Starting from this week, I'm going to start reconstructing WeeklyRoundup (and also the whole blog): less images, more content! (...and, yes! Star Trek: Picard is awesome!)



Cybersecurity

Jeff Bezos hack: Amazon boss's phone 'hacked by Saudi crown prince'

The Amazon billionaire Jeff Bezos had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of the crown prince of Saudi Arabia, sources have told the Guardian.

The encrypted message from the number used by Mohammed bin Salman is believed to have included a malicious file that infiltrated the phone of the world’s richest man, according to the results of a digital forensic analysis.

The Guardian

Hackers Are Securing Citrix Servers, Backdoor Them for Access

An unknown threat actor is currently scanning for and securing vulnerable Citrix ADC servers against CVE-2019-19781 exploitation attempts, while also backdooring them for future access.

The actor deploys a payload dubbed NOTROBIN by FireEye researchers who discovered this campaign, an implant designed to clean the Citrix ADC appliances of malware strains known to target such devices and to mitigate the CVE-2019-19781 flaw to block subsequent exploitation efforts.

BleepingComputer

Cisco Webex Flaw Lets Unauthenticated Users Join Private Online Meetings

Cisco Systems has fixed a high-severity vulnerability in its popular Webex video conferencing platform, which could let strangers barge in on password-protected meetings – no authentication necessary.

A remote attacker would not need to be authenticated to exploit the flaw, according to Cisco. All an attacker would need is the meeting ID and a Webex mobile application for either iOS or Android. After the attackers input the meeting ID into their mobile Webex application, the browser then requests to launch the device’s Webex mobile application, allowing them to enter the meeting – sans a password.

“The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications,” said Cisco in a Friday advisory. “An unauthorized attendee could exploit this vulnerability by accessing a known meeting ID or meeting URL from the mobile device’s web browser.”

Threatpost

Project TajMahal – a sophisticated new APT framework

‘TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named ‘Tokyo’ and ‘Yokohama’. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we’ve ever seen for an APT toolset.

Just to highlight its capabilities, TajMahal is able to steal data from a CD burnt by a victim as well as from the printer queue. It can also request to steal a particular file from a previously seen USB stick; next time the USB is connected to the computer, the file will be stolen.

TajMahal has been developed and used for at least the past five years. The first known ‘legit’ sample timestamp is from August 2013, and the last one is from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is August 2014.

Securelist

DDoS Mitigation Firm Founder Admits to DDoS

A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded guilty to paying a DDoS-for-hire service to launch attacks against others.

Tucker Preston, 22, of Macon, Ga., pleaded guilty last week in a New Jersey court to one count of damaging protected computers by transmission of a program, code or command. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors.

Preston was featured in the 2016 KrebsOnSecurity story DDoS Mitigation Firm Has History of Hijacks, which detailed how the company he co-founded — BackConnect Security LLC — had developed the unusual habit of hijacking Internet address space it didn’t own in a bid to protect clients from attacks.

Krebs on Security

Italian Court Orders ISPs to Block IPTV Sites Over Serie A Piracy

An Italian court has ordered 'preventative measures' that require the websites of 15 'pirate' IPTV providers to be blocked in the country. The complaint was filed by top Italian soccer league Serie A after the IPTV providers reportedly broadcast live matches without permission. How effective the blocks will be remains to be seen, however.

TorrentFreak


Privacy

Apple dropped plan for encrypting backups after FBI complained

Apple Inc dropped plans to let iPhone users fully encrypt backups of their devices in the company’s iCloud service after the FBI complained that the move would harm investigations, six sources familiar with the matter told Reuters.

REUTERS

iCloud backups are not fully encrypted because the FBI complained

For the past years, Apple has painted itself as a champion of user privacy, as long as said user is also a customer. Its privacy advocacy has become so central to its message that it has, after decades of formal absence, attended CES but only as a panelist in a privacy roundtable. There will always be some who will doubt a for-profit's ulterior motives and they may have just been given a smoking gun that implies Apple did secretly cave in to the US government's wishes to have easier access to iCloud users' unencrypted backups.

SlashGear

LastPass stores passwords so securely, not even its users can access them

https://twitter.com/JacekZloty/status/1219230499220135936?ref_src=twsrc%5Etfw

Password manager LastPass appears to have had a big night out on Friday, to the point where the service needed a lengthy lie down over the weekend. In fact, for some users it is still horizontal.

