Security related News for week ending 2020 06 23

We start this update with a couple of Apple stories, move through a protest by advertisers against hate on Facebook, expose a couple more Bitcoin addresses you should not be sending funds to, and finally end with a great reason to wear a plain t-shirt if you are going to set cars on fire.

If you are not sure what a brute-force attack is, see the explanation further down, along with the suggestions we have added to it. We are always happy to receive your security suggestions through this forum!


Apple Announces New Privacy Features at WWDC 2020

By Eduard Kovacs: Apple kicked off its 2020 Worldwide Developers Conference (WWDC) on Monday — a virtual event due to the current coronavirus pandemic — and announced several new privacy features coming to its products.

The new iOS 14 will allow iPhone users to only share an approximate location with the apps they are using rather than giving them access to precise location data.

iPhone users will also see an indicator in the status bar — a yellow dot — whenever their microphone or camera is recording, and the Control Center will allow them to see which apps used the mic or camera recently.

Apple has also announced improvements to tracking control. The company believes tracking should be transparent and under the user’s control, so App Store policy will require apps to ask for permission before tracking users across third-party applications and websites.

Another improvement made to app-related privacy is that applications will be required to display a summary of their privacy practices on their page in the App Store so that users can see it before downloading. Developers will have to specify how much data they collect and what type of data they share with others for tracking purposes.

As for security, Apple informed users that Safari — on both iOS and macOS — will include a password monitoring feature that alerts them if their saved passwords have been compromised in a data breach, and helps them change the exposed password.


Apple Suddenly Confirms Hidden iPhone Problem Impacting All Users

Zak Doffman: Any data copied to the clipboard on an iOS device could be read by any active app. There is no notification, no setting to restrict an app’s ability to access user information; the vulnerability is hidden—users have no way to tell when an app might be stealing their data. Worse, “the Universal Clipboard can also be affected by this vulnerability to eavesdrop on what users copy.” What this means is that if you copy something on your Mac, it can be read by an app on your iPhone. And given we tend to use copy and paste more on a desktop or laptop than on a phone, this makes the issue much more serious in the real world.

The issue was reported to Apple back in January. “After analyzing the submission,” the researchers explained, “Apple informed us that they don’t see an issue with this vulnerability.” In essence, Apple’s view seemed to be that this was its clipboard function working as planned. There was no issue to fix—nothing to see here.

Researchers released a follow-up, showcasing the way in which apps such as TikTok, which has raised plenty of its own security concerns, “read the content of the clipboard whenever it is opened.” And although the researchers acknowledged that “we can’t say for sure what TikTok is doing with the data it has read,” this was clearly a concern. For its part, TikTok told me it was an issue with a Google Ads SDK and was being fixed. That said, Apple should not have let it happen in the first place.

Apple should include a privacy setting, app by app, enabling or disabling access to the clipboard. And, at the very least, it should flash a notification on screen when an app does access the clipboard, “to prevent apps from exploiting the pasteboard,” the researchers said back in February, “Apple must act.”

Well, despite insisting this was not a problem, Apple found it serious enough to warrant a specific fix in iOS 14. “Even though Apple informed us that it wasn’t an issue when we reported it earlier this year, I think Apple listened to the demands and reconsidered their initial thoughts about the issue—they fixed it the exact way we recommended in our article,” the researchers said, adding that the notification “is different from normal iOS banners—this shows Apple specifically designed this for clipboard access.”

Well done Apple!


Risk assessments reveal businesses remain deficient in security compliance, training

Bradley Barth: InfoSec World 2020 – An analysis of more than 100 risk self-assessments conducted by business organizations across a cross-section of industries revealed that over 65 percent admitted to achieving zero-to-minimal compliance with U.S. state data privacy and security regulations, including myriad breach laws and the California Consumer Privacy Act.

“We find that companies are not providing additional focus training to people that have access to PII, PHI or other sensitive information,” said Kevin Ricci, principal at accounting and business consulting services firm Citrin Cooperman, which developed the self-assessment tool, called SCORE (Score Compliance Operations Risk Evaluation). “They’re a little bit more of a target, if you will, than a typical employee and the data that they’re handling is much more sensitive typically.”

Asked what they would do if they were attacked with ransomware, a whopping 93 percent of organizations said they would wipe their infected systems and restore from backups, while a mere seven percent admitted they’d pay the ransom. However, this may have been wishful thinking. Ricci noted that 11 percent said they actually don’t perform any offsite backups, “which is pretty terrifying because all your eggs are in one basket, and if things go wrong it could mean the end of your data."


VirusTotal Adds Cynet’s Artificial Intelligence-Based Malware Detection

The Hacker News: VirusTotal, the famous multi-antivirus scanning service owned by Google, recently announced new threat detection capabilities it added with the help of an Israeli cybersecurity firm.

VirusTotal provides a free online service that analyzes suspicious files and URLs to detect malware and automatically shares them with the security community. With the onslaught of new malware types and samples, researchers rely on the rapid discovery and sharing provided by VirusTotal to keep their companies safe from attacks.

VirusTotal relies on a continuous stream of new malware discoveries to protect its members from significant damage.


Brute-force attacks explained, and why they are on the rise

Dan Swinhoe: A brute-force attack sees an attacker repeatedly and systematically submitting different usernames and passwords in an attempt to eventually guess credentials correctly. This simple but resource-intensive, trial-and-error approach is usually done using automated tools, scripts or bots cycling through every possible combination until access is granted.

“Brute-force attacks are often used to target devices on remote networks to obtain personal information such as passwords, passphrases, usernames and personal identification numbers (PINs).” However, the longer the password and the stronger the hashing of the saved credentials, the more time and computing power an attack needs, so organizations can reduce the efficiency of the attack to the point where it is almost impossible for attackers to execute successfully.

Our advice: never reuse a password across accounts (a password manager makes unique passwords painless), and always turn on 2FA where it is available. If you register with an e-mail address, do not use one that carries your name; create a generic one instead. If it is a Gmail account, remember you can append a + and a site reference, e.g. tru3gift+amazon@gmail.com: Gmail ignores everything after the +, so mail still reaches you, and when spam starts arriving at that variant you know which site leaked the address. Two caveats: Gmail usernames may contain only letters, digits and dots, so a mailbox name like “Tru3G!ft” would have to lose its punctuation, and the + suffix is trivially stripped by attackers, so treat it as a leak tracer rather than a protection. That, with a unique password and 2FA everywhere you can use it, should keep you pretty safe for now. Tru3G!ft is now taken, by the way.
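Two checks a defender wants alongside the explanation above: an estimate of how the guessing cost grows with password length and hash speed, and a detector that flags a source address failing authentication too often in a short window, which is what an online brute-force or password-spraying run looks like in logs. This is an added example written for this digest, not code from the CSO article; the sshd-style log lines are constructed, and the guess rates in the usage note are rough orders of magnitude rather than measurements.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style lines for the demo (not from any real host).
SAMPLE_LOG = """\
Jun 23 10:00:01 bastion sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Jun 23 10:00:02 bastion sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jun 23 10:00:03 bastion sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Jun 23 10:00:04 bastion sshd[1004]: Failed password for root from 203.0.113.5 port 51003 ssh2
Jun 23 10:00:05 bastion sshd[1005]: Failed password for invalid user oracle from 203.0.113.5 port 51004 ssh2
Jun 23 10:00:06 bastion sshd[1006]: Failed password for root from 203.0.113.5 port 51005 ssh2
Jun 23 10:00:30 bastion sshd[1007]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun 23 10:00:41 bastion sshd[1008]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def keyspace(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover for a fixed length."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate. The rate is
    what the protection on the stored credentials sets: a fast unsalted hash lets
    a GPU test billions of guesses per second, a slow salted hash far fewer."""
    return keyspace(charset_size, length) / guesses_per_second


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: (failures_in_window, distinct_users_tried)} for every source
    that produced `threshold` or more failed logins inside any `window`.
    Syslog timestamps carry no year; strptime fills in 1900, which is fine for
    the relative comparisons made here within a single log."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)      # ip -> usernames tried (many users = spraying)
    alerts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "Failed":
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        q = recent[ip]
        q.append(ts)
        users[ip].add(m["user"])
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = (len(q), len(users[ip]))
    return alerts


if __name__ == "__main__":
    print("8 lowercase letters at 1e10 guesses/s: %.0f s" % seconds_to_exhaust(26, 8, 1e10))
    print("8 printable ASCII at 1e5 guesses/s:   %.0f s" % seconds_to_exhaust(95, 8, 1e5))
    print("alerts:", detect_bruteforce(SAMPLE_LOG.splitlines()))
```

Running it flags 203.0.113.5 (six failures across four usernames inside a minute) and leaves the single failure from 198.51.100.7 alone. The same sliding-window logic applies to web login endpoints and VPN portals; pair it with a lockout or rate limit rather than relying on detection alone, and note that spraying campaigns spread attempts across many source addresses, so the per-IP threshold is a first check, not the only one.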


Hackers Using Google Analytics to Bypass Web Security and Steal Credit Cards

Ravie Lakshmanan: Researchers reported on Monday that hackers are now exploiting Google’s Analytics service to stealthily pilfer credit card information from infected e-commerce sites.

According to several independent reports from PerimeterX, Kaspersky, and Sansec, threat actors are now injecting data-stealing code on the compromised websites in combination with tracking code generated by Google Analytics for their own account, letting them exfiltrate payment information entered by users even in conditions where content security policies are enforced for maximum web security.

“Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics,” Kaspersky said in a report published yesterday. “As a result, the attackers could access the stolen data in their Google Analytics account.”

The cybersecurity firm said it found about two dozen infected websites across Europe and North and South America that specialized in selling digital equipment, cosmetics, food products, and spare parts.

“The source of the problem is that the CSP rule system isn’t granular enough,” PerimeterX’s VP of research Amir Shaked said. “Recognizing and stopping malicious JavaScript request requires advanced visibility solutions that can detect the access and exfiltration of sensitive user data.”

To harvest data using this technique, all that is needed is a small piece of JavaScript code that transmits the collected details like credentials and payment information through an event and other parameters that Google Analytics uses to uniquely identify different actions performed on a site.

“Administrators write *.google-analytics.com into the Content-Security-Policy header (used for listing resources from which third-party code can be downloaded), allowing the service to collect data. What’s more, the attack can be implemented without downloading code from external sources,” Kaspersky noted.

To make the attacks more covert, the attackers also ascertain if developer mode — a feature that’s often used to spot network requests and security errors, among other things — is enabled in the visitor’s browser, and proceed only if the result of that check is negative.

In a separate report released yesterday, Netherlands-based Sansec, which tracks digital skimming attacks, uncovered a similar campaign, active since March 17, that delivered the malicious code to several stores using JavaScript hosted on Google’s Firebase. For obfuscation, the actor behind the operation created a temporary iframe to load an attacker-controlled Google Analytics account. Credit card data entered on payment forms is then encrypted and sent to the analytics console, from where it is recovered using the encryption key used earlier. Given the widespread use of Google Analytics, countermeasures like CSP will not work when attackers take advantage of an already allowed domain to exfiltrate sensitive information.
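Because CSP allows or denies a whole origin, it cannot tell the shop’s own Google Analytics property from an attacker’s, which is the gap the reports above describe. What a site owner can do is look at the beacons themselves, either from a proxy or from network logs, and flag one that carries a tracking id other than their own or card-number-like values in any parameter. This is an added example written for this digest, not code from Kaspersky, PerimeterX or Sansec; the beacons are constructed and the property id UA-12345-6 is an assumed stand-in for the site’s own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption for the demo: the shop's own property id(s). Anything else in a beacon
# leaving the checkout page belongs to somebody else's account.
OWN_TRACKING_IDS = {"UA-12345-6"}

DIGIT_RUN = re.compile(r"\d[\d -]{11,21}\d")   # 13-23 chars incl. spaces/dashes


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return substrings that look like card numbers (13-19 digits, Luhn valid)."""
    found = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def inspect_beacon(url: str, body: str = ""):
    """Flag a Measurement Protocol beacon (GET query and/or POST body) that carries
    a foreign tracking id or card-number-like values in any parameter."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    findings = []
    for tid in params.get("tid", []):
        if tid not in OWN_TRACKING_IDS:
            findings.append("foreign_tid:" + tid)
    for name, values in params.items():
        if any(find_pans(v) for v in values):
            findings.append("pan_in_" + name)
    return findings


# Constructed beacons: the first is ordinary page tracking, the second is the
# skimmer pattern described above (card data packed into an event label).
LEGIT = "https://www.google-analytics.com/collect?v=1&tid=UA-12345-6&cid=555&t=pageview&dp=%2Fcheckout"
SKIMMED = ("https://www.google-analytics.com/collect?v=1&tid=UA-99999-1&cid=555&t=event"
           "&ec=checkout&ea=submit&el=4111111111111111%7C12%2F24%7C123")

if __name__ == "__main__":
    print("legit:  ", inspect_beacon(LEGIT))
    print("skimmed:", inspect_beacon(SKIMMED))
```

The foreign-tid check is the stronger of the two: Sansec’s variant encrypts the card data before sending it, which defeats any content pattern, but the beacon still has to name the attacker’s property id so that the data lands in their console. Keep an inventory of your own tracking ids and alert on anything else.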


Australia says state-based actor is behind surge of sophisticated cyber attacks

Australian Prime Minister Scott Morrison warned late last week that a sophisticated, state-sponsored cyber actor has been attacking the country’s government and corporate institutions, as well as critical infrastructure operators, with increasing regularity.

Morrison did not name-and-shame the specific country that is responsible for the alleged attacks. But inside sources told Reuters that China is the culprit, noting similarities between the recent attacks and past malicious activities that were also attributed to Beijing and were aimed at Australia’s national parliament and three largest political parties. A Chinese Foreign Ministry spokesman on Friday reportedly denied China was involved.

“Based on advice provided to the Government by our cyber experts, the Australian Cyber Security Centre (ACSC), Australian organizations are currently being targeted by a sophisticated state-based cyber actor,” reads an official statement issued by the offices of the Prime Minister, Minister for Home Affairs and Minister for Defense. “This activity is targeting Australian organizations across a range of sectors, including all levels of government, industry, political organizations, education, health, essential service providers, and operators of other critical infrastructure.”

“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used,” the statement continued.


North Face, Patagonia, REI join Facebook advertiser boycott

Kate Cox: Several brands have agreed to suspend advertising on Facebook for the month of July and are calling for other companies to join them in boycotting the platform to protest its handling of racism and hate speech.

Patagonia, producer of high-end outerwear, on Sunday became the most recent company to say it was pulling all advertising from Facebook and Instagram for the time being. “For too long, Facebook has failed to take sufficient steps to stop the spread of hateful lies and dangerous propaganda on its platform,” company head of marketing Cory Bayers said in a written statement. “The stakes are too high to sit back and let the company continue to be complicit in spreading disinformation and fomenting fear and hatred.”

Patagonia followed employee placement firm Upwork and outdoor wear competitors REI and The North Face, which all confirmed on Friday they would join the boycott. North Face parent company VF Corp also told CNN its other apparel brands, including Dickies, Vans, and Timberland, were considering joining the protest.

The boycott campaign, Stop Hate for Profit, is spearheaded by a coalition of non-profit organizations including the NAACP, the Anti-Defamation League, and Color of Change, among others. The groups accuse Facebook of “allowing racist, violent, and verifiably false content to run rampant on its platform,” while “amplifying the messages of white supremacists, permitting incitement to violence, and failing to disrupt bad actors using the platform to do harm.”

Facebook, in a lengthy statement published Sunday, said it is “taking steps to review our policies, ensure diversity and transparency when making decisions on how we apply our policies, and advance racial justice and voter engagement on our platform.”

Leaders from three civil rights groups—Color of Change, The Leadership Conference on Civil and Human Rights, and the NAACP Legal Defense and Educational Fund—in early June held a conference call with Zuckerberg and Facebook COO Sheryl Sandberg about the decision. After the call, the groups expressed frustration with Facebook, saying in a statement they were “disappointed and stunned by Mark’s incomprehensible explanations” and adding, “[Zuckerberg] did not demonstrate understanding of historic or modern-day voter suppression and he refuses to acknowledge how Facebook is facilitating Trump’s call for violence against protesters.”


N.Zealand Freezes Assets of Alleged Russian Cyber Criminal

By AFP: New Zealand police revealed Monday they had frozen NZ$140 million (US$90 million) in assets linked to a Russian man accused of laundering money for organised crime using cryptocurrency. Police said they acted after discovering funds belonging to Alexander Vinnik, who is in custody in France facing fraud charges, were being held in a New Zealand company. “These funds are likely to reflect the profit gained from the victimisation of thousands, if not hundreds of thousands, of people globally as a result of cybercrime and organised crime,” commissioner Andrew Coster said.


Indonesia Denies #COVID19 Test Data Breach

Sarah Coble: An alleged breach of COVID-19 test result data is being investigated by authorities in Indonesia. Posting on the database sharing and marketplace forum RaidForums on June 18, the alleged hacker claimed to have exfiltrated the test results and personal details of 230,000 people. Information the alleged hacker claimed to have accessed included names, addresses, phone numbers, ages, and nationalities. Also included were the private medical records of people who had been tested for COVID-19 at a number of different hospitals in well-known tourist hotspot, Bali.


AMD: Fixes For High-Severity SMM Callout Flaws Upcoming

Lindsey O’Donnell: “AMD is aware of new research related to a potential vulnerability in AMD software technology supplied to motherboard manufacturers for use in their Unified Extensible Firmware Interface (UEFI) infrastructure and plans to complete delivery of updated versions designed to mitigate the issue by the end of June 2020,” according to AMD.

The three vulnerabilities were reported to AMD by security researcher Danny Odler on April 2. Odler published an analysis of the first, now patched, vulnerability on June 13 and told Threatpost that no further details on the other two flaws are available yet because they have not been fixed.

Odler said that the flaws exist on AMD’s Accelerated Processing Unit (APU) microprocessors, which are designed to act as both a CPU and GPU on a single die.

All three flaws exist in System Management Mode (SMM). SMM is a highly privileged operating mode mainly responsible for CPU and chipset configuration, motherboard manufacturer code, and secured operations such as setting Secure Boot hashes, TPM (Trusted Platform Module) configuration and power management. SMM exists on microprocessors from both Intel and AMD; however, Odler confirmed to Threatpost that Intel NUC systems (which also use SMM) are not exploitable via the same vulnerability.

The root cause of the SMM vulnerability is a lack of checks on the destination buffer address when SmmGetVariable() is called from SMI (System Management Interrupt) handler 0xEF. The 0xEF handler implements wrapper logic for reading and writing UEFI variables, which provide a way to store data shared between platform firmware and operating systems or UEFI applications. SmmGetVariable uses the ArgsStruct values to find the correct variable, read its data and store that data in a buffer; however, these ArgsStruct values are used directly, “as is”, without any validation, Odler said. Since the handler runs inside SMM, a caller that controls ArgsStruct therefore controls where the variable data gets written.
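The check that was missing is the one every SMI handler needs before it touches a caller-supplied pointer: the whole destination range must lie inside the caller’s communication buffer and must not overlap SMRAM, with the address arithmetic checked for wraparound first. The following is an added Python model written for this digest to make that check concrete; it is not AMD’s, any board vendor’s or Odler’s code, and the SMRAM base, SMRAM size and the three-field ArgsStruct layout are assumptions for illustration only.

```python
from dataclasses import dataclass

# Assumptions for the model: where SMRAM (TSEG) sits and how big it is on this board.
SMRAM_BASE = 0x7F000000
SMRAM_SIZE = 0x00800000          # 8 MiB
ADDR_MAX = (1 << 64) - 1         # physical address space modelled as 64-bit


@dataclass
class ArgsStruct:
    """Caller-supplied request as the 0xEF handler would receive it (layout assumed)."""
    name: str       # UEFI variable to read
    dest: int       # physical address the handler should write the data to
    size: int       # size of the caller's buffer


def ranges_overlap(a, a_len, b, b_len):
    return a < b + b_len and b < a + a_len


def buffer_is_safe(dest, size, comm_buf, comm_size):
    """The check the vulnerable handler lacked: the whole [dest, dest+size) range
    must lie inside the caller's communication buffer and outside SMRAM.
    Wraparound is checked first because in C `dest + size` can overflow to a
    small value and slip past a naive `dest + size <= limit` test."""
    if size == 0 or dest > ADDR_MAX or dest + size - 1 > ADDR_MAX:
        return False
    if ranges_overlap(dest, size, SMRAM_BASE, SMRAM_SIZE):
        return False
    return comm_buf <= dest and dest + size <= comm_buf + comm_size


def smi_ef_handler_unchecked(args, variables):
    """Model of the flawed behaviour: ArgsStruct values are used as is, so a
    destination inside SMRAM is written to without complaint."""
    data = variables.get(args.name)
    if data is None:
        return ("ERROR", "not found")
    return ("WRITE", args.dest, data[:args.size])


def smi_ef_handler(args, comm_buf, comm_size, variables):
    """Same handler with the destination validated before anything is written."""
    if not buffer_is_safe(args.dest, args.size, comm_buf, comm_size):
        return ("ERROR", "bad destination buffer")
    data = variables.get(args.name)
    if data is None:
        return ("ERROR", "not found")
    if len(data) > args.size:
        return ("ERROR", "buffer too small")
    return ("WRITE", args.dest, data)


if __name__ == "__main__":
    comm, comm_size = 0x10000000, 0x1000
    variables = {"Setup": b"\x01\x02\x03\x04"}
    evil = ArgsStruct("Setup", SMRAM_BASE + 0x10, 4)
    print("unchecked:", smi_ef_handler_unchecked(evil, variables))
    print("checked:  ", smi_ef_handler(evil, comm, comm_size, variables))
```

In real EDK II based firmware the equivalent test is SmmIsBufferOutsideSmmValid() from SmmMemLib, and the comm-buffer bounds come from the SMM communication protocol rather than being passed in by the caller as they are in this model. Both the address and the size must be validated; checking only the start address leaves the overflow case open.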

“AMD recommends following the security best practice of keeping devices up-to-date with the latest patches,” said AMD. “End users with questions about whether their system is running on these latest versions should contact their motherboard or original equipment/system manufacturer.”


Scam uses Elon Musk’s name to trick people out of US$2 million in bitcoin

Amer Owaida: Cryptocurrency giveaway scams – including those impersonating Tesla and SpaceX boss Elon Musk – have been making the rounds for quite a few years now. The newest trick up the fraudsters’ sleeves involves name-dropping Musk into the Bitcoin address itself, which has helped them fleece victims out of more than US$2 million worth of bitcoin over the past two months.

In order to make their ruse seem more trustworthy, con artists use Bitcoin vanity addresses that incorporate a custom element or word into the address itself. In this case, it’s the name of the South African-born tech titan: “1MuskSEYstWetqTFn5Au4m4GFg7xJaNVN2” or “1ELonMUskSEYstWetqTFn5Au4m4GFg7xJaNVN2”

The crooks then ask people to send digital cash to a bitcoin address under the promise of doubling the sum as part of a giveaway.

67 people have fallen for the ruse, moving 215 bitcoin (US$2.03 million) to these addresses.

Wow.


US: BlueLeaks’ Exposes Files from Hundreds of Police Departments

Brian Krebs: Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals.

The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data. DDoSecrets said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”

The dates of the files in the leak actually span nearly 24 years, from August 1996 through June 19, 2020, and the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.

“Additionally, the data dump contains emails and associated attachments,” reads an alert quoted in Krebs’s report. “Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports.”


Moroccan journalist targeted with network injection attacks using NSO Group ‘s spyware

In October 2019, security experts at Amnesty International’s Security Lab uncovered targeted attacks against Moroccan human rights defenders Maati Monjib and Abdessadak El Bouchattaoui that employed NSO Group surveillance tools.

The researchers are continuing to investigate and have found similar evidence of attacks on Omar Radi, a prominent Moroccan journalist and activist.

“After checking his devices for evidence of targeting, Amnesty International was able to confirm that Abdessadak El Bouchattaoui was indeed targeted repeatedly with malicious SMS messages that carried links to websites connected to NSO Group’s Pegasus spyware.”

Omar Radi is a Moroccan award-winning investigative journalist and activist who worked for several national and international media outlets.

“Amnesty International’s Security Lab performed a forensic analysis of Omar Radi’s phone and found traces suggesting he was subjected to the same network injection attacks we first observed against Maati Monjib and described in our earlier report.” reads the report published by Amnesty International. “Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted.”

On 26 December 2019, Moroccan authorities arrested Radi over a tweet he had posted in April criticizing the judiciary for upholding the verdicts against protesters from the 2017 Hirak el-Rif protest movement.


Stalker Online Breach: 1.3 Million User Records Stolen

Security researchers are warning players of a popular MMO game that over 1.3 million user records are being sold on dark web forums. Usernames, passwords, email addresses, phone numbers and IP addresses belonging to players of Stalker Online were found by researchers from CyberNews. Passwords were stored as MD5 hashes; MD5 is a hash function rather than an encryption algorithm, and because it is fast to compute and commonly used without a salt, hashes like these are cheap to crack offline.
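To show what “stored in MD5” means for the people in that dump, here is an added example written for this digest (not CyberNews’s code, and not real Stalker Online data): a dictionary attack over a constructed unsalted-MD5 dump, next to the same attack against passwords stored with a salted, slow hash (PBKDF2-HMAC-SHA256). The usernames, passwords and wordlist are all made up for the demo.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor for real storage; the demo can use fewer

WORDLIST = ["password", "123456", "stalker", "qwerty", "letmein", "Summer2020"]

# Constructed dump in the shape an unsalted-MD5 leak takes: username -> hex digest.
# player3 chose a password that no wordlist will hold.
LEAKED_MD5 = {
    "player1": hashlib.md5(b"stalker").hexdigest(),
    "player2": hashlib.md5(b"letmein").hexdigest(),
    "player3": hashlib.md5(b"Zx9!qT#7pLm2").hexdigest(),
}


def crack_md5(dump, wordlist):
    """Dictionary attack on unsalted hashes. One digest per candidate word serves
    every user at once, which is why unsalted MD5 dumps fall so fast.
    Returns ({user: password}, hashes_computed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, len(table)


def pbkdf2_store(password, iterations=ITERATIONS):
    """Salted, slow hash in 'saltHex$hashHex' form."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + dk.hex()


def pbkdf2_verify(stored, password, iterations=ITERATIONS):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time compare


def crack_pbkdf2(dump, wordlist, iterations=ITERATIONS):
    """The same dictionary attack against salted PBKDF2: every (user, word) pair
    costs a fresh slow hash and no table can be shared between users.
    Returns ({user: password}, hashes_computed)."""
    cracked, work = {}, 0
    for user, stored in dump.items():
        for w in wordlist:
            work += 1
            if pbkdf2_verify(stored, w, iterations):
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    print("md5:   ", crack_md5(LEAKED_MD5, WORDLIST))
    salted = {u: pbkdf2_store(p, 10_000) for u, p in [("player1", "stalker"), ("player2", "letmein")]}
    print("pbkdf2:", crack_pbkdf2(salted, WORDLIST, 10_000))
```

Both runs recover the weak passwords, so the salt and the work factor do not rescue “stalker” or “letmein”; what they change is the cost per guess and the fact that the attacker pays it once per user rather than once per word. With six words and three users the MD5 table costs six digests for the whole dump, while PBKDF2 needs a separate slow computation for each user and word. Scale that to 1.3 million records and a real wordlist and the difference is what keeps most of the users in a salted dump uncracked.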

Two databases were found on underground sites as part of a dark web monitoring project undertaken by the research outfit, one containing around 1.2 million records and another of 136,000 records. “Since Stalker Online is a free-to-play game that incorporates micro-transactions, malicious actors could also make a lot of money from selling hacked player accounts on the grey market,” the researchers said.

After confirming the data for sale was genuine, the researchers tried and failed to get in touch with Australian developer BigWorld Technology and its parent company, Cyprus-based Wargaming.net.


Over 100 New Chrome Browser Extensions Caught Spying On Users

Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a “massive global surveillance campaign” targeting oil and gas, finance, and healthcare sectors. The malicious browser add-ons were tied back to a single internet domain registrar, GalComm.

“The Chrome extensions took screenshots of the victim’s device, loaded malware, read the clipboard, and actively harvested tokens and user input.” The extensions were downloaded nearly 33 million times over the course of three months.

Earlier this February, Google removed 500 malware-ridden extensions after they were caught serving adware and sending users’ browsing activity to attacker-controlled servers. Then in April, the company yanked another set of 49 extensions that masqueraded as cryptocurrency wallets to steal Keystore information.

It’s recommended that users review extension permissions by visiting “chrome://extensions” on the Chrome browser, consider uninstalling those that are rarely used, or switch to other software alternatives that don’t require invasive access to browser activity.


US: ‘Anonymous’ takes down Atlanta Police Dept. site after police shooting

Following the fatal police shooting of Rayshard Brooks – a 27-year-old Black man who fell asleep in a fast-food drive-through lane in Atlanta and was shot while running from police who tried to tase him – hackers affiliating themselves with the Anonymous hacktivist collective may have briefly taken down the website for the city’s police department. According to the Atlanta Journal-Constitution, the APD’s site was down for about 3 hours.


US: Crypto founder admits $25 million ICO backed by celebrities was a scam

by Lisa Vaas: An ICO (initial coin offering) is an unregulated fundraising technique with a dodgy reputation that’s used by blockchain companies, where cryptocurrencies like Bitcoin and Ethereum are used to purchase “tokens” from a startup. If the company takes off, they’ll theoretically be worth something. Centra Tech took off, all right, but only because its founders lied through their teeth.

They concocted fictional executives with imaginary credentials. Their purported CEO, Michael Edwards, was as real as his imaginary MBA from Harvard and his 20+ years of banking industry experience.

Those partnerships with Bancorp, Visa, and Mastercard to issue Centra Cards licensed by Visa or Mastercard? Lies.

Centra Tech’s purported license to transmit money, among other licenses, in 38 states? Completely false.

Centra Tech co-founder Farkas – also known as RJ – pled guilty in Manhattan federal court on Tuesday to charges of conspiring to commit securities and wire fraud, according to the US Attorney’s Office for the Southern District of New York. Sentencing hasn’t been scheduled yet. Farkas, 33, pled guilty to two charges, each of which carries a maximum sentence of five years in prison. Maximum sentences are rarely handed out, but in a plea deal Farkas agreed to serve between 70 and 87 months and to pay a fine of up to $250,000.


North Korean #COVID19 Phishing Campaign Targets Six Countries

Phil Muncaster: Security researchers are warning of a multi-country North Korean phishing campaign designed to capitalize on government COVID-19 bail-out measures.

The operation is being undertaken by Pyongyang’s notorious Lazarus Group, and is “designed to impersonate government agencies, departments, and trade associations who are tasked to oversee the disbursement of the fiscal aid,” according to Cyfirma.

The Goldman Sachs-backed cybersecurity startup said that the campaign was slated to launch over the weekend in the US, UK, India, Japan, Singapore and South Korea.

First spotting evidence of the operation at the start of the month, the researchers claim to have found seven email templates impersonating government departments and institutions like the Bank of England, Singapore’s Ministry of Manpower, Japan’s Ministry of Finance and the US Department of Agriculture.

The group will apparently use millions of email addresses and business contact details to target their victims via these spoofed domains.

Singapore’s CERT has already issued an alert urging businesses and individuals to be vigilant and avoid clicking on links or opening attachments in unsolicited emails.


CN: Millions Of Huawei Users Suddenly Get New Mate 40 Upgrade Surprise

Millions of Huawei users planning to upgrade to the Mate 40—the next flagship, due this fall, are in for a surprising delay. At least according to the Nikkei Asian Review, which has exceptional sources in Huawei’s supplier base. Huawei, it says, has told a number of suppliers “to delay production… asking for halts to production of some components for its latest Mate series of phones, also trimming orders of parts for the coming quarters.”


What Is a Side Channel Attack?

Andy Greenberg for Wired: Side channel attacks take advantage of patterns in the information exhaust that computers constantly give off: the electric emissions from a computer’s monitor or hard drive, for instance, that emanate slightly differently depending on what information is crossing the screen or being read by the drive’s magnetic head. Or the fact that computer components draw different amounts of power when carrying out certain processes. Or that a keyboard’s click-clacking can reveal a user’s password through sound alone.

“Usually when we design an algorithm we think about inputs and outputs. We don’t think about anything else that happens when the program runs,” says Daniel Genkin, a computer scientist at the University of Michigan and a leading researcher in side channel attacks. “But computers don’t run on paper, they run on physics. When you shift from paper to physics, there are all sorts of physical effects that computation has: time, power, sound. A side channel exploits one of those effects to get more information and glean the secrets in the algorithm.”

For a sufficiently clever hacker, practically any accidental information leakage can be harvested to learn something they’re not supposed to. As computing gets more complicated over time, with components pushed to their physical limits and throwing off unintended information in all directions, side channel attacks are only becoming more plentiful and difficult to prevent. Look no further than the litany of bugs that Intel and AMD have struggled to patch over the last two years with names like Meltdown, Spectre, Fallout, RIDL, or Zombieload—all of which used side channel attacks as part of their secret-stealing techniques.

The most basic form of a side channel attack might be best illustrated by a burglar opening a safe with a stethoscope pressed to its front panel. The thief slowly turns the dial, listening for the telltale clicks or resistance that might hint at the inner workings of the safe’s gears and reveal its combination. The safe isn’t meant to give the user any feedback other than the numbers on the dial and the yes-or-no answer of whether the safe unlocks and opens. But those tiny tactile and acoustic clues produced by the safe’s mechanical physics are a side channel. The safecracker can sort through that accidental information to learn the combination.

Computers aren’t the only targets of side channel attacks, points out Ben Nassi, a security researcher at Ben Gurion University. They can be any secret process or communication that produces unintended but meaningful signals. Nassi points to eavesdropping methods like using the movement of gyroscopes in a hacked smartphone as microphones to pick up the sounds in a room, or a technique known as “visual microphone” that uses long-distance video of an object—say, a bag of chips or the leaves of a houseplant—to observe vibrations that reveal a conversation that happened nearby.

Nassi himself, along with a group of researchers at Ben Gurion, revealed a technique last week that can eavesdrop on conversations in a room in real time by using a telescope to observe the vibrations of a hanging light bulb inside. “I’d call it a side effect,” Nassi says of this broader definition of side channels that goes beyond computers or even machines. “It’s a method to compromise confidentiality by analyzing the side effects of a digital or physical process.”

(Oh, and for now, don’t worry about the lightbulb attack. The attacker has to have line of sight to the lightbulb and an absolutely enormous amount of computing on the back end to turn the data into anything even remotely usable!)


Sneaky Mac Malware Is Using a Fake Flash Installer to Spread

A new variant of the Shlayer trojan that plagues macOS has picked up some tricks, according to new research from security firm Intego. After it fools users into downloading it by posing as a Flash update—that part, not so new, oldest trick in the book—the malware guides victims through an installation process designed to get around protections Apple recently added to the macOS Gatekeeper feature. The trojan is being distributed through Google search results, so, as always, be careful what you click.


79 Netgear Devices All Have the Same Zero-Day Vulnerability

Another day, another router bug. This one’s a bit of a doozy though; researchers found a zero-day vulnerability affecting 79 Netgear models, with firmware dating back to 2007. Netgear is reportedly working on a patch, but it isn’t yet available, due in part, the company told CyberScoop, to complications from the Covid-19 pandemic. In the meantime, a whole lot of devices remain at risk of takeover.


The FBI used a Philly protester’s Etsy profile, LinkedIn, and other internet history to charge her with setting police cars ablaze

Jeremy Roebuck: As demonstrators shouted, fires burned outside City Hall, and Philadelphia convulsed with outrage over the death of George Floyd, television news helicopters captured footage of a masked woman with a peace sign tattoo and wearing a light blue T-shirt setting a police SUV ablaze.

More than two weeks after that climactic May 30 moment, federal authorities say they’ve identified the arsonist as 33-year-old Philadelphia massage therapist Lore Elisabeth Blumenthal by following the intricate trail of bread crumbs she left through her social media history and online shopping patterns over the years.

According to filings in Blumenthal’s case, FBI agents had little more to go on when they started their investigation than the news helicopter footage of the woman setting the police car ablaze as it was broadcast live May 30.

It showed the woman, in flame-retardant gloves, grabbing a burning piece of a police barricade that had already been used to set one squad car on fire and tossing it into the police SUV parked nearby. Within seconds, that car was also engulfed in flames.

Investigators discovered other images depicting the same scene on Instagram and the video sharing website Vimeo. Those allowed agents to zoom in and identify a stylized tattoo of a peace sign on the woman’s right forearm.

Scouring other images — including a cache of roughly 500 photos of the Philly protest shared by an amateur photographer — agents found shots of a woman with the same tattoo that gave a clear depiction of the slogan on her T-shirt.

“Keep the Immigrants,” it read, “Deport the Racists.”

That shirt, agents said, was found to have been sold only in one location: a shop on Etsy, the online marketplace for crafters, purveyors of custom-made clothing and jewelry, and other collectibles. The vendor: a New Castle, Del., dealer selling “screen printed and hand printed feminist wear.”

The top review on her page, dated just six days before the protest, was from a user identifying herself as “Xx Mv,” who listed her location as Philadelphia and her username as “alleycatlore.”

A Google search of that handle led agents to an account on Poshmark, the mobile fashion marketplace, with a user handle “lore-elisabeth.” And subsequent searches for that name turned up Blumenthal’s LinkedIn profile, where she identifies herself as a graduate of William Penn Charter School and several yoga and massage therapy training centers.

From there, they located Blumenthal’s Jenkintown massage studio and its website, which featured videos demonstrating her at work. On her forearm, agents discovered, was the same distinctive tattoo that investigators first identified on the arsonist in the original TV video.



As always, great news @rps!

You are too kind. I humbly thank you from the bottom of my heart!
