Security related News for week to 2020 05 26

We have a few stories this week where someone got “caught” doing naughty things, move through a potpourri of companies giving away user data, and then a malware “vulnerability scan” service (hey why not?).

Next: Are you a Discord user who plays Call of Duty: Warzone? We have two stories for you.

Finally, we end with the UK joining the US-China trade war escalation. Expect it all to get worse before it gets better … and all in the name of security.

Why is eBay Port Scanning me?

Charlie Belmer for NullSweep: I was given the example of eBay as a site that includes port scanning, but when I initially navigated there I didn’t see any suspicious behavior. I thought they might use some heuristics to determine who to scan, so I tried a few different browsers and spoofed settings, without any luck.

I thought it might be because I run Linux, so I created a new Windows VM and sure enough, I saw the port scan occurring in the browser tools from the eBay home page: Looking at the list of ports they are scanning, they are looking for VNC services being run on the host, which is the same thing that was reported for bank sites. I marked out the ports and what they are known for (with a few blanks for ones I am unfamiliar with):
5900: VNC
5901: VNC port 2
5902: VNC port 3
5903: VNC port 4
3389: Windows remote desktop / RDP
5931: Ammy Admin remote desktop
5950: WinVNC
6039: X window system
6040: X window system
63333: TrippLite power alert UPS
7070: RealAudio
I verified this for myself with both Google Chrome and Mozilla Firefox browsers running on a Windows 10 machine and can confirm that the scanning took place. You can check yourself by hitting F12 in your web browser, clicking on the “network” tab, and then connecting to the eBay site. Those connections to localhost (your own computer, if you prefer) are the ones being scanned.
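To make the F12 check above repeatable, here is an added example (not code from the original post, nor from eBay or ThreatMetrix) that reads a HAR export of the browser's network log and reports every request aimed at the local machine, labelled with the service names the post lists for those ports. The sample HAR embedded at the bottom is constructed for illustration.

```python
"""Flag loopback connections in a browser HAR export.

Added example, not from the original post. After loading the site with the
Network tab open, save the log as a HAR file and run this script over it.
The sample HAR below is constructed, not a real capture.
"""
import json
import sys
from urllib.parse import urlparse

# Port -> service mapping, as listed in the post above.
KNOWN_PORTS = {
    5900: "VNC", 5901: "VNC port 2", 5902: "VNC port 3", 5903: "VNC port 4",
    3389: "Windows remote desktop / RDP", 5931: "Ammy Admin remote desktop",
    5950: "WinVNC", 6039: "X window system", 6040: "X window system",
    63333: "TrippLite power alert UPS", 7070: "RealAudio",
}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def is_loopback(url):
    """True when the request targets this machine (loopback name or address)."""
    host = urlparse(url).hostname or ""
    return host in LOOPBACK_HOSTS or host.startswith("127.")


def find_local_probes(har_text):
    """Return (url, port, label) for every HAR entry that hits the loopback interface."""
    entries = json.loads(har_text).get("log", {}).get("entries", [])
    probes = []
    for entry in entries:
        url = entry.get("request", {}).get("url", "")
        if not is_loopback(url):
            continue
        parsed = urlparse(url)
        # Fall back to the scheme default when the URL carries no explicit port.
        port = parsed.port or SCHEME_DEFAULT_PORT.get(parsed.scheme)
        probes.append((url, port, KNOWN_PORTS.get(port, "not listed in the post")))
    return probes


def summarize(har_text):
    """Sorted list of distinct loopback ports probed; empty means nothing was found."""
    return sorted({port for _url, port, _label in find_local_probes(har_text)})


# Constructed sample: one normal page request plus three loopback probes.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://www.ebay.com/"}},
    {"request": {"method": "GET", "url": "ws://127.0.0.1:5900/"}},
    {"request": {"method": "GET", "url": "ws://localhost:3389/"}},
    {"request": {"method": "GET", "url": "ws://127.0.0.1:63333/"}},
]}})

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HAR
    for url, port, label in find_local_probes(text):
        print("loopback probe: %-28s port %-6s %s" % (url, port, label))
```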

Security expert John Opdenakker agrees. “I don’t expect a website to start scanning on my local computer,” he says, “and sharing my data with third parties without consent.” That third-party would, in this case, be LexisNexis Risk Solutions via the ThreatMetrix product. “Implementing this kind of behavior by default,” Opdenakker says, “without users being clearly informed and having a choice to opt-out to me seems like a serious infringement of privacy regulations.”

How can you prevent eBay from running a port scan of your computer?

There are several ways that you can prevent this kind of port scanning of your computer if you are a Windows user. You could try switching to the Brave web browser when connecting to eBay; according to users who have tweeted about this, Brave blocks the port scanning. Alternatively, installing the uBlock Origin and NoScript extensions for Chrome and Firefox will also prevent this behavior.

Gamers Beware: Stealthy Malware Steals Your Discord Password And Attacks Your Friends

Lee Mathews: In just five short years, Discord’s popularity with gamers has soared. Today, Discord has 250 million registered users, and around 15 million of them are active on any given day… which is why it’s become a popular target for cybercriminals.

One persistent threat that has plagued Discord for some time is AnarchyGrabber. It’s a particularly stealthy trojan that can steal users’ credentials and authentication tokens. It can now steal unencrypted passwords and send them back to the attacker. It also actively seeks new victims by targeting a user’s friends on Discord.

The malware is fairly good at avoiding detection, too. AnarchyGrabber works by modifying JavaScript code that the Discord client loads when it starts up. Once that code is modified, the malware itself more or less vanishes. Making matters worse, its creators have made the AnarchyGrabber code freely available and tutorials are easy to find on streaming video sites. That makes it trivial for even relatively unskilled hackers to launch attacks.

To clean your endpoint, look for a file called index.js. Open the file and search for the text “module.exports”. If there is more than a single line in the file, uninstall Discord and reinstall it using the link from the official download page.
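The cleanup rule above (a clean index.js holds a single module.exports line) turned into a check, as an added example that is not from the original post or from Discord. The directory to scan is an assumption (point it at the Discord modules folder for your OS); the sample file contents are constructed.

```python
"""Check Discord client index.js files for the tampering described above.

Added example, not from the original post. Scans a directory tree (assumed:
the Discord modules folder) and applies the post's rule to every index.js.
"""
import os
import sys


def index_js_suspicious(contents):
    """Return (suspicious, reason) for the text of one index.js file."""
    lines = [line for line in contents.splitlines() if line.strip()]
    if not any("module.exports" in line for line in lines):
        return True, "no module.exports line found"
    if len(lines) > 1:
        return True, "%d non-empty lines; expected a single module.exports line" % len(lines)
    return False, "single module.exports line"


def scan_tree(root):
    """Walk root and report (path, suspicious, reason) for every index.js found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "index.js" in files:
            path = os.path.join(dirpath, "index.js")
            with open(path, encoding="utf-8", errors="replace") as fh:
                suspicious, reason = index_js_suspicious(fh.read())
            findings.append((path, suspicious, reason))
    return findings


# Constructed samples: a clean one-line loader versus one with an extra line appended.
CLEAN_INDEX = 'module.exports = require("./core.asar");\n'
TAMPERED_INDEX = CLEAN_INDEX + 'require("./extra.js");\n'

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, suspicious, reason in scan_tree(root):
        print(("SUSPICIOUS " if suspicious else "ok         ") + path + " (" + reason + ")")
```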

70 percent of mobile and desktop applications are affected by at least one security flaw present in open-source libraries.

Veracode released its new “State of Software Security” Open Source edition where the experts analyzed over 85,000 applications and related imported libraries, accounting for over 351,000 unique external libraries.

“The number of external libraries found in any given application varies quite a bit depending on the language in which the application is being developed.” reads the report.

The use of open-source libraries is quite common, for example most JavaScript applications contain hundreds of libraries.

“The report found that 70 percent of applications have a security flaw in an open-source library on the initial scan. Cross-Site Scripting is the most common vulnerability category found in open source libraries – present in 30 percent of libraries – followed by insecure deserialization (23.5 percent) and broken access control (20.3 percent).”

“In the good news department, addressing the security flaws in these libraries is most often not a significant job. Most library-introduced flaws (nearly 75 percent) in applications can be addressed with only a minor version update. Major library upgrades are not usually required!” concludes the report.

“This data point suggests that this problem is one of discovery and tracking, not huge refactoring of code.”

Contact-tracing app may become a permanent fixture in a major Chinese city

Robbie Harb: Officials in the city of Hangzhou, home to Alibaba and other Chinese tech concerns, said on Friday the local government wishes to create a permanent version of the country’s tracing app that was designed to help lift the country out of lockdown. The mandatory app gives users green, yellow, or red status based on their travel history and whether they have been in contact with known cases. The proposal put forward by Hangzhou’s Health Commission would assign users a health score ranging from 0 to 100 based on their medical records, physical examinations, as well as lifestyle factors, such as how many cigarettes they smoke, steps they walk, or hours they sleep daily. The country’s social credit system monitors citizens’ online behavior, such as social media posts and online shopping, to determine a “citizen score” that is used to reward and punish.

Apple’s operating system iOS 13.5 was released last week, on the 20th.

iOS 13.5 comes with many vital features, including the ability to quickly unlock your iPhone while wearing a mask by skipping Face ID. The feature works on any Face ID-enabled iPhone without a home button, and using it is pretty simple. In iOS 13.5, the passcode field will automatically be presented after you swipe up from the bottom of the lock screen when you are wearing a face mask. According to the release notes, this “also works when authenticating with the App Store, Apple Books, Apple Pay, iTunes, and other apps that support signing in with Face ID.” That means you don’t have to put yourself at risk while paying for things or using your phone by touching the front of your mask.

Lots of iOS apps need updating?

If you have gone to the App Store and found dozens of your apps need updating, it may be caused by an issue relating to an expired certificate or similar credential used for app sharing. Apple might have had to reissue the updates with a valid certificate on each app affected by the bug to fix the problem impacting many of its users, which in turn explains the need to update the apps. So far Apple has stayed quiet on the issue.

UK: Easyjet slapped on the rudder with an £18bn class action claim in London’s High Court.

Article 82 of the EU General Data Protection Regulation (GDPR) grants customers the right to compensation for inconvenience, distress, annoyance, and loss of control of their data. The Luton-headquartered airline revealed last week that a “highly sophisticated” attack on its IT infrastructure had compromised email addresses and travel details of nine million passengers, as well as the credit card details of just over 2200.

Despite claiming that it had no evidence that any of the stolen info had been misused, the airline warned those affected about follow-on phishing attacks. Although it notified UK regulator the Information Commissioner’s Office (ICO) back in January, at around the time of the incident, it took several months for the firm to come clean to customers.

US: Ohio’s Unemployment Office contractor, Deloitte, is breached.

A data breach at the Ohio Department of Job and Family Services (ODJFS) has exposed the personal data of Pandemic Unemployment Assistance (PUA) claimants.

Personal information including names, Social Security numbers, home addresses, and claim receipts was exposed to other claimants due to a security vulnerability detected by Deloitte Consulting on May 15. Deloitte is the technology vendor for PUA systems in several states, including Ohio. ODJFS has not revealed how many of these claimants were affected by the data breach, but as a measure, Deloitte is providing every Ohio resident with free credit monitoring for a full year.

CISSP Qualification is Given Cert Status Equivalent to Master’s Degree Level

The Certified Information Systems Security Professional (CISSP) certification has been granted a qualification level equal to that of a master’s degree across Europe. The qualification was designated as comparable to Level 7 of the Regulated Qualifications Framework (RQF) by UK NARIC, the UK’s designated national agency responsible for providing information and expert guidance on qualifications from across the world.

The change will enable cybersecurity professionals to use the CISSP certification towards higher education course credit and also open up new opportunities for roles that require or recognize master’s degrees. The new designation will apply both to the UK and across Europe.

The announcement followed the American Council on Education’s College Credit Recommendation Service’s (ACE CREDIT®) recognition of six (ISC)2 certifications as eligible for college credit.

In making their decision, the UK NARIC undertook an in-depth independent benchmarking study of the CISSP certification. This involved the review of core qualification components as well as a comparative analysis of the skills assessed during a candidate’s computer adaptive test (CAT) examination to the RQF. This analysis concluded that the CISSP qualification assessed the candidate’s knowledge and skills comparable to the RQF Level 7 standard. It noted CISSP required skills such as organizational problem solving and decision making and awareness and correct use of industrial standards, policy, and best practice.

IN: Data on 29 Million Indian Jobseekers Leaked

Phil Muncaster: The personal details of over 29 million Indian job seekers have been posted to a dark web site, free for anyone to access. The 2.3GB file includes email, phone, home address, qualification, work experience, current salary, employer, and other details on job-hunters from all over India. The vendor claimed that the leak had originated from a CV aggregation service which collected the data from legitimate job portal sites. An update over the weekend clarified that the data may have been initially exposed by an unprotected Elasticsearch instance, subsequently made inaccessible.

Wishbone Breach: 40 Million Records Leaked on Dark Web

A prolific dark web trader has leaked what they claim to be 40 million user records from Wishbone, an iOS and Android app which allows users to “compare anything.” Data includes usernames, email addresses, mobile numbers, gender, date-of-birth, Facebook and Twitter access tokens, MD5-hashed passwords, and more. This isn’t the first time Wishbone has been caught out. A 2016 breach affected 9.4 million records with 2.2 million unique email addresses.

RU: Turla hacker group steals antivirus logs to see if its malware was detected

Turla, one of Russia’s most advanced hacker groups, has created malware that gets its orders from email attachments sent to an arbitrary Gmail inbox. The ComRAT tool has seen several updates across the years, and a newly discovered variant of ComRAT v4 includes two new features: the ability to exfiltrate antivirus logs and the ability to control the malware through a Gmail inbox.

The first of these features is the malware’s ability to collect antivirus logs from an infected host and upload them to one of its command and control servers. “These logs allow them to better understand if and which one of their malware samples was detected.”

The malware takes over the Gmail interface with a predefined cookie file, reads recent emails in the inbox, from where it downloads file attachments, and then reads the instructions contained within the file. The idea is that whenever Turla operators want to issue new commands to ComRAT instances running on infected hosts, the hackers merely have to send an email to the Gmail address.

This Service Helps Malware Authors Fix Flaws in their Code

Brian Krebs: It is not uncommon for crooks who sell malware-as-a-service offerings such as trojan horse programs and botnet control panels to include backdoors in their products that let them surreptitiously monitor the operations of their customers and siphon data stolen from victims. More commonly, however, the people writing malware simply make coding mistakes that render their creations vulnerable to compromise.

One such malware testing service is operated by “RedBear,” the administrator of a Russian-language security site called Krober[.]biz, which frequently blogs about security weaknesses in popular malware tools. For the most part, the vulnerabilities detailed by Krober aren’t written about until they are patched by the malware’s author, who’s paid a small fee in advance for a code review that promises to unmask any backdoors and/or harden the security of the customer’s product.

UA: Hacker Behind Last Year’s ‘Collection#1’ Data Dump Arrested in Ukraine

Ukrainian authorities say they’ve arrested the hacker behind the “Collection #1” data dump, which grabbed headlines last year for exposing 773 million email addresses.

The Security Service of Ukraine (SBU) on Tuesday announced it had identified and detained the hacker, who went by the name Sanix. Authorities arrested the suspect after receiving information that Sanix was likely a Ukrainian citizen and based in the country’s Ivano-Frankivsk region.

The hacker gained attention in January 2019 for circulating an 87GB database on the internet that contained 773 million email addresses, along with 21 million unique passwords. Sanix then distributed six other dumps, totaling 1TB in size, which also contained phone numbers, payment card details, and Social Security numbers.

Chrome will start blocking resource-heavy ads in August

Emil Protalinski: Google recently announced that Chrome will start blocking resource-heavy ads. Examples include ads that mine cryptocurrency, are poorly programmed, or are unoptimized for network usage. Chrome will block these ads because they “drain battery life, saturate already strained networks, and cost money.” There are three possible thresholds an ad can hit to be blocked: 4MB of network data, 15 seconds of CPU usage in any 30-second period, or 60 seconds of total CPU usage. Google will be experimenting with this change “over the next several months” and will roll it out on Chrome stable “near the end of August.”

Not many are aware that the world’s most popular browser has a built-in adblocker. Two years ago, Google joined the Coalition for Better Ads, a group that specifies standards for how the industry should improve ads for consumers. Chrome blocks all ads (including those owned or served by Google) on websites that display non-compliant ads, as defined by the coalition. In addition to ads, Google has also used Chrome’s ad blocker to tackle “abusive experiences”. The tool is thus meant more to punish bad sites than to completely block ads.

‘Call of Duty: Warzone’ Cheaters Are Getting Owned by 2FA

Activision is forcing Warzone gamers to use their cellphone number to log in, and using it as a way to permaban cheaters. Last month, the developers of the hugely popular game banned more than 70,000 cheaters and promised to combat the game’s cheating problem.

“We are watching. We have zero-tolerance for cheaters,” tweeted the official account of Infinity Ward, the game’s developer.

Infinity Ward rolled out a new, basic security feature that appears to have had the bonus of locking out many cheaters: two-factor authentication. Infinity Ward announced that new Warzone players on PC will have to use SMS to log in to the free version of the game, “as another step to provide an additional layer of security for players.”

IL: Israel linked to a disruptive cyberattack on Iranian port facility

Joby Warrick and Ellen Nakashima: On May 9, shipping traffic at Iran’s bustling Shahid Rajaee port terminal came to an abrupt and inexplicable halt. Computers that regulate the flow of vessels, trucks and goods all crashed at once, creating massive backups on waterways and roads leading to the facility.

After waiting a day, Iranian officials acknowledged that an unknown foreign hacker had briefly knocked the port’s computers offline. Now, more than a week later, a more complete explanation has come to light: The port was the victim of a substantial cyber attack that the U.S. and foreign government officials say appears to have originated with Iran’s archenemy, Israel.

The attack, which snarled traffic around the port for days, was carried out by Israeli operatives, presumably in retaliation for an earlier attempt to penetrate computers that operate rural water distribution systems in Israel, according to intelligence and cybersecurity officials familiar with the matter.

China Just Crossed A Dangerous New Line For Huawei, and Threatens ‘Retaliatory Responses’

Zak Doffman: And so a critical week for Huawei begins, as the implications of the latest U.S. action against the company begin to hit home. The ramp-up of U.S. sanctions, prohibiting the use of American technology in the development and contract manufacture of Huawei’s in-house chips, is a response to Huawei’s seeming ability to skirt around restrictions, maintaining its lock on 5G equipment sales around the world. Now, the U.S. has pressed its threatened kill switch.

On the smartphone front, the U.S. has destroyed billions in Huawei’s R&D investment in the silicon developed to keep pace with Apple and Samsung.

On the 5G front, all eyes are on the U.K. again. The view of China has changed. It now seems inconceivable that the Huawei decision can stand.

“Under mounting pressure from Washington,” the China Daily’s May 24 editorial says, “the ‘national security threat’ argument is rapidly poisoning Huawei’s international business environment. What the British government is allegedly planning comes as a further stab in the company’s back following the latest U.S. attempt to cut its supply lines.”

Huawei is now in trouble. In the meantime, China has made it clear that it will openly fight Huawei’s battles country by country as required.


TIL my browser can port scan me, that is absolutely insane.