Newsletters

Samsung Repair Mode: Samsung said last week that it developed a new security feature for its fleet of Android devices. Named "Repair Mode," the feature can be activated when users send their devices for repairs and works by locking down all personal data on the device to prevent rogue repair technicians from sifting through a user's personal information. Currently, the new Repair Mode is being trialed inside South Korea on Galaxy S21 devices; however, the feature is expected to be made available for more users internationally and to other devices.

Thousands of apps leak Twitter API keys: Cybersecurity firm CloudSEK said it identified 3,207 applications that leak Twitter API keys, exposing their users to situations where attackers can hijack their service and then their users' Twitter accounts.

DOJ investigating second court system breach: The US Department of Justice said it is investigating a security breach that impacted its court documents management system that appears to have taken place in early 2020. The incident is separate from the SolarWinds-related intrusion the DOJ disclosed last year.

Proxy service hack: The operators of the 911[.]re proxy network said they are shutting down in the aftermath of a data breach that destroyed key components of its business operation, Brian Krebs reported. The shutdown also comes days after the same Krebs published an in-depth look at the shady service earlier this month.

Russian Postal Service leak: Hackers published last week a data trove they claim to have stolen from the official Russian Postal Service. The data contains more than 10 million data points about past shipments. This includes sender and recipient names, addresses, and shipment details. In a statement to local media, Pochta denied the breach and said the hackers obtained the data from a third-party contractor. Russian delivery services have been at the center of several data leaks since Russia's invasion of Ukraine. Past leaks include Yandex Food, DeliveryClub, and CDEK.

OneTouchPoint breach: Marketing platform OneTouchPoint disclosed a security breach last week. The breach is the result of a ransomware attack that took place in April this year, and the company said that 34 healthcare organizations that used its platform had data compromised in the incident.

Newport, RI incident: The city of Newport, Rhode Island, disclosed a security breach that took place in early June 2022, when a threat actor gained access to one of its servers and accessed files with information on city employees.

Microleaves leak: Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database, Brian Krebs reported. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach showed otherwise.

Google delays cookie phase-out once more: Google said this week that it will get rid of support for third-party cookies—a way online advertisers use to track users online—in the Chrome web browser in 2024. This is the second time that Google has delayed the cookies phase-out plan after it initially planned to replace third-party cookies with its Privacy Sandbox API in 2022, only to push it back to 2023 and now to 2024.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

Commercial spyware providers such as NSO Group are now firmly in the political crosshairs.

On Wednesday this week the US House of Representatives Intelligence Committee held an open hearing into commercial cyber surveillance. And last week the Intelligence Authorisation Act (IAA), which includes several anti-spyware provisions, passed the House Intelligence Committee with bipartisan support. (The Washington Post and CyberScoop both have excellent reporting on this.)

While this is definitely good news, defenders shouldn't take it as an easy win, as even Labro doesn't rule out the possibility of finding new ways to attack Microsoft's PPL security mechanism.

"[T]his tool leveraged only one weakness of PPLs, but there is a couple of other userland issues we can probably still exploit. So, from my standpoint, it is also an opportunity to start working on another bypass," the researcher said.

Entrust incident: In an email sent to customers last week, security access software maker Entrust said it fell victim to a cyber-attack after a threat actor gained access to its IT network. [Additional coverage in SecurityWeek]

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation, and founding corporate sponsor Proofpoint.

The first ever Cyber Safety Review Board (CSRB) report has landed. It's an excellent deep dive on the Log4j event, but the broadness of its recommendations show just how far we have to go to make critical software safer.

First, the findings. The Board found that the Log4j vulnerability (as we covered here) was a bad one made worse by common practices in modern software development. It's likely that other just as bad vulnerabilities are still out there, so a whole lotta work needs to be done across the software and cyber security ecosystem to mitigate the risks.

As Mishaal Rahman, the former editor-in-chief at XDA Developers, points out in a Twitter thread, the change is a major shift in policy for the Google Team—for two reasons.

The first is that Google is moving away from a hard-to-understand list of technical permissions to something that's easier to understand by more of the laymen. An app using a weird permission doesn't always correlate in the app developer's collecting user data because of it. The permission might be needed for some banal on-device operation that might not be damaging to a user's privacy at all. Google's plan for the Data Safety section is to tell users what data is actually collected and how that data is being handled or shared by the app developer.

But here comes the second reason why this change is a big deal—namely, that the Data Safety section won't be automatically parsed from an app's manifest file and code, but it will be written by the app developer.

US senators propose crackdown on shady VPNs: Two Democrat senators have asked the FTC to look into the deceptive practices of VPN companies. The two want the FTC to look at how VPN companies use false or misleading claims about user anonymity in their ads, the sale of user traffic data to third parties, and if the companies disclose when they share user data with law enforcement agencies.

Iran puts the entire country in Safe Search mode: Several Iranian users reported on Wednesday that Iranian internet service providers started replying to DNS queries for the main Google.com domain with the Lock SafeSearch URL of forcesafesearch.google.com. This is a known feature of the Google search engine that's usually employed in controlled corporate environments, where companies prevent users from searching for inappropriate content. Apparently, this is also the second time the Iranian government has done this.

KillNet: Intel471 has a report out on the operations of pro-Russian hacktivist group KillNet and its recruitment, tactics, techniques, and procedures.

ETH researchers noted that installing these patches will have an impact on the CPU's performance metrics between 14% and 39%, and another issue they found in AMD processors that they named Phantom JMPs (CVE-2022-23825) might even come with a 209% performance overhead.

Concerns about this performance hit will most likely result in many people not installing the patches to protect themselves against "exotic attacks" that are unlikely to be seen in the wild, at least yet.

In some ways, this side channel research is similar to the first cryptography attacks from the 90s and early 2000s, all of which broke smaller pieces of various cryptographic operations, with each new research building on top of the previous work until. At a certain point, major cryptographic algorithms started falling.

More than 16,000 Yubikeys have been deployed to Ukrainian government executives, workers, and employees of private companies in Ukraine's critical sectors in the aftermath of Russia's invasion.

The initiative is spearheaded by Hideez, a Ukrainian security firm specializing in identity services and FIDO consultancy. Earlier this spring, the company secured a donation of 30,000 Yubikey security keys from hardware authentication device maker Yubico.

Since then, Hideez's staff has been working with Ukrainian government agencies like the Ministry of Digital Transformation, the National Security and Defense Council, and the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) to ensure the devices can be imported into the country, that government infrastructure is prepared for the keys' rollout, and that recipients receive the necessary training.