Inside | Real news, curated by real humans
Inside Security

Inside Security (Aug 16th, 2019)

I will be reducing my publishing schedule for the next two weeks, publishing Mondays and my premium issue on Wednesdays. These will be my last regular issues of Inside Security, and I will have more to say about that before I leave at the end of the month. 

My last Follow Friday is about Haroon Meer, who is one of the founders behind the popular Canary breach detection product. See item #8.

The NY Times wrote about what happens when your cellphone number becomes well-known. A columnist asked an investigator to find out about him, and you might be as surprised as he was in what they found. 

Finally, publishers are moving beyond using simple web tracking cookies. This post explains a few new systems that allow for more discreet privacy controls and better ways that publishers can capture consent and identity.

-- David Strom


1. The biometric access platform BioStar 2 suffered a massive data leak of fingerprints and facial data from at least 1.5M different people in numerous countries. This data included unencrypted usernames and passwords, including those of admin accounts. What is worse is that many passwords were “ridiculously simple” and that many large businesses use these biometrics for access controls. This data was publicly available for more than a week while researchers tried, unsuccessfully, to contact Suprema, the owner of the data. The potential for fraud and abuse is high, because once this data is stolen, people can’t change their faces or fingers. -- VPN MENTOR


2. One of the websites of the European Central Bank was shut down yesterday after it was infected with malware. Some names and email addresses of newsletter subscribers may have been stolen. The malware had been running on a third-party server since last December. -- REUTERS


3. The Bluetooth encryption protocol has a major flaw that has been assigned CVE-2019-9506. Called Key Negotiation of Bluetooth, the flaw could allow bad actors to intercept communications if they are close enough to both of the paired devices. The Bluetooth standards body issued this advisory, and this post links to various patches from vendors. -- THE HACKER NEWS


4. Speaking of Bluetooth, there is a new tool in the arsenal to fight credit card skimmers, which often use this protocol to transmit the stolen card data. It is called Bluetana and has been used by law enforcement to track criminals who install the skimmers, typically on gas pumps. Over the course of a year, more than a thousand skimmers were located all over the country. Here is a tip: avoid using debit cards when paying for gas. -- KREBS ON SECURITY


5. The hacking group known as Cloud Atlas is still active. This post dissects some of its recent spate of malware campaigns, including PowerShower (a PowerShell exploit) and a new polymorphic campaign called VBShower that accomplishes the same tasks only with more stealth. -- SECURELIST (KASPERSKY)


6. Microsoft Outlook has a major remote code execution vulnerability that has been assigned CVE-2019-1199. It involves creating memory corruption conditions using specially crafted messages. It hasn’t yet been observed anywhere, but users should apply the recent patches to prevent it from happening. -- LARES


7. Wirecutter magazine tested five different VPN services. It concluded that TunnelBear is the most transparent and trustworthy provider, offering fast, secure connections and easy setup. They looked at numerous other providers and rejected them for various reasons. One of them is ProtonVPN, which I use and have had no issues with. -- WIRECUTTER


8. Follow Friday: Haroon Meer.

Haroon Meer was one of the founders of Thinkst, makers of Canary (a breach detection tool) and Phish5, a phishing awareness simulator. His Twitter account, which is worth following, retweets goings-on about his company, what he sees at various infosec conferences, and what other security experts have discovered. He is based in Johannesburg, South Africa. Here is a presentation from the 2017 Black Hat conference, entitled Fighting the Previous War, that describes the company and its origin story.


9. “Lateral phishing attacks” are described in this phishing report from Barracuda. The notion is for a hacker to take control of a legitimate email account and send phishing lures from that account, thereby bypassing many protective measures. The typical subject lines involve sharing a document link or password resets due to account errors. One in seven organizations has experienced such an attack recently. -- BARRACUDA (PDF, reg. req.)


10. Las Vegas wasn’t the only place for security conferences recently. Microsoft held its BlueHat conference in Shanghai. Slides and talks are available in both English and Mandarin. This talk (slides, video) by two Palo Alto Networks researchers covers the state of container security and how to mitigate threats.


This newsletter is written and curated by David Strom. I live in St. Louis, MO and have covered the infosec industry for decades. I also ran editorial operations for various B2B IT publications including Network Computing (USA), Tom’s Hardware and ReadWrite.com’s business websites. You can find me at @dstrom or my personal site. Finally, we note our editing team: Kim Lyons (Pittsburgh-based journalist and managing editor at Inside), David Stegon (senior editor at Inside, whose reporting experience includes cryptocurrency and technology), and Bobby Cherry (senior editor at Inside, who’s always on social media).
