Table of Contents

  1. Crime
    1. How a Fake Murder-For-Hire Site Led To Real Convictions
    2. Berlin police office stores data illegally
    3. Kanagawa Prefectural Government retrieves all unencrypted disk drives lost in auction
    4. PayPal Phishing Attack Promises to Secure Accounts, Steals Everything
    5. Hedge Funds Hacked into Bank of England Briefings to Gain Financial Advantage
    6. Wawa Announces Data Breach Potentially Affecting More Than 850 Stores
    7. Apple Blackmailed for $100K in iTunes Cards to Avoid 'Data Leak'
    8. GozNym Gang Members Behind $100 Million Damages Sentenced
    9. Tokyo 2020 Staff Warns of Phishing Disguised As Official Emails
    10. 'Spiderman' Hacker Daniel Kaye Took Down Liberia’s Internet
  2. Privacy
    1. DNS Over HTTPS: Not As Private As Some Think
    2. How Much Are Cars Spying On Their Owners?
    3. Brookline Votes To Ban Face Surveillance
    4. Russia presses Apple to install Kremlin-approved apps
  3. Politics
    1. U.S. Navy bans TikTok from government-issued mobile devices
    2. Twitter Removes Nearly 6,000 Saudi-Backed Accounts For Platform Manipulation
    3. Fake Faces: People Who Do Not Exist Invade Facebook To Influence 2020 Elections
  4. Linux
    1. Many Security-Critical Military Systems Are Now Using Linux
  5. Vulnerabilities
    1. Dropbox Zero-Day Vulnerability Gets Temporary Fix
    2. Twitter for Android Security Issue
    3. Cisco ASA DoS bug attacked in wild
    4. Using WebRTC ICE Servers for Port Scanning in Chrome
  6. OSINT
    1. People tracker on the Internet: OSINT analysis and research tool by Jose Pino
    2. Hunt down social media accounts by username across social networks

Crime

How a Fake Murder-For-Hire Site Led To Real Convictions

Interesting article by Brian Merchant about the dark web scams that offer hitmen for hire for a few thousand dollars. It turns out that, even though most of the targeted people never get killed, some still do, and requests to kill someone on the dark web have real-world consequences.

Berlin police office stores data illegally

The data protection authority has discovered that the Berlin police department hasn't deleted any data since 2013, and employees could have accessed the data on suspects, victims, and witnesses without authorization.

Kanagawa Prefectural Government retrieves all unencrypted disk drives lost in auction

Kanagawa Prefectural Government said Saturday that it has collected all 18 of the hard disk drives containing government administrative data that were sold online after being fraudulently taken. Earlier this month, Tokyo’s Metropolitan Police Department arrested the former Broadlink employee for fraudulently taking the HDDs.

PayPal Phishing Attack Promises to Secure Accounts, Steals Everything

An ongoing phishing campaign is targeting PayPal customers with emails camouflaged as 'unusual activity' alerts warning them of suspicious logins from unknown devices and attempting to squeeze them dry of all their credentials and financial info.

Hedge Funds Hacked into Bank of England Briefings to Gain Financial Advantage

High-speed traders could have received a vital advantage over the rest of the market by listening to the audio of the Bank of England’s press conferences a few seconds before the official broadcast. Following an internal investigation, the Bank confirmed that a third party supplier “misused” an audio feed of certain of the Bank press conferences since earlier this year. The audio was installed to serve as a back-up in case the video failed.

Wawa Announces Data Breach Potentially Affecting More Than 850 Stores

Wawa, a convenience store and gas station chain, notified customers Thursday of a data breach that collected debit and credit card information at potentially all of its more than 850 locations along the East Coast. It is now offering free credit monitoring and identity theft protection to those affected. Sensitive data was being collected as early as March 4, the company said, adding that the malware was contained by Dec. 12.

Apple Blackmailed for $100K in iTunes Cards to Avoid 'Data Leak'

22-year-old Londoner Kerem Albayrak was sentenced today after attempting to blackmail Apple by threatening to factory reset 319 million iCloud accounts and sell the users' data.

GozNym Gang Members Behind $100 Million Damages Sentenced

Three members of a cybercrime group that used the GozNym banking Trojan to steal millions from U.S. businesses were sentenced in parallel and multi-national prosecutions in Pittsburgh and Tbilisi, Georgia.

Tokyo 2020 Staff Warns of Phishing Disguised As Official Emails

Tokyo 2020 Summer Olympics staff published a warning about an ongoing phishing campaign delivering emails designed to look like they're coming from the Tokyo Organizing Committee of the Olympic and Paralympic Games. The attack is suspected to originate from China.

