Facebook
Users are complaining that the phone number they used for
two-factor authentication is publicly associated with their user
profile, so anyone can look it up. Facebook’s default setting
allows everyone with or without an account to look up a user based
on the phone number added to their account. There is no apparent
way to disable the feature. To read more: https://techcrunch.com/2019/03/03/facebook-phone-number-look-up/
GitHub accounts
A security researcher found a ring of malicious GitHub accounts
promoting over 300 backdoored Windows, Mac and Linux applications.
The malicious apps download a Java-based malware called Supreme NYC
Blaze Bot. The malware is a “sneaker bot” that infects a system in
order to participate in online auctions for limited-edition
sneakers. To read more: https://www.zdnet.com/article/researchers-uncover-ring-of-github-accounts-promoting-300-backdoored-apps/
Sharpshooter cyberattack
Security researchers linked a global cyber-espionage campaign to a
North Korean Advanced Persistent Threat (APT) hacking group. The
campaign targets government, defense, nuclear, energy and financial
organizations around the world. To read more: https://thehackernews.com/2019/03/north-korea-hacking.html
Zerodium
Zerodium is willing to pay up to half a million dollars for
zero-days in popular cloud technologies like Hyper-V and VMware’s
vSphere. These are hypervisors that let a single host server create
and run virtual guest operating systems. To read more: https://www.zdnet.com/article/hide-yo-kids-hide-yo-clouds-zerodium-offering-big-bucks-for-cloud-zero-days/
Chinese surveillance data
A security researcher found 18 accessible MongoDB databases filled
with personal information generated by accounts from several online
social services in China. The data appears to belong to a
countrywide surveillance program. The researcher could not identify
all the messaging services by their commercial names, but published
a list that others are connecting to companies. To read more:
https://www.bleepingcomputer.com/news/security/open-mongodb-databases-expose-chinese-surveillance-data/
Rush System for Health
Rush System for Health, a network for healthcare providers, said
that personal information for 45,000 patients was compromised in a
data breach. The breach exposed names, addresses, birthdays, Social
Security numbers and health-insurance information. The company
claims that none of the data has been misused. To read more:
https://www.sfchronicle.com/news/article/Rush-health-system-reports-data-breach-affecting-13661696.php
GHIDRA
The NSA released GHIDRA version 9.0 for free during the RSA
conference. GHIDRA is a classified reverse-engineering tool that
the agency uses to find security bugs in software and applications.
WikiLeaks first confirmed the existence of the toolset in one of
its data releases. To read more: https://thehackernews.com/2019/03/ghidra-reverse-engineering-tool.html
QuadrigaCX
Millions of dollars went missing when the CEO of QuadrigaCX, a
cryptocurrency exchange, died late last year. The CEO was thought
to have sole access to the $137M in cryptocurrency, but
investigators have since discovered that the money is gone. By
examining the public blockchain, investigators determined that the
money was actually emptied in April of 2018, eight months before
his death. To read more: https://markets.businessinsider.com/currencies/news/crypto-ceo-died-with-passwords-to-137-million-but-the-money-is-gone-2019-3-1028009684
800 million emails
A security researcher found a 150GB MongoDB instance open on the
internet. The database contained 808m records that were split into
four separate collections. This is an entirely unique data set that
was not part of the “Package 1–3” breaches. To read more: https://securitydiscovery.com/800-million-emails-leaked-online-by-email-verification-service/
Citrix
On Friday Citrix disclosed that hackers had accessed the company’s
internal network and downloaded business documents. Citrix was
unable to identify which specific documents were stolen at the time
of the breach announcement. To read more: https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/
Oberlin College
Hackers targeted a database controlled by the Office of Admissions
and Financial Aid at Ohio’s Oberlin College. The attackers
collected information about prospective, current and former
students who enrolled after fall 2014. They exploited a flaw in the
“reset your password” function on OCPass, which was run by a
third-party software-management company. The breach appears to be
part of a coordinated set of attacks targeting colleges across the
United States. To read more: https://oberlinreview.org/18231/news/cyber-attackers-breach-admissions-database/
MyEquifax.com
After the Equifax hack, many people froze their credit files and
were given a PIN which is required to lift the freeze. However,
unless you have an account at the new myEquifax portal, it may be
simple for identity thieves to lift an existing credit freeze and
bypass the PIN using your name, Social Security number and
birthday. Read Brian Krebs's in-depth account of how he set up his
myEquifax.com account and the security holes he found in the
system. To read more: https://krebsonsecurity.com/2019/03/myequifax-com-bypasses-credit-freeze-pin/
Check out Have I Been Pwned to see if any of your accounts have been exposed by the above breaches.
MacOS Kernel
A security researcher at Google publicly disclosed a
proof-of-concept exploit for a vulnerability in the macOS operating
system that Apple did not patch within 90 days of being notified.
The vulnerability is in the XNU kernel, which an attacker can
exploit to manipulate filesystem images without the operating
system being informed. To read more: https://thehackernews.com/2019/03/cybersecurity-macos-hacking.html
Intel Spoiler attack
Researchers discovered a new flaw impacting all Intel chips that
abuses speculative execution. Unlike Spectre and Meltdown, Spoiler
targets the Memory Order Buffer, which is used to manage memory
operations. To read more: https://www.zdnet.com/article/all-intel-chips-open-to-new-spoiler-non-spectre-attack-dont-expect-a-quick-fix/
Google Chrome
A security researcher discovered a high-severity vulnerability in
Chrome that could enable an attacker to execute arbitrary code and
take full control of the computer. The vulnerability is a zero-day
that is being actively exploited in the wild by hackers. It affects
all major operating systems including Windows, macOS, and Linux. To
read more: https://thehackernews.com/2019/03/update-google-chrome-hack.html
Pandora Car Alarm System
Cybersecurity researchers published a report detailing the security
drawbacks of smart car alarms. The team could unlock the car,
disable the alarm, and steal the owner’s details. In some cases, a
cyberattack could result in the engine being turned off during use.
Pandora’s marketing materials claimed that the smart alarm systems
were unhackable. To read more: https://www.zdnet.com/article/smart-car-alarms-opened-the-doors-of-3-million-vehicles-to-hackers/
Hard Disk Drives
Researchers found that hard disk drives can be turned into
listening devices using malicious firmware and signal-processing
calculations. An acoustic side-channel can be accessed by measuring
how sound waves make hard disk parts vibrate. The research will be
presented at the 2019 IEEE Symposium on Security and Privacy. To
read more: https://www.theregister.co.uk/2019/03/07/hard_drive_eavesdropping/
Android VPNs
John Mason from TheBestVPN.com analyzed 81 Android VPN apps
available on the Google Play Store. He determined that 50 of the 81
available request access to “dangerous” user permissions that a
standard VPN app would have no use for. Some of these include
read/write permission for external device storage, precise location
data, and access to call logs. To read more: https://www.zdnet.com/article/some-android-vpn-apps-request-access-to-sensitive-permissions-they-dont-need/