Table of Contents

  1. Breaches
    1. Netzsch Group based in Germany allegedly breached by Clop Ransomware Operators
    2. Intel leak: 20GB of source code and internal docs, backdoors mentioned
    3. Capital One fined $80 million for 2019 hack
    4. 2.3 Million+ USA Doctor Records Allegedly Leaked on Darkweb for Free
    5. British Dental Association data leaked on Darkweb
    6. Indian Fintech Start-up, Slice Pay, Suffers Massive Data Breach
    7. Corporate Renaissance Group Allegedly Struck by Netwalker
    8. Netwalker allegedly breached The Center for Fertility and Gynecology
    9. User Records of UberEATS Leaked on Darkweb
    10. Canon suffers ransomware attack, Maze claims responsibility
    11. Cyber attack affects Hudson ISD website
    12. Second Data Breach at Kentucky Unemployment System
    13. Lafayette pays $45,000 in ransom after cyber-attack disabled computer system
    14. The Central Depository and two other organisations fined for data privacy breach
    15. Metrolinx investigating privacy breach after 2K email addresses of fined riders revealed
    16. More than 200 people affected by privacy breaches at Nova Scotia Health
    17. Class action proposed for victims of Central Health privacy breach
    18. Hospital investigating possible confidentiality breach
    19. Leaky S3 buckets have gotten so common that they’re being found by the thousands now, with lots of buried secrets
    20. ProctorU - 444,453 breached accounts
    21. Hacker leaks passwords for 900+ enterprise VPN servers
  2. Misc
    1. FBI issues warning over Windows 7 end-of-life
    2. CPR Anti-Debug Encyclopedia: The Check Point Anti-Debug Techniques Repository
    3. DEF CON: New tool brings back 'domain fronting' as 'domain hiding'
    4. I'm Open Sourcing the Have I Been Pwned Code Base
    5. ProtonVPN: US servers downed in warzone for Call of Duty updates
    6. Microsoft adds Windows 10 DNS over HTTPS settings section
    7. Internet connectivity in Lebanon impacted following blast
    8. Twitter, TikTok Have Held Preliminary Talks About Possible Combination
    9. The quest to liberate $300k of Bitcoin from an old ZIP file
  3. Politics
    1. Can Trump ban TikTok? What the executive order means
    2. US shares info on election interference tied to Russia, China, Iran
    3. Hackers are defacing Reddit with pro-Trump messages
    4. Google banned 2500+ Chinese YouTube channels for disinformation
    5. Liam Fox faces growing scrutiny over Russian hack of personal email
    6. China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI
  4. Vulnerabilities
    1. Don’t be silly – it’s only a lightbulb
    2. Exploiting Android Messengers with WebRTC (part 2 and 3)
    3. TeamViewer fixes bug that lets attackers access your PC
    4. Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks
    5. Beyond KrØØk: Even more Wi‑Fi chips vulnerable to eavesdropping
    6. Security bugs let these car hackers remotely control a Mercedes-Benz
    7. Nearly 50% of all smartphones affected by Qualcomm Snapdragon bugs
    8. A crash course on hacking satellites
    9. Firefox gets fix for evil cursor attack
    10. Smart locks opened with nothing more than a MAC address
    11. Abus alarm system switched off remotely
    12. Hackers can remotely hijack enterprise, healthcare Temi robots
    13. Web Cache Entanglement: Novel Pathways to Poisoning
    14. Samsung rolls out Android updates fixing critical vulnerabilities
    15. Twitter patches Android app to prevent exploitation of bug that can grant access to DMs
    16. How your pacemaker could become an insider threat to national security
    17. New EtherOops attack takes advantage of faulty Ethernet cables
    18. Ex-NSA Hacker Finds a Way to Hack Mac Users via Microsoft Office
    19. Facebook plugin bug lets hackers hijack WordPress sites’ chat
    20. Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder
    21. Vulnerable perimeter devices: a huge attack surface
    22. MMS Exploit Part 4: MMS Primer, Completing the ASLR Oracle
    23. Bugs in HDL Automation expose IoT devices to remote hijacking
  5. Crime
    1. Bulgarian police arrest hacker Instakilla
    2. Toronto woman’s CERB payments on hold after fraudster makes EI claim in her name
    3. Hackers are using skeleton keys to target chip vendors
    4. Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims
    5. When penetration testing earns you a felony arrest record
    6. Porn Clip Disrupts Virtual Court Hearing for Alleged Twitter Hacker
    7. How hackers gain root access to SAP enterprise servers through SolMan
    8. FBI: Iranian hackers trying to exploit critical F5 BIG-IP flaw
    9. Hackers Could Use IoT Botnets To Manipulate Energy Markets
    10. Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)
    11. Cybercrime in the Age of COVID-19
  6. Malware
    1. Hackers can abuse Microsoft Teams updater to install malware
    2. Magecart group uses homoglyph attacks to fool you into visiting malicious websites
    3. Unpatched bug in Windows print spooler lets malware run as admin
    4. Fake security advisory used in clever cPanel phishing attack
    5. Cluster of 295 Chrome extensions caught hijacking Google and Bing search results
    6. WastedLocker ransomware abuses Windows feature to evade detection
  7. Privacy
    1. The NSA on the Risks of Exposing Location Data
    2. EPIC Obtains Records on White House COVID-19 Response, Location Data Tracking
    3. We just may have accidentally left Google Home devices recording your every word
    4. Twitter to be fined $250M for using 2FA numbers for ads
    5. Firefox adds protections against redirect tracking

Breaches

Netzsch Group based in Germany allegedly breached by Clop Ransomware Operators

CybleInc researchers during their monitoring of deepweb and darkweb came across a leak post in which the Clop ransomware operators claimed to have allegedly struck the Netzsch Group and got hold of their sensitive data. Founded in the year 1873, The NETZSCH Group is an owner-managed, international technology company with headquarters in Germany. With more than 3,700 employees in 36 countries and revenue of $661.8 Million (FY2019)

Intel leak: 20GB of source code and internal docs, backdoors mentioned

Classified and confidential documents from U.S. chipmaker Intel, allegedly resulting from a breach, have been uploaded earlier to a public file sharing service. The cache of secret information is 20GB large and comes from an unknown source. It was announced as the first part in a series of Intel leaks. According to Tillie Kottmann, a developer and reverse engineer who received the documents from an anonymous hacker, most of the information is supposed to be protected intellectual property. The developer was told that the information was stolen from Intel in a breach this year. "They were given to me by an Anonymous Source who breached them earlier this year, more details about this will be published soon," Kottmann says. "Most of the things here have NOT been published ANYWHERE before and are classified as confidential, under NDA or Intel Restricted Secret," the developer added. Those browsing firmware source code will find comments referring to backdoors, but that could mean anything and does not necessarily mean they can gain access to your computer:

Capital One fined $80 million for 2019 hack

The US top banking regulator fined US bank Capital One with $80 million for failing to secure customer data while hosted in the cloud, a security lapse that led to the bank's massive 2019 security breach that exposed the personal information of more than 100 million Americans. The fine was announced by the Office of the Comptroller of the Currency, an independent office and the top banking auditor in the US Department of Treasury. "The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner," the agency said in a press release today.

