Over the weekend, a hacker gained unauthorized access to the Queensland EWN, or Early Warning Network, and used it to send a spam alert via SMS, landline, and email to the company’s subscribers.
EWN is a service offered by Australian company Aeeris that allows Australian councils, or local governments, to send emergency alerts regarding extreme weather, fires, evacuation information, or incident responses. The unauthorized alerts stated that “EWN has been hacked. Your personal data is not safe.” They then went on to tell recipients to email firstname.lastname@example.org to unsubscribe from the service.
A new hacking campaign is underway that is targeting Chromecast adapters, Smart TVs, and Google Home in order to play a YouTube video promoting PewDiePie’s YouTube channel.
Since the battle to have the most subscribers began between the YouTube channels of PewDiePie and T-Series, a hacker who goes by the name TheHackerGiraffe has been performing creative attacks that promote PewDiePie’s channel. First they sent print jobs promoting PewDiePie to Internet-connected printers. Now they are targeting Internet-connected devices that support Chromecast and forcing them to play a YouTube video.
Researchers from New York University and Michigan State University successfully generated what they call “DeepMasterPrints” earlier this year. These are machine-learning methods that act as a kind of “masterkey” which, the researchers claim, have the potential to unlock around one in three fingerprint-protected smartphones.
Read more about the artificial fingerprints that can be used to bypass fingerprint authentication on smartphones and other devices on CNBC.
Hardware-based cryptocurrency wallets may not be as secure as promised. That’s the judgement of three security researchers who presented their research at a session at the 35c3 conference.
The researchers demonstrated firmware, side-channel, microcontroller and supply-chain attacks that impact a range of wallets including Trezor One, Ledger Nano S, and Ledger Blue. Naturally, the manufacturers responded, claiming the research had holes and attacks were impractical and their hardware was safe to use. “The sad reality is there is just not a lot of security in cryptocurrency [development]. And that is painful to hear,” said one of the researchers.
Read more about the shortcomings of crypto wallet security on Threatpost.
A vulnerability in the Guardzilla All-In-One Video Security System, an IoT-enabled home video surveillance system, lets all users view one another’s saved surveillance footage due to the design and implementation of Amazon S3 credentials inside the camera’s firmware.
Security researchers found the bug (CVE-2018-5560) during an event held by 0DayAllDay and reported it to Rapid7 for coordinated disclosure. Rapid7 published the flaw 60 days after it first attempted to contact the vendor. Multiple coordination efforts received no response. This vulnerability is an issue of CWE-798: Use of Hard-coded Credentials, 0DayAllDay researchers report.
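As an added illustration of the CWE-798 pattern behind the Guardzilla finding (example code written for this digest, not code from Rapid7, 0DayAllDay or the vendor): a small scanner a firmware reviewer can run over an extracted image to flag AWS access key IDs and any nearby high-entropy string of the secret key's shape. The firmware blob, the bucket name and the key ID are constructed sample data, and the secret string is the one AWS uses in its own documentation, so nothing here is a live credential. The entropy threshold and window size are assumptions chosen for the example.

```python
import math
import re
from collections import Counter

# Long-term AWS user access key IDs are 20 characters starting with "AKIA".
AWS_KEY_ID_RE = re.compile(rb"AKIA[0-9A-Z]{16}")

# Secret access keys are exactly 40 characters from the base64 alphabet.
# The lookarounds stop a longer run of base64-ish bytes from matching partway.
AWS_SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random secrets score well above plain text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_hardcoded_aws_credentials(blob: bytes, window: int = 256,
                                   min_entropy: float = 3.5) -> list:
    """Return one finding per access key ID found in the blob.

    For each key ID, look `window` bytes either side for a 40-character
    base64-alphabet run whose entropy is high enough to be a real secret
    (assumed threshold 3.5 bits/byte). Low-entropy runs such as padding
    are dropped, which keeps the output usable on large images.
    """
    findings = []
    for m in AWS_KEY_ID_RE.finditer(blob):
        start = max(0, m.start() - window)
        end = min(len(blob), m.end() + window)
        neighbourhood = blob[start:end]
        secrets = [
            s.group(0).decode("ascii")
            for s in AWS_SECRET_RE.finditer(neighbourhood)
            if shannon_entropy(s.group(0)) >= min_entropy
        ]
        findings.append({
            "offset": m.start(),
            "key_id": m.group(0).decode("ascii"),
            "secret_candidates": secrets,
        })
    return findings


def scan_firmware_file(path: str) -> list:
    """Convenience wrapper for an extracted firmware image on disk."""
    with open(path, "rb") as fh:
        return find_hardcoded_aws_credentials(fh.read())


# Constructed sample image: a fake ELF header, an S3 URL, a key pair stored as
# plain strings, a low-entropy 40-byte run that must be ignored, and filler.
# The secret value is AWS's documentation example, not a real credential.
FIRMWARE_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"https://s3.amazonaws.com/example-bucket/\x00"
    + b"AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\x00"
    + b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"\x00" + b"A" * 40 + b"\x00"
    + b"\x90" * 32
    + b"boot_version=1.0.0\x00"
)


if __name__ == "__main__":
    for finding in find_hardcoded_aws_credentials(FIRMWARE_SAMPLE):
        print(f"offset {finding['offset']}: key id {finding['key_id']}, "
              f"{len(finding['secret_candidates'])} secret candidate(s)")
```

On the sample image the scanner reports one key ID with exactly one secret candidate; the 40-byte run of `A` characters has the right length but zero entropy and is discarded. A hit like this in a shipped image is the defect the advisory describes: every unit carries the same long-lived key, so every customer shares the bucket's access. The fix is structural rather than a patch to the scanner's output: keep no long-lived cloud keys in the image and issue each device its own scoped, short-lived credentials at runtime.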
Read more about the unpatched IoT vulnerability on DarkReading.
Leading up to Nov. 6, 2018, anyone with a stake in American democracy was holding their breath. After a Russian effort leading up to 2016 to sow chaos and polarization, and to degrade confidence in American institutions, what sort of widespread cyberattack awaited the voting system in the first national election since? None, it seems.
“We didn’t see any coordinated effort or targeting that interrupted the elections process,” said Matt Masterson, a senior cybersecurity adviser at the Department of Homeland Security. “[Nothing] that prevented folks from voting or compromised election systems in any way … certainly nowhere close to what we saw in 2016.” Experts say that is not because U.S. election systems are hardened in a way that prevents such attacks.
When you see an attacker on your network, it’s understandable to want to give them a taste of their own medicine. But how can you effectively anger intruders when “hacking back” is illegal?
“There are times when I have really wanted to strike back, but you can’t and you don’t,” says Gene Fredriksen, chief information security strategist for PCSU. However, there are several steps you can take to anger attackers without actively targeting them in response. The idea is to get the bad guy to think twice, he explains, and let them know you’re serious.
Read about some of the most effective ways to frustrate, deceive, and annoy attackers without risking legal consequences, on DarkReading.
Thousands of hot tubs can be hacked and controlled remotely because of a hole in their online security, the BBC show Click has revealed. Researchers showed the TV programme how an attacker could make the tubs hotter or colder, or control the pumps and lights via a laptop or smartphone.
Vulnerable tubs are designed to let their owners control them with an app. But third-party wi-fi databases mean hackers can home in on specific tubs by using their GPS location data. Balboa Water Group (BWG), which runs the affected system, said the problem would be fixed by the end of February. Pen Test Partners – the UK security company that carried out the research – warned that hot tubs were not the only household items at risk.
Read more about this new example of poor IoT security on BBC.
Researchers playing with Twinkly IoT lights found security weaknesses that allowed them to display custom lighting effects and to remotely turn off their Christmas brilliance. They estimate that about 20,000 devices are reachable over the internet.
The LEDs in Twinkly lights can be controlled individually. Exploiting inherent security weaknesses related to authentication and the communication of commands, the researchers were able to use the curtain of lights to play Snake, the game made so popular by Nokia phones in the late 1990s.
Read more about the research, which provides a playful yet significant example of the problems with IoT security, on BleepingComputer.
The targets include Elena Khusyaynova, the primary accountant for the Project Lakhta influence campaign that included the Internet Research Agency. The sanctions also target associated entities like the Federal News Agency.
Read more about the US Treasury sanctions against Russians on Engadget.