Thursday, 30 May 2019
Wednesday, 29 May 2019
Thursday, 23 May 2019
Tuesday, 21 May 2019
Friday, 17 May 2019
Who Ya Gonna Call? Goz’busters
These five handsome specimens are wanted for an alleged conspiracy—to steal $100 million from bank accounts. Six others are in custody after a coordinated operation by European and U.S. law enforcement. All are said to be part of the GozNym malware network.
The perps allegedly have infected 41,000 PCs via phishy spam campaigns. They’re alleged to have extracted money in real time, as victims typed in their banking credentials.
It’s a win for international cooperation. In today’s SB Blogwatch, we can’t unsee those faces.
Read more: securityboulevard.com/2019/05/100m-goznym-bank-trojan-gang-6-arrested-5-at-large
Thursday, 16 May 2019
3x U+1F63E: pissed pussies
Hundreds of Cisco products are vulnerable to a secure-enclave takeover. Dubbed Thrangrycat, it permits an attacker to hide a persistent threat inside the Trust Anchor module (TAm) of any number of Cisco networking boxes.
The kicker: The software image loaded by the TAm—the “bitstream”—is not encrypted, nor verified. I mean, seriously, what’s the point of it all?
Shouldn’t we all just give up now? It’s tempting. In this week’s Security Blogwatch, we try to ignore the researchers’ stupid, stupid use of emoji to name a vuln.
Read more: techbeacon.com/security/cisco-clueless-about-security-apparently-meet-thrangrycat
Tuesday, 14 May 2019
Oh No, NSO
A buffer-overflow vulnerability in WhatsApp is being exploited to remotely take over victims’ devices. All it took was a missed call to infect the app on iOS and Android.
The payload seems to have been the NSO Group’s Pegasus commercial spyware. This Israeli nasty is known for use against journalists, activists, lawyers, etc.—basically anyone certain governments want to spy on.
The patch is now available. In today’s SB Blogwatch, we scramble to update.
Read more: securityboulevard.com/2019/05/whatsapp-zero-day-let-nso-spyware-pwn-phones
Monday, 13 May 2019
Vlad Mad Bro?
Here come yet more stories of Russia interfering in elections, Moscow-sponsored attempts to sow discord and Putin-led conspiracy-theory spreading. But it has to be said: These tales are suspiciously thinly sourced.
This time, it’s happening in the theater of European Parliament elections. But there’s also a renewed effort to convince Americans that 5G will kill their children. Or something.
Sure, there could be a there there—but where? In today’s SB Blogwatch, we break out the popcorn.
Read more: securityboulevard.com/2019/05/russias-fake-news-swirls-in-u-s-and-europe
Friday, 10 May 2019
MFW I Learned: WTF?
Ever AI is accused of playing fast and loose with user privacy. An investigation alleges it’s been using billions of private photos from millions of users to train an AI facial-recognition product—aimed at enterprises, police forces and the military.
On the face of it, this isn’t a good look for Ever. In today’s SB Blogwatch, we go live in a cave, forever.
Read more: securityboulevard.com/2019/05/photo-app-pivots-to-violating-its-users-privacy
Thursday, 9 May 2019
Chinese state-sponsored hackers have been making fools of the US National Security Agency. It turns out that Shadow Brokers weren’t the first to steal the NSA’s secret exploits.
“NObody But US”—NOBUS, the NSA doctrine of not reporting vulnerabilities so it can keep them for itself—is once again under fire. It’s now believed that China has been using the NSA’s own spy tools since early 2016—months before any previously known leak.
You gotta be kidding me! Nope. In this week’s Security Blogwatch, we jest not.
Read more: techbeacon.com/security/china-eats-nsas-lunch-uses-its-zero-days-year
Monday, 6 May 2019
Many private Git repositories are at risk of being leaked to the public. Anonymous hackers have wiped victims’ code and are demanding Bitcoin.