2.3 Million+ USA Doctor Records Allegedly Leaked on Darkweb for Free

The Cyble Research Team identified two threat actors who leaked in total 2,267,453 records of doctors operating in the United States. The leaked records contain the details of doctors specializing in multiple fields such as clinical social worker, dermatology, nurse practitioner, optometry, etc but among these records, more than 11,400 records are of doctors with the primary specialty as Chiropractic.

British Dental Association data leaked on Darkweb

Recently, BBC News stated that the British Dental Association (BDA) got struck by a cyberattack on 30 July 2020. This cyberattack impacted BDA's multiple servers after which they were taken offline and below message was shared on their website. After that on August 04, the Cyble Research Team came across a post in which a threat actor claimed to be in possession of staff profiles of the British Dental Association and was sharing it for free.

Indian Fintech Start-up, Slice Pay, Suffers Massive Data Breach

Cyble's researchers identified an actor who was selling 56GB of data, comprising of 21,000+ students Aadhar Card, their university IDs, their photo and full Signature with other details. The breach allegedly is attributed to a FinTech company, Slicepay.

Corporate Renaissance Group Allegedly Struck by Netwalker

Recently, CybleInc researchers identified a leak post in which the Netwalker ransomware operators claimed to have breached Corporate Renaissance Group (CRGroup) -- Founded in the year 1989, and since then the CRGroup has been assisting businesses in leveraging technology and improving performance across the entire organization. Currently, the CRGroup is Canada's Capital Region's #1 Partner for Microsoft Business Solutions and has over 4500 clients worldwide.

Netwalker allegedly breached The Center for Fertility and Gynecology

The Cyble Research Team came across the post in which the Netwalker ransomware operators claimed to have breached The Center for Fertility and Gynecology -- Established in the year 1987, and since then they have been offering a range of comprehensive fertility services to help you fulfill people's dreams of parenthood. They are counted as one of the premier fertility centers on the West Coast of the United States.

User Records of UberEATS Leaked on Darkweb

The Cyble Research Team came across a threat actor who leaked user records of UberEATS -- a well-known American online food ordering and delivery platform launched by Uber in the year 2014 and based in San Francisco, California. This online food ordering platform has been earning annual revenue of around $1.46 billion.

Canon suffers ransomware attack, Maze claims responsibility

As reported by BleepingComputer, a six-day outage beginning July 30 on the image.canon website, a service for uploading and storing photos through Canon's mobile applications, led to suspicions that a cyberattack may have taken place. While now service has resumed, in the website's last status update, Canon revealed that an issue "involving 10GB of data storage" was under investigation, leading to the temporary suspension of related mobile apps and the online platform. Canon said that "some of the photo and image files" saved prior to June 16 were "lost," but in the same breath, insisted that there "was no leak of image data." "Currently, the still image thumbnails of these lost image files can be viewed but not downloaded or transferred," the company said. "If a user tries to download or transfer a still image thumbnail file, an error may be received." This, in itself, may suggest nothing more than a technical issue with back-end servers. However, at the same time, an internal memo obtained by the publication warned employees of "company-wide" IT issues, including apps, Microsoft Teams, and email.

Cyber attack affects Hudson ISD website

Hudson ISD's website was down throughout the weekend and Monday after a cyber attack affected the website's host. "The Hudson ISD website is hosted remotely by a third party, Gabbart, in the AWS cloud," Superintendent Donny Webb said. "The sites hosted by our vendor have been under attack by a distributed denial of service (DDoS) attack causing them to be inaccessible. Our host has been in constant contact with us and the FBI and other federal agents are involved in the investigation." The attacks were off and on for about a week increasing in size, he said.

Second Data Breach at Kentucky Unemployment System

Kentucky's unemployment system appears to have suffered its second data breach in four months after a claimant reported being able to view another claimant's personal data. The reporter of the alleged breach logged on to the Office of Unemployment Insurance's (OUI) online system on July 27 to work on their unemployment application. While trying to enter their own details, the claimant was able to view information about another claimant's former employer and health.

Lafayette pays $45,000 in ransom after cyber-attack disabled computer system

The mayor of Lafayette posted a video Tuesday, saying the City has paid a $45,000 ransom after a cyber attack affected city computer and phone systems. "The City was coerced into paying a $45,000 ransom to retrieve a 'key' to unlock encrypted data," officials said.

The Central Depository and two other organisations fined for data privacy breach

The Central Depository (CDP) and two other organisations have been fined a total of $47,000 for breaching data privacy laws. CDP received the biggest fine of $32,000 after it mailed dividend cheques to outdated addresses, putting more than 200 account holders at risk of having their personal data disclosed. According to a written decision by the Personal Data Protection Commission (PDPC) published on its website on Monday, the CDP had mailed the cheques containing personal information such as names and NRIC numbers to outdated addresses after it migrated its software system in December 2018.

Metrolinx investigating privacy breach after 2K email addresses of fined riders revealed

Metrolinx, the transit organization that oversees GO Transit and UP Express, officials say they are investigating a privacy breach that saw more than 2,000 email addresses of riders who were fined publicly revealed in a mass email.

More than 200 people affected by privacy breaches at Nova Scotia Health

Another privacy breach at Nova Scotia Health has affected more than 200 people. In a release Tuesday, the province's health authority said they are contacting 211 people by letter whose personal health information was "inappropriately accessed" in two unrelated incidents. The breaches took place at the Aberdeen Hospital in New Glasgow, and the Valley Regional Hospital in Kentville. They were flagged by a routine privacy audit which triggered two internal investigations.

