My Weekly RoundUp #118

This week i was very busy at work, so i wasn’t able to collect a lot of news.
However, the few news i’ve read are really juicy stuff: for example, E.T. is back!

So, let’s talk about Mixcloud, Signal, unsecure smartwatches, a new malware called CStealer, some troubles for Virgil Griffith, Magento and NYPD.

Then, the new Kali release and a proposal for “fix the web” from the internet’s founder Tim Berners-Lee.

Finally, some details about The Simpsons‘ alleged deletion.

Privacy

Mixcloud data breach exposes over 20 million user records

A data breach at Mixcloud,  a U.K.-based audio streaming platform, has left more than 20 million user accounts exposed after the data was put on sale on the dark web.

The data breach happened earlier in November, according to a dark web seller who supplied a portion of the data to TechCrunch, allowing us to examine and verify the authenticity of the data.

The data contained usernames, email addresses, and passwords that appear to be scrambled with the SHA-2 algorithm, making the passwords near impossible to unscramble. The data also contained account sign-up dates and the last-login date. It also included the country from which the user signed up, their internet (IP) address, and links to profile photos.

We verified a portion of the data by validating emails against the site’s sign-up feature, though Mixcloud does not require users to verify their email addresses.

Techcrunch

Signal’s secure iOS messenger now supports iPads

The latest update for Signal comes with a dedicated version for iPads and gives you the ability to set up your tablet as a linked device. Similar to Signal for desktop, the iPad version of the secure messaging app works seamlessly with your phone, allowing you to send and receive messages on either device. The updated application now also has a new interface designed for a tablet’s screen, featuring more room without the artificial zoom that makes elements look janky. It can even show your conversations with a horizontal layout in landscape mode whenever you’re viewing them on an iPad.

engadget

Cheap kids smartwatch exposes the location of 5,000+ children

A cheap $35 kids’ smartwatch made in China was caught exposing the personal details and location information for more than 5,000 children and their parents.

In a report published today by the Internet of Things testing division of AV-TEST, researchers said they found egregious security measures put in place to protect the backend and mobile app of the M2 smartwatch, made by Chinese company SMA.

“The Chinese SMA-WATCH-M2 tops the security failures of other manufacturers by far,” said Maik Morgenstern, CEO and the Technical Director of AV-TEST, whose team has been testing kids smartwatches for more than two years.

ZDNet

Cybersecurity

New Chrome Password Stealer, ‘CStealer’ Sends Stolen Data to a MongoDB Database

The information collected by the Chrome browser including passwords, usernames, and other user credentials is being exposed to heavy risk as a new trojan known as CStealer attempts to steal the confidential data stored onto Google’s Chrome browser.

Password stealer trojans include applications that tend to run in the background and silently gather sensitive information about the system such as connected users and network activity. It attempts to steal confidential information stored onto the system and the browsers like usernames, passwords and other credentials which once being stolen are sent to a specified destination by the attacker.

While the idea behind this info-stealing trojan is just like many others- which is to steal user credentials saved onto the browser’s password manager, however, the fact that CStealer uses a remote MongoDB database to store the stolen data is what makes this case unprecedented and interesting.

The malware which was discovered by MalwareHunterTeam and was later analyzed by James does not compile and send the stolen data to a C2 under the author’s command, rather, it is programmed to directly connect to a remote MongoDB data and utilize it to keep the stolen passwords stored, according to the findings.

E Hacking News

Cryptocurrency research scientist arrested for ‘aiding North Korea’

An American research who works for Ethereum, the second largest cryptocurrency, has been arrested for giving a talk on how to use blockchain technology to evade sanctions in North Korea. 

Virgil Griffith is accused of violating the International Emergency Economic Powers Act, which has a maximum 20 year sentence, after travelling to Pyonyang to talk at the regime’s annual blockchain event, despite warnings from the US government. 

He was arrested in Los Angeles airport on Thursday and appeared in court on Friday, according to a statement published by the FBI. 

The charge sheet alleges that Griffith asked permission to travel to the Pyongyang Blockchain and Cryptocurrency Conference. When he was refused, the Korean embassy prepared a visa that did not need to be affixed to his passport. On April 18, it alleges he travelled to North Korea through China.

Griffith had been cooperating with FBI agents, including an interview in early November in which he discussed his attendance and allowing a search of his phone.

