Table of Contents

  1. Privacy
    1. FTC Advises Checking Smart Toy Features Before Buying
    2. ACLU sues Homeland Security over 'stingray' cell phone surveillance
    3. A technical look at Phone Extraction
    4. At least 10 police forces use face recognition in the EU, AlgorithmWatch reveals
    5. CEO of Avast has defended the company's sale of aggregated user data
  2. Digital rights
    1. Iran's internet freedom is on life support
  3. Crime
    1. Ransomware Hits Florida PRIDE On Saturday, Systems Still Down
    2. Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand
    3. Zeppelin Ransomware Targets Healthcare and IT Companies
    4. Lazarus Hackers Use TrickBot to Infect High-End Victims
    5. Vietnamese APT Group Targets BMW, Hyundai: Report
    6. Domain Takeover at Gunpoint Gets Influencer 14 Years in Jail
    7. Batch of 460,000+ Payment Cards Sold on Black Market Forum
    8. Five Charged in $722 Million Cryptomining Ponzi Scheme
    9. The Great $50M African IP Address Heist
  4. Malware
    1. Windows, Chrome Zero-Days Chained in Operation WizardOpium Attacks
    2. Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps
  5. Apple
    1. Apple Used the DMCA to Take Down a Tweet Containing an iPhone Encryption Key
  6. Windows
    1. Windows 7 to Show Full-Screen Windows 10 Upgrade Alerts
  7. Chrome
    1. Chrome warns when your password has been stolen
  8. Facebook
    1. Facebook Fired A Contractor Who Was Paid Thousands In Bribes To Reactivate Banned Ad Accounts
  9. Vulnerabilities
    1. Intel Chips Vulnerable to 'Plundervolt' Attack
  10. Password reuse
    1. Practical Pentest Labs doesn't let users change passwords

Privacy

FTC Advises Checking Smart Toy Features Before Buying

The FTC asks consumers to understand a smart toy's features before deciding to purchase it for their kids.

ACLU sues Homeland Security over 'stingray' cell phone surveillance

The American Civil Liberties Union has filed a lawsuit against CBP (Customs and Border Protection) and ICE (Immigration and Customs Enforcement) after a Freedom of Information Act request in 2017 failed to reveal more about those agencies' use of stingray devices.

A technical look at Phone Extraction

Privacy International has released a detailed report documenting the techniques used by law enforcement and spy agencies to extract information from Android and iOS devices.

At least 10 police forces use face recognition in the EU, AlgorithmWatch reveals

Out of 25 member states in the European Union reviewed by AlgorithmWatch, at least ten have a police force that uses face recognition. What they all have in common is a lack of transparency about how the face detection algorithms work and whether they can be misused. An analysis revealed misidentifications and false positives in the law enforcement face recognition systems.

CEO of Avast has defended the company's sale of aggregated user data

Avast doesn't just make money from protecting customers; it also profits in part from users' web browsing habits and has been doing so since 2013. This accounts for about 5% of overall revenue, and it led to some of Avast's tools being labeled as spyware. Both Mozilla and Opera removed Avast add-ons from their stores. The CEO, however, claims that the information cannot be traced back to individual users, and that therefore there is no privacy scandal here.

Digital rights

Iran's internet freedom is on life support

The country's president wants a state-controlled intranet to replace the internet. Iran's intranet, known as the National Information Network, will be expanded so "people will not need foreign [networks] to meet their needs," effectively isolating the country from the rest of the world.

Crime

Ransomware Hits Florida PRIDE On Saturday, Systems Still Down

Prison Rehabilitative Industries and Diversified Enterprises Inc was hit by a ransomware attack, taking down most of their computing systems.

Maze Ransomware Behind Pensacola Cyberattack, $1M Ransom Demand

The operators behind the Maze ransomware attack on Pensacola claimed they are not affiliated with the recent shooting at NAS Pensacola. They claim they purposely avoided attacking emergency services such as 911, and that they will decrypt, for free, health care data or other socially vital objects they took down by mistake. Most landlines and email servers are back up, but the recovery process is still ongoing.

Zeppelin Ransomware Targets Healthcare and IT Companies

A new ransomware variant called Zeppelin has been spotted infecting US and European companies. It's not clear yet how it gets distributed, but it's likely through Remote Desktop servers publicly exposed on the internet. Like many Russia-based ransomware families, it checks whether the user is based in one of the Russian-speaking countries, and terminates without damage if so.