Social media is awash with customers unable to connect to the service either via the company's website or through its various apps. For some, the problem has been going on for days.

The Register


Programming

Pock an awesome utility for the Mac Touchbar

Having said that, I came across a very interesting project a few weeks ago called Pock that lets you put the Dock into the touch bar. This combined with "permanently" hiding the Dock makes the touch bar more useful for me. If I'm honest, it's just to see if I have a Slack notification, but that alone is worth it.

Just some dev

A New Decade Of Javascript Threats

Just a decade ago, the world's Javascript was a nearly untapped wellspring of victims and cash for attackers, a new frontier for cybercrime that covered 95% of all websites on earth. It was ripe for the picking.

Because they execute in the victim's browser, Javascript threats were outside the corporate network and beyond the purview of traditional security controls. Realizing they were operating in a blind spot for security teams, innovative threat actors seized the opportunity and started picking apart the Javascript of websites worldwide.

RiskIQ


Technology

Vodafone ditches Facebook’s ‘cryptocurrency’ to focus on M-Pesa

Vodafone has bailed on Facebook‘s cryptocurrency project, Libra, to focus on expanding its own solution for faster cross-border payments beyond Africa.

The telecommunications giant is the latest in a string of companies to have left the Libra Association, alongside Mastercard, Visa, Stripe, and Ebay, CoinDesk reports.

TNW


Entertainment

- But the Federation understood there were millions of lives at stake.
- Romulan lives.
- No. Lives.

‘Star Trek: Picard’ Review: The Great Beyond

“Engage.”

This was the simple command that Captain Jean-Luc Picard uttered so often throughout the seven-season run of Star Trek: The Next Generation — the final word before the starship Enterprise headed off on a new adventure. But engage is also what so many recent TV revivals fail to do. They don’t connect with the old material in any meaningful way so much as they strain to re-create it exactly as it was. They’re brand management more than they are storytelling — unapologetic bids for attention in an overcrowded TV landscape, little more.

Even Star Trek: Discovery, while a franchise extension rather than a revival, suffered from this problem when it debuted a couple of years back as the shiny lure for the new CBS All Access streaming service. Set a few years before the events of the original series(*), it boasted a strong cast and impressive production values, but didn’t seem to have a reason for existing beyond the theory that Trekkies would subscribe to All Access for new content. The second season improved a bit, mainly just by introducing its own take on characters from the Sixties series, like Spock and Christopher Pike.

Rolling Stone

Netflix snags international streaming rights to Studio Ghibli’s films

https://twitter.com/NetflixANZ/status/1219145163680780288?ref_src=twsrc%5Etfw

After years of keeping its movies to theatrical releases and DVDs, Studio Ghibli‘s apparently going all-in streaming. Today it revealed it’s partnering with Netflix to stream its films in just about every part of the world… except North America and Japan.

TNW

Disney+ is launching a week early in the UK and parts of Europe

Disney+ will now launch in the UK and other markets in Western Europe on March 24th, one week earlier than the March 31st release date that was originally announced. Pricing has also been officially confirmed as £5.99/€6.99 a month or £59.99/€69.99 a year. The service’s initial European roll out will cover the UK, Ireland, France, Germany, Italy, Spain, Austria, and Switzerland.

The news means that March 24th will be the first time much of Europe will be able to legally watch the original content that has debuted on Disney’s streaming service following its official launch in the US, Canada, Australia, New Zealand, and The Netherlands last year. These originals include the hit Star Wars TV show The Mandalorian, as well as High School Musical: The Musical: The Series, a live action version of Lady and the Tramp, and The World According to Jeff Goldblum.

The Verge

Marvel’s boss talked to Patrick Stewart about bringing the X-Men to the MCU

Patrick Stewart has revealed that his death in 2017's Logan made him so emotional that he broke down a bit, right in the middle of a cinema where the veteran actor was watching the film along with Hugh Jackman. Both men were apparently so moved they actually took each other's hands while they were watching the final moments of the film, one of the half a dozen X-Men-related titles that Stewart appeared in as Charles Xavier since its launch in 2000.

Here’s the thing, though. In spite of the ending to the Professor’s story that’s shown in Logan — in which he appears to be suffering from whatever the mutant world’s version is of an Alzheimer’s-like disease — screenwriters have played with time before when it comes to this particular character. Which is something to keep in mind when considering the following: Stewart has reportedly had conversations in recent months with Marvel boss Kevin Feige about the character of Charles Xavier, conversations that have included “movies and suggestions.”

BGR