Facebooker swatted, Kaspersky snares an NSA thief, NASA server exposed, and more

Plus, Vita boot ROM caper, TCL caught slinging Android malware, etc


Roundup This week we saw a Huawei official cuffed (again), telcos caught selling tracking data (again) and Microsoft patching dozens of bugs (again).

Here are a few other notable security happenings.

Chaturbate rubbed raw by card cache bug

Adult webcam service Chaturbate has plugged a security hole that left some of its customers a little, er, exposed.

Researcher Imran Paray (via HackerOne) found that the Chaturbate website had been collecting and storing users' payment card details in the browser cache.

This meant that a person who had access to the machine could pull up their card number and details as plain text - a handy extra for burglars and thieves. This is bad enough on a regular site, but even more embarrassing as it happens through a service most users are accessing in a more… discreet… manner.

"This endpoint is allowing the credit card details to be stored in clear text into the browser caches," Paray explained.

Chaturbate was able to patch the bug with no indication that any user accounts had been exposed. For his work, Paray was given a $300 bounty payout.
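The bug above is a response-header problem as much as a data-handling one: a payment response that lacks `Cache-Control: no-store` can be written to the browser's disk cache, where anyone with access to the machine can read it. The following is an added example (not Paray's report or Chaturbate code) that audits a response for clear-text card numbers and for cache directives that would let a browser store it; the sample responses are constructed.

```python
import re

# Runs of 13-19 digits with optional space/dash separators (candidate PANs).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order ids, phone numbers and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(body: str) -> list:
    """Return the Luhn-valid card numbers found in clear text in a response body."""
    hits = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def browser_may_store(headers: dict) -> bool:
    """True unless Cache-Control carries no-store.

    'private' and 'no-cache' do not stop a browser from writing the body to its
    disk cache (they only restrict shared caches / force revalidation); only
    'no-store' tells it not to persist the response at all.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    directives = {d.strip().lower() for d in lowered.get("cache-control", "").split(",")}
    return "no-store" not in directives


def audit_payment_response(headers: dict, body: str) -> list:
    """Findings for one response; empty list means nothing card-related to report."""
    findings = []
    pans = find_pans(body)
    if pans:
        findings.append("body carries %d card number(s) in clear text" % len(pans))
        if browser_may_store(headers):
            findings.append("Cache-Control lacks no-store: card data may land in the browser cache")
    return findings


# Constructed sample responses: the leaky headers beside the corrected ones.
LEAKY_HEADERS = {"Content-Type": "application/json", "Cache-Control": "private, max-age=600"}
FIXED_HEADERS = {"Content-Type": "application/json", "Cache-Control": "no-store"}
BODY = '{"name": "A. Tester", "card": "4111 1111 1111 1111", "order": "1234 5678 9012 3456"}'
```

With the sample above, the leaky response yields two findings and the `no-store` version only the clear-text one, which is the reminder that header hygiene does not excuse echoing a full PAN back to the client.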

Facebook exec swatted in Palo Alto

An unnamed Facebook executive was the victim of a swatting call earlier this week in Palo Alto.

The local Palo Alto Daily Post reports that police received a call on Wednesday night from someone claiming to be the unnamed cybersecurity exec. The person on the line claimed to have shot his wife and set up explosives around the house.

This prompted police to respond with multiple vehicles, surround the house, and briefly handcuff the man while the home was searched. The whole thing was eventually found to be a "prank" and everyone went on their way.

For anyone who still thinks swatting people is harmless fun we'd like to point out that a California man is facing 20 years in prison after a swatting call he made resulted in the shooting death of a Kansas man.

Researcher siphons PlayStation Vita boot ROM with 'voltage glitch' trick

A low-level electrical engineering trick has allowed a researcher to slurp the contents of the highly-protected boot ROM of the PS Vita.

Yifan Lu showed (PDF) how voltage glitching, a technique where the current to individual gates is modified to change their behavior, could be used to inject faults into the custom SoC the hand-held gaming platform uses.

From there, Lu was able to manipulate the chip into giving up the contents of its boot ROM, allowing access to memory that had been protected from prying eyes.

While not the fastest or easiest way to crack a console, the process is very interesting from an academic perspective and the paper is well worth a read.

NSA catches data thief with help from *checks notes* Kaspersky Lab

The contractor who took home and hoarded 20 years' worth of American intelligence documents and files was nabbed with the help of Russia-based Kaspersky Lab.

This according to a report from Politico, who said that Harold Martin was only cuffed in 2016 after the Russian security lab reported to the NSA that the former contractor had been sending them cryptic messages regarding his unauthorized collection of intelligence files.

Martin would be arrested in 2016 and charged a year later with stealing confidential government documents and software for a period of more than 20 years. In early 2018, he said he intended to plead guilty to a single charge.

Kaspersky, meanwhile, would become persona non grata with the US government thanks to allegations the company operated as a back door for the Kremlin in a separate NSA data leak incident, a claim Kaspersky has long denied and for which there is no public evidence.

Perhaps these latest revelations will help the security vendor get back in Uncle Sam's good graces.

TCL phones found to contain shady software bundles

Chinese phone manufacturer TCL, whose clients include Blackberry and Alcatel, has been found bundling phones with a malicious weather application.

This according to Upstream Systems' Secure-D team, who uncovered a number of Alcatel phones in Brazil exhibiting suspicious behavior.

"Over July and August 2018, through Secure-D, we observed a higher than usual number of transaction attempts in Brazil and Malaysia coming from a series of Alcatel Android smartphones (Pixi 4 and A3 Max models)," Upstream said.

"Those suspicious requests were initiated by the same application named com.tct.weather in both Brazil & Malaysia."

What they eventually found was that an app bundled on the phone, com.tct.weather, was not only spying on users and transmitting logs to China, but also using the phones to carry out click fraud and ad-injection attacks.

Aside from the bundled devices, the bogus weather app was also being offered on the Android Play Store and had racked up millions of installs. Since the report, Google has pulled the app from the store.

"Overall, whether pre-installed on Alcatel devices or downloaded from Google’s official Play Store, the application com.tct.weather has generated over 27m transaction attempts across 7 markets," Upstream said.

"Had they not been blocked by Secure-D these transactions would have translated into $1.5m unwanted charges to users’ airtime."

Don't panic, but Russia might be able to kill the US power grid

Or at least a sizable portion of it.

This according to a report from the Wall Street Journal, who cited government sources in reporting that a number of private contractors had been breached by Russian-backed hackers who then worked their way up the supply chain until they were in position to cripple parts of the power grid.

The report is yet another reminder of the big problem in securing critical infrastructure in the US: For every large carrier with a sizable security team, there are dozens of poorly-equipped subcontractors who know little about data security.

XTerm JavaScript component patches up remote code bug

It's the three letters no developer wants to hear in connection to their product: RCE.

A remote code execution flaw was spotted in XTerm, a component for JavaScript that lets developers create terminals within browser windows. In this case, said Google Security researcher Felix Wilhelm (one of the group credited with discovery), an exploit would have allowed the attacker to escape the terminal and cause further mayhem on the vulnerable machine.

Anyone using XTerm for their sites will want to use this script from Wilhelm to check if their version needs to be updated to patch up the bug.

Jira, we have had a problem

A bunch of internal NASA data, things like employee names and IDs, internal emails, and project details, were recently found to be exposed, and it will come as no surprise that the culprit was Atlassian's much-loathed Jira system.

Bug-hunter Avinash Jain found that a NASA Jira server had been improperly configured to allow "everyone" access, a setting that not only adds everyone within the organization but also those outside.

"I found that Jira instance used by NASA had a misconfigured setting where any anonymous user can access the user picker functionality (described as above) and pulls out the complete list of every NASA user’s username and email address," Jain explained.

Additionally, the server would let an anonymous user access filters that could then be used to group users based on what projects they were working on. So someone who accessed the server anonymously could see a NASA employee's name, email address, and what specific projects they were involved in. You can see why this would be an extremely useful tool to anyone wanting to infiltrate the US space agency.

Fortunately, the bug was privately reported and fixed back in June. ®
