Cyber Security: Ready or Not – You Decide

Critical infrastructure isn't ready yet to face China's cyber threat
If China-backed hackers were to take down U.S. critical infrastructure and hit a pipeline or water utility, officials have long said that would be considered an act of war.
https://www.axios.com/2024/02/02/china-hacking-threat-government-warning

U.S. Can Respond Decisively to Cyber Threat Posed by China

"And in terms of the way that we communicate it, we communicate it in many different ways—from our policymakers who have these discussions to the exercises that we conduct to the real-world examples that, that we do with a series of different partners." 
https://www.defense.gov/News/News-Stories/Article/Article/3663799/us-can-respond-decisively-to-cyber-threat-posed-by-china/

The ToothBots Are Coming

According to a recent report published by the Aargauer Zeitung (h/t Golem.de), around three million smart toothbrushes have been infected by hackers and enslaved into botnets...

In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet. more

UPDATE: Okay, stop laughing. The report of a massive denial of service attack by smart toothbrushes was a misreported story from mainstream sources. A hypothetical that was mistranslated.

Warning As 26 Billion Records Leak: Dropbox, LinkedIn, Twitter Named

via Rob Kleeger, Digital4nx Group, Ltd.

Hold on tight because we've got some major news for you. Brace yourselves for the 'Mother of all breaches' (MOAB) - a breach so massive it's making waves in the cybersecurity world!

Security researchers have just uncovered a mind-boggling database with over 26 billion records, compromising billions of accounts worldwide. Yep, you read that right! This treasure trove of data has been collected from big shots like LinkedIn, Twitter, Adobe, and many more.

Can you believe it? This jaw-dropping database is made up of a whopping 3,800 folders, which means these records were gathered over time to create a mind-blowing 12 Terabyte database. Talk about a digital goldmine! 

Now, here's the important part: some major players have been affected, including Twitter/X (281 million records), LinkedIn (251 million records), Evite (179 million records), and Adobe (153 million records). It's a serious situation, folks.

We don't want you to panic, but it's crucial to take immediate action to protect yourself. 

Here's what you need to do:
1️⃣ Change your passwords for ALL online accounts, especially those linked to the affected organizations.
2️⃣ Enable two-factor authentication wherever possible. Double the security, double the peace of mind! 
3️⃣ Stay on high alert for any suspicious emails, messages, or calls asking for personal information. Don't fall for their tricks!
4️⃣ Keep a close eye on your financial accounts and credit reports. If you spot any unauthorized activity, act fast!
The breach reminds me of this movie clip for some reason... 

How To Turn On Apple iPhone’s New Anti-Theft Feature

Apple's 'Stolen Device Protection' tool aims to deter cases of phone theft, but you need to enable it first.

Apple's new ‘stolen device protection' tool, was launched as part of its iOS 17.3 release, and plans to squash instances of phone theft by ramping up security requirements and limiting the amount of data thieves have access to...

Activating Apple's new security mechanism is very straightforward. First you need to enable two-factor authentication for your Apple AI and set up a device passcode, Face ID or Touch ID, Find My, and Significant Locations (under Location Services).

Once you have these up, you need to: 

• Go to Settings
• Tap ‘Face ID & PassCode'
• Enter your device passcode
• Tap to turn Stolen Device Protection on

more  video

Ivanti Attacks Part of Deliberate Espionage Operation

Researchers warn the previously unknown actor has developed custom malware designed to maintain persistent access on targeted networks and evade detection.

The threat actor behind the monthlong exploitation of Ivanti Connect Secure VPN is conducting an espionage campaign using custom malware with the goal of maintaining continued access to the appliances, according to research released Thursday by Google Cloud’s Mandiant unit. 

Multiple suspected APT actors have used similar methods with appliance-specific malware in order to engage in post-exploitation threat activity and evade detection. However, Mandiant researchers said, at the moment, this exact activity is not linked to a known actor and they don’t have enough information yet to pinpoint the origin. more

Smart Device Eavesdropping: The Santa Clause

Fact,  fiction, or prediction. You decide.
Marketer sparks panic with claims it uses smart devices to eavesdrop on people...

Makers of microphone-equipped electronics sometimes admit to selling voice data to third parties (advertisers). But that's usually voice data accumulated after a user has prompted their device to start listening to them...

But a marketing company called CMG Local Solutions sparked panic recently by alluding that it has access to people's private conversations by tapping into data gathered by the microphones on their phones, TVs, and other personal electronics, as first reported by 404 Media on Thursday. The marketing firm had said it uses these personal conversations for ad targeting.

