Inside Security - November 22nd, 2019


1. The Federal Communications Commission (FCC) has voted to block U.S. telecommunications firms from using federal subsidies to buy equipment and services from vendors who pose national security risks, such as Chinese-owned Huawei and ZTE. "Given the threats posed by Huawei and ZTE to America's security and our 5G future, this FCC will not sit idly by and hope for the best," FCC Chairman Ajit Pai was quoted by The Verge as saying. The Trump administration has already taken action to ban Huawei products from the U.S. market, a ban that is now scheduled to take effect next February. Both Huawei and ZTE have denied putting backdoors in their equipment that could enable the Chinese government to conduct industrial espionage. -- THE VERGE

2. Google is daring white hat hackers to breach its Titan M security chip used on Pixel devices by offering $1.5 million to anyone who can do it. The offer is part of an expansion of Google's bug bounty program, which includes increased payouts for its Android Security Awards program. For example, Google is offering up to $500,000 for the discovery of Android vulnerabilities involving data exfiltration and lockscreen bypass. Over the four years the program has been in place, the company has doled out more than $4 million for 1,800 bug reports. -- THREATPOST

3. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has teamed with VotingWorks to develop an open-source post-election auditing tool called Arlo. The free web-based app is designed for U.S. voting machines that tally votes electronically. Arlo determines how many ballots to audit, selects random ballots for auditing, compares the audited ballots to the tabulated votes, and informs officials and observers when the audit is finished. Arlo is being offered to state and local election officials, as well as private sector election contractors, at no cost. -- DARK READING
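The four steps the item lists (size the sample, draw it at random, read the drawn ballots, stop when the evidence is sufficient) are the skeleton of a ballot-polling risk-limiting audit. The code below is an added illustration written for this digest, not Arlo's or VotingWorks' code, and it assumes the BRAVO sequential test (Lindeman, Stark and Yates) for a two-candidate contest; whether Arlo uses exactly this test is not stated in the item above. The tally, the seed string and the "hand-interpreted" ballots are constructed sample data, and Python's `random.Random` stands in for the vetted, publicly seeded sampler a real audit would use.

```python
"""Toy ballot-polling risk-limiting audit (BRAVO-style sequential test)."""
import math
import random
from typing import Dict, List, Sequence, Tuple

# Constructed sample data: a two-candidate contest as reported by the tabulator.
REPORTED_TALLY: Dict[str, int] = {"Candidate A": 5500, "Candidate B": 4500}


def winner_share(reported: Dict[str, int]) -> Tuple[str, float]:
    """Return the reported winner and its share of the reported vote."""
    winner = max(reported, key=reported.get)
    total = sum(reported.values())
    return winner, reported[winner] / total


def estimated_sample_size(reported: Dict[str, int], risk_limit: float) -> int:
    """Rough expected number of ballots to read if the reported outcome is correct.

    Each audited ballot multiplies the test statistic by 2*s_w (winner ballot) or
    2*(1-s_w) (loser ballot), so the expected log-growth per ballot is the
    KL-style term below and the audit needs about ln(1/alpha)/growth ballots.
    """
    _, s_w = winner_share(reported)
    growth = s_w * math.log(2 * s_w) + (1 - s_w) * math.log(2 * (1 - s_w))
    if growth <= 0:  # reported tie: no finite sample can confirm it
        raise ValueError("no reported margin to audit")
    return math.ceil(math.log(1 / risk_limit) / growth)


def select_ballots(manifest_size: int, n: int, seed: str) -> List[int]:
    """Pick n distinct ballot positions from a manifest of manifest_size ballots.

    Assumption: a publicly generated seed string drives the draw so observers can
    reproduce it. random.Random is illustrative only; a production audit uses a
    vetted sampler bound to the published seed.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(range(manifest_size), n))


def bravo(sample_votes: Sequence[str], reported: Dict[str, int],
          risk_limit: float) -> Tuple[bool, int, float]:
    """Sequential test over the hand-interpreted ballots, in the order drawn.

    Returns (confirmed, ballots_examined, test_statistic). The outcome is
    confirmed once the statistic reaches 1/risk_limit. Exhausting the sample
    without confirmation is NOT evidence of a wrong outcome; it means the audit
    must escalate (draw more ballots or fall back to a full hand count).
    """
    winner, s_w = winner_share(reported)
    threshold = 1 / risk_limit
    t = 1.0
    for i, vote in enumerate(sample_votes, start=1):
        if vote == winner:
            t *= 2 * s_w
        elif vote in reported:
            t *= 2 * (1 - s_w)
        # Ballots showing neither candidate (undervotes, stray marks) leave t as is.
        if t >= threshold:
            return True, i, t
    return False, len(sample_votes), t


def run_audit(true_ballots: Sequence[str], reported: Dict[str, int],
              risk_limit: float, seed: str) -> Tuple[bool, int]:
    """Full pass: size the sample, draw it, read the drawn ballots, run the test."""
    n = min(estimated_sample_size(reported, risk_limit), len(true_ballots))
    drawn = select_ballots(len(true_ballots), n, seed)
    interpreted = [true_ballots[i] for i in drawn]  # stands in for the hand reading
    confirmed, examined, _ = bravo(interpreted, reported, risk_limit)
    return confirmed, examined


if __name__ == "__main__":
    # Constructed "paper trail" whose true result matches the reported tally.
    paper = ["Candidate A"] * 5500 + ["Candidate B"] * 4500
    random.Random("manifest-order").shuffle(paper)
    print("initial sample size:", estimated_sample_size(REPORTED_TALLY, 0.05))
    print("audit result:", run_audit(paper, REPORTED_TALLY, 0.05, "20191122"))
```

With a 55/45 reported split and a 5% risk limit the initial sample is about 600 ballots; a sample consisting only of winner ballots confirms after 32, while an alternating sample shrinks the statistic slightly on every pair and never confirms, which is the escalation case an auditing tool has to report to officials rather than silently declare a pass.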

4. The U.S. Army is conducting a security assessment of the Chinese-owned TikTok app. The move comes after Sen. Chuck Schumer (D-NY) asked Army Secretary Ryan McCarthy to investigate the risk of the U.S. military's using the social media app. In a letter to McCarthy, Schumer warned about the national security risks from TikTok's handling of data, particularly given Chinese ownership of the app and Chinese laws requiring domestic companies "to support and cooperate with intelligence work controlled by the Chinese Communist Party." -- REUTERS

5. As smart cities increasingly deploy 5G, the technology could open wireless infrastructure and services to new security risks, caution researchers at Kaspersky Lab. The growing number of connected devices used by smart cities will expand the attack surface for cybercriminals and nation-state actors. The 5G risks include protocol weaknesses and large-scale vulnerability exploitation, severe distributed denial of service (DDoS) attacks, BYOD threats, data security and privacy threats, terrorism and corporate espionage/sabotage attacks, and critical infrastructure and public safety threats. The researchers stress that "government and industry leaders need to combine their efforts to promote secure and safe 5G technology projects to enhance the services and quality of life for citizens of smart cities." -- SECURELIST

6. A hacker may have accessed the personal information of T-Mobile's prepaid customers, the wireless carrier admitted recently. T-Mobile said it discovered unauthorized access to prepaid wireless accounts, which store customer names, billing addresses, phone numbers, account numbers, mobile plans, and features. The carrier stressed that the hacker did not have access to financial information, Social Security numbers, or passwords. Those affected are urged to change the PIN on their T-Mobile account. -- SECURITYWEEK

7. A 34-year-old Russian man has been sentenced to four years in prison for creating and using the Neverquest banking trojan. He was also ordered to forfeit $50,000 and pay restitution of more than $480,000. Stanislav Vitaliyevich Lisov, who was arrested in Spain earlier in the year, led a scheme that attempted to steal at least $4.4 million from victims' bank accounts and succeeded in stealing around $855,000, according to court documents quoted by Hacker News. The Neverquest banking trojan infects victims' computers through social media websites, phishing emails, and malicious file transfers. Once inside the computer, it can steal login information for online banking accounts and use that data to steal money out of victims' accounts. -- HACKER NEWS

8. The Singapore Accountancy Commission (SAC) mistakenly sent email messages with a folder attachment containing personal information on 6,541 accountants to 22 organizations. Information exposed included accountants' names, national identification numbers, dates of birth, and employment data. The error was detected when SAC implemented a new data protection filter recommended by the Public Sector Data Security Review Committee. The SAC contacted the organizations that received the folder and asked them to delete it, which they subsequently did. However, SAC could not say how many other parties might have received or accessed the data. -- ZDNET

9. Google could be taking its Android operating system back to the mainstream Linux kernel in an effort to simplify security updates and other changes, explained John Dunn in a Naked Security post. The current development model for how Android uses the Linux kernel creates complexity that slows updates and increases costs. As a result of customization by phone manufacturers and chip makers, the Linux kernel can be different for every Android device make and model. Google's new approach appears to be reducing the need for Android kernel modifications by focusing on the mainstream Linux kernel. Each generation of Android devices would use the same Linux kernel supplied by Google with modules applied on top for any modifications. -- NAKED SECURITY

10. AccorHotels' Gekko Group hotel booking unit exposed more than 1 terabyte of data on customers, clients, and partners on an unsecured server, researchers at vpnMentor found. Exposed data included full names and addresses of clients, unencrypted payment data from travel agents and customers, and plaintext passwords for Gekko accounts. The data also included details of the external websites and platforms that communicate with the Gekko systems. A week after being informed of the breach, Gekko confirmed that it had secured the information on the server. -- INFOSECURITY

Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.

Copyright © 2020, All rights reserved.

Our mailing address is:
767 Bryant St. #203
San Francisco, CA 94107
