Table of Contents
Vulnerabilities
Tik or Tok? Is TikTok secure enough?
Researchers from Check Point have analyzed the TikTok app and identified multiple vulnerabilities, including sensitive data exposure, XSS attacks, and manipulation of user accounts (adding or deleting videos, or changing privacy settings).
SHA-1 chosen prefix collision
Another significant milestone has been reached in cracking SHA-1: it is now possible to create a SHA-1 collision with a chosen prefix. As a side result, this shows that it now costs less than 100k USD to break cryptography with a security level of 64 bits (i.e. to compute 2^64 operations of symmetric cryptography).
Microsoft Windows VCF Card / Mailto Link Denial Of Service
Windows VCF cards do not properly sanitize email addresses, allowing HTML injection. A corrupt VCF card can cause all of the user's currently open files and applications to be closed and their session to be terminated, without requiring any accompanying attacker-supplied code. This can be done by crafting the Mailto link to point to Windows "logoff.exe". The corrupt VCF card can then kill all of the user's applications and log the target off their computer, if the VCF card is opened using Windows Contacts and the link is clicked.
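The defensive counterpart to the flaw above is to validate EMAIL properties strictly before rendering them as links. The following vCard checker is an added example (not code from the article or from Microsoft); the sample vCard is constructed, and the email grammar is a deliberately conservative subset of RFC 5322.

```python
import re

# Strict, conservative e-mail grammar: local@domain with no HTML metacharacters,
# whitespace or control characters. Narrower than RFC 5322 on purpose (assumption).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
FORBIDDEN = re.compile(r'[<>"\'\\\x00-\x1f]')

def parse_vcard(text):
    """Return (property, params, value) tuples from a vCard, unfolding continuation lines."""
    # A line starting with a space or tab continues the previous line (RFC 6350 folding)
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    props = []
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name, _, params = head.partition(";")
        props.append((name.strip().upper(), params, value))
    return props

def check_email_fields(text):
    """Return (value, reason) for every EMAIL property that is not a plain address."""
    findings = []
    for name, _params, value in parse_vcard(text):
        if name != "EMAIL":
            continue
        if FORBIDDEN.search(value):
            findings.append((value, "html/control characters in EMAIL value"))
        elif not EMAIL_RE.match(value):
            findings.append((value, "EMAIL value is not a plain address"))
    return findings

# Constructed sample: one clean contact entry and one with injected markup in EMAIL
SAMPLE_VCARD = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Jane Example\r\n"
    "EMAIL;TYPE=INTERNET:jane@example.com\r\n"
    "EMAIL;TYPE=INTERNET:<a href=\"mailto:x\">click</a>\r\n"
    "END:VCARD\r\n"
)

if __name__ == "__main__":
    for value, reason in check_email_fields(SAMPLE_VCARD):
        print(f"REJECT {value!r}: {reason}")
```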
Leaks
The Difficulty of Disclosure, Surebet247 and the Streisand Effect
Troy Hunt has published an article about his experience with disclosing breaches and how the company reacted: by choosing to actively ignore security experts and trying to take legal action against them.
Medical Info of Roughly 50K Exposed in Minnesota Hospital Breach
Personal and medical information of 49,351 patients of Minnesota-based Alomere Health might have been exposed following the compromise of two employees' email accounts. Alomere Health is a general medical and surgical hospital in Alexandria, MN, with 127 beds. It is accredited by the Healthcare Facilities Accreditation Program (HFAP), has a Level III trauma center and has twice been named one of the Top 100 Hospitals by Thomson Reuters. Exposed data include names, addresses, dates of birth, medical record numbers, health insurance information, and diagnosis and treatment details. Attackers also accessed Social Security numbers and driver's license numbers for some patients.
Ransomware
Travelex 'being held to ransom' by hackers said to be demanding $3m
The company first discovered the virus on New Year's Eve, Travelex said in its statement. According to the company, there is no indication that personal or customer data was compromised in the incident. "The company's network of branches continues to provide foreign exchange services manually," the statement said. The ransomware involved, which Travelex has confirmed in a new statement to be Sodinokibi (also known as REvil), is particularly insidious. Sodinokibi almost acts like a software-as-a-service that allows criminals to customize it for their specific uses, according to an analysis by McAfee. The ransomware encrypted Travelex's entire network, and the attackers gave Travelex a seven-day deadline to pay up. It is worth mentioning that the company had been alerted to the critical Pulse Secure vulnerability used to spread the malware, but did not react.
SNAKE Ransomware is targeting business networks
SNAKE is a new ransomware family that is threatening enterprises worldwide alongside the most prevalent ransomware families such as Ryuk, Maze, Sodinokibi, LockerGoga, BitPaymer, DoppelPaymer and MegaCortex. The worrying trend sees criminal organizations targeting enterprises instead of single users, using the above malware to maximize their profits.
Google's new policy gives developers more time to address security flaws
Google's Project Zero disclosure program is supposed to encourage releases of security fixes in a timely fashion, but things haven't gone according to plan. Premature disclosures, half-hearted fixes and other issues have been a little too common. The company might address some of those problems in 2020, though. It recently revised its policies in a bid to encourage both more "thorough" security patches and wider adoption of those patches. Most notably, Google will wait 90 days to disclose a flaw even if it's fixed well ahead of that deadline. If developers act quickly, they'll have more time to both distribute patches and make sure that fixes address the root cause of a flaw.
Google Fixes Critical Android RCE Flaw
Google's first security update of 2020 addressed seven high- and critical-severity Android flaws. Google kicked off its first Android Security Bulletin of 2020 by patching a critical flaw in its Android operating system which, if exploited, could allow a remote attacker to execute code. Compared to last year's monthly tally, the number of CVEs patched this month was relatively small. "The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," according to Google in the bulletin.
Phishing
Microsoft Phishing Scam Exploits Iran Cyberattack Scare
An attacker is attempting to take advantage of the recent warnings about possible Iranian cyberattacks by using them as a theme for a phishing attack that tries to collect Microsoft login credentials. With the rising escalation between the United States and Iran, the U.S. government has been issuing warnings about possible cyberattacks by Iran and potential attacks on critical U.S. infrastructure. To exploit this increased tension, an attacker has created a phishing scam that pretends to be from 'Microsoft MSA' and has the email subject 'Email users hit by Iran cyberattack', warning that Microsoft's servers were hit by a cyberattack from Iran.
Apple
Unable to unlock gunman’s iPhones, the FBI (once again) asks for Apple’s help
In a move that may signal another high-stakes clash over encryption, the FBI is asking Apple for help decrypting two iPhones believed to have belonged to Mohammed Saeed Alshamrani, the man suspected of carrying out a shooting attack that killed three people last month at the Naval Air Station in Pensacola, Florida.
Crime
MageCart gang compromised popular Focus Camera website
A new MageCart attack made the headlines; this time the gang compromised the website of the popular retailer Focus Camera. The hack took place last year: the attackers planted a software skimmer on the website to steal payment card data of users who purchased products on the portal. To hide the malicious traffic, the attackers registered "zdsassets.com," a domain that resembles ZenDesk's legitimate "zdassets.com."
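A cheap detection for the look-alike trick described above is to compare every third-party script host loaded by a checkout page against an allowlist of trusted vendor domains and flag near misses. This is an added example, not from the article or any vendor; the observed hosts are constructed, and the registrable-domain helper assumes simple two-label domains such as .com.

```python
def edit_distance(a, b):
    """Levenshtein distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels of a hostname (assumption: no multi-label public suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_lookalikes(script_hosts, trusted_domains, max_distance=2):
    """Flag hosts whose registrable domain is close to, but not equal to, a trusted domain.

    Returns (host, trusted_domain_it_resembles, distance) tuples."""
    trusted = sorted({t.lower() for t in trusted_domains})
    findings = []
    for host in script_hosts:
        dom = registrable(host)
        if dom in trusted:
            continue  # exact match with a trusted domain: fine
        for t in trusted:
            d = edit_distance(dom, t)
            if 0 < d <= max_distance:
                findings.append((host, t, d))
                break
    return findings

# Constructed inventory of third-party script hosts seen on a checkout page
OBSERVED = ["static.zdassets.com", "cdn.zdsassets.com", "js.stripe.com",
            "www.googletagmanager.com"]
TRUSTED = ["zdassets.com", "stripe.com", "googletagmanager.com"]

if __name__ == "__main__":
    for host, near, d in find_lookalikes(OBSERVED, TRUSTED):
        print(f"SUSPECT {host}: within {d} edit(s) of trusted {near}")
```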