CMG's Active Listening website starts with a banner promoting an accurate but worrisome statement, "It's true. Your devices are listening to you." more

ChatGPT Is Apparently a Great Surveillance Tool

This week, Forbes reported that a Russian spyware company called Social Links had begun using ChatGPT to conduct sentiment analysis. The creepy field by which cops and spies collect and analyze social media data to understand how web users feel about stuff, sentiment analysis is one of the sketchier use-cases for the little chatbot to yet emerge.

Social Links, which was previously kicked off Meta’s platforms for alleged surveillance of users, showed off its unconventional use of ChatGPT at a security conference in Paris this week. The company was able to weaponize the chatbot’s ability for text summarization and analysis to troll through large chunks of data, digesting it quickly. 

In a demonstration, the company fed data collected by its own proprietary tool into ChatGPT; the data, which related to online posts about a recent controversy in Spain, was then analyzed by the chatbot, which rated them “as positive, negative or neutral, displaying the results in an interactive graph,” Forbes writes.

Obviously, privacy advocates have found this more than a little disturbing... more

How an Indian Startup Hacked the World

Appin was a leading Indian cyberespionage firm that few people even knew existed. 

A Reuters investigation found that the company grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe. 

Appin alumni went on to form other firms that are still active...

Chuck Randall was on the verge of unveiling an ambitious real estate deal he hoped would give his small Native American tribe a bigger cut of a potentially lucrative casino project.

A well-timed leak derailed it all.

In July of 2012, printed excerpts from Randall’s private emails were hand-distributed across the Shinnecock Nation’s square-mile reservation, a wooded peninsula hanging off the South Fork of Long Island...  more

Why You Really Need a Technical Information Security Consultant

The non-existence of a trade secret asset: ‘confidential’ information
by R. Mark Halligan 

FisherBroyles LLP

For years, there has been a debate whether “confidential” information is analogous to a “trade secret.” It is not. Information is either protected as a “trade secret” or not protected as a “trade secret.” Any other characterization of “confidential” information undermines the protection of trade secret assets and interferes with lawful and fair business competition.

There is no such thing as non-trade secret “confidential” information.

There is no such thing as “confidential” information that does not rise to the level of a trade secret.

There is no middle ground: Either the information is a “trade secret” (and protectable) or not a trade secret (and not protectable).

A “trade secret” is an intellectual property asset that requires reasonable measures to protect the information as a “trade secret” and proof that such information derives an actual or potential economic advantage from the secrecy of the information. more

Your business is based on information and conversations considered confidential, sensitive, or intellectual property. These create your competitive advantage. No less important than trade secrets, and yet, not protected under trade secret law. 

So, what protection do you have? 

Start by adding a Technical Information Security Consultant to your team. Their proactive surveys can spot espionage issues like electronic eavesdropping, information security risks, and employee compliance with information security policies—before they become losses.

Shady Things You Can Do With a Flipper Zero

Since it’s evil week at Lifehacker, let’s take a look at a gadget that can be used for mild evil: the Flipper Zero. Despite its toy-like looks, this pocket-friendly multitool can be used for all kinds of hacking and penetration testing. 

It gives anyone, even newbs, an easy-to-understand way to interact with the invisible waves that surround us, whether they’re RFID, NFC, Bluetooth, wifi, or radio. It’s a like a hacker Swiss army knife that you can buy for less than $200.

You can use a Flipper Zero to control your TV, cheat your Nintendo, replace your work ID, open your hotel room door, and more. I’m sure you could see where the “evil” part could comes in. But on the other hand, it’s just a tool, and its ability to commit crimes is... more

Flipper Zero – Corporate Security Threat

Yet Another USB Cautionary Tale

Duped with a malicious USB...

Mr Burgess (ASIO Director General Mike Burgess) referenced an unnamed Australian company that found global success making a product "similar to a motion detector" before their sales suddenly dropped.

"A little while later, their product started being returned to the factory because they were broken," he said.

"When they opened their branded products, they discovered they weren't their branded products, because the components were inferior, they were exact knock-offs."

The problem was eventually traced to an international conference, where someone had offered to share information with one of the company's employees by plugging a USB into their laptop.

"That USB downloaded malware onto that laptop, which later on, when they were connected back to their corporate network, was used to steal their intellectual property," he said.

"That intellectual property was passed from the intelligence services to state-owned enterprise that mass-produced the goods and sold them on the market that undercut them." more

More USB Security Information...

