Cybersecurity Weekly: Securing open source apps, Facebook iPhone bug, multi-year breach

November 18, 2019 by Sam Fay

GitHub recruits a team of tech companies to help secure open source software. A new Facebook bug secretly enables the iPhone camera. A tech company discovers a years-long data breach only after an infected server runs out of drive space. All this, and more, in this week’s edition of Cybersecurity Weekly.

1. GitHub Security Lab aims to make open source software more secure

GitHub Security Lab is a new program aimed at researchers, maintainers and companies that want to contribute to the security of open source software. Current contributors include companies like Microsoft, Google, Intel and Mozilla. The team has already issued over 100 CVEs for security vulnerabilities it found.

2. DDoS-for-Hire services operator sentenced to 13 months in prison

The defendant made hundreds of thousands of dollars by launching millions of DDoS attacks with his platforms from August 2015 to November 2017. In addition to the jail time, he was forced to forfeit dozens of servers and electronic equipment, as well as $542,925 in proceeds from his illegal scheme.

3. Company detected years-long breach only after hacker maxed out servers’ storage

Utah-based tech company InfoTrax Systems was reportedly breached in May 2014 when the hacker exploited vulnerabilities to gain remote control of its server. The company discovered the breach several years later, when it began receiving alerts that one of its servers had reached its maximum capacity due to a massive data archive file created by the hacker.
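The InfoTrax breach was noticed only when the attacker's archive file filled a volume. An added example (not code from the article or from InfoTrax) of the kind of check that would have surfaced such a file much earlier: it combines a volume-usage threshold with a sweep for large, recently modified archive files, so the staging archive is flagged while the disk still has room. The extension list, thresholds and the constructed demo directory are all assumptions to tune per environment.

```python
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Assumed list of extensions a bulk data-staging archive would typically carry.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".tar", ".gz", ".tgz", ".bz2", ".xz"}


@dataclass
class Finding:
    path: str
    size_bytes: int
    age_hours: float


def disk_usage_percent(path: str) -> float:
    """Percentage of the volume holding `path` that is currently in use."""
    usage = shutil.disk_usage(path)
    return 100.0 * usage.used / usage.total


def find_large_recent_archives(root: str, min_size_bytes: int,
                               max_age_hours: float,
                               now: Optional[float] = None) -> List[Finding]:
    """Walk `root` and return archive files of at least `min_size_bytes`
    modified within the last `max_age_hours`, largest first."""
    now = time.time() if now is None else now
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in ARCHIVE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or unreadable: skip it rather than abort the sweep
            age_hours = (now - st.st_mtime) / 3600.0
            if st.st_size >= min_size_bytes and age_hours <= max_age_hours:
                findings.append(Finding(full, st.st_size, age_hours))
    findings.sort(key=lambda f: f.size_bytes, reverse=True)
    return findings


def should_alert(root: str, usage_warn_percent: float,
                 min_size_bytes: int, max_age_hours: float) -> bool:
    """Alert on high volume usage OR on a fresh large archive, whichever comes first."""
    return (disk_usage_percent(root) >= usage_warn_percent
            or bool(find_large_recent_archives(root, min_size_bytes, max_age_hours)))


def build_demo_tree() -> str:
    """Constructed sample directory (assumption, not real data): one fresh 2 MiB
    archive we want to catch, one week-old 3 MiB archive, one plain text file."""
    root = tempfile.mkdtemp(prefix="archive-sweep-demo-")
    fresh = os.path.join(root, "export", "staging.zip")
    os.makedirs(os.path.dirname(fresh))
    with open(fresh, "wb") as fh:
        fh.truncate(2 * 1024 * 1024)  # sparse file; st_size still reports 2 MiB
    old = os.path.join(root, "backup-old.tar.gz")
    with open(old, "wb") as fh:
        fh.truncate(3 * 1024 * 1024)
    week_ago = time.time() - 7 * 24 * 3600
    os.utime(old, (week_ago, week_ago))  # make it look a week old
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("not an archive\n")
    return root


def cleanup_demo_tree(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print(f"volume usage: {disk_usage_percent(demo_root):.1f}%")
    for f in find_large_recent_archives(demo_root, 1024 * 1024, 24):
        print(f"{f.path}: {f.size_bytes} bytes, {f.age_hours:.2f} h old")
    cleanup_demo_tree(demo_root)
```

In production the sweep would run from a scheduler against the server's data directories with a size floor in the hundreds of megabytes; the point is that "a large archive appeared where none should" is a cheap, high-signal event on its own, independent of free space.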

4. Silly phishing scam warns that your password will be changed

A phishing campaign is underway which states that your password will expire unless you log in and confirm that you want to keep it the same. Once the victim clicks on the “Keep same password” link, they are brought to a generic mail server login page. With the credentials entered there, attackers can perform BEC scams or password reuse attacks.

5. Facebook bug turns on iPhone camera in the background

In early November, several iPhone users started experiencing a glitch while using the Facebook app. This glitch causes the user to clearly see that the phone’s camera is active behind their timeline, which would normally be hidden from view. This can be prevented by revoking Facebook’s camera access in the iPhone’s settings.

6. Phishing increasingly targets SaaS and webmail

According to the Anti-Phishing Working Group’s Phishing Activity Trends Report, phishing of SaaS and webmail services has surpassed phishing of payment services for the first time in 2019. SaaS and webmail are now the most targeted sectors, suffering 36% of phishing attacks compared to just 27% for payment services.

7. Design flaw could open Bluetooth devices to hacking

The problem lies in the way Bluetooth devices communicate with the mobile apps that control them, stated a professor at Ohio State University. This vulnerability takes advantage of the way Bluetooth devices use a hard-coded unique identifier during the initial connection process. Researchers think that, despite the severity of the issue, there could be a simple fix.

8. Web payment card skimmers add anti-forensics capabilities

Researchers have detected compromises on ecommerce sites with a new JavaScript-based payment card skimmer that uses anti-forensics techniques, including the ability to remove itself from the web page’s code after execution. An investigation uncovered 17 online merchant sites infected with this new skimmer.

9. Two arrested for stealing $550,000 in cryptocurrency using SIM swapping

U.S. authorities arrested two more alleged cybercriminals from Massachusetts this week, charging them with stealing $550,000 in cryptocurrency from at least 10 victims using SIM swapping between November 2015 and May 2018. The two defendants have also been charged for taking over social media accounts of their victims.

10. U.S. Government asks consumers to be wary of holiday scams and malware

Consumers have been consistently targeted by attackers who take advantage of the holiday season to push themed scams via online advertisements, misleading sales calls and phishing emails. For instance, last year’s most popular phishing campaign featured an Amazon order confirmation email for holiday gifts.