Class action proposed for victims of Central Health privacy breach

St. John's lawyers Bob Buckingham and Eli Baker say they will launch a class-action lawsuit in relation to a recent privacy breach by a former employee of Central Health. Last week, officials with the health authority said an employee had inappropriately accessed the health records of 240 people online over a two-year span. Central Health was informed of a potential privacy breach July 14 and immediately undertook an investigation, they said.

Hospital investigating possible confidentiality breach

Personal details about women who have had a stillbirth appear to have mistakenly been published online by the trust which runs Basingstoke hospital. Three reviews were published in two different documents in June and July, providing details including the date and time of the stillbirth, the women's age and BMI, the gender and weight of their baby, and detailed medical history including previous miscarriages and pregnancy terminations, as well as an in-depth report of their pregnancy and birth.

Leaky S3 buckets have gotten so common that they’re being found by the thousands now, with lots of buried secrets

The massive amounts of exposed data on misconfigured AWS S3 storage buckets is a catastrophic network breach just waiting to happen, say experts. The team at Truffle Security says its automated search tools were able to stumble across some 4,000 open Amazon S3 buckets that included data companies would not want public, things like login credentials, security keys, and API keys.

ProctorU - 444,453 breached accounts

In June 2020, the online exam service ProctorU suffered a data breach which was subsequently shared extensively across online hacking communities. The breach contained 444k user records including names, email and physical addresses, phones numbers and passwords stored as bcrypt hashes.

Hacker leaks passwords for 900+ enterprise VPN servers

A hacker has published a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers. ZDNet, which obtained a copy of this list with the help of threat intelligence firm KELA, verified its authenticity with multiple sources in the cyber-security community.

Misc

FBI issues warning over Windows 7 end-of-life

The Federal Bureau of Investigation has sent a private industry notification (PIN) on Monday to partners in the US private sector about the dangers of continuing to use Windows 7 after the operating system reached its official end-of-life (EOL) earlier this year. "The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status," the agency said. "Continuing to use Windows 7 within an enterprise may provide cyber criminals access in to computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered. "With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target," the FBI warned.

CPR Anti-Debug Encyclopedia: The Check Point Anti-Debug Techniques Repository

Debugging is the essential part of malware analysis. Debuggers interfere with the debugged process in a way that usually produces side-effects. These side-effects are often used by malicious programs to verify if they are executed under debugging. This encyclopedia contains the description of anti-debug tricks which work on the latest Windows releases with the most popular debuggers (such as OllyDbg, WinDbg, x64dbg).

DEF CON: New tool brings back 'domain fronting' as 'domain hiding'

At the DEF CON 28 security conference this week, a security researcher has released a new tool that can help the makers of sensitive applications evade censorship and bypass firewalls to keep services up inside problematic areas of the globe. The new tool, named Noctilucent, was developed by Erik Hunstad, Chief Technical Officer at cyber-security firm SixGen. According to Hunstad, Noctilucent comes to fill a role left void by cloud providers like Amazon and Google blocking "domain fronting" on their infrastructure. Hunstad said he used the new TLS 1.3 protocol to revive domain fronting (sort of) as an anti-censorship technique, but in a new format, the researcher calls "domain hiding." Domain fronting is a technique that has been made popular by mobile app developers in the 2010s and has been used to allow apps to bypass censorship attempts in oppressive countries. The domain fronting technique allows clients (apps) to connect to a "front" domain, which then forwards the connection to the aapp maker's real infrastructure.

I'm Open Sourcing the Have I Been Pwned Code Base

Troy Hunt is going to open source the Have I Been Pwned code base. The decision has been a while coming and it took a failed M&A process to get here, but the code will be turned over to the public for the betterment of the project and frankly, for the betterment of everyone who uses it.

ProtonVPN: US servers downed in warzone for Call of Duty updates

Most of the U.S. ProtonVPN servers are under high load as users worldwide battle to be the first to download the latest Call of Duty: Warzone update. A highly anticipated update for Call of Duty: Warzone Season 5 was released, and it has caused VPN servers located in the USA to go under heavy load as users from other countries download the update.

Microsoft adds Windows 10 DNS over HTTPS settings section

Microsoft has announced that Windows 10 customers can now configure DNS over HTTPS (DoH) directly from the Settings app starting with the release of Windows 10 Insider Preview Build 20185 to Windows Insiders in the Dev Channel. The addition of support for the DoH protocol in a future Windows 10 release was announced by Microsoft in November 2018, the inclusion of DNS over TLS (DoT) support also being left on the table. DoH allows DNS resolution over encrypted HTTPS connections, while DoT encrypts DNS queries via the Transport Layer Security (TLS) protocol, instead of using plain text DNS lookups.

Internet connectivity in Lebanon impacted following blast

Network data from the NetBlocks internet observatory confirm that internet connectivity in Lebanon has significantly fallen following reports of an explosion on Tuesday 4 August 2020, with the outage ongoing as of 1:00 p.m. UTC Wednesday. The incident may impact communications with victims and eyewitnesses on location.

Twitter, TikTok Have Held Preliminary Talks About Possible Combination

Twitter Inc. has had preliminary talks about a potential combination with TikTok, the popular video-sharing app that the Trump administration has declared a national-security threat due to its Chinese ownership, according to people familiar with the matter. It is unclear whether Twitter will pursue a deal with TikTok, which would face significant challenges. A deal would involve TikTok's U.S. operations, the people said.

The quest to liberate $300k of Bitcoin from an old ZIP file

In October, Michael Stay got a weird message on LinkedIn. A total stranger had lost access to his bitcoin private keys - and wanted Stay's help getting his $300,000 back. It wasn't a total surprise that The Guy, as Stay calls him, had found the former Google security engineer. Nineteen years ago, Stay published a paper detailing a technique for breaking into encrypted zip files. The Guy had bought around $10,000 worth of bitcoin in January 2016, well before the boom. He had encrypted the private keys in a zip file and had forgotten the password. He was hoping Stay could help him break in. In a talk at the Defcon security conference this week, Stay details the epic attempt that ensued.

Politics

Can Trump ban TikTok? What the executive order means

On Thursday, Donald Trump issued two executive orders aimed at banning TikTok and WeChat, saying the US must take "aggressive action" against the China-based social media platforms in the interest of national security. The move would effectively require TikTok and WeChat to shut down in the US or find new owners within 45 days. Trump claims the apps are a security concern because they are based in China and thus prone to data requests from the Chinese government. Microsoft is already reportedly in talks to purchase TikTok for billions.

