
IT Security Newsletter - 9/5/2019


Breaches

Leaky Server Exposes 419M Phone Numbers of Facebook Users

Phone numbers linked to the Facebook accounts of hundreds of millions of users have been found online on an insecure server, in the latest privacy gaffe for the social media giant. The server, which lacked password protection, held more than 419 million records across several databases of Facebook users in multiple geographies, including 133 million records of U.S.-based users, according to a published report.

Hacking

CEO voice deepfake blamed for scam that stole $243,000

So-called artificial intelligence apps like Zao, a Chinese deepfake video app, had already stirred up controversy over their potential for abuse against facial recognition systems. The app proved widely popular, but deepfake video isn't the only area raising concerns. The ability to produce convincing deepfake audio that mimics the voice of a real person is also ringing alarm bells because of its potential for abuse by criminals and scammers.


Satori Botnet Man Pleads Guilty

A 21-year-old Washington man has pleaded guilty to charges related to his role in developing and deploying the infamous Satori IoT botnet. Kenneth Currin Schuchman, of Vancouver, a Portland suburb, pleaded guilty to one count of aiding and abetting computer intrusions. Between July 2017 and October 2018, he is said to have participated with at least two others in a conspiracy to develop the botnet and use it to launch DDoS attacks against a range of targets.

Software

Android Zero-Day Bug Does Not Make It on Google’s 'Fix' List

Google yesterday rolled out security patches for the Android mobile operating system but did not include a fix for at least one bug that allows permissions to be raised to kernel level. Privilege escalation flaws let an attacker move from a position with limited access to one with elevated access to critical files on the system. To exploit such a flaw, an attacker must already have compromised the device but be constrained by the limited permissions of the foothold they hold.


Twitter Suspends SMS-Based Tweeting After High-Profile Account Hacks

Twitter on Wednesday announced that it would turn off its Tweet via SMS feature for an unspecified period following abuses that let hackers post from at least two high-profile accounts. One of the victims was Twitter co-founder and CEO Jack Dorsey, whose account was hijacked on Friday and used to post racial slurs and even a fake bomb threat against Twitter headquarters.

Exploits

Facebook loses control of key used to sign Android app

Android apps are digitally signed by their developers. Digital signatures are created with a private cryptographic key, and the word 'private' means just what it says: the trust placed in the signature depends on keeping the signing key private. After all, if someone else gets hold of your private key, they can sign their own apps with it and pass them off as yours.
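As an added illustration, not code from the article or from Facebook or Google, the following Go program models why a leaked signing key matters: Android pins the certificate that signed a package at first install and accepts later updates only if they are signed by the same key. Ed25519 stands in for the X.509 certificate and RSA/ECDSA signature a real APK carries, and the package name, version numbers and contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedApp is an APK reduced to what the signature protects: package name,
// version code and contents, plus the signer's public key and signature.
// Real APKs carry an X.509 certificate and an RSA/ECDSA signature; Ed25519
// stands in for both here (assumption for illustration only).
type SignedApp struct {
	Package   string
	Version   int
	Contents  []byte
	Signer    ed25519.PublicKey
	Signature []byte
}

// Installed is what the system remembers after first install: the version
// and the fingerprint of the certificate (here, public key) that signed it.
type Installed struct {
	Package  string
	Version  int
	SignerFP string
}

// digest binds package, version and contents together so that none of them
// can be swapped independently without invalidating the signature.
func digest(pkg string, version int, contents []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\x00%d\x00", pkg, version)
	h.Write(contents)
	return h.Sum(nil)
}

// Fingerprint is the hex SHA-256 of the signer's public key, the analogue of
// the certificate fingerprint Android pins per package.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SignApp produces a signed app. Anyone holding priv can call this, which is
// exactly the problem when priv leaks.
func SignApp(priv ed25519.PrivateKey, pkg string, version int, contents []byte) SignedApp {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedApp{
		Package:   pkg,
		Version:   version,
		Contents:  append([]byte(nil), contents...),
		Signer:    pub,
		Signature: ed25519.Sign(priv, digest(pkg, version, contents)),
	}
}

// Install verifies a fresh install and records the signer fingerprint.
func Install(app SignedApp) (Installed, error) {
	if !ed25519.Verify(app.Signer, digest(app.Package, app.Version, app.Contents), app.Signature) {
		return Installed{}, fmt.Errorf("%s: invalid signature", app.Package)
	}
	return Installed{Package: app.Package, Version: app.Version, SignerFP: Fingerprint(app.Signer)}, nil
}

// CanUpdate applies the same-signer rule: a valid signature over the update,
// a higher version code, and the signer pinned at install time.
func CanUpdate(inst Installed, upd SignedApp) error {
	if upd.Package != inst.Package {
		return fmt.Errorf("package mismatch: %s vs %s", upd.Package, inst.Package)
	}
	if !ed25519.Verify(upd.Signer, digest(upd.Package, upd.Version, upd.Contents), upd.Signature) {
		return fmt.Errorf("invalid signature")
	}
	if upd.Version <= inst.Version {
		return fmt.Errorf("version %d is not newer than installed %d", upd.Version, inst.Version)
	}
	if Fingerprint(upd.Signer) != inst.SignerFP {
		return fmt.Errorf("signer does not match the certificate pinned at install")
	}
	return nil
}

func main() {
	_, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	const pkg = "com.example.app" // constructed package name

	inst, err := Install(SignApp(devPriv, pkg, 1, []byte("v1 code")))
	if err != nil {
		panic(err)
	}
	report := func(label string, err error) { fmt.Printf("%-40s %v\n", label, err) }
	report("developer update v2:", CanUpdate(inst, SignApp(devPriv, pkg, 2, []byte("v2 code"))))
	report("attacker's own key:", CanUpdate(inst, SignApp(attackerPriv, pkg, 2, []byte("malware"))))
	tampered := SignApp(devPriv, pkg, 2, []byte("v2 code"))
	tampered.Contents = []byte("v2 code + backdoor")
	report("tampered after signing:", CanUpdate(inst, tampered))
	// With the developer's leaked key the attacker's build passes every check
	// and is indistinguishable from a genuine update.
	report("attacker with leaked developer key:", CanUpdate(inst, SignApp(devPriv, pkg, 2, []byte("malware"))))
}
```

The first three checks catch a stranger's key, a downgrade or a modified payload, but nothing in the model distinguishes the developer from an attacker holding the same private key; that is why a leaked signing key has to be treated as a full compromise rather than a configuration slip.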


Critical Bugs Open Food-Safety Systems to Remote Attacks

Two critical vulnerabilities in a food-quality management software package would allow adversaries to completely compromise the system. The issues affect the AK-EM 800 product from SCADA vendor Danfoss. It’s an enterprise management solution for the food retail industry that provides a central architecture for alarm management, automatic data collection and food-quality reporting.


Android phones vulnerable to advanced SMS phishing attacks

Researchers have found a fundamental security flaw in modern Android phones that facilitates advanced SMS phishing attacks. Phones made by Huawei, LG, Samsung and Sony were all vulnerable to the attack, in which an attacker tricks a user into accepting new phone settings that can reroute the phone's data back to the criminal. Check Point researchers showed how attackers could leverage the over-the-air (OTA) provisioning used by the affected phones