The Telegraph

Adobe revealed that the Magento Marketplace was hacked

Adobe disclosed a security breach that affected the users of the Magento Marketplace portal, the security team discovered the incident on November 21. The Magento Marketplace is a website for buying and downloading themes and plugins for e-stores running the Magento CMS.

Magento is the most popular content management solution (CMS) for building e-commerce website, Adobe acquired the company for $1.68 billion in 2018.

According to the data breach notification sent via email by Adobe to its customers, the hackers exploited a vulnerability in the Marketplace website to access account information for registered users. The company did not disclose the number of impacted accounts.

Security Affairs

Latest Kali Linux OS Added Windows-Style Undercover Theme for Hackers

You can relate this:

While working on my laptop, I usually prefer sitting at a corner in the room from where no one should be able to easily stare at my screen, and if you’re a hacker, you must have more reasons to be paranoid.

Let’s go undercover:

If you’re in love with the Kali Linux operating system for hacking and penetration testing, here we have pretty awesome news for you.

Offensive Security today released a new and the final version of Kali Linux for 2019 that includes a special theme to transform your Xfce desktop environment into a Windows look-a-like desktop.

Dubbed ‘Kali Undercover,’ the theme has been designed for those who work in public places or office environments and don’t want people to spot that you’re working on Kali Linux, an operating system popular among hackers, penetration testers, and cybersecurity researchers.

The Hacker News

NYPD Fingerprint Database Taken Offline to Thwart Ransomware

The New York Police Department’s database of fingerprints was knocked offline over the weekend thanks to a ransomware scare, according to reports.

The malware was introduced to the network via a contractor who was installing a digital display, according to an article in the New York Post. To do the install, the person (the company has not been identified) plugged a NUC mini-PC into the network, which turned out to be infected with the malware. The installer was questioned but not charged with any crime – suggesting that the incident was inadvertent.

From there, the ransomware rapidly proliferated to 23 other machines connected to the LiveScan fingerprint-tracking system, the NYPD told the Post.

Threatpost

Malicious SDK banned from Facebook and Twitter

Twitter warned its users that a software development kit (SDK) developed by oneAudience could have allowed that company to obtain account information. Facebook also posted a notice concerning not only the oneAudience SDK, but also for fellow SDK maker Mobiburn. OneAudience confirmed the problem and then shut down the SDK along with its associated websites but said the data was never intended to be collected, never added to its database and never used.

IT Security Guru

Technology

The internet’s founder now wants to ‘fix the web’, but his proposal misses the mark

On March 12, the 30th anniversary of the World Wide Web, the internet’s founder Tim Berners-Lee said we needed to “fix the web”.
The statement attracted considerable interest.
However, a resulting manifesto released on Sunday, and dubbed the Contract for the Web, is a major disappointment.
Endorsed by more than 80 corporations and non-government organisations, the campaign seeks a return to the “open web” of the 1990s and early 2000s – one largely free of corporate control over content.
While appealing in theory, the contract glosses over several key challenges. It doesn’t account for the fact that most internet content is now accessed through a small number of digital platforms, such as Google and Facebook.
Known as the “platformisation of the internet”, it’s this phenomenon which has generated many of the problems the web now faces, and this is where the focus should be.

The Conversation

Entertainment

Comcast Brings ‘E.T.’ Back to Earth. He’s Doing an Ad, Not a Sequel

The new ad, crafted by Omnicom Group’s Goodby, Silverstein and Partners, shows E.T. back on Earth once more, in a grown Elliott’s front yard. He hangs out with the man’s family, who show him how to surf the web with Comcast’s Xfinity and use an Xfinity remote to call up holiday movies on a big-screen TV. He helps Elliott’s kids fly on their bicycles, a nod to one of the most memorable scenes in the original.  A graphic on-screen urges viewers to “Reconnect for the holidays.”

No, ‘The Simpsons’ hasn’t been canceled

One of the things to be thankful for this Thanksgiving holiday is that The Simpsons will not end after this season, which happens to be the 31st season of the highly acclaimed animated series. The reassurance that the show isn’t ending just yet comes directly from showrunner Al Jean, who took to Twitter on Thursday to debunk reports that claimed the end is near. However, there is one reason to worry about the future of the show, given that news of its end came directly from a person that should be in the know: The Simpsons theme composer Danny Elfman.

BGR

One comment

Comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.