From Docker Hub hack to Facebook's burglar-friendly API to phone fingerprint bypasses...

...let us bring you up to date on infosec bits and bytes

Roundup: Here's your quick-fire summary of recent computer security news.

Docker: Someone broke into a database holding Docker Hub account information, and managed to siphon off non-financial records on 190,000 users before the exfiltration was, presumably, detected and stopped.

The intrusion happened on Thursday, April 25, though Docker emailed people late on Friday alerting them to the security breach. Less than five per cent of Hub users were affected, according to the biz.

The swiped information included "usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds," we're told. Hub account passwords should be changed, and snatched tokens have been revoked. Crucially, no hosted Dockerfiles were touched, we're assured.

This cyber-break-in is not great news for Docker and its Hub users, but it could have been a lot worse. Docker Hub lets people share container configurations with the world; if miscreants had been able to maliciously tamper with hosted Docker containers, and these were fetched and installed by others on their machines, the damage could have been catastrophic.

Facebook: Online yard sale Facebook Marketplace was caught leaking the precise location data of advertisers, allowing burglars to know exactly what to nick from where. The info was included in JSON data from a Facebook API.

After some prodding, we're told, the antisocial network finally tweaked its interface to remove these exact GPS coordinates.

Shadowhammer: More details have emerged about the espionage effort to infect targets via Asus system updates. It turns out other software downloads were tampered with: downloads from a videogame company, a conglomerate holding company, and a pharmaceutical biz, all based in South Korea.

Nokia: Nokia 9 PureView phones can be unlocked by sticks of gum or previously unseen fingers, when pressed against their fingerprint scanners, following a firmware update this month. The software was supposed to improve the tech, but in fact made it worse. Until Nokia fixes this, try using some other form of authentication.

SIM swapper: Joel Ortiz, 21, was sent down for 10 years after siphoning Bitcoin from wallets hijacked using SIM swapping – that's where you transfer the ownership of a cellphone number from a victim's SIM to your own, and then use that to reset passwords, via SMS-based two-factor authentication, until you're able to access the mark's crypto-currency.

DDoS: Users of the Electrum Bitcoin wallet are being slammed by a botnet of 152,000 infected devices.

Qualcomm: Malware with root access on Qualcomm-powered Android devices can steal hardware-protected private keys that not even privileged software should be allowed to touch. This requires exploiting a vulnerability that was patched earlier this month, though obviously not every device gets these fixes in a timely fashion.

Alexa: Amazon staff debugging people's queries to its voice-controlled Alexa personal assistant have access to location data, allowing them to trace some folks down to their home addresses.

Passwords: If you've ever wondered how miscreants steal user passwords from one website to log into accounts in other websites where passwords are reused – so-called credential stuffing attacks – then look no further than this.

Cryptocurrency: People are using easily guessable private keys to secure their Ethereum wallets, and a crook dubbed the Blockchain Bandit is exploiting this to drain them of crypto-cash.

Backdoors and frameworks: The source code to the Carbanak backdoor leaked onto VirusTotal, and FireEye has been poring over the blueprints and analyzing how the thing works. Meanwhile, Kaspersky Lab has detailed an interesting hacking framework dubbed Project TajMahal.

Russiagate: After the Mueller Report landed, some 5,000 Twitter bots that previously organized to back Saudi Arabia were spotted pushing the message that allegations President Trump colluded with Russia were a hoax.

Islamic State: A woman used hacked Facebook accounts to share instructions for producing explosives and poison, according to prosecutors. Now she and one other person have pleaded guilty to crimes related to providing support for the Islamic State.

Ransomware: Manufacturing giant Aebi Schmidt was hit by file-scrambling ransomware that disrupted its operations.

LinkedIn: Databases containing 60 million profiles scraped from LinkedIn, including email addresses, were found facing the public internet.

Port scans: Mass port scans of internet-facing IP addresses using spoofed source addresses – mainly of banks and other financial institutions – have been detected. It's thought these were launched by miscreants trying to cause trouble by tricking outfits like Spamhaus, which have put spoofed source IP addresses on block lists, into blacklisting legit organizations.

Chrome: Stand by for a Chrome for iOS security update after bad ads were spotted bypassing its pop-up blocker on iThings.

Filtering: Some in the UK ISP industry are upset that web browsers using DNS-over-HTTPS will be able to bypass filters that block bad stuff on the internet.

Fitness: Bodybuilding.com detected an intruder on its network who may have swiped people's personal information. ®




Biting the hand that feeds IT © 1998–2019