NSA foreign spying, biotech snooping, Hamas hackers bombed, airline cams, and much more from infosec land
Quick-fire summary of the past few days of news
Roundup Welcome back, Brits, from your three-day Bank Holiday week. Allow us to catch you up on recent infosec comings and goings.
'Hamas hackers' bombed: Israeli Defence Forces claim they destroyed a building in the Gaza Strip on Saturday said to be used by Hamas hackers. The Palestinian militants were targeted in the air strike in response to cyber-attacks against Israel, the IDF said in a tweet: "We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed."
A tentative ceasefire is now underway. It's thought to be the first publicly known kinetic response by a military to an ongoing digital offensive. We note that rogue Brit hacker Junaid Hussain was killed by a US drone strike in 2015, though that was probably because he was an ISIS recruiter in Syria at the time.
Internet of Things: The UK government announced a public consultation internet-of-things security as it mulls regulations on forcing manufacturers to proactively protect devices from attack. "We recognise the urgent need to move the expectation away from consumers securing their own devices and instead ensure that strong cyber security is built into these products by design," the civil servants thundered. Do let them know your thoughts, enlightened readers.
Office 365: Take a moment to secure your company Office 365 accounts. Barracuda claims: "A recent analysis of account-takeover attacks targeted at Barracuda customers found that 29 percent of organizations had their Office 365 accounts compromised by hackers in March 2019."
NSA transparency: Over in the US, the Office of the Director of National Intelligence's annual transparency report [PDF] into Uncle Sam's surveillance programs had mixed news on the privacy front.
On the one hand, the number of issued National Security Letters, used to investigate corporate data under a permanent gagging order, dropped in 2018 to 10,235, nearly half of the total five years ago. But on the other hand, the number of foreign individuals under communication surveillance rose 28 per cent to 164,770 and the number of Americans under similar watch rose from 7,512 in 2017 to 9,637 last year.
UK taxman falls foul of GDPR, agrees to wipe 5 million voice recordings used to make biometric IDsREAD MORE
Jenkins plugins: If you're using third-party plugins in your Jenkins installation, be aware NCC Group's Viktor Gazdag has found and reported security flaws in at least one hundred of them, and not all of them have been fixed. Now would be a good time to look over Gazdag's findings, and ensure you're not running vulnerable code.
Bitcoin scammers: A UK Channel Islands man from Jersey was scammed out of £1.2m ($1.5m) in Bitcoin after crooks convinced him to invest the sum in an online investment scheme. After being promised 15x returns, local media reports, the man then lost the lot and called the police, although he's unlikely to see the money again.
Extradition: Ukrainian Oleksii Petrovich Ivanov, 31, was extradited from the Netherlands to the US this month to face one charge of conspiracy to commit wire fraud, four charges of wire fraud, and one of computer fraud, over an alleged malvertising campaign. Millions of netizens were exposed to web adverts designed to infect their systems with malware, prosecutors claim.
Marcus Hutchins sentencing: It looks as though the Marcus Hutchins saga is coming to an end. After pleading guilty to two charges of creating and distributing malware earlier this month, his sentencing hearing has been set for July 26, nearly two years to the day after he was first arrested. There have been calls for a pardon, or community service rather than a custodial sentence, but that's up to the judge.
Ladders leak: An executive recruitment agency was left red-faced after accidentally exposing the personal information of more than 13 million people on its books. The New York-based Ladders agency left the data in an unsecured Amazon Elasticsearch database and it was found by GDI Foundation member Sanyam Jain. The data included names, job and salary histories, security clearances and work authorizations, and addresses, and while it doesn't appear to have been accessed by hackers, it's still highly unprofessional. The database has since been hidden from public.
Laboratory IP theft: A financial filing by American biotech biz Charles River Lab this week reports that "a highly sophisticated, well-resourced intruder," got onto its corporate servers and stole sensitive client information. The lab doesn't say exactly what was stolen beyond estimating one per cent of its files, suggesting a highly targeted attack.
Google wiping data: Google takes a lot of flack, sometimes deservedly so, for slurping too much info on us all. Now it's offering a tool to cut back on the tracking of location history and online activities. In a blog post it explains that netizens can now set up their Google accounts to auto-delete this data after three to 18 months. The new controls will be out in a few days or so.
China's Muslim spying: The level of surveillance undergone by Muslim inhabitants of China has been uncovered and revealed by Human Rights Watch. The non-profit reverse engineered a government app used by Chinese police to monitor and detain ethnic Uyghurs and other Turkic Muslims. Meanwhile, a Chinese smart city's face-recognizing surveillance system was caught leaking info all over the internet.
Hardcoded passwords: Gas stations, or petrol stations, or servo, depending on where you live, were found running insecure firmware on their fuel pumps – from hardcoded passwords to stack-based buffer overflows. Patches are available; affected equipment is mostly in the US.
US airlines cover cameras: United and Delta airlines in the US have reportedly said that will cover up passenger-facing cameras in their seats, with American Airlines planning to follow suit. The cameras, located in the premium and business class seats, were never used and just included with the in-flight entertainment hardware, the airlines insisted, but they made high-paying passengers nervous so they'll now be covered up. ®