Or else? Or else they’ll open-source it for you. And then everyone will be able to see your soopah-sekrit sores, bruh.
But how? The way they broke in is making many scratch their head: It seems people had been publishing their GitHub, GitLab or BitBucket credentials on the web.
FAIL! You could say that. In today’s SB Blogwatch, we furiously facepalm.
Read more: securityboulevard.com/2019/05/git-code-repos-held-to-ransom-thousands-hacked
Friday, 3 May 2019
Every Dell endpoint running Microsoft Windows has a nasty remote-code execution vulnerability. The security hole is in the SupportAssist module.
Amazingly, Dell figured it would be great to allow a web page to take full control of a PC—admin privileges and all. Bypassing the tool’s minimal checks turns out to be trivial.
To top it off, it took Dell six months to fix this vulnerability. In today’s SB Blogwatch, we rush to install the patch.
Read more: securityboulevard.com/2019/05/dell-hell-gets-hotter-via-bad-bug-in-every-pc-laptop
Thursday, 2 May 2019
Azure ’ad enough yet?
Yet another cloud database with no security. And this one’s enormous.
This time, Microsoft was discovered hosting an 80 million-row, open database of US adults aged over 40. We still don’t know who owns the data, but some speculate shadow IT is to blame.
Obviously, Microsoft bears no responsibility whatsoever for this fantastic faux pas. The unprotected dataset is stuffed full of PII, and represents about 65% of US households.
Let that sink in for a moment: sixty-five percent. In this week’s Security Blogwatch, we’re fed up with feeling déjà vu.
Read more: techbeacon.com/security/huge-us-data-leak-microsoft-cloud-65-households-risk
Tuesday, 30 April 2019
Useful Idiots are Useful
Today’s revelation that Huawei put backdoors into telecom equipment is perfectly shocking. But is the story all that it seems?
Yes, it’s Bloomberg again, trying to sound authoritative about security. But, some say, failing spectacularly.
Remember last year’s hilarious “spy chip” story? In today’s SB Blogwatch, we don’t forget.
Read more: securityboulevard.com/2019/04/did-huawei-hide-backdoors-in-telco-kit-or-is-this-more-bloomberg-bs
Friday, 26 April 2019
Amazon’s Alleged Artifice
Amazon whistleblowers say thousands of Alexa team members supposedly can see your precise location. But just two weeks ago, didn’t the company pinky-swear they couldn’t?
Oh, and these teams include many employees and contractors in low-wage, overseas economies. Which might raise further questions of trust and safety.
Well, duh. In today’s SB Blogwatch, we pull the plug on the Echo and its ilk.
Read more: securityboulevard.com/2019/04/alexa-why-are-you-stalking-me-did-amazon-lie/
Thursday, 25 April 2019
Brexit starts to sound sane?
The 28 countries of the European Union each have their own biometrics databases of citizen IDs, residents, immigration, etc. The Common Identity Repository (CIR) project wants to centralize all that, with one enormous JOIN command.
I know what you’re thinking: “What a great idea! When CIR is up and running, law enforcement will be able to do a much better job of keeping EU citizens safe from all those bad people. I mean, I’m not a bad person, so CIR is a great thing, right?”
But what of the unintended consequences? And what about false positives? And how do we know the data won’t be misused—or hacked? In this week’s Security Blogwatch, we go off grid.
Read more: techbeacon.com/security/eu-merges-giant-biometrics-database-what-could-possibly-go-wrong
Tuesday, 23 April 2019
PSK APK FAIL
A widely used Android app for finding free Wi-Fi passwords was horribly insecure. It’s been sitting on an unsecured database, open to the internet.
And the developer is nowhere to be found. Who knew that this modern version of warchalking could be so dangerous?
It gives a whole new meaning to Pre-Shared Key. In today’s SB Blogwatch, we put a tinfoil hat on your AP.
