My Weekly RoundUp #129

Luckily, there’s more to life than coronavirus!

Cybersecurity

New Wi-Fi Encryption Vulnerability Affects Over A Billion Devices

Cybersecurity researchers today uncovered a new high-severity hardware vulnerability residing in the widely-used Wi-Fi chips manufactured by Broadcom and Cypress—apparently powering over a billion devices, including smartphones, tablets, laptops, routers, and IoT gadgets.

Dubbed ‘Kr00k‘ and tracked as CVE-2019-15126, the flaw could let nearby remote attackers intercept and decrypt some wireless network packets transmitted over-the-air by a vulnerable device.

The attacker does not need to be connected to the victim’s wireless network and the flaw works against vulnerable devices using WPA2-Personal or WPA2-Enterprise protocols, with AES-CCMP encryption, to protect their network traffic.

“Our tests confirmed some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were vulnerable to Kr00k,” ESET researchers said.

The Hacker News

Android malware can steal Google Authenticator 2FA codes

Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that’s used as a two-factor authentication (2FA) layer for many online accounts.

Google launched the Authenticator mobile app in 2010. The app works by generating six to eight-digits-long unique codes that users must enter in login forms while trying to access online accounts.

Google launched Authenticator as an alternative to SMS-based one-time passcodes. Because Google Authenticator codes are generated on a user’s smartphone and never travel through insecure mobile networks, online accounts who use Authenticator codes as 2FA layers are considered more secure than those protected by SMS-based codes.

ZDNet

Massive cyber attack on Greek government attributed to foreign spies.

Prime Minister’s office, the Ministry of Foreign Affairs, Intelligence Service – all pwned via DNS hijacking

According to verified sources, the unknown perpetrators were able to gain access to the internal networks of government agencies.

The attack was initially picked up on by officials from the prime minister’s cyber security team when an unusual email malfunction came to their attention. They immediately notified the Incident Response Team of the Foundation for Research and Technology – Hellas (FORTHcert) and the police cybercrime unit.

Ekathimerini.com

Privacy

Facebook sues SDK maker for secretly harvesting user data

Facebook filed today a federal lawsuit in a California court against OneAudience, a New Jersey-based data analytics firm.

The social networking giant claims that OneAudience paid app developers to install its Software Development Kit (SDK) in their apps, and later used the control it had over the SDK’s code to harvest data on Facebook users.

According to court documents obtained by ZDNet, the SDK was embedded in shopping, gaming, and utility-type apps, some of which were made available through the official Google Play Store.

ZDNet

49 Million Unique Emails Exposed Due to Mishandled Credentials

An Israeli marketing firm exposed 49 million unique email addresses after mishandling authentication credentials for an Elasticsearch database, that were sitting in plain text on an unprotected web server.

In a vaguely-worded notification this week, Straffic, a privately-held digital marketing company, informed that the incident was the result of a “security vulnerability” affecting one of its servers.

This is not the entire story, though, and this incident shows that huge databases are still at risk even when accessing them requires authentication.

Bleepingcomputer

Brave beats other browsers in privacy study

Users looking for a privacy-focused browser might want to consider Brave first, according to a study published this week.

Douglas Leith, professor of computer systems at Trinity University, examined six browsers for his report – Web Browser Privacy: What Do Browsers Say When They Phone Home? He found that Brave’s Chromium-based browser is the least likely to reveal unique identifying information about the computer using it.

The study examined six browsers: Chrome, Firefox, Safari, Brave, Edge, and Yandex. It used several tests to deduce whether the browser can track the user’s IP address over time, and whether it leaks details of web page visits. To do this, it looked at the data shared on startup after a fresh install, on a restart, and after both pasting and typing a URL into the address bar. It also explored what the browser did when it was idle.

Naked Security


Science

Pioneering NASA mathematician Katherine Johnson dies at 101

The celebrated NASA mathematician Katherine Johnson, who you may know from the book or film Hidden Figures, passed away today at the age of 101. Johnson is perhaps best known for helping NASA prepare for the orbital mission of John Glenn, but that was far from her only achievement or contribution to space exploration.

Engadget

Freeman Dyson, Visionary Technologist, Is Dead at 96

Freeman J. Dyson, a mathematical prodigy who left his mark on subatomic physics before turning to messier subjects like Earth’s environmental future and the morality of war, died on Friday at a hospital near Princeton, N.J. He was 96.

His daughter Mia Dyson confirmed the death. His son, George, said Dr. Dyson had fallen three days earlier in the cafeteria of the Institute for Advanced Study in Princeton, “his academic home for more than 60 years,” as the institute put it in a news release.

The New York Times

Hunting the coronavirus in the dark web

Recently I have received many questions from journalists and colleagues about the activity in the dark web related to the coronavirus epidemic, here you are what I have found digging in the major black marketplaces.

Immediately following the outbreak of the number of coronavirus infections worldwide, certain goods became victims of looting and financial speculation. Let’s think of the request for masks to avoid contagion and disinfectant products, both product categories soon became impossible to find in the markets and their prices online spiked.

I have visited some of the most prolific hacking communities and marketplaces (i.e. Dream Alt Market, Empire Market, Square Market), below some of the offers I have found in their listings.

Security Affairs

Technology

Video Game Console Startup Sequences From 1977 to 2020

Take a trip down video game memory lane and watch the startup sequences of most video game consoles from 1977 to 2020, including little-known consoles such as the Halcyon and Video Challenger

Geeks Are Sexy


SciFi

Captain Picard’s Entire Timeline Explained

Jean-Luc Picard is one of Star Trek’s most legendary captains, but the man has a long, complicated history with the USS Enterprise and its crew. If you want the lowdown on his story, then here’s Picard’s entire timeline explained.

Geeks Are Sexy

Related posts

  1. A brand-new attack hijack routers’ DNS to push malicious COVID-19 apps
  2. My Weekly RoundUp #132
  3. My Weekly RoundUp #131
  4. My Weekly RoundUp #130
  5. My Weekly RoundUp #128