US shares info on election interference tied to Russia, China, Iran

NCSC Director William Evanina said that foreign governments' each have their own agenda when it comes to who gets nominated as POTUS after 2020's U.S. presidential elections. As Evanina said, Russian actors are acting as part of what US intelligence sees as a concerted effort on both Russian television and media to support President Trump's candidacy in 2020. Meanwhile, China would want for President Trump to lose this year's presidential elections since it considers him unpredictable. Iran's influence efforts are also targeted against President Trump's reelection seeing that his return to the White House would keep the current U.S. pressure for a change of regime in the Middle Eastern country. The US Department of State announced rewards of up to $10 million for any information leading to the identification of any person who works with or for a foreign government for the purpose of interfering with US elections through "illegal cyber activities." This includes attacks against US election officials, US election infrastructure, voting machines, but also candidates and their staff.

Hackers are defacing Reddit with pro-Trump messages

A massive hack has hit Reddit after tens of Reddit channels have been hacked and defaced to show messages in support of Donald Trump's reelection campaign. The hacks are still ongoing at the time of writing, but we were told Reddit's security team is aware of the issue and has already begun restoring defaced channels. A partial list of impacted channels includes Reddit channels for the NFL, many TV shows, The Pirate Bay, Disneyland, Disney's Avengers, several city channels, and more. Combined, the channels have tens of millions of subscribers.

Google banned 2500+ Chinese YouTube channels for disinformation

Google says that it took down multiple coordinated influence operation campaigns linked to China, Russia, Iran, and Tunisia by terminating thousands of YouTube channels and several AdSense, Play Developer, and advertising accounts. According to the Threat Analysis Group (TAG) Q2 2020 bulletin, a Google team of security experts that identify, report, and stop government-backed attacks, the disinformation campaigns were also identified using leads coming from researchers from other companies including Graphika and FireEye. In all, Google says that it banned 2,596 YouTube channels used in coordinated influence operations coordinated by Chinese actors, 86 YouTube channels linked to Russian disinformation campaigns, and 19 channels involved in Iranian influence ops.

Liam Fox faces growing scrutiny over Russian hack of personal email

Liam Fox is facing questions from opposition politicians, former civil servants and campaigners about how Russian hackers were apparently able to obtain government documents marked "official sensitive [UK eyes only]" from his personal email last year. The former minister's account is believed to have been accessed repeatedly between July and October, and 451 pages of emails and policy documents were subsequently posted on Reddit, prompting questions as to whether the dossier had come directly from Fox's personal email. Labour has accused ministers of misjudging the threat posed by Russia and called on the government to provide a full and public explanation of the extraordinary affair, and the extent to which Fox himself was at fault over the hack.

China is now blocking all encrypted HTTPS traffic that uses TLS 1.3 and ESNI

The Chinese government has deployed an update to its national censorship tool, known as the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using modern, interception-proof protocols and technologies. The ban has been in place for at least a week, since the end of July, according to a joint report published this week by three organizations tracking Chinese censorship - iYouPort, the University of Maryland, and the Great Firewall Report.

Vulnerabilities

Don’t be silly – it’s only a lightbulb

The smart lightbulb management is done over WiFi or even ZigBee, a low bandwidth radio protocol. A few years ago, a team of academic researchers showed how they can take over and control smart lightbulbs, and how this in turn allows them to create a chain reaction that can spread throughout a modern city. Their research brought up an interesting question: aside from triggering a blackout (and maybe a few epilepsy seizures), could these lightbulbs pose a serious risk to our network security? Could attackers somehow bridge the gap between the physical IoT network (the lightbulbs) and even more appealing targets, such as the computer network in our homes, offices or even our smart cities? Continuing from where the previous research left off, CheckPoint researchers go right to the core: the smart hub that acts as a bridge between the IP network and the ZigBee network. By masquerading as a legitimate ZigBee lightbulb, they were able to exploit vulnerabilities we found in the bridge, which enabled them to infiltrate the lucrative IP network using a remote over-the-air ZigBee exploit.

Exploiting Android Messengers with WebRTC (part 2 and 3)

This is a three-part series from Google Project Zero on exploiting messenger applications using vulnerabilities in WebRTC. This series highlights what can go wrong when applications don't apply WebRTC patches and when the communication and notification of security issues breaks down.

TeamViewer fixes bug that lets attackers access your PC

Popular remote access and troubleshooting app, TeamViewer has patched a vulnerability that could let attackers quietly establish a connection to your computer and further exploit the system. When successfully exploited, this bug would let an unauthenticated, remote actor execute code on your Windows PC, or obtain password hashes (e.g., for cracking via brute-force). Assigned CVE-2020-13699, the high severity bug falls under a special category of security vulnerabilities, dubbed Unquoted Search Path or Element (CWE-428). These take advantage of the fact, arguments being passed to a program are not "quoted."

Intel, ARM, IBM, AMD Processors Vulnerable to New Side-Channel Attacks

Since 2016, multiple microarchitectural attacks have exploited an effect that is attributed to prefetching. These works observe that certain user-space operations can fetch kernel addresses into the cache. Fetching user-inaccessible data into the cache enables KASLR breaks and assists various Meltdown-type attacks, especially Foreshadow. This paper provides a systematic analysis of the root cause of this prefetching effect. While confirming the empirical results of previous papers, researchers show that the attribution to a prefetching mechanism is fundamentally incorrect in all previous papers describing or exploiting this effect. In particular, neither the prefetch instruction nor other user-space instructions actually prefetch kernel addresses into the cache, leading to incorrect conclusions and ineffectiveness of proposed defenses. The effect exploited in all of these papers is, in fact, caused by speculative dereferencing of user-space registers in the kernel. Hence, mitigation techniques such as KAISER do not eliminate this leakage as previously believed. These dereferencing effects exist even on the most recent Intel CPUs with the latest hardware mitigations, and on CPUs previously believed to be unaffected, i.e., ARM, IBM, and AMD CPUs.

Beyond KrØØk: Even more Wi‑Fi chips vulnerable to eavesdropping

KrØØk (formally CVE-2019-15126) is a vulnerability in Broadcom and Cypress Wi-Fi chips that allows unauthorized decryption of some WPA2-encrypted traffic. Specifically, the bug has led to wireless network data being encrypted with a WPA2 pairwise session key that is all zeros instead of the proper session key that had previously been established in the 4-way handshake. This undesirable state occurs on vulnerable Broadcom and Cypress chips following a Wi-Fi disassociation.

