NSO Group’s ‘Pegasus’ Spyware Targets Journalists and Activists

· Andrew Orr · Link


Spyware known as Pegasus from NSO Group was used to hack 37 smartphones belonging to journalists, activists, and business executives around the world.

The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.

Firefox 90 Update Introduces SmartBlock 2.0 for Tracking Protection

· Andrew Orr · Link


Mozilla released Firefox 90 recently and it comes with an improved version of its tracking protection called SmartBlock 2.0.

The newest version of Mozilla’s built-in SmartBlock privacy feature makes it easier for users to keep their tracking protection settings cranked up, without breaking individual websites. The updated version seems to especially target Facebook login, which is increasingly used around the web as a third-party authentication and login tool.

Image credit: ArsTechnica

Google Adds Tool to Quickly Delete Your Last 15 Minutes of Searches

· Andrew Orr · Link


Google is adding new protections for your search history like quick deletion, requiring verification to access the My Activity section, and more.

You can also try out a new way to quickly delete your last 15 minutes of saved Search history with the single tap of a button. This feature is available in the Google app for iOS, and is coming to the Android Google app later this year.

You could also just disable your search history altogether.

‘SolarWinds’ Hackers Used iOS Zero Day Against Government Officials

· Andrew Orr · Link


The Russian hackers behind the SolarWinds attack used an iOS zero day to steal credentials from Western European governments.

Attacks targeting CVE-2021-1879, as the zero-day is tracked, redirected users to domains that installed malicious payloads on fully updated iPhones. The attacks coincided with a campaign by the same hackers who delivered malware to Windows users, the researchers said.

Google published a blog post about zero-days here, and you can read coverage from Ars Technica at the link below.

Over 170 Android Cryptocurrency Apps are Scams

· Andrew Orr · Link


A recent report shows that Android has a cryptocurrency scam problem. These apps claim to help you mine Bitcoin “in the cloud.”

The apps work by offering a virtual dashboard that lets you monitor the cryptocurrency mining rate. The same dashboard shows you how much virtual coin has been generated. However, Lookout examined the computer code in the apps along with the network traffic, and found the coin balance displayed was actually fictitious.

Kaspersky’s Password Manager Created Weak Passwords

· Andrew Orr · Link


Kaspersky Password Manager was caught creating weak passwords that were easy to brute-force.

We will first see an example of a good password generation method, to explain after why the method used by Kaspersky was flawed, and how we exploited it. As we will see, passwords generated by this tool can be bruteforced in seconds.

After a bit less than two years, this vulnerability has been patched on all versions of KPM. Vulnerability has been assigned CVE-2020-27020.

New Ransomware ‘Tsunami’ Destroying Supply Chains

· Andrew Orr · Link


The REvil hacking team is back with new malware. Brand new, still developing, but their ransomware called “Tsunami” is wreaking havoc.

The software in question, Kaseya VSA, is popular among so-called managed service providers, which provide IT infrastructure for companies that would rather outsource that sort of thing than run it themselves. Which means that if you successfully hack an MSP, you suddenly have access to its customers. It’s the difference between cracking safety deposit boxes one at a time and stealing the bank manager’s skeleton key.

Russian Spies Abuse VPNs to Target Organizations

· Andrew Orr · Link


On Thursday, U.S. and British authorities said that Russia’s military spy agency is using VPNs and Tor to attack governments and private sector targets.

The advisory did not identify any of the targets by name, saying only that they were mainly in the United States and Europe and included government offices, political parties, energy companies, law firms and media organizations.

The Russian Embassy in Washington did not immediately return a message seeking comment. Russian officials routinely reject allegations that they employ hackers to spy on rival nations.

Twitter Lets You Use a Security Key as Only 2FA Option

· Andrew Orr · Link


Twitter announced on Wednesday that it will let people use a security key as their only form of two-factor authentication.

Today, we’re adding the option to use security keys as your sole 2FA method — meaning you can enroll one or more security keys as the only form of 2FA on your Twitter account without a backup 2FA method. We know this is important to people because not everyone is able to have a backup 2FA method or wants to share their phone number with us.

Hackers Sell Personal LinkedIn Data From Leak Affecting 700M Users

· Andrew Orr · Link


Hackers are selling the personal information of over 700 million LinkedIn users. Here are the data types that were leaked:

Email Addresses; Full names; Phone numbers; Physical addresses; Geolocation records; LinkedIn username and profile URL; Personal and professional experience/background; Genders; Other social media accounts and usernames

On June 22nd, a user of a popular hacker forum advertised data from 700 Million LinkedIn users for sale. The user of the forum posted a sample of the data that includes 1 million LinkedIn users.

How Can You Tell if a URL is Safe to Click?

· Andrew Orr · Cool Stuff Found

Kelly and I always try to include at least one practical security tip for Security Friday. In the latest episode of the podcast The Really Useful Podcast, hosts Christian Cawley and Ian Buckley discuss a few such tips, like how to figure out if a link is safe to click on. From the description: “This week’s Really Useful Podcast looks at link checkers and other easy, ‘soft’ online security tips that you can use to develop safer habits and behaviors online. In this week’s show we used the following articles: How to Spot a Phishing Email, Sites to Help You Check if Links Are Safe, and How to Safely Use Your Pet’s Name as a Secure Password.” Check out the link below to listen to the episode on Spotify.


Web Hosting Service 'DreamHost' Leaked 814 Million Records of Customer Data

· Andrew Orr · Link


A database owned by DreamHost was found unsecured and publicly accessible online. It contained 814 million entries of exposed usernames, display names, and emails for WordPress accounts.

The exposed log files contained what appears to be 3 years of records that range from 3/24/2018 to 4/16/2021 and each contained information about WordPress accounts hosted or installed on DreamHost’s server and their users. On May 4th a DreamHost representative acknowledged the discovery and informed us that the finding was being passed on to their legal team.

Update: DreamHost reached out to say that none of those records contain data that would have allowed access to DreamHost accounts. They consist entirely of entries that include object update records, error reports, and log entries. Data from just 21 individual websites were involved. More information can be found on its website.