Read more: securityboulevard.com/2019/04/popular-wifi-finder-app-leaks-2-million-passwords
Thursday, 18 April 2019
Book Another Facebook Farce
This story only gets worse for Facebook: Two weeks ago, I told you about how Zuckerberg’s firm was demanding some users enter their email passwords. But now, further revelations make the situation look much, much worse.
It appears Facebook was actually copying those users’ entire contact lists—without permission. The company says it was “unintentional.” So that’s alright then.
How many more straws can fit on this camel’s back? In today’s SB Blogwatch, we’ve lost count of all the Facebook scandals.
Read more: securityboulevard.com/2019/04/with-no-permission-facebook-slurped-up-hundreds-of-millions-of-email-contacts
Wipro PR go slow—oh no
IT outsourcing outfit Wipro is under fire this week. Sources say it got hacked months ago, and since then has been used as a jumping-off point to hack its customers. Possibly by a state actor.
If that weren’t bad enough, when Brian Krebs—the journalist who reported the hack—asked the Bengaluru firm about it, his questions were ignored. When Wipro PR finally made a buzzword-bingo statement, it was only sent to Indian media.
And then Wipro executives contradicted the statement. Said execs went on to publicly badmouth the reporter.
This is a terrible example of how to act on a breach report. In this week’s Security Blogwatch, we break out the popcorn.
Read more: techbeacon.com/security/wipro-customers-hacked-says-krebs-nothing-see-here-says-wipro
Tuesday, 16 April 2019
Face Meets Palm
Hackers have been able to read the email of Microsoft’s free cloud customers—no password required. Yes, you read that right.
Incredibly, the perps got away with it for almost three months, from early January to late March. It appears they stole a master “golden” support credential—presumably via social engineering.
But Microsoft “takes data protection very seriously.” So that’s OK then.
On the face of it, this is palm-worthy to the max. In today’s SB Blogwatch, we can’t believe what we read.
Read more: securityboulevard.com/2019/04/microsoft-cloud-breach-hackers-read-your-email-for-90-days
Friday, 12 April 2019
That story about the Chinese woman accused of unauthorized entry to Trump’s Mar-a-Lago? It gained a weird new twist this week.
The Feds protecting the President supposedly found a USB stick and did the last thing you should ever do with an untrusted device—they stuck it into a PC. A Secret Service agent testified the PC then behaved in a “very out-of-the-ordinary” way. It’s still unclear what Yujing Zhang was attempting to do at President Trump’s private club in Florida.
On the face of it, this is really appalling operational security. But in today’s SB Blogwatch, we dig a little deeper.
Read more: securityboulevard.com/2019/04/trump-secret-service-usb-opsec-fail-spy-story-gets-weirder
Thursday, 11 April 2019
Nero ignores conflagration
This is not fine. A white-hat researcher examined 30 financial apps, looking for information security issues—worryingly, all but one of them were insecure.
The failures were mind-numbingly familiar, and dead easy to find. It’s as if the industry has learned nothing and is walking around with a sign on its back, saying, “Rob me.”
Have we learned nothing? In this week’s Security Blogwatch, we’re full of despair.
Read more: techbeacon.com/security/fintech-fiddles-home-burns-97-apps-found-insecure
Tuesday, 9 April 2019
EU privacy regulator investigates Microsoft. Audits contracts with EU bodies for compliance.
EDPS (the European Data Protection Supervisor) wants to ensure GDPR (the General Data Protection Regulation) is being adhered to by Microsoft and its customers inside the institutions of the EU itself, such as the Parliament and the Commission. This comes after serious allegations that Microsoft Office’s telemetry features fell afoul of GDPR.
This could get expensive for Redmond. In today’s SB Blogwatch, we search under the couch cushions, in case Satya needs a hand.
Read more: securityboulevard.com/2019/04/does-microsoft-violate-gdpr-european-regulator-asks-tough-questions
Monday, 8 April 2019
Trigger warning: domestic abuse; stalking
The Electronic Frontier Foundation (EFF) is stepping up its fight against stalkerware. It’s asking for help from AV vendors, phone platform makers and law enforcement.