Security bugs let these car hackers remotely control a Mercedes-Benz

This year's at Black Hat security conference security researchers from the Sky-Go Team, the car hacking unit at Qihoo 360, found more than a dozen vulnerabilities in a Mercedes-Benz E-Class car that allowed them to remotely open its doors and start the engine. Most modern cars are equipped with an internet connection, giving passengers access to in-car entertainment, navigation and directions, and more radio stations than you can choose from. But hooking up a car to the internet puts it at greater risk of remote attacks --- precisely how Miller and Valasek hijacked that Jeep, which ended up in a ditch.

Nearly 50% of all smartphones affected by Qualcomm Snapdragon bugs

Several security vulnerabilities found: in Qualcomm's Snapdragon chip Digital Signal Processor (DSP) chip could allow attackers to take control of more than 40% of all smartphones without user interaction, spy on their users, and create un-removable malware capable of evading detection. DSPs are system-on-chip units are used for audio signal and digital image processing, and telecommunications, in consumer electronics including TVs and mobile devices. The vulnerable DSP chip "can be found in nearly every Android phone on the planet, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more," according to Check Point researchers who found these vulnerabilities. Apple's iPhone smartphone line is not affected by the security issues discovered and disclosed by Check Point in their report.

A crash course on hacking satellites

Hack-A-Sat team has released a crash course on hacking satellites.

Firefox gets fix for evil cursor attack

Firefox fixed last week a bug that was being abused in the wild by tech support scammers to create artificial mouse cursors and prevent users from easily leaving malicious sites. The bug was discovered being abused online by UK cyber-security firm Sophos and reported to Mozilla earlier this year. The bug is a classic "evil cursor" attack and works because modern browsers allow site owners to modify how the mouse cursor looks while users are navigating their websites. This type of customization might look useless, but it's often used for browser-based games, browser augmented reality, or browser virtual reality experiences. However, custom cursors have been a major problem for the regular web. In evil cursor attacks, malicious websites tamper with cursor settings in order to modify where the actual cursor is visible on screen, and where the actual click area is.

Smart locks opened with nothing more than a MAC address

Smart locks have slowly been adopted as an intelligent, Internet of Things (IoT) alternative to traditional lock-and-key methods to securing a property. While convenience is king, such connectivity can also create a new set of security problems. Several years ago, for example, a botched firmware update caused chaos for LockState customers who took to Twitter in their droves to complain they were unable to remotely control their smart locks - and, therefore, access their properties. Now, lockpicks are being replaced with network sniffers and vulnerability exploits, and in the case of the U-Tec UltraLoq, Tripwire researchers have disclosed a misconfiguration error and other security issues, now resolved, that leaked data and allowed attackers to steal unlock tokens with nothing more than a MAC address.

Abus alarm system switched off remotely

An extension module for the Secvest alarm system from Abus provides more range and more functions by wirelessly connecting wired devices such as motion detectors to the alarm system. However, the wireless connection lacks basic security functions, which means that the entire alarm system can be deactivated remotely. The pentesting company Syss has now published the third security hole that Abus has not fixed within a period of 90 days. The vulnerability (CVE-2020-14158) was discovered by security researchers Michael Rüttgers and Thomas Detert.

Hackers can remotely hijack enterprise, healthcare Temi robots

On Thursday at Black Hat USA, McAfee's Advanced Threat Research (ATR) team disclosed new research into the robots, in which remotely-exploitable vulnerabilities were uncovered, potentially leading to mobile, audio, and video tampering on the hospital floor. The robot in question is Robotemi Global's Temi, a "personal robot" that uses a range of sensors, artificial intelligence (AI) and machine learning (ML) technologies, as well as modern voice activation and mobile connectivity to perform functions including personal assistance tasks, answering Internet queries, and facilitating remote video calls. Available for both personal and business use, Temi has found itself put to work in the enterprise, as well as in senior living and healthcare facilities. All it takes to set up is for a mobile device to scan the robot's QR code, in order to become Temi's administrator. Teams of contacts can also be set up that are able to call the robot, a useful feature for medical professionals and family members alike.

Web Cache Entanglement: Novel Pathways to Poisoning

Caches are woven into websites throughout the net, discreetly juggling data between users, and yet they are rarely scrutinized in any depth. This paper, shows how to remotely probe through the inner workings of caches to find subtle inconsistencies, and combine these with gadgets to build majestic exploit chains. These flaws pervade all layers of caching - from sprawling CDNs, through caching web servers and frameworks, all the way down to fragment-level internal template caches. Building on my prior cache poisoning research, I'll demonstrate how misguided transformations, naive normalization, and optimistic assumptions let me perform numerous attacks, including persistently poisoning every page on an online newspaper, compromising the administration interface on an internal DoD intelligence website, and disabling Firefox updates globally.

Samsung rolls out Android updates fixing critical vulnerabilities

Samsung has started rolling out Android's August security updates to mobile devices to fix critical security vulnerabilities in the operating system. All vulnerabilities in this update have a rating of either either 'High' or 'Critical' severity, making this update a requirement for Android users so that their devices remain protected. Of all the patches, the winning candidate is a fix for CVE-2020-0240, a remote code execution vulnerability caused by an "integer overflow" bug in the Android operating system. "The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process," explained the advisory bulletin If successfully exploited, this vulnerability would allow a remote attacker to take full control over your device.

Twitter patches Android app to prevent exploitation of bug that can grant access to DMs

Twitter has started notifying users about a dangerous security issue that can allow malicious Android apps running on users' devices to access private Twitter data, including users' direct messages (DMs). According to a support document published today, Twitter said the bug existed because of an underlying vulnerability in the Android operating system itself. Twitter didn't specifically identify the Android OS bug, for safety reasons, but said the issue had been fixed since October 2018. According to Twitter, the Android OS bug only impacted users of Android 8 (Oreo) and Android 9 (Pie), but not those on Android 10.