Lazarus Hackers Use TrickBot to Infect High-End Victims

Researchers found links connecting the TrickBot attacks to the Lazarus group from North Korea. TrickBot was developed in 2016 as banking malware, but has since evolved into a modular crimeware framework with all-in-one attack tools designed to attack enterprise environments. Full report.

Vietnamese APT Group Targets BMW, Hyundai: Report

New details emerged about the APT attacks on BMW and Hyundai. OceanLotus APT32 from Vietnam is behind those attacks. Earlier this year, Toyota was targeted by the same group, which likely means they hunt for proprietary information and technological secrets, feeding the local economy in Vietnam.

Domain Takeover at Gunpoint Gets Influencer 14 Years in Jail

After failing to get the domain doitforstate.com, a social media influencer decided to physically assault the owner of the domain, and planned a home invasion with his cousin to get the domain rights transferred to him at gunpoint. His plan backfired, and he was sentenced to 14 years in jail.

Batch of 460,000+ Payment Cards Sold on Black Market Forum

Several databases with stolen credit cards from predominantly Turkish banks have been discovered for sale on the "dark web". The data contained in the databases indicates it was most probably obtained through phishing attacks.

Five Charged in $722 Million Cryptomining Ponzi Scheme

The FBI arrested four men for operating a large cryptomining Ponzi scheme. The operators asked for a membership fee and, knowing that the cryptomining capabilities would not be profitable, simply took this money for themselves.

The Great $50M African IP Address Heist

IP address squatting is where someone has taken control of a block of addresses, but has left the core Whois registration details intact. AFRINIC was impacted by a scheme where large chunks of IP blocks were illegally sold or squatted by overseas network operators. An investigation is still ongoing.

Malware

Windows, Chrome Zero-Days Chained in Operation WizardOpium Attacks

A chain of two zero-day vulnerabilities in Chrome and Windows enabled attackers to infect a Korean news website and inject malicious JavaScript that in turn gains system access on the Windows machines of clients visiting the website. The operation was code-named WizardOpium. The vulnerabilities have since been fixed.

Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps

A new kind of phishing attack no longer targets usernames and passwords, but instead tries to fool users into authorizing a malicious app in Office 365, thus obtaining full account permissions without harvesting any credentials.

Apple

Apple Used the DMCA to Take Down a Tweet Containing an iPhone Encryption Key

A security researcher posted a tweet containing an encryption key that could be used to reverse engineer the Secure Enclave Processor in the iPhone. Apple used the DMCA to take down the tweet and related Reddit posts.

Windows

Windows 7 to Show Full-Screen Windows 10 Upgrade Alerts

With Windows 7 reaching the end of its life, Microsoft decided to warn users more aggressively, by showing full-screen ads stating that users should upgrade as soon as possible to Windows 10.

Chrome

Chrome warns when your password has been stolen

When you type your credentials into a website, Chrome will now warn you if your username and password have been compromised in a data breach on some site or app. It will suggest that you change them everywhere they were used. In addition, Google SafeBrowsing claims to protect users from phishing attacks by refreshing the list of malicious websites every 30 minutes, providing near real-time phishing protection.

Facebook

Facebook Fired A Contractor Who Was Paid Thousands In Bribes To Reactivate Banned Ad Accounts

A bribed contractor at Facebook reactivated scammy ads that asked users to sign up for an expensive monthly subscription that claimed to be free. Facebook declined to comment on whether it suspects helped others reactivate ads but said its investigation is ongoing.

Vulnerabilities

Intel Chips Vulnerable to 'Plundervolt' Attack

A new attack named Plundervolt affects Intel CPUs. It uses voltage fluctuations to reveal secrets such as encryption keys, and relies on the same interfaces gamers use to overclock processors. Intel has already released a patch. The paper can be found here.

Password reuse

Practical Pentest Labs doesn't let users change passwords

This one intrigued me, since it's kind of bizarre, but if you think about it, it kind of makes sense. I just doubt this is the right implementation. Basically, they don't let users change passwords, so no sensitive data is ever stored, and if they get breached, the credentials will be useless. The problem is that the credentials are stored unencrypted and sent by email in clear text. Even though the implementation is flawed, maybe we could think more about it, and find a way to do the same in a more secure way, by not storing the password on the server, but on the client's side.