian Krebs—the journalist who reported the hack—asked the Bengaluru firm about it, his questions were ignored. When Wipro PR finally made a buzzword-bingo statement, it was only sent to Indian media.

And then Wipro executives contradicted the statement. Said execs went on to publicly badmouth the reporter.

This is a terrible example of how to act on a breach report. In this week’s Security Blogwatch, we break out the popcorn.

Tuesday 16 April 2019

Microsoft Cloud Breach: Hackers Read Your Email for 90 Days

Face Meets Palm

Hackers have been able to read the email of Microsoft’s free cloud customers—no password required. Yes, you read that right.

Incredibly, the perps got away with it for almost three months, from early January to late March. It appears they stole a master “golden” support credential—presumably via social engineering.

But Microsoft “takes data protection very seriously.” So that’s OK then.

On the face of it, this is palm-worthy to the max. In today’s SB Blogwatch, we can’t believe what we read:

Friday 12 April 2019

Trump Secret Service USB OpSec FAIL: ‘Spy’ Story Gets Weirder

That story about the Chinese woman accused of unauthorized entry to Trump’s Mar-a-Lago? It gained a weird new twist this week.

The Feds protecting the President supposedly found a USB stick and did the last thing you should ever do with an untrusted device—they stuck it into a PC. A Secret Service agent testified the PC then behaved in a “very out-of-the-ordinary” way. It’s still unclear what Yujing Zhang was attempting to do at President Trump’s private club in Florida.

On the face of it, this is really appalling operational security. But in today’s SB Blogwatch, we dig a little deeper.

Thursday 11 April 2019

Fintech fiddles as home burns: 97% of apps lack basic security

Nero ignores conflagration

This is not fine. A white-hat researcher examined 30 financial apps, looking for information security issues—worryingly, all but one of them were insecure.

The failures were mind-numbingly familiar, and dead easy to find. It’s as if the industry has learned nothing and is walking around with a sign on its back, saying, “Rob me.”

Have we learned nothing? In this week’s Security Blogwatch, we’re full of despair.

Tuesday 9 April 2019

Does Microsoft Violate GDPR? European Regulator Asks Tough Questions

EU privacy regulator investigates Microsoft. Audits contracts with EU bodies for compliance.

EDPS (the European Data Protection Supervisor) wants to ensure GDPR (the General Data Protection Regulation) is being adhered to by Microsoft and its customers inside the institutions of the EU itself, such as the Parliament and the Commission. This comes after serious allegations that Microsoft Office’s telemetry features fell afoul of GDPR.

This could get expensive for Redmond. In today’s SB Blogwatch, we search under the couch cushions, in case Satya needs a hand.

Monday 8 April 2019

Stalkerware? Spouseware? Creepware? Just Call it Horrific

Trigger warning: domestic abuse; stalking

The Electronic Frontier Foundation (EFF) is stepping up its fight against stalkerware. It’s asking for help from AV vendors, phone platform makers and law enforcement.

Also known as spouseware and creepware, this vile trade is responsible for enabling all manner of frightening and dangerous abuse, from stalking to serious sexual assault. It’s no laughing matter.

It’s time to put an end to it. In today’s SB Blogwatch, we’re truly horrified.

Thursday 4 April 2019

Exodus spyware exposes 'sorry' state of Android security

Android Angst; Government Gaffe

The sky is falling. At least, that’s what some conclude, after hearing about Exodus, a family of targeted malware discovered in the official Google Play app store.

By imitating legit apps, Exodus exfiltrates data from countless apps and Android services. It appears to be a lawful surveillance program that escaped from its tight, court-approved targeting of Italian suspects.

But Google says malware like this is vanishingly rare. In this week’s Security Blogwatch, we let my people go.

Wednesday 3 April 2019

Facebook Forces Users to Give Email Password (wait, what?)

Here’s Facebook’s latest unbelievable scandal: The company has been demanding that some users enter their email passwords, so they can be “verified.”

That’s right, their email password. Facebook claims it’s all above board: It’s for security, y’see—people can totally trust us. But critics say it trains users to do dangerous things.

And Facebook is said to be harvesting the users’ contacts without permission. All this just a month after the company was caught red-handed misusing other security identifiers. Yikes.

Facebook also claims that users can instead verify their email an alternate way, but the UX for that seems to be a blackest-of-Vantablack “dark pattern.” In today’s SB Blogwatch, we can’t believe our eyes.

Tuesday 2 April 2019

Office Depot and to Pay $35M for Fake Malware Scan ‘Scam’

Feds win technical victory against an alleged nine-year plan to fool customers. The Federal Trade Commission (FTC) claims Office Depot and deliberately lied to consumers, saying their PCs were infected with malware.

