
Here is your weekly security newsletter, exclusively available to TurboPanda patrons and up!


D-Link has settled its case with the FTC by agreeing to implement a security program within the company and undergo audits every two years. The company was forced to set up new security standards after the FTC sued it over serious security flaws that threatened users, including hard-coded login credentials, plaintext credentials stored on mobile devices, claims that its devices were secure, and failures in testing and remediation.

https://thehackernews.com/2019/07/ftc-d-link-router-security.html

https://arstechnica.com/information-technology/2019/07/d-link-agrees-to-new-security-monitoring-to-settle-ftc-charges/

https://www.cnet.com/news/d-link-agrees-to-beef-up-smart-home-security-after-ftc-lawsuit/

https://www.cyberscoop.com/d-link-settlement-ftc/


DerpTroll, also known as Austin Thompson, 23, has been ordered to pay $95,000 in damages to Sony, as well as to spend 27 months in prison, for DDoSing Sony and other gaming companies in 2013 and 2014. This is the same hacker who took down gaming servers during Christmas 2013 and bragged about it on Twitter. Don't do illegal attacks, kids!

https://thehackernews.com/2019/07/christmas-ddos-attacks.html

https://www.cyberscoop.com/derptrolling-austin-thompson-sentenced-prison/


Via psycho hex ghost on Patreon: Canonical's GitHub account was hacked on July 6, when credentials were compromised and an attacker created new repositories and issues. The compromised account was removed, and Ubuntu's source code was not affected.

https://thehackernews.com/2019/07/canonical-ubuntu-github-hacked.html

https://www.zdnet.com/article/canonical-github-account-hacked-ubuntu-source-code-safe/


A couple of Firefox flaws hit the news this week. First, downloading an HTML file via the browser and opening it on your local computer can be a severe threat, thanks to a 17-year-old known issue that was used in a recent proof of concept. It would allow an attacker to steal files stored on a victim's computer, and there is no fix in the works. Mozilla also has no intention of enabling DNS-over-HTTPS by default in the UK. DNS-over-HTTPS is used to keep ISPs from sniffing some user traffic, and UK ISPs wanted to sniff user data in order to block access to inappropriate sites. DNS-over-HTTPS adds an additional layer of security, and you can still enable it yourself via the step-by-step guide linked here:

https://thehackernews.com/2019/07/firefox-same-origin-policy-hacking.html

https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/

https://www.zdnet.com/article/mozilla-no-plans-to-enable-dns-over-https-by-default-in-the-uk/
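To show what the "additional layer" actually wraps, here is an added example (not from the article or from Mozilla) that builds the DNS wire-format query a resolver receives and encodes it the way the RFC 8484 GET form sends it over HTTPS. The hostname, the record type and the resolver host `doh.resolver.example` are constructed sample values; the `parse_question` helper shows the plaintext an on-path observer sees when the same bytes go over ordinary UDP DNS instead of inside TLS.

```python
import base64
import struct

# Added example: build the DNS query that DNS-over-HTTPS (RFC 8484) carries
# inside an HTTPS request. Hostnames and the resolver below are sample values.

QTYPE_A = 1
QCLASS_IN = 1


def build_dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Return a minimal one-question DNS query message (RFC 1035 wire format).

    RFC 8484 recommends transaction ID 0 so identical queries produce identical
    HTTP requests that caches can reuse.
    """
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # Question name: length-prefixed labels terminated by a zero byte
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_param(name: str, qtype: int = QTYPE_A) -> str:
    """Encode the query for the RFC 8484 GET form: ?dns=<base64url, no padding>."""
    raw = base64.urlsafe_b64encode(build_dns_query(name, qtype))
    return raw.rstrip(b"=").decode("ascii")


def doh_url(resolver: str, name: str, qtype: int = QTYPE_A) -> str:
    """Full GET URL for a resolver endpoint (the host is an assumption)."""
    return f"https://{resolver}/dns-query?dns={doh_get_param(name, qtype)}"


def parse_question(msg: bytes):
    """Decode the question back out of a wire-format message.

    Over plain UDP/TCP DNS anyone on the path can run this on the packet;
    over DoH the same bytes sit inside TLS, so only the resolver can.
    """
    if len(msg) < 12:
        raise ValueError("truncated header")
    _txid, _flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos = 12
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointers are not used in queries")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


if __name__ == "__main__":
    param = doh_get_param("www.example.com")
    print("dns= parameter:", param)
    padded = param + "=" * (-len(param) % 4)
    print("what a UDP observer would read:", parse_question(base64.urlsafe_b64decode(padded)))
    print(doh_url("doh.resolver.example", "www.example.com"))
```

The `www.example.com` query reproduces the `dns=` value given in RFC 8484 section 4.1.1, which is a handy way to check an encoder; a real client would then POST or GET that value to the resolver over HTTPS, so the only thing an ISP sees is a TLS connection to the resolver.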


Chinese border authorities are installing spyware on tourists' phones when they cross into Xinjiang. The malware is used to find extremist Islamic files and data, but it also snoops on texts, emails, and phone logs. It's unknown what the Chinese government is using this data for, but we can make guesses based on the surveillance network it already runs in that region.

https://thehackernews.com/2019/07/xinjiang-fengcai-spyware.html

https://www.nytimes.com/2019/07/02/technology/china-xinjiang-app.html

https://www.vice.com/en_us/article/7xgame/at-chinese-border-tourists-forced-to-install-a-text-stealing-piece-of-malware

https://www.theguardian.com/world/2019/jul/02/chinese-border-guards-surveillance-app-tourists-phones

https://www.cnet.com/news/china-is-reportedly-scanning-tourists-phones-with-malware/


Amazon Echo transcripts and voice data are officially kept indefinitely, according to a letter from Amazon to a US state senator. The data can be deleted via the Alexa app or website, but transaction records are kept forever. Amazon is very interested in how many pizzas you order, apparently.

https://www.cnet.com/how-to/you-can-finally-delete-most-of-your-amazon-echo-transcripts-heres-how/

https://www.cnet.com/news/amazon-alexa-keeps-your-data-with-no-expiration-date-and-shares-it-too/

https://threatpost.com/amazon-admits-alexa-voice-recordings-saved-indefinitely/146225/

https://www.theverge.com/2019/7/3/20681423/amazon-alexa-echo-chris-coons-data-transcripts-recording-privacy


PGP has been targeted in attacks on GnuPG, the OpenPGP implementation. The attacks hit GnuPG's signature handling and break signature validation for messages or updates that rely on it. Chances are this won't be fixed anytime soon.

https://threatpost.com/pgp-ecosystem-targeted-in-poisoning-attacks/146240/

https://www.vice.com/en_us/article/8xzj45/someone-is-spamming-and-breaking-a-core-component-of-pgps-ecosystem


Superhuman is an invite-only email app for $30 a month that lets users see when and where their recipients opened their emails. That's creepy, especially for anyone who wants to collect and triangulate data about you, and Superhuman wasn't informing recipients of this either. The app uses tracking pixels to do this, but in light of the controversy Superhuman has said it will stop tracking location and will delete existing location data. Read receipts will be off by default. Sometimes outrage can create change.

https://www.theverge.com/2019/7/3/20681655/superhuman-email-app-spying-controversy-policy-change-read-receipts

https://www.theverge.com/2019/7/3/20681508/tracking-pixel-email-spying-superhuman-web-beacon-open-tracking-read-receipts-location
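Tracking pixels work because a mail client fetches a remote image with a per-recipient URL the moment the message is rendered. The following is an added example, not Superhuman's code or anything from the linked articles, of how a receiving side can spot such beacons in an HTML body and neutralise remote images until the reader opts in. The sample message and the hostnames in it are constructed for the example, and the scoring heuristics are my own choices, not a standard.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example (constructed sample message, not real mail): flag <img> tags that
# behave like open-tracking beacons and rewrite remote images so nothing is fetched.

SAMPLE_EMAIL = """
<html><body>
<p>Hi Sam, here is the deck we discussed.</p>
<img src="https://cdn.example-corp.test/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example-mailer.test/open/9f8e7d6c5b4a3f2e1d0c" width="1" height="1" style="display:none">
<img src="cid:inline-chart" width="300" height="200">
<img src="https://r.example-mailer.test/p.gif?u=a1b2c3d4e5f60718&amp;e=sam%40example.test" style="width:0;height:0;border:0">
</body></html>
"""

# Long hex or base64url-looking runs in the path/query usually identify one recipient.
OPAQUE_TOKEN = re.compile(r"[0-9a-f]{16,}|[A-Za-z0-9_-]{20,}")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _dimension(value):
    """Numeric pixel value of a width/height attribute, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _hidden_by_style(style):
    s = (style or "").lower().replace(" ", "")
    return any(k in s for k in ("display:none", "width:0", "height:0", "visibility:hidden"))


def classify_image(attrs):
    """Score one <img>; 'reasons' lists the beacon-like traits that were found."""
    src = attrs.get("src") or ""
    url = urlparse(src)
    if url.scheme.lower() not in ("http", "https"):
        # cid:/data: images are embedded and do not phone home when rendered
        return {"src": src, "reasons": [], "is_tracker": False}
    reasons = []
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("1px-or-smaller dimensions")
    if _hidden_by_style(attrs.get("style")):
        reasons.append("hidden via inline style")
    if OPAQUE_TOKEN.search(url.path + url.query):
        reasons.append("opaque per-recipient token in URL")
    if not attrs.get("alt"):
        reasons.append("no alt text")
    # A remote logo also lacks alt text, so require two strong signals.
    strong = [r for r in reasons if r != "no alt text"]
    return {"src": src, "reasons": reasons, "is_tracker": len(strong) >= 2}


def find_tracking_pixels(html):
    """Return the classification records for images judged to be beacons."""
    collector = _ImgCollector()
    collector.feed(html)
    return [c for c in map(classify_image, collector.images) if c["is_tracker"]]


def neutralise_remote_images(html):
    """Mitigation: park remote src URLs in data-blocked-src so the client fetches nothing."""
    def rewrite(match):
        return re.sub(r'(?i)\bsrc\s*=\s*(["\'])(https?:)', r'data-blocked-src=\1\2', match.group(0))
    return re.sub(r"(?is)<img\b[^>]*>", rewrite, html)


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
    print(neutralise_remote_images(SAMPLE_EMAIL))
```

Blocking remote images by default is the same mitigation most mail clients offer as a setting; the rewrite above is the server-side equivalent, and the classifier gives an operator a way to measure how much of their inbound mail carries beacons.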


Tor fixes a huge bug in 0.4.2 that was used for years to launch DDoS attacks against .onion sites. While some of the sites attacked were legitimate, lately the attacks have been targeting illegal marketplaces on the dark web. Tor devs are giving onion site operators the option to enable an active defense against DDoS attacks.

https://www.zdnet.com/article/tor-project-to-fix-bug-used-for-ddos-attacks-on-onion-sites-for-years/


Arlo smart home cameras have serious flaws affecting customers who, according to Netgear (Arlo's owner), stream more than 100 million videos a day from their security cameras. The flaw would allow an attacker to disable a video feed or manipulate the footage. Two announcements, one from Tenable and one from a pair of researchers, detail the flaw. Chances are low that you'd be targeted, as the attacks require physical access. Patches from Arlo are now available.

https://www.cyberscoop.com/smart-home-vulnerabilities-netgear-zipato/


Hackers stole $500,000 USD (about 55 million yen) from 900 customers of 7-Eleven Japan after its new 7pay app was used to make illegal charges. The app had a design flaw: a barcode was shown on screen to pay whenever a customer checked out, BUT the app would allow anyone to request a password reset for any other account, with the reset link sent to the attacker's email address. Why the app allowed password reset links to be sent to any random email address is beyond me.

https://www.zdnet.com/article/7-eleven-japanese-customers-lose-500000-due-to-mobile-app-flaw/
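The design flaw described above comes down to one input the server should never have trusted. Here is an added example, not 7pay's code or anything from the article, that puts a reset flow with that flaw beside a hardened one: the link goes only to the address registered at sign-up, the response is the same whether or not the username exists, and the token is random, short-lived, single-use and compared in constant time. Accounts, addresses and the `pay.example.test` host are constructed sample data, and `send_mail` just records what would have been sent.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Added example (constructed data, not 7pay's code): a reset flow with the flaw
# the article describes next to a hardened version of the same flow.


@dataclass
class Account:
    username: str
    email: str                       # address registered at sign-up
    reset_token: Optional[str] = None
    reset_expires: float = 0.0


ACCOUNTS = {"sam": Account("sam", "sam@example.test")}

SENT_MAIL = []  # (recipient, body) pairs captured instead of really sending


def send_mail(to, body):
    SENT_MAIL.append((to, body))


def vulnerable_request_reset(username, email_from_request):
    """Flawed flow: the reset link goes to whatever address the requester typed in."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "no such user"        # also leaks which usernames exist
    acct.reset_token = secrets.token_urlsafe(32)
    acct.reset_expires = time.time() + 3600
    send_mail(email_from_request, f"https://pay.example.test/reset?token={acct.reset_token}")
    return "sent"


def hardened_request_reset(username):
    """Hardened flow: only the registered address is used, and the reply never reveals
    whether the account exists."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        acct.reset_token = secrets.token_urlsafe(32)   # 256 bits of randomness
        acct.reset_expires = time.time() + 900         # 15-minute lifetime
        send_mail(acct.email, f"https://pay.example.test/reset?token={acct.reset_token}")
    return "If that account exists, a reset link has been sent to its registered address."


def redeem_token(username, token, now=None):
    """Accept a token once, only before expiry, using a constant-time comparison."""
    acct = ACCOUNTS.get(username)
    if acct is None or acct.reset_token is None:
        return False
    now = time.time() if now is None else now
    if now >= acct.reset_expires:
        acct.reset_token = None      # expired tokens are discarded
        return False
    if not hmac.compare_digest(acct.reset_token, token):
        return False
    acct.reset_token = None          # burn the token after a successful use
    return True


if __name__ == "__main__":
    vulnerable_request_reset("sam", "someone-else@example.test")
    print("flawed flow delivered the link to:", SENT_MAIL[-1][0])
    SENT_MAIL.clear()
    print(hardened_request_reset("sam"))
    print("hardened flow delivered the link to:", SENT_MAIL[-1][0])
    print("redeem once:", redeem_token("sam", ACCOUNTS["sam"].reset_token))
```

The important line is the one that is missing from the hardened version: there is no place for the caller to supply a destination address at all, so the question the post asks ("why would the app allow that?") cannot arise.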
