AirDrop Flaw Still Not Fixed After Two Years

· Andrew Orr · News

A team of researchers at TU Darmstadt discovered a flaw in AirDrop that could leak personal data: during the contact-discovery handshake, a device sends hashes of its owner's phone number and email address, and because the space of possible phone numbers is small, those hashes can be brute-forced back to the original values. They notified Apple in May 2019.
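To show why hashing a phone number is not a confidentiality measure, here is a small added example (not code from the researchers, from Apple, or from this article). It hashes a constructed, fictitious phone number with SHA-256 and recovers it by enumerating the subscriber digits behind a known prefix. The exact canonical string AirDrop feeds into its hash is an assumption here; the point is the search-space arithmetic, which does not depend on that detail.

```python
import hashlib
from typing import Iterable, Optional


def hash_identifier(identifier: str) -> str:
    """SHA-256 hex digest of a contact identifier.

    The canonical form that AirDrop actually hashes (E.164 with a leading
    '+', here) is an assumption for this illustration.
    """
    return hashlib.sha256(identifier.encode("ascii")).hexdigest()


def recover_number(target_hash: str, prefixes: Iterable[str], digits: int) -> Optional[str]:
    """Brute-force a hashed phone number.

    For each known prefix (country + area code + exchange, for example),
    enumerate every combination of the remaining `digits` digits and compare
    hashes. With a 4-digit tail that is 10,000 candidates per prefix; even a
    full 10-digit NANP number is only 10^10 candidates, which is seconds to
    minutes of work for GPU-accelerated SHA-256.
    """
    for prefix in prefixes:
        for tail in range(10 ** digits):
            candidate = f"{prefix}{tail:0{digits}d}"
            if hash_identifier(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a 555 number that is not assigned to anyone.
    victim_number = "+14155552671"
    leaked_hash = hash_identifier(victim_number)

    # An attacker who overhears the hash and knows (or guesses) the region
    # only has to try the 10,000 subscriber numbers behind that exchange.
    recovered = recover_number(leaked_hash, ["+1415555"], digits=4)
    print(f"leaked hash : {leaked_hash}")
    print(f"recovered   : {recovered}")
```

The takeaway is that a one-way hash protects a value only when the value is hard to guess; phone numbers are not. The researchers' proposed replacement, PrivateDrop, avoids sending hashes at all and instead uses a private set intersection protocol so that neither side learns identifiers the other does not already hold.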

Here’s How Signal Broke Into Cellebrite’s Hacking Device

· Andrew Orr · Link

Moxie Marlinspike of Signal wrote on Wednesday about how he was able to hack into a Cellebrite device. These devices are used by entities like law enforcement to extract data from seized phones, including iPhones.

Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

A fascinating write-up. One can only imagine the thrill of taking a walk, seeing a package fall out of a truck, and finding out that it’s a Cellebrite device.

Geico Data Breach Exposed Driver’s Licenses in Early 2021

· Andrew Orr · Link

Geico revealed a data breach of its systems in which attackers accessed customers’ driver’s license numbers.

The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver’s license numbers between January 21 and March 1. Companies are required to alert the state’s attorney general’s office when more than 500 state residents are affected by a security incident.

Geico said it had “reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”

Malvertising Campaign ‘Tag Barnakle’ Infected 120 Ad Servers

· Andrew Orr · Link

First discovered a year ago, the malvertising campaign Tag Barnakle has infected over 120 ad servers to insert malicious code into the ads they serve.

Stein says that while last year Tag Barnakle had targeted users of desktop browsers with redirects to malware download sites, over the past year, the gang has switched to going after mobile users and redirecting them to online scams peddling various scammy products.

‘The New Oil’ Website is a Resource for Privacy

· Andrew Orr · Link

The creator of The New Oil shared his website, which gives people resources on privacy. But it’s not just a list of privacy tools to use. Instead, the goal is to give people context and explain concepts like data breaches, why strong passwords matter, encryption, and more.

Most of us are not strangers to the concept of surveillance capitalism and targeted advertising. Most of us don’t particularly care, either. After all, who wouldn’t want relevant ads for movies or products that might actually appeal to you or improve your life? The thing is, most of us don’t understand the aggressive measures these companies go to to create those marketing profiles, or the devastating effects they can have on people.

Investigative Report Reveals the Untold Story of the SolarWinds Cyberattack

· Andrew Orr · Link

We have a bit more news about the SolarWinds hack this week. NPR has wrapped up an investigation and reveals the “behind-the-scenes” story.

“Imagine those Reese’s Peanut Butter Cups going into the package and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese’s Peanut Butter Cup,” he said. Instead of a razor blade, the hackers swapped the files so “the package gets sealed and it goes out the door to the store.”

Reddit Announces Public Bug Bounty Program

· Andrew Orr · Link

For the past three years Reddit has maintained a private bug bounty program for cybersecurity researchers with HackerOne. On Thursday the company announced a public program.

With our continued growth and visibility, we’re now ready to make the program public and expand the participation to anyone wanting to make a meaningful security impact on Reddit. As we scale the program, our priority will remain focused on protecting the privacy of our user data and identities. We know each security researcher has their own skills and perspective that they bring to the program, and we encourage anyone to submit a report that shows security impact. We’re super excited to hit this milestone and have prepared our team for what’s to come.

Security Firm Behind iPhone Unlocking Finally Discovered

· Andrew Orr · Link

The security firm that unlocked the iPhone of the San Bernardino shooter has been unveiled, and it’s an Australian company called Azimuth.

Azimuth is a poster child for “white hat” hacking, experts say, which is good-guy cybersecurity research that aims to disclose flaws and disavows authoritarian governments. Two Azimuth hackers teamed up to break into the San Bernardino iPhone, according to the people familiar with the matter, who like others quoted in this article, spoke on the condition of anonymity to discuss sensitive matters.

An interesting story, especially with the connection to Corellium.

The Hitchhiker’s Guide to Online Anonymity Version 9

· Andrew Orr · Cool Stuff Found

The Hitchhiker’s Guide to Online Anonymity is an open source, non-profit guide on how to be anonymous online. It covers multiple platforms like Windows, Linux, macOS, Whonix, TAILS, Qubes, and more. Its creator announced an update to the guide, version 9. This version adds bug fixes, more topics, and its own Tor Mirror. You can find the online guide here, and the PDF guide here. The creator’s post on Reddit includes many variations on these guides.

Clubhouse API Open to Scraping Public User Data

· Andrew Orr · Link

On Saturday, a SQL database containing data of 1.3 million Clubhouse users was posted on a hacker forum. The data included names, user IDs, social media profile names, and other details.

While the data associated with the Clubhouse user base was not acquired as a result of a breach, allowing ‘anyone with an API’ to download public Clubhouse profile information on a mass scale can backfire. For example, data scraping is often used by spammers and phishers to find new victims: they aggregate public contact details and use them for spam lists, robocalls, or social engineering attacks.

It’s not sensitive data on its own, but it can be combined with other data hoards that may contain sensitive details. Every little scrap of data, however innocent by itself, can potentially be used against you, whether by advertisers or by hackers.

Safari Exploit Revealed at Pwn2Own 2021

· Andrew Orr · News

Jack Dates demonstrated an exploit against Safari that won him US$100,000 along with 10 Master of Pwn points at Pwn2Own 2021.

LinkedIn Data Leak of 500 Million People Sold Online

· Andrew Orr · Link

Just days after a Facebook data leak was discovered, security researchers found another one, this time involving LinkedIn. It affects a similar number of users, 500 million, with the data being sold on a “popular hacker forum.”

The leaked files appear to only contain LinkedIn profile information – we did not find any deeply sensitive data like credit card details or legal documents in the sample posted by the threat actor. With that said, even an email address can be enough for a competent cybercriminal to cause real damage.