My Weekly RoundUp #85
Nokia, what are you doing?
Hacking smart car alarm systems
Information security specialists at Pen Test Partners have hijacked a car — using its alarm. What is more, the security systems that the researchers hacked — Pandora and Viper SmartStart — are widely used: Researchers estimate that about 3 million cars have them installed.
https://www.kaspersky.com/blog/hacking-smart-car-alarm-systems/26014/
A security expert has discovered a vulnerability in the NSA Ghidra platform that could be exploited to execute code remotely
A security expert who goes online with the handle of sghctoma has discovered a vulnerability in the Ghidra platform recently released by the US NSA; the issue could be exploited to execute code remotely.
https://securityaffairs.co/wordpress/82693/breaking-news/ghidra-xxe-flaw.html
GHIDRA is a multi-platform reverse engineering framework that runs on major OSs (Windows, macOS, and Linux).
The framework was first mentioned in the CIA Vault 7 dump that was leaked in 2017. WikiLeaks obtained thousands of files allegedly originating from a CIA high-security network that detail CIA hacking techniques, tools, and capabilities. Digging in the huge trove of files, it is also possible to find information about GHIDRA, a Java-based engineering tool.
Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.
https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/
Nokia phones caught mysteriously sending data to Chinese servers
A Reuters report says that Finland will investigate the HMD phones, looking at whether they breached data rules. It all started with Norwegian public broadcaster NRK, which reported the breach on Thursday. A Nokia 7 Plus owner was told that his phone contacted a particular server, sending data packages in an unencrypted format.
According to NRK, Nokia had admitted that “an unspecified number of Nokia 7 Plus phones had sent data to the Chinese server,” without disclosing who owned the server.
https://bgr.com/2019/03/21/nokia-data-breach-nokia-7-plus-sent-data-to-chinese-servers/
“We can confirm that no personally identifiable information has been shared with any third party,” HMD told Reuters. “An error in software packaging process in a single batch of one device model” caused the issue.
“Such data was never processed and no person could have been identified based on this data,” HMD added, saying that the error was fixed in February and nearly all devices had installed the update. It’s still unclear what kind of data was sent to the server, and why it happened in the first place. Finland’s ombudsman Reijo Aarnio told Reuters he would investigate whether the breaches involved “personal information and if there has been a legal justification for this.”
HMD admits the Nokia 7 Plus was sending personal data to China
HMD is in hot water following a report from Norwegian site NRKbeta, which found that HMD’s Nokia 7 Plus was sending users’ personal information to a server in China. HMD responded to the report, admitting, “Our device activation client meant for another country was mistakenly included in the software package of a single batch of Nokia 7 Plus.”
NRKbeta’s investigation found the Nokia 7 Plus was sending the IMEI, MAC ID, and the SIM ICCID, all of which are unique hardware or SIM card identifiers that could be used to track an individual. There was also rough location information, as the device sent the ID of the nearest cell tower. NRKbeta’s article is in Norwegian, but through Google Translate the site claims this data was sent every time the phone was switched on and that the phone was sending this data for several months.
HMD admits this data ended up on “a third-party server” but claims the data “was never processed.” The company identifies the information sent as “activation data” and then says that “no person could have been identified based on this data.” HMD’s claim here is a bit strange, considering the entire point of “activation data” is to identify someone so they can be billed for cellular access.
https://arstechnica.com/gadgets/2019/03/hmd-admits-the-nokia-7-plus-was-sending-personal-data-to-china/
Facebook password crisis – what to do?
Facebook has just admitted to years of problems with password hygiene by leaking plaintext passwords into logfiles by mistake.
https://nakedsecurity.sophos.com/2019/03/23/facebook-password-crisis-what-to-do-video/
Watch this special edition of Naked Security Live…
…we answer the questions lots of people have been asking us since we first wrote about this issue:
– What happened?
– Was this a blunder or was Facebook being deliberately sneaky?
– Should I close my account because of this?
– Is this issue connected to Facebook’s recent outage?
– What steps should I take right now?
Debian 10 (Buster) – Release Date and Features
This release comes with over 51687 packages, 20% more than Debian 9 (Stretch), and about 57% of packages have been updated. Linux kernel v4.19 will be the default kernel in Debian 10.
https://www.itzgeek.com/how-tos/linux/debian/debian-10-buster-release-date-and-features.html
As usual, Debian 10 includes the desktop environments GNOME 3.22, KDE Plasma 5.8, LXDE, LXQt 0.11, MATE 1.16, and Xfce 4.12.
– AppArmor enabled by default
– Wayland by default with GNOME 3
– Improved man pages for German-speaking users
– nftables framework becomes the default network filter framework
– Cryptsetup defaults to on-disk LUKS2 format
– LibreOffice is upgraded to version 6.1
– Calligra is upgraded to 3.1
– GNUcash is upgraded to 3.4
George R.R. Martin Says Captain Marvel Could Eat Iron Man for Lunch and Have Thor for Dessert
The movie is hugely entertaining. I look forward to seeing how the Marvel team uses the captain in the forthcoming Avengers movie. Once she comes fully into her powers, she is far and away the most powerful character in the MCU. She could eat Iron Man for lunch and have Thor for dessert, with a side of Dr. Strange. Thanos is in trouble now.
Emilia Clarke, of “Game of Thrones,” on Surviving Two Life-Threatening Aneurysms
I had just finished filming Season 1 of “Game of Thrones.” Then I was struck with the first of two aneurysms.
Just when all my childhood dreams seemed to have come true, I nearly lost my mind and then my life. I’ve never told this story publicly, but now it’s time.
https://www.newyorker.com/culture/personal-history/emilia-clarke-a-battle-for-my-life-brain-aneurysm-surgery-game-of-thrones