Also known as spouseware and creepware, this vile trade is responsible for enabling all manner of frightening and dangerous abuse, from stalking to serious sexual assault. It’s no laughing matter.
It’s time to put an end to it. In today’s SB Blogwatch, we’re truly horrified.
Read more: securityboulevard.com/2019/04/stalkerware-spouseware-creepware-just-call-it-horrific
Thursday, 4 April 2019
Android Angst; Government Gaffe
The sky is falling. At least, that’s what some conclude, after hearing about Exodus, a family of targeted malware discovered in the official Google Play app store.
By imitating legit apps, Exodus exfiltrates data from countless apps and Android services. It appears to be a lawful surveillance program that escaped from its tight, court-approved targeting of Italian suspects.
But Google says malware like this is vanishingly rare. In this week’s Security Blogwatch, we let my people go.
Read more: techbeacon.com/security/exodus-spyware-exposes-sorry-state-android-security
Wednesday, 3 April 2019
Here’s Facebook’s latest unbelievable scandal: The company has been demanding that some users enter their email passwords, so they can be “verified.”
That’s right, their email password. Facebook claims it’s all above board: It’s for security, y’see—people can totally trust us. But critics say it trains users to do dangerous things.
And Facebook is said to be harvesting the users’ contacts without permission. All this just a month after the company was caught red-handed misusing other security identifiers. Yikes.
Facebook also claims that users can instead verify their email an alternate way, but the UX for that seems to be a blackest-of-Vantablack “dark pattern.” In today’s SB Blogwatch, we can’t believe our eyes.
Read more: securityboulevard.com/2019/04/facebook-forces-users-to-give-email-password-wait-what
Tuesday, 2 April 2019
Feds win technical victory against an alleged nine-year plan to fool customers. The Federal Trade Commission (FTC) claims Office Depot and Support.com deliberately lied to consumers, saying their PCs were infected with malware.
However, the scanning tool they used didn’t actually scan anything, according to the FTC. It merely asked a few questions, such as, “Does your PC frequently crash?” And if the customer answered “Yes” to any question, they’d be told the PC needed a $300 fix.
The companies settled out of court for $35 million, without admitting liability. In today’s SB Blogwatch, we feel fine.
Read more: securityboulevard.com/2019/04/office-depot-and-support-com-to-pay-35m-for-fake-malware-scan-scam
Thursday, 28 March 2019
Microsoft has damaged a hacking group thought to be run by the Iranian military. APT35—also known as Charming Kitten, Ajax and Phosphorus—has now lost control of 99 internet domains it was using in spear-phishing attacks on journalists and activists.
Redmond’s finest had to ask a court to grant it control of the malicious Purr-sian domains, such as outlook-verify.net. Now it is able to prevent web users from being phished and can collect valuable intelligence on APT35’s naughty tactics.
Go back to sleep, tiny cat. In today’s SB Blogwatch, we destroy your furniture.
Read more: securityboulevard.com/2019/03/microsoft-hurts-charming-kitten-aka-the-apt35-iran-hacking-group
ASUS laptops infected by the “ShadowHammer” malware were targeted by the People’s Republic of China. At least, that’s the implication of a Kaspersky Labs researcher.
Mind you, Kaspersky is alleged to be rather close to a certain other state. So a pinch of salt might be indicated.
Whoever’s responsible, there are worrying implications for the future of state-sponsored cyber-ops. In this week’s Security Blogwatch, everything looks like a nail.
Read more: techbeacon.com/security/asus-shadowhammer-backdoor-was-china-blame
Tuesday, 26 March 2019
Apple Card is here. It boasts anti-fraud security features and interesting privacy promises.
But is there much that’s new here? Probably not: People are saying it’s just a glossy sheen on top of existing technologies, and the privacy aspect ain’t all that.