How your pacemaker could become an insider threat to national security

When we think of pacemakers, insulin pumps, and other implanted medical devices (IMDs), what comes to mind is their benefit to users that rely on them to cope with various medical conditions or impairments. Over time, IMDs have evolved to become more refined and smarter with the introduction of wireless connectivity - linking themselves to online platforms, the cloud, and mobile apps with connections made via Bluetooth for maintenance, updates, and monitoring, all in order to improve patient care. According to Christopher Neal, CISO of Ramsay Health Care, many devices we use today are not built secure-by-design, and this is an issue likely to shadow medical equipment for decades to come. At Black Hat USA on Wednesday, Dr. Alan Michaels, Director of the Electronic Systems Lab at the Hume Center for National Security and Technology at the Virginia Polytechnic Institute and State University, echoed the same sentiment. Micheals outlined a whitepaper viewed by ZDNet and penned by the professor himself, alongside Zoe Chen, Paul O'Donnell, Eric Ottman, and Steven Trieu, that investigated how IMDs could compromise the security of secure spaces -- such as those used by military, security, and government agencies.

New EtherOops attack takes advantage of faulty Ethernet cables

At the Black Hat USA security conference, security researchers from IoT research outfit Armis are set to present details about a new technique that can be used to attack devices located inside internal corporate networks. The technique, named EtherOops, works only if the targeted network contains faulty Ethernet (networking) cables on the attacker's path to their victim. The EtherOops technique is only a theoretical attack scenario discovered in a laboratory setting by the Armis team and is not considered a widespread issue that impacts networks across the world in their default states. However, Armis warns that EtherOops could be weaponized in certain scenarios by "sophisticated attackers (such as nation-state actors)" and can't be discounted for now.

Ex-NSA Hacker Finds a Way to Hack Mac Users via Microsoft Office

A former NSA hacker Patrick Wardle will demonstrate how he was able to create a chain of exploits that would have allowed hackers to take control of a Mac by simply convincing the target to open a Microsoft Office file laden with a malicious macro. Creating Office files with malicious macros is an old trick that's been enjoying a second life lately for hackers interested in Windows targets. Wardle is now showing how macros - essentially small programs embedded in documents - could be exploited on MacOS as well. "Current MacOS attacks are very ineffective, kind of lame," Wardle told Motherboard in a phone call. "I basically said, could things be worse?" As it turns out, they could. Wardle published a blog post on Wednesday morning, and will demonstrate his findings during the Black Hat security conference on Wednesday, which is being held online this year due to the coronavirus pandemic.

Facebook plugin bug lets hackers hijack WordPress sites’ chat

A high severity bug found in Facebook's official chat plugin for WordPress websites with over 80,000 active installations could allow attackers to intercept messages sent by visitors to the vulnerable sites' owner. The Facebook Chat Plugin allows WordPress website owners to embed a chat pop-up to communicate with visitors in real-time through Facebook's messaging platform for Facebook Pages. The plugin also comes with support for chat transcripts and makes it easy to set up auto-replies and FAQs outside working hours to provide visitors with helpful information while the site owner can't reply.

Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

On July 23, 2020, WordFence Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.

Vulnerable perimeter devices: a huge attack surface

With the increase of critical gateway devices deployed to support off-premise work, companies across the world have to adapt to a new threat landscape where perimeter and remote access devices are now in the first line. Companies lack visibility into the growing network of internet-connected services and devices that support the new work paradigm; and the avalanche of vulnerabilities reported for edge devices makes tackling the new security challenge even more difficult. In research published recently, digital threat management company RiskIQ found hundreds of thousands of fringe network or remote access solutions from Cisco, Microsoft, Citrix, or IBM, where high and critical severity security vulnerabilities were discovered.

MMS Exploit Part 4: MMS Primer, Completing the ASLR Oracle

This post is the fourth of a multi-part series from Project Zero, capturing the journey from discovering a vulnerable little-known Samsung image codec, to completing a remote zero-click MMS attack that worked on the latest Samsung flagship devices.

Bugs in HDL Automation expose IoT devices to remote hijacking

A security researcher discovered vulnerabilities in an automation system for smart homes and buildings that allowed taking over accounts belonging to other users and control associated devices. In a presentation on Saturday at the IoT Village during the DEF CON hacker conference, Barak Sternberg shows how some weak spots in the HDL automation system could have been leveraged by attackers to fully compromise it. Looking at how a user can configure and control HDL components, the researcher noticed that registering a new account (email and password) on the mobile app automatically generates another account for applying the settings. This additional account has the string "debug" in the username (user-debug@email.com) and the same password defined by the user for their account. Its purpose is to apply the settings and send the configuration for the local devices to an external HDL server so that other authorized users can download it and control the smart home. Sternberg found that the password changing process allows defining a new password for the "debug" account while the one for the user remains the same. An attacker could register the email address for the "debug" username to receive the instructions for changing the password. Once the procedure completes, the attacker can control the components (lights, temperature, cameras, various sensors) in the HDL automated environment as well as configure them.

Crime

Bulgarian police arrest hacker Instakilla

Bulgarian law enforcement has arrested on Wednesday a local hacker going by the name of Instakilla on accusations of hacking, extorting companies, and selling hacked data online. Authorities raided two of the hacker's residences in Plovdiv, a city in central Bulgaria, and confiscated several computers, smartphones, flash drives, and cryptocurrency, according to a press release from the Ministry of Interior. The hacker was identified as a young Bulgarian male. His name was not released to the public, and he is currently detained on a three-day arrest warrant. Prior to his arrest this week, the hacker has been a staple on the underground hacking scene. He has been active since 2017 but has only recently risen to notoriety.

Toronto woman’s CERB payments on hold after fraudster makes EI claim in her name

A Toronto woman is one of hundreds of Canadians who've had their identity stolen and used to apply for government benefits over the course of the COVID-19 pandemic. The Canadian Anti-Fraud Centre says it has received more than 700 reports of identity fraud linked to CERB across the country. More than half of those reports came from Quebec, another 172 were from Ontario, and British Columbia rounds out the top three provinces with the most reports at 52.

Hackers are using skeleton keys to target chip vendors

At Black Hat USA on Thursday, CyCraft Technology researchers Chung-Kuan Chen and Inndy Lin described a set of attacks believed to have been conducted by the same Chinese APT group in the quest for semiconductor designs, source code, software development kits (SDKs), and other proprietary information. "If such documents are successfully stolen, the impact can be devastating," the researchers said. "The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals." According to the team, attacks have been launched on numerous semiconductor vendors located at the Hsinchu Science Industrial Park in Taiwan. To date, it is thought at least seven vendors - as well as their subsidiaries - have been attacked by the same APT group in what the team calls "precise and well-coordinated attacks." Dubbed Operation Chimera, also known as Skeleton, the APT launched a series of attacks throughout 2018 and 2019 with a variety of tools, including Cobalt Strike - a legitimate penetration testing tool that threat actors are known to abuse - and a custom skeleton key derived from code ripped from both Dumpert and Mimikatz.

Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims

A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S. consumer data broker, KrebsOnSecurity has learned.

When penetration testing earns you a felony arrest record

When Coalfire inked a deal with the State Court Administration (SCA) to conduct security testing at the Dallas County Courthouse in Iowa, two of their team members being arrested at midnight and thrown behind bars was not quite what the company expected. The saga began in September last year when security experts, Coalfire Systems senior manager Gary Demercurio and senior security consultant Justin Wynn, set out to test the court's physical security. Known as penetration testing in the cybersecurity field, testing a company or organization's security posture can involve probing networks, apps, and websites to find vulnerabilities that need to be fixed before attackers find them and exploit them for nefarious purposes. However, penetration testing can also include physical elements. Speaking at Black Hat USA on Wednesday, Demercurio and Wynn said that after - hours testing, at night, was originally only what the client wanted - and this was then extended to day and evening testing.

Porn Clip Disrupts Virtual Court Hearing for Alleged Twitter Hacker

The incident occurred at a bond hearing held via the videoconferencing service Zoom by the Hillsborough County, Fla. criminal court in the case of Graham Clark. The 17-year-old from Tampa was arrested earlier this month on suspicion of social engineering his way into Twitter's internal computer systems and tweeting out a bitcoin scam through the accounts of high-profile Twitter users. Notice of the hearing was available via public records filed with the Florida state attorney's office. The notice specified the Zoom meeting time and ID number, essentially allowing anyone to participate in the proceeding. Even before the hearing officially began it was clear that the event would likely be "zoom bombed." That's because while participants were muted by default, they were free to unmute their microphones and transmit their own video streams to the channel. Sure enough, less than a minute had passed before one attendee not party to the case interrupted a discussion between Clark's attorney and the judge by streaming a live video of himself adjusting his face mask. Just a few minutes later, someone began interjecting loud music.

How hackers gain root access to SAP enterprise servers through SolMan

Speaking at Black Hat USA on Wednesday, Onapsis cybersecurity researchers Pablo Artuso and Yvan Genuer explained how the bugs were found in SAP Solution Manager (SolMan), a system comparable to Windows Active Directory. SolMan is a centralized application designed to manage IT solutions on-premise, in the cloud, or in hybrid environments. The integrated solution acts as a management tool for business-critical applications, including SAP and non-SAP software. According to the cybersecurity firm, the vulnerabilities found in SolMan - called the "technical heart of the SAP landscape" by Onapsis - could allow unauthenticated attackers to compromise "every system" connected to the platform, including SAP ERP, CRM, HR, and more. SolMan operates by linking to software agents on SAP servers via a function called SMDAgent, otherwise known as the SAP Solution Manager Diagnostic Agent. SMDAgent facilitates communication and instance monitoring and is generally installed on servers running SAP applications. SolMan itself can be accessed via its own server or the SAPGui. The team tested a SolMan setup and apps related to SMDAgent, and in total, roughly 60 applications were accounted for, and over 20 of them were accessible via HTTP GET, POST, or SOAP requests.

FBI: Iranian hackers trying to exploit critical F5 BIG-IP flaw

The FBI warns of Iranian hackers actively attempting to exploit an unauthenticated remote code execution flaw affecting F5 Big-IP application delivery controller (ADC) devices used by Fortune 500 firms, government agencies, and banks. F5 Networks (F5) released security updates to fix the critical 10/10 CVSSv3 rating F5 Big-IP ADC vulnerability tracked as CVE-2020-5902 on July 3, 2020. The U.S. domestic intelligence and security service says in a Private Industry Notification (PIN) issued earlier this week that the Iran-sponsored hacking group has been trying to compromise vulnerable Big-IP ADC devices since early July 2020.

Hackers Could Use IoT Botnets To Manipulate Energy Markets

At the Black Hat security conference on Wednesday, the researchers will present their findings, which suggest that high-wattage IoT botnets---made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats---could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US. A savvy attacker, they say, would be able to stealthily force price fluctuations in the service of profit, chaos, or both.

Iranian hacker group becomes first known APT to weaponize DNS-over-HTTPS (DoH)

An Iranian hacking group known as Oilrig has become the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks. Speaking in a webinar last week, Vincente Diaz, a malware analyst for antivirus maker Kaspersky, said the change happened in May this year when Oilrig added a new tool to its hacking arsenal. According to Diaz, Oilrig operators began using a new utility called DNSExfiltrator as part of their intrusions into hacked networks. DNSExfiltrator is an open-source project available on GitHub that creates covert communication channels by funneling data and hiding it inside non-standard protocols. As its name hints, the tool can transfer data between two points using classic DNS requests, but it can also use the newer DoH protocol.

Cybercrime in the Age of COVID-19

The Cambridge Cybercrime Centre has a series of papers on cybercrime during the coronavirus pandemic.

Malware

Hackers can abuse Microsoft Teams updater to install malware

Microsoft Teams can still double as a Living off the Land binary (LoLBin) and help attackers retrieve and execute malware from a remote location. Previous efforts from Microsoft to eliminate this hazard work to an extent but cannot stop attackers from abusing Teams to plant and run their payloads. A patch for the new method is unlikely to emerge, as Microsoft labeled this a design flaw, and a fix would impact some customers' operations. The original method was first disclosed last year and relies on using the 'update' command to run arbitrary binary code in the context of the current user. Before Microsoft introduced mitigations, an attacker could download malware from an external URL and deploy it on the system from a trusted (signed) executable. In a later variation discovered by reverse engineer Reegun Richard, an attacker could get to the same result using mock Microsoft Teams package with the app's genuine "Update.Exe," which executed anything from certain locations.

Magecart group uses homoglyph attacks to fool you into visiting malicious websites

A new credit card skimming campaign making use of homoglyph techniques has been connected to an existing Magecart threat group. For example, characters may be selected from a different language set or picked to look like another letter - such as swapping a capital "i" to appear like an "l". If a victim is sent to a fraudulent domain - let's take PayPal for example - the difference between "paypal.com" which uses a legitimate, lower-case "l" may not be apparent in comparison to "paypaI.com," which uses an upper-case "i" instead. Furthermore, this can instill trust in a domain as legitimate, whereas in fact malicious code, exploit kits, or credential skimmers may be operating. On Thursday, Malwarebytes researcher Jérôme Segura documented a recent homoglyph attack wave, in which fraudsters are using numerous domain names to load the Inter skimming kit inside of a favicon file.

