Table of Contents

  1. Privacy
    1. Wifi deauthentication attacks and home security
    2. Amazon, Ring Face Class-Action Lawsuit Over Alleged Security Camera Hacks
    3. Colleges are turning students’ phones into surveillance machines
    4. UK Government Accidentally Doxxes Award Winners
  2. Surveillance
    1. Behind the One-Way Mirror: A Dive into the Technology of Corporate Surveillance
  3. Digital rights
    1. Turkey's block on Wikipedia violates rights, court rules
    2. Iran curbs internet before possible new protests: reports
  4. Vulnerabilities
    1. Mazda3 Bug Activates Emergency Brake System For No Reason
    2. Apache Log4j CVE-2019-17571 Deserialization Remote Code Execution Vulnerability
  5. Ransomware
    1. Ryuk Ransomware evolution avoid encrypting Linux folders
  6. Phishing
    1. Most cybercrime doesn't involve computer hacking
  7. Malware
    1. NPM lockfiles can be a security blindspot for injecting malicious modules in PRs
  8. OSINT
    1. Guide To Using Reverse Image Search For Investigations

Privacy

Wifi deauthentication attacks and home security

The Wifi standard has some interesting design choices: a device that isn't authenticated to the network can still send deauthentication requests, forcing clients to authenticate again. By sending multiple such requests, it's possible to shut down Ring cameras when walking nearby, and since they record when detecting motion, one can use this to avoid being recorded by those cameras.

Amazon, Ring Face Class-Action Lawsuit Over Alleged Security Camera Hacks

Alabama resident John Orange has filed a class-action lawsuit accusing Amazon and Ring of failing to do enough to secure their security systems against hacks, including Orange's. Engadget reports: He alleged that a stranger compromised his Ring outdoor camera and spooked his kids as a "direct and proximate" result of the company's inability to protect its devices "against cyber-attack." He pointed to other incidents to support the argument for a class action, including a highly publicized event in December where a remote intruder harassed a Mississippi girl.

Colleges are turning students’ phones into surveillance machines

Colleges are tracking students' location to enforce attendance, analyze their behavior and assess their mental health. One company calculates a student's "risk score" based on factors such as whether she is going to the library enough, the Washington Post reports. Degree Analytics not only tracks attendance, but it also monitors students’ movements from dorms to dining halls to ostensibly identify unhealthy behavioural patterns (sleeping too much, not eating, avoiding student life programs).

UK Government Accidentally Doxxes Award Winners

More than 1,000 celebrities, government employees and politicians who have received honours had their home and work addresses posted on a government website. The accidental disclosure of the tranche of personal details is likely to be considered a significant security breach, particularly as senior police and Ministry of Defence staff were among those whose addresses were made public.

Surveillance

Behind the One-Way Mirror: A Dive into the Technology of Corporate Surveillance

Trackers are hiding in nearly every corner of today’s Internet, which is to say nearly every corner of modern life. The average web page shares data with dozens of third-parties. The average mobile app does the same, and many apps collect highly sensitive information like location and call records even when they’re not in use. Tracking also reaches into the physical world. Shopping centers use automatic license-plate readers to track traffic through their parking lots, then share that data with law enforcement. Businesses, concert organizers, and political campaigns use Bluetooth and WiFi beacons to perform passive monitoring of people in their area. Retail stores use face recognition to identify customers, screen for theft, and deliver targeted ads.

Digital rights

Turkey's block on Wikipedia violates rights, court rules

Turkey’s Constitutional Court ruled on Thursday that a more than two-year block on access to online encyclopaedia Wikipedia in the country is a violation of freedom of expression. The ruling opens the way for lifting the website ban, which has been in place since 2017 due to entries that accused Turkey of having links to terrorist organisations.

Iran curbs internet before possible new protests: reports

Iran’s authorities have restricted mobile internet access in several provinces, an Iranian news agency reported on Wednesday, a day before new protests were expected to kick off following calls for demonstrations on social media.

Vulnerabilities

Mazda3 Bug Activates Emergency Brake System For No Reason

Driver assists can help make our trips much safer, but integrating software decisions into the control of a vehicle could cause serious problems if the system glitches at the wrong time. According to Mazda, "incorrect programming" in its Smart Braking System (SBS) can cause fourth-generation Mazda3 vehicles to falsely detect an object in their path and automatically apply the brakes while driving. The problem affects 35,390 2019 and 2020 model year cars in the US, but Mazda says it is not aware of any injuries or deaths as a result of the defect.

Apache Log4j CVE-2019-17571 Deserialization Remote Code Execution Vulnerability

Apache Log4j is prone to a remote code-execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions. Apache Log4j versions through 1.2.17 are vulnerable.

Ransomware

Ryuk Ransomware evolution avoid encrypting Linux folders

Experts spotted a new strain of the Ryuk Ransomware that was developed to avoid encrypting folders commonly seen in *NIX operating systems. Recently the City of New Orleans was the victim of a ransomware attack; researchers from the BleepingComputer community revealed that the malware that infected the City’s systems was the Ryuk Ransomware. The experts found an executable named v2.exe on the infected systems. The popular malware researcher Vitali Kremez, who analyzed the sample involved in the attack, discovered a new feature implemented in this variant: the ransomware doesn’t encrypt folders that are associated with *NIX operating systems.

Phishing

Most cybercrime doesn't involve computer hacking

If you thought cybercrime was mostly about skilled hackers finagling their way through complex firewalls, think again. Most scams involve people being manipulated or blackmailed into handing over their cash. CERT has received 5000 reports of cybercrime incidents this year, but those are the tip of the iceberg. The majority of attacks, successful or not, go unreported.

Malware

NPM lockfiles can be a security blindspot for injecting malicious modules in PRs

Liran Tal has written an article showing how easy it is to inject malicious packages using npm lockfiles. Because people rarely review lockfile changes, this is a major threat to software supply-chain security.
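
A reviewer-side check for the blind spot described above, as an added example that is not code from the article or from npm: it reads a parsed package-lock.json and reports entries whose `resolved` tarball URL is not HTTPS on an expected registry host, or that lack an `integrity` hash. The allowlist, the sample lockfile and its package names are constructed assumptions, and naming these two lockfile fields goes beyond what the summary itself states.

```javascript
// Added example; the allowlist and SAMPLE_LOCK below are constructed.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]); // assumption: project's only registry

// v2/v3 lockfiles keep a flat "packages" map; v1 nests "dependencies".
function collectEntries(lock) {
  const out = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "" || pkg.link) continue; // root project or workspace link
    out.push({ name: path, resolved: pkg.resolved, integrity: pkg.integrity });
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      out.push({ name: prefix + name, resolved: dep.resolved, integrity: dep.integrity });
      walk(dep.dependencies, prefix + name + " > ");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return out;
}

// Return one finding per reason an entry deserves a manual look in review.
function auditLockfile(lock, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const { name, resolved, integrity } of collectEntries(lock)) {
    if (!resolved) continue; // bundled dependencies carry no source URL
    let url = null;
    try { url = new URL(resolved); } catch { /* reported below */ }
    if (!url) findings.push({ name, issue: "unparseable-source" });
    else if (url.protocol !== "https:") findings.push({ name, issue: "non-https-source" });
    else if (!allowedHosts.has(url.hostname)) findings.push({ name, issue: "unexpected-host" });
    if (!integrity) findings.push({ name, issue: "missing-integrity" });
  }
  return findings;
}

const SAMPLE_LOCK = { // constructed input, package names are hypothetical
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/pkg-a": { resolved: "https://registry.npmjs.org/pkg-a/-/pkg-a-1.0.0.tgz", integrity: "sha512-placeholder" },
    "node_modules/pkg-b": { resolved: "https://tarballs.example.invalid/pkg-b-1.0.0.tgz", integrity: "sha512-placeholder" },
    "node_modules/pkg-c": { resolved: "http://registry.npmjs.org/pkg-c/-/pkg-c-1.0.0.tgz" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Run as a CI step on pull requests that touch the lockfile, a non-empty result is a prompt for a human to read that part of the diff rather than proof of tampering.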

OSINT

Guide To Using Reverse Image Search For Investigations

Bellingcat has a nice guide on how to trace objects and locations using reverse image search, and on why using just Google Images is not enough.