The next president will face a cybercrisis in the first 100 days of their presidency, research firm Forrester predicts in a new report. The crisis could come as a result of hostile actions from another country or internal conflict over privacy and security legislation, said Forrester analyst Amy DeMartine, lead author of the firm’s top cybersecurity risks for 2017 report, due to be made public Tuesday.
- Your home’s online gadgets could be hacked by ultrasound. From New Scientist.
This may have happened to you. You idly browse a pair of shoes online one morning, and for the rest of the week, those shoes follow you across the Internet, appearing in adverts across the websites you visit.
But what if those ads could pop out of your browser and hound you across different devices? This is the power of ultrasound technology, says Vasilios Mavroudis at University College London – and it offers a whole new way in for hacking attacks and privacy invasions. He and his colleagues will spell out their concerns at next week’s Black Hat cybersecurity conference in London.
- Bug Bounty Hunter Launches Accidental DDoS Attack on 911 Systems via iOS Bug. From Softpedia.
The Maricopa County Sheriff’s Office Cyber Crimes Unit arrested Meetkumar Hiteshbhai Desai, an 18-year-old teenager from the Phoenix area, for flooding the 911 emergency system with hang-up calls.
People accessing Desai’s link from their iPhones saw their phone automatically dial and redial 911.
- Red Cross Blood Service admits to personal data breach affecting half a million donors. From ABC.net.au.
The personal data of 550,000 blood donors that includes information about “at-risk sexual behaviour” has been leaked from the Red Cross Blood Service in what has been described as Australia’s largest security breach.
Data from blood donor registration form posted insecurely online
Leak included identifying information and “personal details” of 550,000 donors
All copies of the data believed to be destroyed
The organisation said it was told on Wednesday that a file containing donor information was placed on an “insecure computer environment” and “accessed by an unauthorised person”.
- Dyn DNS DDoS likely the work of script kiddies, says FlashPoint. From TechCrunch.
Business risk intelligence firm FlashPoint has put out a preliminary analysis of last week’s massive denial of service attack against Dyn DNS, and its conclusion is it was likely the work of amateur hackers — rather than, as some had posited, state-sponsored actors perhaps funded by the Russian government.
The DDoS attack against Dyn’s domain name system impacted access to a range of sites in parts of the U.S. last Friday, including PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify and RuneScape.
Aside from suspicion falling on Russia, various entities have also claimed or implied responsibility for the attack, including a hacking group called the New World Hackers and — bizarrely — WikiLeaks, which put out a (perhaps joke) tweet suggesting some of its supporters might be involved.
- The Phone Hackers at Cellebrite Have Had Their Firmware Leaked Online. From Motherboard.
Cellebrite, an Israeli company that specialises in digital forensics, has dominated the market in helping law enforcement access mobile phones. But one apparent reseller of the company’s products is publicly distributing copies of Cellebrite firmware and software for anyone to download.
Although Cellebrite keeps its most sensitive capabilities in-house, the leak may still give researchers, or competitors, a chance to figure out how Cellebrite breaks into and analyzes phones by reverse-engineering the files.
The biggest lesson emerging from the recent recall of 3.2 million debit cards by various Indian banks is that most of the systems that the government and the country’s financial sector put in place to deal with a major cyber attack failed to detect the data breach that necessitated this recall.
As banks scramble to put together a root cause analysis of the events that led to the malware (malicious software) attack that led to one of the biggest security breaches in banks in India in September and October, there is a realisation that institutions failed to share information with each other, leading to cascading failures that permitted the breach to continue undetected for a while.
- Data breach at Weebly affects 43 million users. From Graham Cluley.
A data breach at free website builder Weebly has compromised the personal information of over 43 million users.
News of the breach arrived on 20 October when LeakedSource.com published a database of 43,430,316 Weebly users’ information on its website. Those records contain a username, email address, password, and IP address.
Little information is known about how those responsible for the breach exfiltrated all of that data, but we do know that the breach occurred at the web-hosting service in February 2016 and that an anonymous source provided LeakedSource with the database.
- American vigilante hacker sends Russia a warning. From KSAT.
An American vigilante hacker — who calls himself “The Jester” — has defaced the website of the Russian Ministry of Foreign Affairs in retaliation for attacks on American targets.
On Friday night, the Jester gained access to the Russian government ministry’s website. And he left a message: Stop attacking Americans.
“Comrades! We interrupt regular scheduled Russian Foreign Affairs Website programming to bring you the following important message,” he wrote. “Knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed.”
- What IoT (and Security) Needs to Learn From the DeWalt Mitre Saw. From SANS Security Awareness Blog.
I recently purchased my first power tool ever, a DeWalt Compound Mitre Saw, an intimidating piece of machinery that can not only rip through huge pieces of wood, but potentially chop your hand/arm clean off. As such I was very nervous when I received it, to include reading through the safety manual several times and numerous YouTube videos. Once I had reviewed everything and started playing with this tool, I came to an amazing realization. This device is so well designed from a safety perspective that I would have to try really hard to harm myself. Even better, I did not have to really think about all the safety measures as they were built into the device; they were designed to work with me, not against me. I list some of the key safety features that impressed me at the bottom, but something else really hit home for me. Why are we struggling so hard to do the same for security? Right now IoT is one of our biggest security challenges, with millions of IoT devices being used for DDoS attacks. The challenge? People are not changing the default passwords. Our community’s response? Security professionals around the world are lamenting why people are so stupid/lazy as not to change the default passwords.
- Hacked Cameras, DVRs Powered Today’s Massive Internet Outage. From KrebsOnSecurity.
A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.
Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet’s top destinations. The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.