'Spiderman' Hacker Daniel Kaye Took Down Liberia’s Internet

Interesting story from Bloomberg about the attacker who took down Liberia's Internet and, as a side effect, shut down Deutsche Telekom routers using one of the Mirai botnets.

Privacy

DNS Over HTTPS: Not As Private As Some Think

DNS over HTTPS has been hailed as part of a "poor man's VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol. But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional padding option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have access to.

How Much Are Cars Spying On Their Owners?

The Washington Post has analyzed the computer systems on a modern Chevrolet car to try to find out what kind of data it collects about the owner. It turns out modern cars are like huge smartphones on wheels, generating up to 25GB of data per hour from many sensors. GM spokesman David Caldwell declined to offer specifics on Doug’s Chevy, but said the data GM collects generally falls into three categories: vehicle location, vehicle performance and driver behavior. "Much of this data is highly technical, not linkable to individuals and doesn’t leave the vehicle itself," he said.

Brookline Votes To Ban Face Surveillance

The town of Brookline, Massachusetts, became the fifth municipality in the nation to ban its government agencies from using face surveillance. This comes after a new study by NIST, which found that the algorithms are biased with respect to race, age, and ethnicity.

Russia presses Apple to install Kremlin-approved apps

On December 2nd, Russia’s president signed a controversial law that will prohibit the sale within Russia of devices that do not come pre-loaded with locally produced applications.

Politics

U.S. Navy bans TikTok from government-issued mobile devices

The United States Navy banned the social media app TikTok from government-issued mobile devices, saying the popular short video app represented a "cybersecurity threat". The Navy would not describe in detail what dangers the app presents, but Pentagon spokesman Lieutenant Colonel Uriah Orland said in a statement the order was part of an effort to "address existing and emerging threats".

Twitter Removes Nearly 6,000 Saudi-Backed Accounts For Platform Manipulation

Twitter announced Friday that it has removed nearly 6,000 accounts for being part of a state-backed information operation originating in Saudi Arabia. The investigations have traced the source of the coordinated activity to Smaat, a social media marketing and management company based in Saudi Arabia.

Fake Faces: People Who Do Not Exist Invade Facebook To Influence 2020 Elections

AI-generated faces were used in a Facebook campaign designed to manipulate the 2020 US elections. A detailed report was released. Last month, Snopes exposed links between TheBL and The Epoch Times. Facebook profiles were spreading political propaganda supporting Trump. The Epoch Times denies connection with TheBL, and asks Facebook to lift the ban.

Linux

Many Security-Critical Military Systems Are Now Using Linux

As Open Source has become increasingly mainstream and widely accepted for its numerous benefits, Linux, as a flexible, transparent and highly secure operating system, has also increasingly become a prominent choice among corporations, educational institutions and government sectors alike. With national security concerns at an all-time high heading into 2020, it appears that the implementation of Linux could effectively meet the United States government’s critical security needs for application development and installations.

Vulnerabilities

Dropbox Zero-Day Vulnerability Gets Temporary Fix

A zero-day vulnerability exists in Dropbox for Windows that allows attackers to gain permissions reserved to SYSTEM, the most privileged account on the operating system.

Twitter for Android Security Issue

Twitter has recently fixed a vulnerability within Twitter for Android that could allow a bad actor to see nonpublic account information or to control a user account (i.e., send Tweets or Direct Messages). Prior to the fix, through a complicated process involving the insertion of malicious code into restricted storage areas of the Twitter app, it may have been possible for a bad actor to access information (e.g., Direct Messages, protected Tweets, location information) from the app.

Cisco ASA DoS bug attacked in wild

Cisco Talos has recently noticed a sudden spike in exploitation attempts against a specific vulnerability in the Cisco Adaptive Security Appliance (ASA) and Firepower Appliance.

Using WebRTC ICE Servers for Port Scanning in Chrome

Tenable discovered a way to run port scans using WebRTC servers from Chrome.

OSINT

People tracker on the Internet: OSINT analysis and research tool by Jose Pino

Trape is an interesting tool I discovered that makes it easy to track people on the internet. It can also recognize active sessions in the browser, so it's possible to see which accounts the user is logged into in that browser. It also has location tracking, similar to how seeker works. Unfortunately it's still written in Python 2, and the ngrok stuff doesn't work anymore, but with some tinkering around it can become a powerful addition to the OSINT toolset.

Hunt down social media accounts by username across social networks

Sherlock is a nice little tool that can be used to check the existence of a username on up to 245 websites.