However, the scanning tool they used didn’t actually scan anything, according to the FTC. It merely asked a few questions, such as, “Does your PC frequently crash?” And if the customer answered “Yes” to any question, they’d be told the PC needed a $300 fix.

The companies settled out of court for $35 million, without admitting liability. In today’s SB Blogwatch, we feel fine.

Thursday 28 March 2019

Microsoft Hurts Charming Kitten (aka the APT35 Iran Hacking Group)

Microsoft has damaged a hacking group thought to be run by the Iranian military. APT35—also known as Charming Kitten, Ajax and Phosphorus—has now lost control of 99 internet domains it was using in spear-phishing attacks on journalists and activists.

Redmond’s finest had to ask a court to grant it control of the malicious Purr-sian domains, such as Now it is able to prevent web users from being phished and can collect valuable intelligence on APT35’s naughty tactics.

Go back to sleep, tiny cat. In today’s SB Blogwatch, we destroy your furniture.

ASUS ShadowHammer backdoor: Was China to blame?

ASUS laptops infected by the “ShadowHammer” malware were targeted by the People’s Republic of China. At least, that’s the implication of a Kaspersky Labs’ researcher.

Mind you, Kaspersky is alleged to be rather close to a certain other state. So a pinch of salt might be indicated.

Whoever’s responsible, there are worrying implications for the future of state-sponsored cyber-ops. In this week’s Security Blogwatch, everything looks like a nail.

Tuesday 26 March 2019

Apple Credit Card: Not So Secure, nor Private

Apple Card is here. It boasts anti-fraud security features and interesting privacy promises.

But is there much that’s new here? Probably not: People are saying it’s just a glossy sheen on top of existing technologies, and the privacy aspect ain’t all that.

What gives? In today’s SB Blogwatch, we wonder what all the fuss is about.

Friday 22 March 2019

Implanted Medical Devices Can Be Hacked Wirelessly, Warns U.S. Gov’t

Implantable cardioverter defibrillators (ICDs) made by Medtronic are insecure, says the Department of Homeland Security’s CISA team. Exploitation is trivial; possible outcomes include the death of the patient.

And wouldn’t you know it, Medtronic knew about the problem for more than a year. Basically, wireless commands can completely reprogram the devices; there’s no authentication and no encryption.

“Are you serious?” you ask. In today’s SB Blogwatch, we’re as serious as a heart attack.

Thursday 21 March 2019

Did Uber Use Spyware on Rival Taxi Firm? Yes (and No)

“Ride sharing” company stands accused of using spyware to damage a competitor’s business: An Australian taxi startup says Uber poached its drivers by spying on their movements.

Uber blames one rogue employee. But some commentators allege it’s not the first time the company’s used dirty tricks to boost its business. For example, there was that time Uber was banned from operating anywhere in London, England.

So what really happened here? In today’s SB Blogwatch, we make educated guesses.

The diagnosis for US electronic health records: Fatally flawed

EHR is badly broken. That’s the conclusion of a too-long report into electronic health records in the US.

It’s dangerous, buggy, expensive, over-complicated, and encourages fraud. And that’s even before we start to think of the likely security issues.

Stop. You’re killing me. In this week’s Security Blogwatch, we smell no evil.

Tuesday 19 March 2019

Ransomware Fighter Lives in Fear for his Life

This hacker hacks the hackers. He reverse-engineers ransomware so that victims can decrypt their files without paying money to criminals.

But the polar bear-loving Fabian Wosar lives in hiding at an undisclosed location. It’s all thanks to the threats and abuse he receives from ransomware gangs, which he describes as “the Russian mob.”

Scary stuff. In today’s SB Blogwatch, we peek behind the curtain and marvel.

Friday 15 March 2019

Android Security is a Hot Mess (yet Again)

Google’s Android smartphone platform is under fire again. Hundreds of “legitimate” apps have been infected with malicious third-party libraries—and not for the first time. These apps account for more than 320 million downloads.

The so-called SimBad and Operation Sheep SDKs are malicious, according to researchers. They’re able to phish, steal data and pop up ads over other apps.

Google keeps talking a grand talk, but is it proactive enough about nuking malware in the Play Store? In today’s SB Blogwatch, we avoid an Android army ambush.

Thursday 14 March 2019

30 years into the web, Sir Tim vents on scams, hacks and hate

Sir Tim Berners-Lee has been painting a slightly depressing picture of the web’s problems. But his recent open letter also celebrates the web’s extraordinary achievements.