Unpatched bug in Windows print spooler lets malware run as admin

Researchers found a way to bypass a patch Microsoft released to address a bug in the Windows printing services, which gives attackers a path to executing malicious code with elevated privileges. Tracked as CVE-2020-1048, the initial flaw received an initial fix in May and another one is coming with this month's rollout of security updates from Microsoft.

Fake security advisory used in clever cPanel phishing attack

A clever phishing scam is targeting cPanel users with a fake security advisory alerting them of critical vulnerabilities in their web hosting management panel. cPanel is administrative software commonly installed on shared web hosting services that allow website owners to easily administer their site through a graphical user interface. Starting on Wednesday, cPanel and WebHost Manager (WHM) users began reporting a targeted phishing email campaign with an email subject of "cPanel Urgent Update Request" that was pretending to be a security advisory from the company. This fake advisory stated that updates had been released to fix "security concerns" in cPanel and WHM software versions 88.0.3+, 86.0.21+, and 78.0.49+, and recommends all users install the updates.

Cluster of 295 Chrome extensions caught hijacking Google and Bing search results

More than 80 million Chrome users have installed one of 295 Chrome extensions that hijack and insert ads inside Google and Bing search results. The malicious extensions were discovered by AdGuard, a company that provides ad-blocking solutions, while the company's staff was looking into a series of fake ad-blocking extensions that were available on the official Chrome Web Store. A subsequent investigation into the fake ad blockers unearthed a larger group of malicious activity spreading across 295 extensions. Besides fake ad blockers, AdGuard said it also found extensions posing as weather forecast widgets and screenshot capture utilities.

WastedLocker ransomware abuses Windows feature to evade detection

The WastedLocker ransomware is abusing a Windows memory management feature to evade detection by security software. Over the past few weeks, the WastedLocker Ransomware has become notorious after being attributed to the sanctioned Evil Corp hacking group and used to attack Garmin. In a new report shared with BleepingComputer prior to release, Sophos security researchers explain how WastedLocker uses the Windows Cache Manager to evade detection. To increase Windows's performance, commonly used files or files specified by an application are read into and stored in the Windows Cache, which utilizes system memory. If a program needs to access a file, the operating system will check if it is in the cache, and if so, load it from there. As the data is cached in memory, it makes it much faster to access its contents than reading it from a disk drive. To bypass detection by anti-ransomware solutions, WastedLocker includes a routine that opens a file, reads it into the Windows Cache Manager, and then closes the original file.

Privacy

The NSA on the Risks of Exposing Location Data

The NSA has issued an advisory on the risks of location data. Mitigations reduce, but do not eliminate, location tracking risks in mobile devices. Most users rely on features disabled by such mitigations, making such safeguards impractical. Users should be aware of these risks and take action based on their specific situation and risk tolerance. When location exposure could be detrimental to a mission, users should prioritize mission risk and apply location tracking mitigations to the greatest extent possible. While the guidance in this document may be useful to a wide range of users, it is intended primarily for NSS/DoD system users.

EPIC Obtains Records on White House COVID-19 Response, Location Data Tracking

EPIC has obtained hundreds of pages of records from the Office of Science and Technology Policy about the White House's response to the COVID-19 pandemic and proposals to use location data for public health surveillance. The documents were produced in response to an EPIC Freedom of Information Act request. The records show that a tech sector task force closely aligned with the White House sought to aggregate "non-clinical location data" for "disease surveillance," including cell phone location data, Uber trip data, and Google search data. OSTP described the location tracking proposals as "certainly interesting" and sought to "establish a portal/clearinghouse" for such submissions, but also told the tech sector task force that it was "not engaged in any activities relating to location data." In one example from March, the executive director of the National Fusion Center Association proposed an automated contact tracing and notification" system to the White House. Fusion Centers are centralized systems that pool and analyze intelligence from federal, state, local, and private sector entities. EPIC has laid out numerous recommendations concerning privacy and the pandemic and has called on Congress to establish privacy safeguards for digital contact tracing.

We just may have accidentally left Google Home devices recording your every word

Your Google Home speaker may have been quietly recording sounds around your house without your permission or authorization, it was revealed this week. The Chocolate Factory admitted it had accidentally turned on a feature that allowed its voice-controlled AI-based assistant to activate and snoop on its surroundings. Normally, the device only starts actively listening in and making a note of what it hears after it has heard wake words, such as "Ok, Google" or "Hey, Google," for privacy reasons. Prior to waking, it's constantly listening out for those words, but is not supposed to keep a record of what it hears. Yet punters noticed their Google Homes had been recording random sounds, without any wake word uttered, when they started receiving notifications on their phone that showed the device had heard things like a smoke alarm beeping, or glass breaking in their homes -- all without giving their approval. Google said the feature had been accidentally turned on during a recent software update, and it has now been switched off, Protocol reported. It may be that this feature is or was intended to be used for home security at some point: imagine the assistant waking up whenever it hears a break in, for instance. Google just bought a $450m, or 6.6 per cent, stake in anti-burglary giant ADT.

Twitter to be fined $250M for using 2FA numbers for ads

There are many things that big internet companies do that the media have made out to be scandals that aren't - but one misuse of data that I think received too little attention was how both Facebook and later Twitter were caught using the phone numbers people gave it for two factor authentication, and later used them for notification/marketing purposes. In case you're somehow unaware, two-factor authentication is how you should protect your most important accounts. I know many people are too lazy to set it up, but please do so. It's not perfect (Twitter's recent big hack routed around 2FA protections), but it is many times better than just relying on a username and password. In the early days of 2FA, one common way to implement it was to use text messaging as the second factor. That is, when you tried to login on a new machine (or after a certain interval of time), the service would have to text you a code that you would need to enter to prove that you were you.

Firefox adds protections against redirect tracking

With the release of Firefox 79 last week, Mozilla silently added a new feature to Enhanced Tracking Protection (ETP) - Firefox's internal component that blocks invasive user-tracking techniques. According to Mozilla, Firefox 79 can now block a new technique called "redirect tracking." Online advertisers and web analytics companies have recently begun adopting this new technique after Firefox, Chrome, Brave, and other browsers have recently included privacy protections inside their code to block user tracking and user fingerprinting scripts. More specifically, this technique was developed to circumvent browsers that prevent advertisers from using third-party cookies to track users.