What gives? In today’s SB Blogwatch, we wonder what all the fuss is about.
Read more: securityboulevard.com/2019/03/apple-credit-card-not-so-secure-nor-private
Friday, 22 March 2019
Implantable cardioverter defibrillators (ICDs) made by Medtronic are insecure, says the Department of Homeland Security’s CISA team. Exploitation is trivial; possible outcomes include the death of the patient.
And wouldn’t you know it, Medtronic knew about the problem for more than a year. Basically, wireless commands can completely reprogram the devices; there’s no authentication and no encryption.
“Are you serious?” you ask. In today’s SB Blogwatch, we’re as serious as a heart attack.
Read more: securityboulevard.com/2019/03/implanted-medical-devices-can-be-hacked-wirelessly-warns-u-s-govt
Thursday, 21 March 2019
“Ride sharing” company stands accused of using spyware to damage a competitor’s business: An Australian taxi startup says Uber poached its drivers by spying on their movements.
Uber blames one rogue employee. But some commentators allege it’s not the first time the company’s used dirty tricks to boost its business. For example, there was that time Uber was banned from operating anywhere in London, England.
So what really happened here? In today’s SB Blogwatch, we make educated guesses.
Read more: securityboulevard.com/2019/03/did-uber-spyware-on-rival-taxi-firm-yes-and-no
EHR is badly broken. That’s the conclusion of a too-long report into electronic health records in the US.
It’s dangerous, buggy, expensive, over-complicated, and encourages fraud. And that’s even before we start to think of the likely security issues.
Stop. You’re killing me. In this week’s Security Blogwatch, we smell no evil.
Read more: techbeacon.com/security/diagnosis-us-electronic-health-records-fatally-flawed
Tuesday, 19 March 2019
This hacker hacks the hackers. He reverse-engineers ransomware so that victims can decrypt their files without paying money to criminals.
But the polar bear-loving Fabian Wosar lives in hiding at an undisclosed location. It’s all thanks to the threats and abuse he receives from ransomware gangs, which he describes as “the Russian mob.”
Scary stuff. In today’s SB Blogwatch, we peek behind the curtain and marvel.
Read more: securityboulevard.com/2019/03/ransomware-fighter-lives-in-fear-for-his-life
Friday, 15 March 2019
Google’s Android smartphone platform is under fire again. Hundreds of “legitimate” apps have been infected with malicious third-party libraries—and not for the first time. These apps account for more than 320 million downloads.
The so-called SimBad and Operation Sheep SDKs are malicious, according to researchers. They’re able to phish, steal data and pop up ads over other apps.
Google keeps talking a grand talk, but is it proactive enough about nuking malware in the Play Store? In today’s SB Blogwatch, we avoid an Android army ambush.
Read more: securityboulevard.com/2019/03/android-security-is-a-hot-mess-yet-again
Thursday, 14 March 2019
Sir Tim Berners-Lee has been painting a slightly depressing picture of the web’s problems. But his recent open letter also celebrates the web’s extraordinary achievements.
So happy birthday, World Wide Web. It was 30 years ago when Sir Tim formally proposed Mesh, or Mine, or what we now know as the web.
As he super-tweeted in the 2012 Olympic Games, this is for everyone. But not everyone is on board the TBL-fanboi bus. In this week’s Security Blogwatch, we spin sticky silk.
Read more: techbeacon.com/security/30-years-web-sir-tim-vents-scams-hacks-hate
Tuesday, 12 March 2019
Citrix Systems’ networks were infested with hackers, who stole terabytes of data. So says a security service provider nobody’s heard of—and that seems to have popped out of nowhere.
It was Iran, alleges the dubitable company. And so the mainstream media rush to parrot the unfound finding. But where’s the evidence?
Neither Citrix nor the FBI are saying. In today’s SB Blogwatch, we feel like useful idiots.