So happy birthday, World Wide Web. It was 30 years ago when Sir Tim formally proposed Mesh, or Mine, or what we now know as the web.

As he super-tweeted in the 2012 Olympic Games, this is for everyone. But not everyone is on board the TBL-fanboi bus. In this week’s Security Blogwatch, we spin sticky silk.

Tuesday 12 March 2019

Citrix Systems Breached ‘for 10 Years by Iran,’ Claims Unknown Infosec Firm

Citrix Systems’ networks were infested with hackers, who stole terabytes of data. So says a security service provider nobody’s heard of—and that seems to have popped out of nowhere.

It was Iran, alleges the dubitable company. And so the mainstream media rush to parrot the unfound finding. But where’s the evidence?

Neither Citrix nor the FBI are saying. In today’s SB Blogwatch, we feel like useful idiots.

Friday 8 March 2019

Chrome Zero-Day RCE: Exploit in the Wild – Patch Now

Google is warning Chrome users to update their browser installations immediately. Previous versions have a nasty security bug that allows remote code execution.

And it’s not theoretical: It turns out that this vulnerability was already being exploited before the patch was available. Google is being super-cagey about the exact nature of the flaw, but the company is being unusually insistent about how urgent this is.

So you know what to do and when to do it. In this week’s SB Blogwatch, we sit up and take notice.

Thursday 7 March 2019

RSAC 2019: Better, wetter—and weirder

It’s that time again: Another RSA Conference in a rain-lashed San Francisco. This year’s theme is “Better.”

RSAC is the big infosec bunfight for hawkish vendors, arm-wavy consultants, and harassed PR mavens. Some think it’s the place to see and be seen, but others can’t wait for it to be over for yet another year.

And what caught your humble blogwatcher’s eye this year? In Security Blogwatch, we scour the Moscone Center so you don’t have to.

Tuesday 5 March 2019

Uproar Over Facebook 2FA Privacy Violation

Facebook has been caught red-handed again, so say privacy wonks. They accuse Zuckerberg’s crew of misusing phone numbers given to it for use in two-factor authentication.

Said wonks say Facebook is sharing the data with Instagram and WhatsApp to secretly link your profiles together. And that it lets miscreants look you up by your phone number, subjecting your identity to stalking, social engineering and other malicious awfulness. Facebook is also accused of violating GDPR, for using the numbers without consent.

Yet Facebook spokesdroids are unrepentant. In this inaugural SB Blogwatch, we phone a friend.

Thursday 28 February 2019

Google: 'Spectre can't be fixed.' Panic now?

Software alone can’t save us from Spectre-class vulnerabilities in modern CPUs. That’s the scary conclusion from a bone-dry research paper penned by Google engineers.

Be afraid. Be very afraid. Because there’s no evidence that CPU vendors are actually taking this thing seriously—even though they’ve known about it since June 2017 (perhaps even longer than that).

So all we have are code fixes that slow down our infrastructure without fixing the underlying problem. In this week’s Security Blogwatch, we run for the hills.

Friday 15 February 2019

Richi edits another book

via Kristina Podnar:

This book, out in March 2019, lets you unleash the power of digital policy. You can sign up now to be the first to hear about the release.

Thursday 14 February 2019

Hackers love Docker: Container catastrophe in 3, 2, 1...

The day we all feared would come has come. Docker and Kubernetes #containers are revealed to be badly vulnerable—along with LXC, Mesos, and several other container flavors.

An easily exploited flaw means a container can escape its paper-thin walls and execute on the host system—as root. Time to audit your trust boundaries.

Happy Valentine’s Day, DevOps peeps. In this week’s Security Blogwatch, we drop everything and patch.

Thursday 7 February 2019

FaceTime FauxPas: Sorry-not-sorry about the bug bounty boo-boo

Apple says sorry for the privacy-busting FaceTime bug we talked about last week.

But there’s no apology yet to the kid and his mother who tried their best to report the “FacePalm” bug to Apple, yet kept facing brick wall after brick wall. Although there is the vague suggestion the trillion-dollar company might pay him some money.

In trying to fix its PR fail, has Apple made things worse? In this week’s Security Blogwatch at TechBeacon, Richi Jennings is sorry.

Monday 4 February 2019

Remember me?

Hey, it's Richi. … Richi? … Jennings? … Yeah, that guy.

Thanks to the business geniuses at Surpass Hosting for quadrupling my hosting fee, and to the fine folks at Alphabet who are killing Google+, I'm resurrecting my old blog as a web presence.

Apologies in advance for dust and broken links. I'll get to fixing things up as soon as I can.

A lot's happened since my last post in 2011. Maybe I'll tell you about it sometime…