 • USB – Hacked Charging Cables

• USB – Malicious Spy Cable Detector Instructions

• USB – General Memory Stick Warning

• USB – Malicious Cables

• USB – NSA Type Cable Bug – $6.74

Extra USB Spy News - Government entities in the Asia-Pacific (APAC) region are the target of a long-running cyber espionage campaign dubbed TetrisPhantom. "The attacker covertly spied on and harvested sensitive data from APAC government entities by exploiting a particular type of secure USB drive, protected by hardware encryption to ensure the secure storage and transfer of data between computer systems," Kaspersky said in its APT trends report for Q3 2023. more

Smartphone Security: Delete These Apps

Smartphone owners have been urged to remove certain apps that could be spying on their activity.

Some of the most popular apps you love and have come to rely on could be posing more of a danger than they're worth. Here's what you need to know. ...some of those apps that you love and have come to rely on could actually be putting you at risk... We’ve (Reader's Digest) collected information about some of the worst offenders so that you can make an educated decision about which apps you trust with your privacy and which ones need to go...

CamScanner
Ana Bera is a cybersecurity expert with Safe at Last. She identified CamScanner, an app meant to imitate a scanner with your phone, as one of the apps consumers should be concerned about. “Cybersecurity experts have found a malicious component installed in the app that acts as a Trojan Downloader and keeps collecting infected files,” she explains. “This kind of app can seriously damage your phone and should be de-installed instantly. Luckily, once you remove it from your phone, it is highly unlikely that it will continue harming you.”

Weather apps
“Check your weather app,” says Shayne Sherman, CEO of TechLoris. “There have been several different weather apps out there that have been laced with Trojans or other malwares.” While the most benign of these claims to take your information purely for weather accuracy, he calls that questionable. “Watch your local forecast instead, and if you have Good Weather, delete it now,” he advises. “That one is especially dangerous.”

Facebook
Look, we all love our social networking apps. But cybersecurity expert Raffi Jafari, cofounder and creative director of Caveni Digital Solutions, says, “If you are looking for apps to delete to protect your information, the absolute worst culprit is Facebook. The sheer scale of their data collection is staggering, and it is often more intrusive than companies like Google. If you had to pick one app to remove to protect your data, it would be Facebook.”

WhatsApp
“This is a call to action for users who may be living under a rock and unaware of the vulnerabilities that were disclosed earlier this year,” says Michael Covington, VP of Product for mobile security leader Wandera. “The vulnerabilities with WhatsApp—both iOS and Android versions—allowed attackers to target users by simply sending a specially crafted message to their phone number. Once successfully exploited, the attackers would be granted access to the same things WhatsApp had access to, including the microphone, the camera, the contact list, and more.”

Instagram
Whatsapp and Instagram are both owned by Facebook, which is part of what makes them all a risk. Dave Salisbury, director of the University of Dayton Center for Cybersecurity and Data Intelligence, says that Instagram “requests several permissions that include but are not limited to modifying and reading contacts and the contents of your storage, locating your phone, reading your call log, modifying system settings, and having full network access.” Plus Nine More

How New Corporate Espionage Techniques Are Born, or... Their Next App Attack

In a university somewhere (guess where) students are working on this...

"Introduction: Snooping keystrokes (a.k.a., keystroke inference attacks) seriously threaten information security and privacy. 

By launching such an attack, an adversary has an opportunity to steal sensitive information such as accounts, passwords, credit card numbers, SSNs, and conidential (sic) documents[1, 15, 29, 30] from the victims when they are typing on a keyboard. 

Smartphone-based snooping [15, 18, 24] further eases the launching when an adversary could intentionally leave his own smartphone near the victim’s keyboard. 

Furthermore, an attacker could spread a malicious mobile app (e.g., in app markets) that pretends to be a normal audio playing and recording application but stealthily collects user’s keystroke data over the Internet. He may afect (sic) a large volume of smartphones and enable large-scale keystroke inference attacks as shown in Fig. 1..." more

Eavesdropping on the Sounds of Your Typing

New acoustic attack steals data from keystrokes with 95% accuracy

(a little background music, please)

A team of researchers from British universities has trained a deep learning model that can steal data from keyboard keystrokes recorded using a microphone with an accuracy of 95%.

When Zoom was used for training the sound classification algorithm, the prediction accuracy dropped to 93%, which is still dangerously high, and a record for that medium.

Such an attack severely affects the target's data security, as it could leak people's passwords, discussions, messages, or other sensitive information to malicious third parties. more

U.S. Blacklists 2 Firms - Built Meta, iOS and Android Spyware

The Commerce Department blacklisted two European cyber firms that build spyware software, the Commerce Department announced Tuesday, including technology hawked by both firms that was used to surveil Meta users and reportedly at least one Meta employee.

The software exploited vulnerabilities in Android and iOS software and deployed hundreds of spoof Meta accounts to surveil activists, politicians and journalists around the world.