Read more: securityboulevard.com/2019/03/citrix-systems-breached-for-10-years-by-iran-claims-unknown-infosec-firm
Friday, 8 March 2019
Google is warning Chrome users to update their browser installations immediately. Previous versions have a nasty security bug that allows remote code execution.
And it’s not theoretical: It turns out that this vulnerability was already being exploited before the patch was available. Google is being super-cagey about the exact nature of the flaw, but the company is being unusually insistent about how urgent this is.
So you know what to do and when to do it. In this week’s SB Blogwatch, we sit up and take notice.
Read more: securityboulevard.com/2019/03/chrome-zero-day-rce-exploit-in-the-wild-patch-now
Thursday, 7 March 2019
It’s that time again: Another RSA Conference in a rain-lashed San Francisco. This year’s theme is “Better.”
RSAC is the big infosec bunfight for hawkish vendors, arm-wavy consultants, and harassed PR mavens. Some think it’s the place to see and be seen, but others can’t wait for it to be over for yet another year.
And what caught your humble blogwatcher’s eye this year? In Security Blogwatch, we scour the Moscone Center so you don’t have to.
Read more: techbeacon.com/security/rsac-2019-better-wetter-weirder
Tuesday, 5 March 2019
Facebook has been caught red-handed again, so say privacy wonks. They accuse Zuckerberg’s crew of misusing phone numbers given to it for use in two-factor authentication.
Said wonks say Facebook is sharing the data with Instagram and WhatsApp to secretly link your profiles together. And that it lets miscreants look you up by your phone number, subjecting your identity to stalking, social engineering and other malicious awfulness. Facebook is also accused of violating GDPR, for using the numbers without consent.
Yet Facebook spokesdroids are unrepentant. In this inaugural SB Blogwatch, we phone a friend.
Read more: securityboulevard.com/2019/03/uproar-over-facebook-2fa-privacy-violation
Thursday, 28 February 2019
Software alone can’t save us from Spectre-class vulnerabilities in modern CPUs. That’s the scary conclusion from a bone-dry research paper penned by Google engineers.
Be afraid. Be very afraid. Because there’s no evidence that CPU vendors are actually taking this thing seriously—even though they’ve known about it since June 2017 (perhaps even longer than that).
So all we have are code fixes that slow down our infrastructure without fixing the underlying problem. In this week’s Security Blogwatch, we run for the hills.
Read more: techbeacon.com/security/google-spectre-cant-be-fixed-panic-now
Friday, 15 February 2019
Thursday, 14 February 2019
The day we all feared would come has come. Docker and Kubernetes #containers are revealed to be badly vulnerable—along with LXC, Mesos, and several other container flavors.
An easily exploited flaw means a container can escape its paper-thin walls and execute on the host system—as root. Time to audit your trust boundaries.
Happy Valentine’s Day, DevOps peeps. In this week’s Security Blogwatch, we drop everything and patch.
Read more: techbeacon.com/security/hackers-love-docker-container-catastrophe-3-2-1
Thursday, 7 February 2019
Apple says sorry for the privacy-busting FaceTime bug we talked about last week.
But there’s no apology yet to the kid and his mother who tried their best to report the “FacePalm” bug to Apple, yet kept facing brick wall after brick wall. Although there is the vague suggestion the trillion-dollar company might pay him some money.
In trying to fix its PR fail, has Apple made things worse? In this week’s Security Blogwatch at TechBeacon, Richi Jennings is sorry.
Read more: techbeacon.com/security/facetime-fauxpas-sorry-not-sorry-about-bug-bounty-boo-boo
Monday, 4 February 2019
Hey, it's Richi. … Richi? … Jennings? … Yeah, that guy.
Thanks to the business geniuses at Surpass Hosting for quadrupling my hosting fee, and to the fine folks at Alphabet who are killing Google+, I'm resurrecting my old blog as a web presence.
Apologies in advance for dust and broken links. I'll get to fixing things up as soon as I can.
A lot's happened since my last post in 2011. Maybe I'll tell you about it sometime…