Table of Contents

  1. Leaks
    1. Records of around 14,800 patients stolen from clinic in Berlin
    2. Wawa Breach May Have Compromised More Than 30 Million Payment Cards
    3. LabCorp security lapse exposed thousands of medical documents
  2. Vulnerabilities
    1. Magento 2.3.4 addresses three critical Code execution flaws
    2. 7 Years Later, Emergency Alert Systems Still Unpatched, Vulnerable
    3. LPE and RCE in OpenBSD OpenSMTPD
  3. Privacy
    1. US colleges are trying to install location tracking apps on students’ phones
    2. De-Anonymization via Clickjacking in 2019
    3. Clearview AI Is Struggling To Address Complaints As Its Legal Issues Mount
    4. Italian Spyware Company Execs Arrested After Company Employees Spied On Innocent Citizens
    5. Apple iOS 13.3.1 Released With Fix for Location Tracking
    6. Off-Facebook Activity Is a Welcome but Incomplete Move
  4. Digital rights
    1. India, the World's Largest Democracy, Shuts Down the Internet
    2. New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator
    3. Huawei denies German report it colluded with Chinese intelligence
    4. Russia blocks encrypted email service ProtonMail
  5. Ransomware
    1. Ransomware Linked to Iran, Targets Industrial Controls
    2. Ransomware Bitcoin Wallet Frozen by UK Court to Recover Ransom
  6. Malware
    1. Predator the Thief

Leaks

Records of around 14,800 patients stolen from clinic in Berlin

A hard drive holding data records of around 14,800 patients has been stolen from a Berlin clinic. The records are mostly identity data and in some cases also information on diagnosis and/or clinical picture, according to a statement by Vivantes. The "Berliner Morgenpost" first reported the incident. The break-in, into a locked office of the Urology Clinic at the Vivantes Auguste-Viktoria Clinic, occurred in mid-November, according to Vivantes. The stolen device was a password-protected external hard drive containing a backup copy with around 18,000 data records.

Wawa Breach May Have Compromised More Than 30 Million Payment Cards

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Wawa said the breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card). "We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information," Wawa said in a statement released to KrebsOnSecurity. According to Gemini, Joker's Stash has so far released only a small portion of the claimed 30 million. Either way, Wawa could be facing steep fines for failing to protect customer card data traversing its internal payment card networks.

LabCorp security lapse exposed thousands of medical documents

A security flaw in LabCorp's website exposed thousands of medical documents, such as test results containing sensitive health data. It's the second incident in the past year, after LabCorp said in June that 7.7 million patients had been affected by a credit card data breach at a third-party payments processor. That breach also hit several other laboratory testing companies, including Quest Diagnostics. This latest security lapse was caused by a vulnerability in a part of LabCorp's website understood to host the company's internal customer relationship management system. Although the system appeared to be protected with a password, the part of the website designed to pull patient files from the back-end system was left exposed. That unprotected web address was visible to search engines and was later cached by Google, making it accessible to anyone who knew where to look. The cached search result only returned one document, containing a single patient's health information. But changing and incrementing the document number in the web address made it possible to access other documents.
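The LabCorp flaw is an insecure direct object reference: a back-end lookup keyed on a sequential document number with no check that the caller may see that record. The following is an added example, not LabCorp's code; it uses a constructed in-memory document store and constructed access-log lines. It shows the vulnerable lookup beside a hardened one that requires a session and enforces ownership, an opaque identifier generator, and a small log check that flags a client walking consecutive document numbers, which is the pattern a defender would want to detect.

```python
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    patient_id: str
    body: str


# Constructed sample back end. Sequential ids mean every neighbour is guessable.
DOCUMENTS: Dict[str, Document] = {
    "1001": Document("1001", "patient-A", "lipid panel: normal"),
    "1002": Document("1002", "patient-B", "HbA1c: 7.9%"),
    "1003": Document("1003", "patient-C", "CBC: within range"),
    "1004": Document("1004", "patient-D", "TSH: elevated"),
}


class AuthorizationError(Exception):
    pass


def fetch_document_insecure(doc_id: str) -> str:
    """Vulnerable pattern: whoever can reach the URL gets the record,
    and incrementing doc_id walks the whole table."""
    return DOCUMENTS[doc_id].body


def fetch_document_secure(doc_id: str, session: Optional[dict]) -> str:
    """Hardened pattern: require an authenticated session and check that
    the record belongs to the caller before returning it."""
    if session is None or "patient_id" not in session:
        raise AuthorizationError("authentication required")
    doc = DOCUMENTS.get(doc_id)
    # Same failure for 'missing' and 'not yours', so the response does not
    # confirm which document numbers exist.
    if doc is None or doc.patient_id != session["patient_id"]:
        raise AuthorizationError("not found")
    return doc.body


def new_document_id() -> str:
    """Opaque, non-sequential identifier. This complements the ownership
    check above; it is not a substitute for it."""
    return secrets.token_urlsafe(16)


# Constructed access-log format (hypothetical path /crm/documents?id=N).
LOG_RE = re.compile(r"^(\S+) GET /crm/documents\?id=(\d+) (\d{3})$")


def detect_sequential_access(lines: List[str], min_run: int = 3) -> List[str]:
    """Flag clients that fetched a run of at least min_run consecutive
    document numbers, the signature of enumeration by incrementing."""
    ids_by_client: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].add(int(m.group(2)))
    flagged = []
    for client, ids in ids_by_client.items():
        longest = run = 0
        prev = None
        for n in sorted(ids):
            run = run + 1 if prev is not None and n == prev + 1 else 1
            longest = max(longest, run)
            prev = n
        if longest >= min_run:
            flagged.append(client)
    return sorted(flagged)


# Constructed sample log: one client enumerates, another reads a single record.
SAMPLE_LOG = [
    "203.0.113.5 GET /crm/documents?id=1001 200",
    "203.0.113.5 GET /crm/documents?id=1002 200",
    "198.51.100.7 GET /crm/documents?id=1002 200",
    "203.0.113.5 GET /crm/documents?id=1003 200",
    "203.0.113.5 POST /crm/login 302",
    "203.0.113.5 GET /crm/documents?id=1004 200",
]

if __name__ == "__main__":
    print(fetch_document_insecure("1002"))            # anyone gets it
    print(fetch_document_secure("1002", {"patient_id": "patient-B"}))
    print(detect_sequential_access(SAMPLE_LOG))       # ['203.0.113.5']
```

The detector is deliberately simple (a set of ids per client, longest consecutive run); in practice you would window it by time and pair it with the server-side fix, since detection alone does not stop the disclosure.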

Vulnerabilities

Magento 2.3.4 addresses three critical Code execution flaws

Magento has released version 2.3.4 to address multiple vulnerabilities in its e-commerce platform, some of them critical code execution issues. "Successful exploitation could lead to arbitrary code execution," reads the security advisory. Magento version 2.3.4 fixes a total of 6 vulnerabilities, three of them rated critical severity and the remaining three rated important. One of the three critical issues, tracked as CVE-2020-3719, is an SQL injection flaw that could be exploited by attackers to leak sensitive information.

7 Years Later, Emergency Alert Systems Still Unpatched, Vulnerable

Two years after a false EAS alert about an incoming ICBM sowed terror in Hawaii, and seven years after security researchers warned about insecure, Internet-connected Emergency Alert System (EAS) hardware, scores of the devices across the U.S. remain unpatched and vulnerable to cyberattack, according to security experts. In February 2013, for example, unknown hackers compromised EAS systems at television stations in the U.S. and broadcast a bogus emergency alert claiming that the "dead were rising from their graves" and attacking people. Digital Alert Systems is calling and emailing affected customers that turned up in the Shodan search to urge them to update their systems, Czarnecki told The Security Ledger.

LPE and RCE in OpenBSD OpenSMTPD

A vulnerability in OpenSMTPD, OpenBSD's mail server, allows an attacker to execute arbitrary shell commands, enabling remote code execution or local privilege escalation on vulnerable machines.

Privacy

US colleges are trying to install location tracking apps on students’ phones

US colleges are already testing out a location tracking app, which students are now apparently expected to install on their phones. "Apparently" because there's some confusion over whether the schools are actually forcing this on their students. What the reports do agree on: the app uses local Bluetooth signals, not GPS, so it's probably not going to be very useful to track students outside of school. "No GPS tracking is enabled, meaning the technology cannot locate the students once they leave class," reads part of the university's statement. It's not unthinkable that future apps might tell schools more about students' behavior, and that it may become harder to say no.

De-Anonymization via Clickjacking in 2019

This blog post is about the current practice of de-anonymization via the clickjacking technique, whereby a malicious website is able to uncover the identity of a visitor, including their full name and possibly other personal information.
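Clickjacking of the kind described above depends on the target site allowing itself to be framed by a third-party page. The browser-side control is the `Content-Security-Policy: frame-ancestors` directive, with `X-Frame-Options` as the older fallback; when both are present, browsers that understand `frame-ancestors` ignore `X-Frame-Options`. The following is an added example, not code from the post; it audits a set of response headers for effective framing protection, which is the check a site owner would run over their own endpoints, and returns the headers that a protected response should carry.

```python
from typing import Dict, Tuple

# Source expressions that let any origin (of a whole scheme) frame the page.
OVERLY_BROAD = {"*", "http:", "https:"}


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one HTTP response's headers.

    Evaluation order follows browser behaviour: a CSP frame-ancestors
    directive wins; X-Frame-Options is consulted only if CSP says nothing
    about framing."""
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in parts[1:]]
        if sources == ["'none'"]:
            return True, "CSP frame-ancestors 'none'"
        if not sources:
            # An empty source list is equivalent to 'none'.
            return True, "CSP frame-ancestors with empty source list"
        broad = OVERLY_BROAD.intersection(sources)
        if broad:
            return False, "CSP frame-ancestors allows any origin: " + " ".join(sorted(broad))
        return True, "CSP frame-ancestors restricted to: " + " ".join(sources)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    return False, "no framing restriction"


def protected_headers(allow_self: bool = False) -> Dict[str, str]:
    """Headers a page that should never be embedded by a third party ought
    to send. Both are emitted so old and new browsers are covered."""
    if allow_self:
        return {
            "Content-Security-Policy": "frame-ancestors 'self'",
            "X-Frame-Options": "SAMEORIGIN",
        }
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


# Constructed sample responses for the audit.
SAMPLE_RESPONSES = {
    "profile": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy": {"X-Frame-Options": "deny"},
    "widget": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "settings": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        ok, why = framing_protection(hdrs)
        print(f"{name:9s} {'ok ' if ok else 'BAD'} {why}")
```

The "widget" case is the one that surprises people: `X-Frame-Options: DENY` is present, but the CSP directive beside it permits any ancestor, and a modern browser honours the CSP, so the page is frameable.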

Clearview AI Is Struggling To Address Complaints As Its Legal Issues Mount

"Clearview exists to help law enforcement agencies solve the toughest cases, and our technology comes with strict guidelines and safeguards to ensure investigators use it for its intended purpose only," the post stated. But in a November email, a company representative encouraged a police officer to use the software on himself and his acquaintances. "Have you tried taking a selfie with Clearview yet?" the email read. "It's the best way to quickly see the power of Clearview in real time. Try your friends or family. Or a celebrity like Joe Montana or George Clooney. Your Clearview account has unlimited searches. So feel free to run wild with your searches." These troubles come after news reports exposed its questionable data practices and misleading statements about working with law enforcement. Clearview has also tried to allay concerns that its technology could be abused or used outside the scope of police investigations.

Italian Spyware Company Execs Arrested After Company Employees Spied On Innocent Citizens

Law enforcement databases are routinely misused by government employees. The perfect storm of illicit surveillance and snooping comes from companies that sell spy tools to law enforcement but retain control of the servers where the personal data and communications are stored. An Italian developer, Diego Fasano, followed up his successful medical records app with something far more troubling: law enforcement spyware deployed with the aid of service providers. The app would also allow Fasano's company, eSurv, to give law enforcement access to a device's microphone, camera, stored files and encrypted messages. This meant eSurv employees -- at least the "Black Team" running eSurv's "Exodus" project -- could also access these recordings.

Apple iOS 13.3.1 Released With Fix for Location Tracking

Apple has released iOS 13.3.1 with numerous bug fixes, including a new setting that allows you to disable the constant location checks performed by the iPhone 11's U1 chip. In December 2019, Brian Krebs reported that even with location services disabled for all system services and applications, the new iPhone 11 would still occasionally check for the user's location. In a statement to TechCrunch, Apple said this is caused by the new U1 ultra-wideband (UWB) chip, which must be turned off in certain locations because of international regulatory requirements. For that reason, iOS uses Location Services to determine whether the phone is in a prohibited location and, if it is, disables ultra-wideband.

Off-Facebook Activity Is a Welcome but Incomplete Move

Today Facebook announced the roll-out of its Off-Facebook Activity tool (initially introduced as "Clear History" nearly two years ago). It also gives you options to "clear" or "disconnect" the identifiable information they have linked to your account. This is a good step for Facebook to take, and we hope it pushes other companies who talk a big game about transparency to follow suit. If even Facebook can give people this level of transparency and control around a particular data stream, other adtech players should be able to get their act together. That said, it's an incomplete measure, not least because we know that most users are unlikely to dig into and change their settings. In the U.S., for example, three-quarters of adults don't even know that Facebook's "ad preferences" page exists. On top of that, this tool doesn't come close to covering all the ways Facebook collects and monetizes data about you. For starters, there's no way to opt out of Custom Audiences, one of Facebook's most powerful targeted advertising services. As long as the burden is on users to carefully manage multiple sets of labyrinthine privacy settings, the privacy-invasive norms of targeted advertising will remain. That's why we need a strong federal privacy law in the U.S. and stronger interpretation of existing privacy laws globally.

Digital rights

India, the World's Largest Democracy, Shuts Down the Internet

News reports state that India's government has restored Internet access to the Kashmir region, though residents there can currently only browse 301 websites approved by the government and still cannot use social media. Mobile Internet is only available at very low speeds, according to a report from The Wire. The Jammu and Kashmir (J&K) administration said on Friday that it would reinstate mobile data services for the whole union territory starting on January 25 (Saturday), marking the restoration of a limited form of online connectivity for the region since the abrogation of Article 370; the ban on social media of all kinds will remain. Broadband access through fixed lines will be allowed as per previous orders, which cover institutions that provide essential services (hospitals) and travel establishments (hotels etc.). A number of key restrictions remain in place, though. "Access shall be limited to whitelisted sites and not to any social media applications allowing peer to peer communication and Virtual Private Network Application," the order notes.

New York Times Journalist Targeted by Saudi-linked Pegasus Spyware Operator

Hubbard is among a growing group of journalists targeted with Pegasus spyware. Several reports by Citizen Lab and Amnesty International in 2018 showed that a Saudi-linked Pegasus operator that we call KINGDOM was targeting dissidents and regime critics. On October 1, 2018, Citizen Lab reported that Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with Pegasus. Academic research on journalist security shows that journalists do not share the same digital security practices and perceptions across the profession. Yet not all targeted journalists are working on a topic where the risk of surveillance is obvious.

Huawei denies German report it colluded with Chinese intelligence

Huawei, the leading maker of telecoms network equipment, denied a newspaper report on Wednesday that alleged the German government was in possession of evidence that it had cooperated with Chinese intelligence. "Huawei Technologies has never, and will never, do anything to compromise the security of networks and data of its customers," the Chinese company said in response to the report in the Handelsblatt business daily. "The Handelsblatt article repeats old, unfounded allegations without providing any concrete evidence whatsoever."

Russia blocks encrypted email service ProtonMail

Russia said on Wednesday it had blocked the Swiss email service ProtonMail, popular among journalists and activists for its focus on user privacy and high level of encryption. Russian communications watchdog Roskomnadzor said ProtonMail, which uses end-to-end encryption to protect user data, had been used to send fake, anonymous bomb threats. Such threats have frequently led to mass evacuations of public buildings across Russia. Roskomnadzor said that ProtonMail had refused to provide Russian authorities with information on the owners of email accounts allegedly associated with the fake bomb threats.

Ransomware

Ransomware Linked to Iran, Targets Industrial Controls

OTORIO researchers flag an Iranian connection in a new strain of ransomware aimed at disrupting the activity of Industrial Control Systems (ICS). Like most ransomware, Snake encrypts programs and documents on infected machines. Then, to prevent recovery of the encrypted files from archives, Snake removes all file copies from infected stations, leaving the victims no choice but to pay the ransom or lose the data. Lastly, and most importantly, Snake searches for hundreds of specific programs, including various Industrial Control Systems oriented processes, in order to terminate them so that it can encrypt their files.

Ransomware Bitcoin Wallet Frozen by UK Court to Recover Ransom

A victim's insurance company convinced the UK courts to freeze a bitcoin wallet containing over $800K worth of a ransomware payment. In October 2019, a Canadian company was hacked by the BitPaymer ransomware operators, who encrypted 1,000 computers and 20 servers. After making the ransom payment, the insurance carrier did something very smart: in a private hearing with the UK courts, it requested that the wallet be frozen and that Bitfinex turn over information about the owners of the wallet.

Malware

Predator the Thief

Predator the Thief is a sophisticated malicious stealer which has been on the scene for around one and a half years. What started as coding experiments in malware development later evolved into a full-fledged menace to be reckoned with. Current versions of Predator use various anti-debugging and anti-analysis techniques to complicate analysis on the part of researchers while still smoothly performing data stealing.