The firms — Intellexa and Cytrox — were described jointly as traffickers of “exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide” in a Bureau of Industry and Security press release. more

Privacy Risks: Phones Purchased at Police Auctions

Law enforcement agencies nationwide regularly sell items that are seized in criminal investigations or are unclaimed from lost-and-found inventories. 

Many of these items—vehicles, jewelry, watches and electronic devices like cellphones—end up at online auction houses.

People looking for a bargain can bid on cellphones in bulk, snatching up dozens at rock bottom prices for parts or other uses. This ultimately provides revenue for the police agencies, making for a good deal for everyone involved. Or is it?

A recent study by University of Maryland security experts found that many of the phones sold at police property auction houses are not properly wiped of personal data. The study, conducted over two years with cellphones bought from the largest police auction house in the U.S., uncovered troves of personal information from previous owners that was easily accessible. more

Kevin Mitnick, Hacker Turned Security Consultant, Dies at 59

Kevin Mitnick, who became the country’s most famous cybercriminal after an FBI manhunt and later became a cybersecurity consultant, died on July 16.

Mitnick, who was 59, died of pancreatic cancer, said Kathy Wattman, a spokeswoman for KnowBe4, where Mitnick worked. Mitnick’s survivors include his wife, Kimberley, who is expecting a child this year.

“Mr. Mitnick branded himself the ‘world’s most famous hacker,’ as KnowBe4 called him in a Thursday statement. As the World Wide Web was slowly being adopted across the globe, he broke into the computer systems of companies such as Motorola, Nokia and Sun Microsystems, causing what prosecutors alleged was millions of dollars in damage,” Kelly writes.

“Before he was 30, Mr. Mitnick had already served a brief prison sentence for computer crimes. But his infamy as a hacker was cemented in 1995, when the FBI arrested him in the middle of the night at a North Carolina apartment in a highly publicized raid that capped a 24-hour stakeout outside his home and brought an end to his more than two years as a fugitive.”

Mitnick was a polarizing figure in the cybersecurity community after his release from prison in 2000. “He portrayed himself as a misunderstood ‘genius’ and pioneer, and some supporters said he was a victim of overzealous prosecution and overhyped media coverage,” Kelly writes.

“He became a cause célèbre for the internet,” former federal cybercrime prosecutor Mark Rasch, who investigated Mitnick, told Kelly. “There was this idea that he was liberating data, he was liberating information, and that he was just proving how hacking could be done,” he said. “You had a whole bunch of people in the hacker defense community who thought he was the worst thing in the world, and people in the hacker community who thought he was a demigod.” website

NJ Makes It Harder for Police to Snoop on Social Media

New Jersey is known for many things, from delicious bagels to the heated pork roll vs. Taylor ham debate... But the Garden State deserves a new accolade: defender of digital privacy rights.

In an important decision that has seemingly flown under the radar, late last month the Supreme Court of New Jersey decided Facebook Inc. v. State, which puts much-needed guardrails on police conduct in the state when it comes to law enforcement’s access to digital communications. more

Tasmanian Government Blocks Radio Network Eavesdropping

Australia - The days of people listening to the police scanner are numbered, with the Tasmanian Government officially launching their new ‘secure’ Government Radio Network today.

Telstra were contracted to commission the $763 million dollar initiative, which the State Government say is one of Tasmania’s largest infrastructure projects ever.

TasGRN has ‘been purpose-built’ and will be used all Government agencies – including Tasmania Police, Ambulance Tasmania, Tasmania Fire Service, Tasmania SES, Department of Natural Resources and Environment, Sustainable Timber Tasmania, TasNetworks and Hydro Tasmania.

Police & Emergency Services Minister Felix Ellis says the new network is “secure” and will allow Tasmania’s key organisations “to better serve the community with fully encrypted voice communications, limiting exposure to criminals covertly accessing the network”. more

From the What Goes Around Files: Phone Spy App Hacked

LetMeSpy, a phone tracking app spying on thousands, says it was hacked...

A data breach reveals the spyware is built by a Polish developer hacker has stolen the messages, call logs and locations intercepted by a widely used phone monitoring app called LetMeSpy, according to the company that makes the spyware.

The phone monitoring app, which is used to spy on thousands of people using Android phones around the world, said in a notice on its login page that on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users​​.”

“As a result of the attack, the criminals gained access to e-mail addresses, telephone numbers and the content of messages collected on accounts,” the notice read.

LetMeSpy is a type of phone monitoring app that is marketed for parental control or employee monitoring. The app is also specifically designed to stay hidden on a phone’s home screen, making it difficult to detect and remove. Also known as stalkerware or spouseware, these kinds of phone monitoring apps are often planted by someone — such as spouses or domestic partners — with physical access to a person’s phone, without their consent or knowledge. more