Iran tried to hack hundreds of politicians, journalists email accounts last month, warns Microsoft

The Iranian government has attempted to hack into hundreds of Office 365 email accounts belonging to politicians, government officials and journalists last month, Microsoft has warned.

“We’ve recently seen significant cyber activity by a threat group we call Phosphorus, which we believe originates from Iran and is linked to the Iranian government,” Microsoft’s vice president of customer security and trust Tom Burt said in a blog post on Friday.

Redmond’s bit wranglers observed more than 2,700 attempts to hack into 241 different accounts, according to the software giant. It noted that those accounts “are associated with a US presidential campaign, current and former US government officials, journalists covering global politics and prominent Iranians living outside Iran.”

Microsoft says that only four of the 241 accounts were compromised and none of them were connected to government officials or presidential campaigns. It says the accounts are now secure and the owners are aware of the activity.

Notably, Microsoft says the hacking efforts were “not technically sophisticated” but used personal information gathered elsewhere to try to prompt password reset or account recovery in an effort to get into the accounts.

“For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account,” Microsoft explained.

It also appears that the hackers attempted to bypass two-factor authentication. “In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets,” the company said. It described the attackers as “highly motivated and willing to invest significant time and resources.”

Instead, Microsoft proposes that people use its Authenticator app, which provides a login code that changes every 30 seconds, to access their accounts.

How come Iran?

The company did not go into any detail over why it believes the Iranian government is behind the hacks beyond noting that those targeted included “prominent Iranians living outside Iran.” Presumably, it was able to identify the same pattern of hacking efforts with other accounts not directly connected with Iran and extrapolated from that.

Source: Iran tried to hack hundreds of politicians, journalists email accounts last month, warns Microsoft • The Register

Massive wave of account hijacks hits YouTube car community creators, bypassing 2FA

Over the past few days, a massive wave of account hijacks has hit YouTube users, and especially creators in the auto-tuning and car review community, a ZDNet investigation discovered following a tip from one of our readers.

Several high-profile accounts from the YouTube creators car community have fallen victim to these attacks already. The list includes channels such as Built [Instagram post, YouTube channel], Troy Sowers [Instagram post, YouTube channel], MaxtChekVids [YouTube channel], PURE Function [Instagram post, YouTube Support post, YouTube channel], and Musafir [Instagram post, YouTube channel].

But the YouTube car community wasn’t the only one targeted. Other YouTube creators also reported having their accounts hijacked last week, and especially over the weekend, with tens of complaints flooding Twitter [1, 2, 3, 4, 5, 6, 7, 8, 9, and many more] and the YouTube support forum [1, 2, 3, 4, 5, 6, 7, 8, 9, and many more].

Coordinated campaign bypassed 2FA

The account hacks are the result of a coordinated campaign that consisted of messages luring users to phishing sites, where hackers logged account credentials.

From a channel owner who managed to recover their account before this article’s publication and received additional information from YouTube’s staff, we got some insight into how the full attack chain might have gone down.

  • Hackers use phishing emails to lure victims on fake Google login pages, where they collect users’ account credentials
  • Hackers break into Google accounts
  • Hackers re-assign popular channels to new owners
  • Hackers change the channel’s vanity URL, giving the original account owner and his followers the impression that their account had been deleted.

Some users reported receiving individual emails, while others said they received email chains that included the addresses of multiple YouTube creators, usually from the same community or niche.

This is what appears to have happened with the phishing attacks that targeted the YouTube creators car community, according to a YouTube video from Life of Palos, uploaded over the weekend — see 01:50 video mark.

The same Life of Palos also reported that hackers were capable of bypassing two-factor authentication on users’ accounts. He suggested that hackers might have used Modlishka, a reverse proxy-based phishing toolkit that can also intercept 2FA SMS codes.

However, this is only hearsay, and there is no actual evidence to confirm that hackers used Modlishka specifically. There are plenty of reverse proxy-based phishing toolkits around that can do the same.

Nevertheless, Ryan Scott, the owner of the PURE Function YouTube channel, confirmed he used two-factor authentication on his account, validating that hackers did bypass 2FA on some of the hacked accounts.

Source: Massive wave of account hijacks hits YouTube creators | ZDNet

Card-stealing MageCart infection swipes customers’ details and payment cards from fragrancedirect.co.uk

Online merchant fragrancedirect.co.uk has confirmed a miscreant broke into its systems and made off with a raft of customers’ personal data, including payment card details.

The e-retailer, based in Macclesfield, England, wrote to punters this week to inform them of the digital burglary and the subsequent data leakage.

“We recently discovered that some of our user data may have been compromised as a result of unauthorised access to our website by a malicious third party,” the email states.

The online store then launched an investigation and “quickly identified the root cause and have taken the necessary steps to address the issue”, the note continues.

It added that “Fragrance Direct Username and Password”, along with “Name, Address and Phone Number”, and “Credit and Debit Card Details” spilled into the wrong hands.

Source: What’s that smell? Perfume merchant senses the scent of a digital burglary • The Register

Doordash food delivery service’s latest data breach – 4.9m people have their physical addresses floating around the internet now

Doordash is the latest of the “services you probably use, or at least have an account with” companies to suffer a large data breach. And while your passwords likely haven’t been compromised, it’s possible that your physical address is floating around in the Internet somewhere, among other identifying information.

As Doordash wrote yesterday, an unknown individual accessed data they shouldn’t have on May 4. The compromised information included:

“Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.”

Approximately 4.9 million Doordash customers were affected by the breach, but only those who joined the site prior to April 5, 2018. If you signed up for Doordash after that, you’re in the clear.

However, the leaked information doesn’t stop with emails, phone numbers, and names—to name a few. For a subset of those affected, the attacker was able to access the last four digits of their stored credit card, their bank account number, or their drivers’ license numbers.

Doordash is currently reaching out to those whose data might have been compromised; if you haven’t received an email yet, you might be in the clear, but it’s also taking the company a bit of time to send these, so it’s OK to be slightly anxious.

Source: Doordash’s Latest Data Breach: How to Protect Yourself

Football Leaks: Possible Interest Conflict Dogs Probe

Eurojust, the European Union agency that facilitates cooperation between EU prosecutors, had extended the invitation for a working meeting, the focus of which was on the probes into findings from Football Leaks, the largest data leak in history. But the meeting produced more controversy than expected.

Ten countries have expressed interest in the gigantic trove of data. Under the leadership of French authorities, the working meeting in The Hague had been set up to determine who and under what circumstances authorities would be permitted to work with the millions of files of data from the heart of the football industry. Investigators are hoping the information will provide evidence of serious tax evasion, collective fraud, embezzlement, corruption and money laundering.

[…]

Cluny was present as Portugal’s Eurojust representative at the press conference. And the fact that he didn’t disclose a personal conflict of interest in the course of these proceedings has been the source of significant irritation among his colleagues. Furthermore, it confirms the fears of the whistleblower who gathered the Football Leaks data. Because there are now suspicions Cluny may not be impartial.

But first things first.

Football Leaks is a raft of data that sheds light on the dirty side of the professional football business. The documents offer insights into the inner workings of numerous companies whose revenues end up taking circuitous routes through offshore countries. Financial authorities in Europe have often been kept in the dark about the nested corporate structures, but the documents reveal everything: articles of incorporation, ownership structures, payment flows, wire transfers and bank account numbers.

A source named “John” has been providing DER SPIEGEL with the data since the beginning of 2016. The newsmagazine shared more than 70 million documents with the journalist network European Investigative Collaborations (EIC) and those documents have provided the basis for more than 800 investigative articles over the past three years. The publication of the articles has led to numerous investigations and trials. Among others, Cristiano Ronaldo and José Mourinho were slapped with suspended sentences and fines for tax fraud.

But the whistleblower behind Football Leaks is facing his own trouble with the law following his arrest in mid-January. He has since discarded his pseudonym John and revealed his real name to the public: Rui Pinto. The 30-year-old Portuguese national is now under house arrest in Budapest after Portuguese investigators issued an arrest warrant against him on suspicion of attempted extortion and cybercrime. They are demanding Pinto’s extradition to Portugal. Pinto denies the accusations and is waging a legal fight to prevent his deportation.

Antonio Cluny, the inconspicuous man at the press conference in The Hague, used to be the deputy prosecutor general of Portugal and has been representing his country’s interests at Eurojust since 2014. He said at the press conference that Portugal is also interested in analyzing the data gathered by Pinto, but he also stressed that his country would continue to insist on Pinto’s extradition.

[…]

As it turns out, Cluny did not, in fact, share critical information that has now cast doubt on his independence.

What Cluny shared neither publicly nor with his colleagues at Eurojust is that he’s the father of João Lima Cluny, a top lawyer at the Portuguese law firm Morais Leitão. The firm represents Cristiano Ronaldo, José Mourinho and many other big names in the football world who ran into trouble with the judiciary following the publication of Football Leaks documents. In his private messages, Ronaldo affectionately calls one of the firm’s partners, Carlos Osório de Castro, “father.” Osório de Castro has served as Ronaldo’s legal adviser since the beginning of the football player’s career and the Porto-based lawyer has also coordinated Ronaldo’s defense strategy for the rape allegations that have been leveled against him.

Source: Football Leaks: Possible Interest Conflict Dogs Probe – SPIEGEL ONLINE

I didn’t know about the whole football leaks thing!

Der Spiegel’s site and reporting on the leaks content

The Football leaks data site. You can download player contracts, see how much agents make, what kind of sponsorships there are and much much much more!

up to 2% of all Apple iPhones Hacked, says Google, and Breaks ALL messaging Encryption as well as sending location data

The potential impact of the latest attack on iPhones is massive, not to mention hugely concerning for every user of Apple’s famous smartphone.

That simply visiting a website can lead to your iPhone being hacked silently by some unknown party is worrying enough. But given that, according to Google researchers, it’s possible for the hackers to access encrypted messages on WhatsApp, iMessage, Telegram and others, the attacks undermine the security promised by those apps. It’s a stark reminder that should Apple’s iOS be compromised by hidden malware, encryption can be entirely undone. Own the operating system, own everything inside.

Among the trove of data released by Google researcher Ian Beer on the attacks was detail on the “monitoring implant” hackers installed on the iPhone. He noted that it had access to all the database files on the victim’s phone used by those end-to-end encrypted apps. Those databases “contain the unencrypted, plain-text of the messages sent and received using the apps.”


The implant would also enable hackers to snoop on Gmail and Google Hangouts, contacts and photos. The hackers could also watch where users were going with a live GPS location tracker. And the malware stole the “keychain” where passwords, such as those for all remembered Wi-Fi points, are stored.

Shockingly, according to Beer, the hackers didn’t even bother encrypting the data they were stealing, making a further mockery of encrypted apps. “Everything is in the clear. If you’re connected to an unencrypted Wi-Fi network, this information is being broadcast to everyone around you, to your network operator and any intermediate network hops to the command and control server,” the Google researcher wrote. “This means that not only is the end-point of the end-to-end encryption offered by messaging apps compromised; the attackers then send all the contents of the end-to-end encrypted messages in plain text over the network to their server.”

Beer’s ultimate assessment is sobering: “The implant has access to almost all of the personal information available on the device, which it is able to upload, unencrypted, to the attacker’s server.”

And, Beer added, even once the iPhone has been cleaned of infection (which would happen on a device restart or with the patch applied), the information the hackers pilfered could be used to maintain access to people’s accounts. “Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.”

iPhone users should upgrade to the latest iOS as soon as they can to get a patch for the flaw, which was fixed earlier this year. Apple did not comment.

[…]

Avraham said he’d analyzed many cases of attacks on iPhones and iPads. He said he wouldn’t be surprised if the number of remotely infected iOS devices was anywhere between 0.1% and 2% of all 1 billion iPhones in use. That’d be either 1 million or 20 million.

“The only way to fight back is to patch vulnerabilities used as part of exploit chains while strategic mitigations are developed. This cannot be done effectively solely by Apple without the help of the security community,” Avraham added.

“Unfortunately the security community cannot help much due to Apple’s own restrictions. The current sandbox policies do not allow security analysts to extract malware from the device even if the device is compromised.”

Source: Apple iPhone Hack Exposed By Google Breaks WhatsApp Encryption

Data Breach in Adult Site Luscious Compromises Privacy of All Users

Luscious is a niche pornographic image site focused primarily on animated, user-uploaded content. Based on the research carried out by our team, the site has over 1 million registered users. Each user has a profile, the details of which could be accessed through our research.

Private profiles allow users to upload, share, comment on, and discuss content on Luscious. All of this is understandably done while keeping their identity hidden behind usernames.

The data breach our team discovered compromises this anonymity by potentially allowing hackers to access the personal details of users, including their personal email address. The highly sensitive and private nature of Luscious’ content makes users incredibly vulnerable to a range of attacks and exploitation by malicious hackers.

[…]

The private personal user details we viewed included:

  • Usernames
  • Personal email addresses
  • User activity logs (date joined, most recent log in)
  • Country of residence/location
  • Gender

Some users’ email addresses indicated their full names, increasing their vulnerability to exploitation and cybercrime.

It’s worth mentioning that we estimate 20% of emails on Luscious accounts use fake email addresses to sign up. This suggests that some Luscious users are actively taking extra steps to remain anonymous.

User Behaviours & Activities

The data breach also gave a complete overview of user activities. This allowed us to view things like:

  • The number of image albums they had created
  • Video uploads
  • Comments
  • Blog posts
  • Favorites
  • Followers and accounts followed
  • Their User ID number – so we can know if they’re active or have been banned

Source: Report: Data Breach in Adult Site Compromises Privacy of All Users

Ouch – if you were on there, good luck and change your details immediately!

Google’s AI can be manipulated into “accidentally” deactivating targeted user accounts

Jordan B. Peterson had his gmail account deactivated and I had the opportunity to inspect the bug report as a full-time employee. What I found was that Google had a technical vulnerability that, when exploited, would take any gmail account down. Certain unknown 3rd party actors are aware of this secret vulnerability and exploit it. This is how it worked: Take a target email address, change exactly one letter in that email address, and then create a new account with that changed email address. Malicious actors repeated this process over and over again until a network of spoof accounts for Jordan B. Peterson existed. Then these spoof accounts started generating spam emails. These email-spam blasts caught the attention of an AI system which fixed the problem by deactivating the spam accounts… and then ALSO the original account belonging to Jordan B. Peterson!
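The letter describes an enforcement cascade: a cluster of one-letter-variant accounts sends spam, and the automated response takes down the legitimate seed account along with them. The following is an added illustration (not code from the letter or from any Google system) that models the spoof-cluster pattern and shows a naive enforcement rule beside a guarded one that acts only on accounts that themselves generated abuse. All addresses, timestamps and report counts are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    address: str        # mailbox address
    created: datetime   # account creation time
    spam_reports: int   # abuse reports attributed to this account


def one_letter_variant(a: str, b: str) -> bool:
    """True when a and b have equal length and differ in exactly one
    character: the spoofing pattern the letter describes."""
    if len(a) != len(b):
        return False
    return sum(x != y for x, y in zip(a, b)) == 1


def spoof_cluster(seed_address: str, accounts):
    """All accounts whose address is a one-letter variant of the seed.
    The seed itself never matches (zero differing characters)."""
    return [acc for acc in accounts if one_letter_variant(acc.address, seed_address)]


def naive_enforcement(seed: Account, accounts) -> set:
    """The failure mode in the letter: once spam from the cluster trips the
    detector, every address tied to the cluster, including the legitimate
    seed that the variants were derived from, is deactivated."""
    cluster = spoof_cluster(seed.address, accounts)
    if sum(acc.spam_reports for acc in cluster) == 0:
        return set()
    return {seed.address} | {acc.address for acc in cluster}


def guarded_enforcement(seed: Account, accounts):
    """Defensive variant: deactivate only variants that both generated abuse
    themselves and were created after the seed.  The seed is never auto
    deactivated on the strength of its look-alikes; it is queued for human
    review instead.  Returns (deactivate, review) as sets of addresses."""
    cluster = spoof_cluster(seed.address, accounts)
    deactivate = {
        acc.address
        for acc in cluster
        if acc.spam_reports > 0 and acc.created > seed.created
    }
    review = {seed.address} if deactivate else set()
    return deactivate, review


# Constructed sample: a long-standing seed account, three look-alikes created
# within hours of each other (two already spamming), and an unrelated user.
T0 = datetime(2019, 9, 1, 12, 0)
SEED = Account("jbp@example.com", T0 - timedelta(days=3000), 0)
ACCOUNTS = [
    SEED,
    Account("jbq@example.com", T0, 40),
    Account("jbo@example.com", T0 + timedelta(hours=1), 55),
    Account("jcp@example.com", T0 + timedelta(hours=2), 0),      # variant, no spam yet
    Account("alice@example.com", T0 - timedelta(days=10), 0),    # unrelated account
]

if __name__ == "__main__":
    print("naive:", sorted(naive_enforcement(SEED, ACCOUNTS)))
    deactivate, review = guarded_enforcement(SEED, ACCOUNTS)
    print("guarded deactivate:", sorted(deactivate), "review:", sorted(review))
```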

Source: Open Letter: Dear Attorney Representing Tulsi Gabbard, this is how Google is “accidentally” deactivating user accounts | Minds

OMG Cable | Hackaday

The O.MG cable (or Offensive MG kit) from [MG] hides a backdoor inside the shell of a USB connector. Plug this cable into your computer and you’ll be the victim of remote attacks over WiFi.

You might be asking what’s inside this tiny USB cable to make it susceptible to such attacks. That’s the trick: inside the shell of the USB ‘A’ connector is a PCB loaded up with a WiFi microcontroller — the documentation doesn’t say which one — that will send payloads over the USB device. Think of it as a BadUSB device, like the USB Rubber Ducky from Hak5, but one that you can remote control. It is the ultimate way into a system, and all anyone has to do is plug a random USB cable into their computer.

In the years since BadUSB — an exploit hidden in a device’s USB controller itself — was released upon the world, [MG] has been tirelessly working on making his own malicious USB device, and now it’s finally ready. The O.MG cable hides a backdoor inside the shell of a standard, off-the-shelf USB cable.

The construction of this device is quite impressive, in that it fits entirely inside a USB plug. But this isn’t just a PCB from a random Chinese board house: [MG] spent 300 hours and $4000 in the last month putting this project together with a Bantam mill and created his own PCBs, with silk screen. That’s impressive no matter how you cut it.

Source: OMG Cable | Hackaday

The makers: http://mg.lol/blog/omg-cable/

Soft launch of the cable for USD 200

Capital One gets Capital Done: Hacker swipes personal info on 106 million US, Canadian credit card applicants

A hacker raided Capital One’s cloud storage buckets and stole personal information on 106 million credit card applicants in America and Canada.

The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we’re told, as well as one million Canadian social insurance numbers, plus names, addresses, phone numbers, dates of birth, and reported incomes.

The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019. The info was siphoned between March this year and July 17, and Capital One learned of the intrusion on July 19.

Seattle software engineer Paige A. Thompson, aka “erratic,” aka 0xA3A97B6C on Twitter, was suspected of nicking the data, and was collared by the FBI at her home on Monday this week. The 33-year-old has already appeared in court, charged with violating the US Computer Fraud and Abuse Act. She will remain in custody until her next hearing on August 1.

According to the Feds in their court paperwork [PDF], Thompson broke into Capital One’s cloud-hosted storage, believed to be Amazon Web Services’ S3 buckets, and downloaded their contents.

The financial giant said the intruder exploited a “configuration vulnerability,” while the Feds said a “firewall misconfiguration permitted commands to reach and be executed” by Capital One’s cloud-based storage servers. US prosecutors said the thief slipped past a “misconfigured web application firewall.”

Source: Capital One gets Capital Done: Hacker swipes personal info on 106 million US, Canadian credit card applicants • The Register

Not so much a hack as poor security by Capital One then

Google to Pay only $13 Million for sniffing passwords and emails over your wifi using Street View cars between 2007 – 2010

After nearly a decade in court, Google has agreed to pay $13 million in a class-action lawsuit alleging its Street View program collected people’s private data over wifi from 2007 to 2010. In addition to the moolah, the settlement—filed Friday in San Francisco—also calls for Google to destroy all the collected data and teach people how to encrypt their wifi networks.

A quick refresher. Back when Google started deploying its little Street View cars around our neighborhoods, the company also ended up collecting about 600 GB of emails, passwords, and other payload data from unencrypted wifi networks in over 30 countries. In a 2010 blog, Google said the data collection was a “mistake” after a German data protection group asked to audit the data collected by the cars.

[…]

The basis for the class-action lawsuit was that Google was basically infringing on federal wiretapping laws. Google had argued in a separate case on the same issue, Joffe vs Google, that its “mistake” was legal, as unencrypted wifi networks are a form of radio communication and thereby readily accessible by the general public. The courts did not agree, and in 2013 ruled Google’s defense was bunk. And despite Google claiming the collection was a “mistake,” according to CNN, in this particular class-action lawsuit, investigators found that Google engineers created the software and embedded it into Street View cars intentionally.

[…]

If you thought Google would pay out the nose for this particular brand of evil, you’d be mistaken. The class-action netted $13 million, with punitive payments only going to the original 22 plaintiffs—additional class members won’t get anything. The remaining money will be then distributed to eight data privacy and consumer protection organizations. Similarly, another case brought by 38 states on yet again, the same issue, only netted a $7 million settlement.

Source: Google Set to Pay $13 Million in Street View Class-Action Suit

Evite Invites Over 100 Million People to Their Data Breach – with cleartext passwords

“In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorised access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.”

Source: Evite Invites Over 100 Million People to Their Data Breach

It’s 2019 and people still store personal information in plain text?!

Search for them in your emailbox – you may have received evites from others instead of having made an account, in which case you are also in the data breach

Bitpoint cryptocurrency exchange hacked for $32 million

Japan-based cryptocurrency exchange Bitpoint announced it lost 3.5 billion yen (roughly $32 million) worth of cryptocurrency assets after a hack that happened late yesterday, July 11.

The exchange suspended all deposits and withdrawals this morning to investigate the hack, it said in a press release.

Thoroughly compromised

In a more detailed document released by RemixPoint, the legal entity behind Bitpoint, the company said that hackers stole funds from both its “hot” and “cold” wallets. This suggests the exchange’s network was thoroughly compromised.

Hot wallets are used to store funds for current transactions, while the cold wallets are offline devices storing emergency and long-term funds.

Bitpoint reported the attackers stole funds in five cryptocurrencies: Bitcoin, Bitcoin Cash, Litecoin, Ripple, and Ethereum.

The exchange said it detected the hack because of errors related to the remittance of Ripple funds to customers. Twenty-seven minutes after detecting the errors, Bitpoint admins realized they had been hacked, and three hours later, they discovered thefts from other cryptocurrency assets.

Another three and a half hours later, after a meeting with management, the exchange shut down and law enforcement was notified.

Two-thirds of stolen funds belonged to customers

The exchange also said that 2.5 billion yen ($23 million) of the total 3.5 billion yen ($32 million) stolen were customer funds, while the rest were funds owned by the exchange itself, as reserve funds and profits from past activity.

Source: Bitpoint cryptocurrency exchange hacked for $32 million | ZDNet

UK data regulator threatens British Airways with 747-sized fine for massive personal data blurt

The UK Information Commissioner’s Office has warned BA it faces a whopping £183.39m following the theft of million customer records from its website and mobile app servers.

The record-breaking fine – more or less the lower end of the price of one of the 747-400s in BA’s fleet – under European General Data Protection Regulation (GDPR), represents 1.5 per cent of BA’s world-wide revenue in 2017.

Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The breach hit almost 500,000 people. The ICO statement reveals the breach is believed to have started in June 2018; previous statements from BA said it began in late August. The data watchdog described the attack as diverting user traffic from BA’s site to a fraudulent site.

ICO investigators found a variety of information was compromised including log-in details, card numbers, names, addresses and travel information.

Sophisticated card skimming group Magecart, which also hit Ticketmaster, was blamed for the data slurp. The group is believed to have exploited third party scripts, possibly modified JavaScript, running on BA’s site to gain access to the airline’s payment system.

Such scripts are often used to support marketing and data tracking functions or running external ads.
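The article names modified third-party scripts as the suspected vector. One control a site operator can run against that is a script-integrity audit: keep an approved Subresource Integrity (SRI) digest for every script the page loads and alert when a served script no longer matches or a script appears that was never approved. The following is an added example (not from the article, the ICO, or BA) using constructed script bodies and paths.

```python
import base64
import hashlib


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity value ('sha384-<base64>') for a
    script body, the same form used in an <script integrity="..."> attribute."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def audit_scripts(baseline: dict, current: dict) -> dict:
    """Compare the scripts a page currently serves against an approved baseline.

    baseline: script URL -> approved SRI value
    current:  script URL -> script body as served right now
    Returns lists of URLs that were modified, that are not in the baseline at
    all (unexpected), and that the baseline expects but the page no longer loads.
    """
    report = {"modified": [], "unexpected": [], "missing": []}
    for url, body in current.items():
        approved = baseline.get(url)
        if approved is None:
            report["unexpected"].append(url)
            continue
        algo = approved.split("-", 1)[0]           # reuse the baseline's hash algorithm
        if sri_digest(body, algo) != approved:
            report["modified"].append(url)
    report["missing"] = sorted(set(baseline) - set(current))
    return report


# Constructed sample: an approved baseline of two first-party scripts, and a
# current snapshot in which one script gained an extra line after deployment
# and a third script from an unapproved origin has appeared on the page.
GOOD_VENDOR = b"window.vendorReady = true;\n"
GOOD_CHECKOUT = b"function submitPayment(form) { return form.checkValidity(); }\n"

BASELINE = {
    "/static/js/vendor.js": sri_digest(GOOD_VENDOR),
    "/static/js/checkout.js": sri_digest(GOOD_CHECKOUT),
}

CURRENT = {
    "/static/js/vendor.js": GOOD_VENDOR + b"// constructed: line appended after deployment\n",
    "/static/js/checkout.js": GOOD_CHECKOUT,
    "https://cdn.example.invalid/extra.js": b"// constructed: script not in the baseline\n",
}

if __name__ == "__main__":
    for kind, urls in audit_scripts(BASELINE, CURRENT).items():
        print(f"{kind}: {urls}")
```

A baseline like this is only as good as its change-control: an approved digest has to be re-issued through the deployment pipeline whenever a script is legitimately updated, so that an unexplained change stands out.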

The Reg revealed that BA parent company IAG was in talks with staff to outsource cyber security to IBM just before the hack was carried out.

Source: UK data regulator threatens British Airways with 747-sized fine for massive personal data blurt • The Register

Zipato Zipamicro smart home hub totally pwned

In new research published Tuesday and shared with TechCrunch, Dardaman and Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock.

Smart home technology has come under increasing scrutiny in the past year. Although convenient to some, security experts have long warned that adding an internet connection to a device increases the attack surface, making the devices less secure than their traditional counterparts. The smart home hubs that control a home’s smart devices, like water meters and even the front door lock, can be abused to allow landlords entry to a tenant’s home whenever they like.

[…]

The researchers found they could extract the hub’s private SSH key for “root” — the user account with the highest level of access — from the memory card on the device. Anyone with the private key could access a device without needing a password, said Wheeler.

They later discovered that the private SSH key was hardcoded in every hub sold to customers — putting at risk every home with the same hub installed.

Using that private key, the researchers downloaded a file from the device containing scrambled passwords used to access the hub. They found that the smart hub uses a “pass-the-hash” authentication system, which doesn’t require knowing the user’s plaintext password, only the scrambled version. By taking the scrambled password and passing it to the smart hub, the researchers could trick the device into thinking they were the homeowner.
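The flaw described above is that the stored, scrambled password is itself accepted as the credential, so anyone who can read the credential file (here, via the hard-coded root key) is as good as the homeowner. The following is an added illustration (not the hub vendor’s code) that contrasts such a pass-the-hash verifier with one that re-derives a salted digest from the submitted password, so the stored digest alone no longer authenticates. The user name, password and PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password digest (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def new_record(password: str):
    """Create the (salt, digest) pair a server should store for a user."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


# Constructed credential store: username -> (salt, digest).  On the hub in
# the article the equivalent file was readable with the shared root key.
CREDENTIALS = {"homeowner": new_record("correct horse battery staple")}


def verify_pass_the_hash(username: str, presented_digest: bytes) -> bool:
    """Weak scheme, as described for the hub: the client submits the digest
    itself and the server merely compares it with the stored one.  Whoever
    can read the credential store can log in without knowing the password."""
    record = CREDENTIALS.get(username)
    if record is None:
        return False
    _salt, stored = record
    return hmac.compare_digest(presented_digest, stored)


def verify_password(username: str, presented_password: str) -> bool:
    """Hardened scheme: the client submits the password over a TLS-protected
    channel and the server re-derives the digest with the stored salt.
    A stolen digest is no longer a usable credential."""
    record = CREDENTIALS.get(username)
    if record is None:
        derive(presented_password, b"\x00" * 16)   # burn comparable time for unknown users
        return False
    salt, stored = record
    return hmac.compare_digest(derive(presented_password, salt), stored)


def leaked_digest(username: str) -> bytes:
    """Models what an attacker obtains by reading the credential file."""
    return CREDENTIALS[username][1]


if __name__ == "__main__":
    stolen = leaked_digest("homeowner")
    print("pass-the-hash with stolen digest:", verify_pass_the_hash("homeowner", stolen))
    print("hardened, stolen digest as password:", verify_password("homeowner", stolen.hex()))
    print("hardened, real password:", verify_password("homeowner", "correct horse battery staple"))
```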

Source: Security flaws in a popular smart home hub let hackers unlock front doors | TechCrunch

Telcos around the world were so severely pwned, they didn’t notice the hackers setting up VPN points

Hackers infiltrated the networks of at least ten cellular telcos around the world, and remained hidden for years, as part of a long-running tightly targeted surveillance operation, The Register has learned. This espionage campaign is still ongoing, it is claimed.

Cyber-spy hunters at US security firm Cybereason told El Reg on Monday the miscreants responsible for the intrusions were, judging from their malware and skills, either part of the infamous Beijing-backed hacking crew dubbed APT10 – or someone operating just like them, perhaps deliberately so.

Whoever it was, the snoops apparently spent the past two or more years inside ten-plus cellphone networks dotted around the planet. In some cases, we’re told, the hackers were able to deploy their own VPN services on the telcos’ infrastructure to gain quick, persistent, and direct access to the carriers rather than hop through compromised internal servers and workstations. These VPN services were not detected by the telcos’ IT staff.

[…]

The undetected VPN deployments underscore just how deeply the hacker crew was able to drill into the unnamed telcos and compromise pretty much everything needed to get the job done. The gang sought access to hundreds of gigabytes of phone records, text messages, device and customer metadata, and location data on hundreds of millions of subscribers.

This was all done, we’re told, to spy on and gather the whereabouts of some 20 to 30 high-value targets – think politicians, diplomats, and foreign agents. The hackers and their masters would thus be able to figure out who their targets have talked to, where they work and stay, and so on.

[…]

To cover their tracks, the hackers would have long periods of inactivity.

“They come in, they do something, and they disappear for one to three months,” said Serper. “Then they come in again, disappear, and so forth.”

Source: What the cell…? Telcos around the world were so severely pwned, they didn’t notice the hackers setting up VPN points • The Register

U.S. and Iran’s Hackers Are Trading Blows

Chris Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, issued a statement on June 22 following similar warnings from private American cybersecurity firms.

Krebs, whose recently renamed agency is tasked with protecting American critical infrastructure, said CISA is “aware of a recent rise in malicious cyber activity” against American companies and government agencies by Iranian actors.

CISA specifically warned about “wiper” attacks which, in addition to stealing data, destroy it as well. It’s not clear who exactly was targeted.

American operators are targeting Iranians as well, Yahoo News reported on Friday. The news was confirmed by the Washington Post and the New York Times. Iranian officials said the attacks were unsuccessful, while Americans deemed the attacks “very” effective.

The Americans say they hacked Iranian spies who were allegedly involved in several attacks against oil tankers in the Persian Gulf over recent weeks. The cyberattacks followed a U.S. spy drone being shot down over Iran last week.

Even though President Donald Trump called off a kinetic attack with just minutes to spare last week, there’s little reason to think the overall conflict is over. The U.S. is preparing more hacking plans to target Iran while American businesses are expecting that if tension continues, it’ll be them in the crosshairs.

Cyberwar has fundamentally changed some of the calculus of war. Two decades ago, when the U.S. invaded a pair of countries on the other side of the world, the conflict was largely confined to those countries. Hacking levels the playing field and allows a country like Iran — which would generally not be able to compete with the American military’s traditional superiority — to inflict damage inside the U.S. itself.

Source: U.S. and Iran’s Hackers Are Trading Blows

Buyer Beware: Used Nest Cams Can Let People Spy on You

A member of the Facebook Wink Users Group discovered that after selling his Nest cam, he was still able to access images from his old camera—except it wasn’t a feed of his property. Instead, he was tapping into the feed of the new owner, via his Wink account. As the original owner, he had connected the Nest Cam to his Wink smart-home hub, and somehow, even after he reset it, the connection continued.

We decided to test this ourselves and found that, as it happened for the person on Facebook, images from our decommissioned Nest Cam Indoor were still viewable via a previously linked Wink hub account—although instead of a video stream, it was a series of still images snapped every several seconds.

Here’s the process we used to confirm it:

Our Nest cam had recently been signed up to Nest Aware, but the subscription was canceled in the past week. That Nest account was also linked to a Wink Hub 2. Per Nest’s instructions, we confirmed that our Aware subscription was not active, after which we removed our Nest cam from our Nest account—this is Nest’s guidance for a “factory reset” of this particular camera.

Nest’s instructions for doing a factory reset on the Nest Cam indicate that there is no factory reset button, a common feature on smart-home devices.

After that, we were unable to access the live stream with either the mobile Nest app or the desktop Nest app, as expected. We also couldn’t access the camera using the Wink app, because the camera was not online. We then created a new Nest account on a new (Android) device that had a new data connection. We followed the steps for adding the Nest Cam Indoor to that new Nest account, and we were able to view a live stream successfully through the Nest mobile app. However, going back to our Wink app, we were also able to view a stream of still images from the Nest cam, despite its being associated with a new Nest account.

In simpler terms: If you buy and set up a used Nest indoor camera that has been paired with a Wink hub, the previous owner may have unfettered access to images from that camera. And we currently don’t know of any cure for this problem.

Source: Buyer Beware: Used Nest Cams Can Let People Spy on You: Reviews by Wirecutter | A New York Times Company

Updated: patch your Nest to fix it!

Lab Testing Giant Quest Diagnostics Says Data Breach May Have Hit Nearly 12 Million Patients

Clinical lab testing titan Quest Diagnostics acknowledged in a press release on Monday that an “unauthorized user” had gained access to personal information on around 11.9 million customers, including some financial and medical data.

Per NBC News, news of the breach comes by way of a Securities and Exchange Commission filing in which Quest wrote that American Medical Collection Agency (AMCA), which provides billing collection services to Quest contractor Optum 360, had notified it of the breach in mid-May. NBC wrote that Quest said AMCA’s web payments page had possibly been compromised from Aug. 1, 2018 to March 30, 2019.

In its statement, Quest wrote that compromised information could include “certain financial data,” Social Security numbers, and some medical material—but not the results of laboratory tests on patients. It also wrote the extent of the breach remained unclear:

AMCA believes this information includes personal information, including certain financial data, Social Security numbers, and medical information, but not laboratory test results.

AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA.

Quest added that it had “suspended” sending collections requests to AMCA. According to the Wall Street Journal, a spokesperson for Optum360 parent company UnitedHealth said their Optum360 systems were unaffected by the breach.

Source: Lab Testing Giant Quest Diagnostics Says Data Breach May Have Hit Nearly 12 Million Patients

Supra smart TVs allow anyone on wifi network to switch video to whatever they want

Owners of Supra Smart Cloud TVs are in danger of getting some unwanted programming: it’s possible for miscreants or malware on your Wi-Fi network to switch whatever you’re watching for video of their or its choosing.

Bug-hunter Dhiraj Mishra laid claim to CVE-2019-12477, a remote file inclusion zero-day vulnerability that allows anyone with local network access to specify their own video to display on the TV, overriding whatever is being shown, with no password necessary. As such it’s more likely to be used by mischievous family members than hackers.

Mishra told The Register the issue is due to a complete lack of any authentication or session management in the software controlling the Wi-Fi-connected telly. By crafting a malicious HTTP GET request, and sending it to the set over the network, an attacker would be able to provide whatever video URL they desired to the target, and have the stream played on the TV without any sort of security check.

Source: Supra smart TVs aren’t so super smart: Hole lets hackers go all Max Headroom on e-tellies • The Register

Strewth: Hackers slurp 19 years of Oz student data in uni’s second breach within a year

The Australian National University (ANU) today copped to a fresh breach in which intruders gained access to “significant amounts” of data stretching back 19 years.

The top-ranked Oz uni said it noticed about a fortnight ago that hackers had got their claws on staff, visitor and student data, including names, addresses, dates of birth, phone numbers, personal email addresses, emergency contact details, tax file numbers, payroll information, bank account details and passport details. It said the breach took place in “late 2018” – the same year it ‘fessed up to another lengthy attack.

Students will be miffed to find out that someone knows they had to retake second-year Statistics since academic records were also accessed.

The uni insisted: “The systems that store credit card details, travel information, medical records, police checks, workers’ compensation, vehicle registration numbers, and some performance records have not been affected.”

Source: Strewth: Hackers slurp 19 years of Oz student data in uni’s second breach within a year • The Register

why was this data not encrypted?

Radio signals used for ILS plane landings can easily be spoofed using tools amounting to just $600

With about $600 and a few tools, hackers could fake the radio signals used by commercial airplanes to navigate and land safely, according to new research.

In a paper and demonstration from researchers at Northeastern University in Boston, a software defined radio — a non-traditional radio that uses software instead of hardware for many components — successfully tricks a simulated plane into thinking that the aircraft is traveling off-course. 

Through a process called ‘spoofing’ — a term also applied to scam and robo-callers who fake their numbers — researchers are able to deceive an aircraft’s course deviation indicator into thinking the plane is off-center.

This causes it to misalign or falsely ‘correct’ its trajectory and land adjacent to the runway.


With about $600 and a few tools, hackers could fake the radio signals used by commercial airplanes to navigate and land safely, according to new research. In a scary demonstration, researchers were able to simulate an attack on the radio signals used by nearly all aircraft

As first reported by Ars Technica, the radio signals spoofed by their device are the same signals used in almost every aircraft throughout the last 50 years, including those on-board large commercial jetliners.

Because of the technology’s age, radio signals used in Instrument Landing Systems (ILS) are not encrypted or authenticated like other digitally transferred data, they say.

While the tools used by researchers in the demonstration aren’t necessarily new, Ars Technica notes that the cost of such devices has come down, making the type of attack more feasible for hackers than ever before.

Researchers note that an attack using their method is possible, but in many cases, misaligned planes can swiftly be corrected by adept pilots who are able to see their positioning in clear conditions and either adjust or perform a fly-around.

Source: Radio signals used to land planes can easily be HACKED using tools amounting to just $600 | Daily Mail Online

Hackers abuse ASUS cloud service to install backdoor on users’ PCs – again

ASUS’ update mechanism has once again been abused to install malware that backdoors PCs, researchers from Eset reported earlier this week. The researchers, who continue to investigate the incident, said they believe the attacks are the result of router-level man-in-the-middle attacks that exploit insecure HTTP connections between end users and ASUS servers, along with incomplete code-signing to validate the authenticity of received files before they’re executed.

Plead, as the malware is known, is the work of espionage hackers Trend Micro calls the BlackTech Group, which targets government agencies and private organizations in Asia. Last year, the group used legitimate code-signing certificates stolen from router-maker D-Link to cryptographically authenticate itself as trustworthy. Before that, the BlackTech Group used spear-phishing emails and vulnerable routers to serve as command-and-control servers for its malware.
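The two weaknesses Eset describes above, an unauthenticated transport and incomplete signature validation, are addressed by one gate on the client. As an added example that is not ASUS’s or Eset’s code, the constructed verifier below accepts an update only if the signature over the bytes actually received verifies under a pinned vendor key; a payload swapped in transit and a well-formed signature from some other, foreign key (the article mentions stolen D-Link certificates) are both rejected. The vendor key is generated fresh here purely so the example runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed vendor signing key, generated fresh so the example runs offline.
// The public half is what the updater ships pinned; the private half would stay
// on the vendor's signing infrastructure.
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// Update is what a client downloads: a payload plus a detached signature over its SHA-256 digest.
type Update struct {
	Payload   []byte
	Signature []byte
}

func signUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	digest := sha256.Sum256(payload)
	return Update{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// signWithUnrelatedKey yields a well-formed signature from a key that is not the
// vendor's, modelling a signer who holds some legitimate but foreign signing key.
func signWithUnrelatedKey(payload []byte) Update {
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	return signUpdate(otherPriv, payload)
}

// verifyBeforeRun is the gate the article says was incomplete: the payload is
// released for execution only if the signature verifies over the bytes actually
// received, under the pinned vendor key. A router-level man-in-the-middle that
// swaps the payload on a plain-HTTP download fails here despite the weak transport.
func verifyBeforeRun(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize {
		return nil, errors.New("rejected: malformed signature")
	}
	digest := sha256.Sum256(u.Payload)
	if !ed25519.Verify(pinned, digest[:], u.Signature) {
		return nil, errors.New("rejected: signature does not verify under the pinned vendor key")
	}
	return u.Payload, nil
}

func main() {
	genuine := signUpdate(vendorPriv, []byte("constructed benign update"))
	tampered := Update{Payload: []byte("constructed swapped payload"), Signature: genuine.Signature}
	foreign := signWithUnrelatedKey(tampered.Payload)
	for name, u := range map[string]Update{"genuine": genuine, "tampered": tampered, "foreign": foreign} {
		_, err := verifyBeforeRun(vendorPub, u)
		fmt.Printf("%-8s -> %v\n", name, err)
	}
}
```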

Source: Hackers abuse ASUS cloud service to install backdoor on users’ PCs | Ars Technica

One of the World’s Largest Crypto Exchanges, Binance, Hacked to the Tune of $40 Million

Cryptocurrency trading hub Binance, one of the world’s largest, has confirmed it lost about 7,000 Bitcoins (around $40 million) to hackers after its so-called “hot wallet,” i.e. one connected to the internet and used to process transactions, was breached, Bloomberg reported on Tuesday.

The hot wallet in question contained about two percent of Binance’s holdings and was robbed in a single transaction, Bloomberg wrote. Binance wrote in a statement that they were aware the hackers involved “used a variety of techniques, including phishing, viruses and other attacks,” though the company was “still concluding all possible methods used” and there may be “additional affected accounts that have not been identified yet.”

[…]

Binance said that it would cover any losses in full using its Secure Asset Fund for Users, an insurance reserve set up for this type of situation, Bloomberg wrote. The news network added that Binance said automated systems triggered an alarm during the incident, though it was unable to prevent the attack’s success, and it estimates a security review and temporary halt to all deposits and withdrawals will take a week to complete:

Source: One of the World’s Largest Crypto Exchanges, Binance, Hacked to the Tune of $40 Million

Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation after being held for 2 years by US. Forced confession, maybe?

Marcus Hutchins, the British security researcher who shot to fame after successfully halting the Wannacry ransomware epidemic, has pleaded guilty to crafting online bank-account-raiding malware.

For nearly two years now, Hutchins, 24, has been under house arrest in the US after being collared at Las Vegas airport by FBI agents acting on a tip-off. The Brit, who was at the time trying to fly back home to Blighty after attending the Black Hat and DEF CON security conferences, was accused of creating and selling the Kronos banking trojan, and denied any wrongdoing.

The US government subsequently piled on charges, and it now appears that the pressure has been too much: on Friday this week, Hutchins accepted a plea deal [PDF], and admitted two charges of malware development.

“I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security,” he said in a statement.

“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Each of the two counts carries a maximum penalty of five years behind bars, a $250,000 fine, and a year of probation. As with most plea deals, he’s likely to get less than that, though he may still spend some time in an American cooler.

While being held in jail after his arrest, Hutchins apparently admitted creating the software nasty. According to the Feds, the Brit at one point told an unnamed associate over a recorded telephone line: “I used to write malware, they picked me up on some old shit,” later adding: “I wrote code for a guy a while back who then incorporated it into a banking malware.”

Now the FBI have their guilty plea, and Hutchins – a professional malware reverse-engineer these days – is facing an uncertain future. But you have to wonder if it was all really worth it for the US authorities. After all, plenty of today’s cyber-security engineers and researchers have toyed with writing malware, even for research purposes. Thus, a stretch behind bars would be a very hard sentence for an offense committed when he was a teen.

Source: Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation