Newsletters

Airplane Accelerates leak: CyberNews says it found 626GB of customer data in an unsecured Elasticsearch server belonging to Airplane Accelerates, a free VPN service advertised to Chinese users. The data contained a staggering of 5.7 billion entries, including user IDs, what IP addresses users were connecting to and from, domain names, and timestamps, the news outlet reported.

Failed crypto-heist: Cryptocurrency bridge project Celer said it successfully fended off a cyber-attack after a threat actor attempted a DNS hijacking account against its frontend infrastructure.

Warning about in-app browsers: Privacy expert Felix Krause has published two write-ups over the past week warning about the dangers of using a mobile app's built-in browser as compared to standalone browsers. In a first report, Krause said he found that the Facebook and Instagram in-app browsers were tracking users on all the sites they visited, while in a second, he said he found key-logging code in TikTok's in-app browser, although he did not find any evidence that it was being actively used.

But one thing that came out of yesterday's misunderstanding is that the Twitter thread also helped surface another section in next year's NDAA, namely that the DOD can now issue funding for open-source projects and help them improve their security posture.

According to section 323 (k), the DOD will soon be able to issue grants to sponsor security audits in open-source projects, fund developers to patch certain vulnerabilities in their projects, and even fund FOSS infrastructure and code overhauls, such as "rewrites of open source software components in memory-safe programming languages." 😎

WestJet app leak: Canadian airline WestJet suffered a glitch in its mobile app that logged in users into its mobile app into different profiles, allowing them to view other people's personal details.

There has been some pushback on the sanctioning of Tornado Cash. One argument is that the specific type of sanction used — adding Tornado Cash to Treasury's Specifically Designated Nationals and Blocked Persons List — is inappropriate because a smart contract isn't a person that can be sanctioned.

A second argument — one we are more sympathetic to — is that the sanction affects innocent people. US citizens can no longer send or receive money from Tornado Cash without violating sanctions laws. Blockchain analysis company Chainalysis reports that Tornado Cash receives a lot of currency from illicit sources (almost 30% of funds received are stolen or have come from sanctioned entities), but that still leaves 70% that may be legal.

We think, however, that in this case punishing innocent people is not really a bug so much as a feature. For a mixer to be effective at obfuscating transactions it ideally has a large number of users all mixing similar amounts of cryptocurrency. By discouraging legal users, the US government is effectively shrinking that pool and also making it more likely that any Tornado Cash transaction is actually illicit. Additionally, Chainalysis’s Grauer says "cutting it off from compliant cryptocurrency businesses represents a huge blow for criminals looking to cash out".

Even if not a package repository in itself, GitHub is often used by the maintainers of various other libraries to host their code. GitHub knows this and the central role it plays in securing many open-source libraries and package repositories, many of which pull package releases straight off its platform.

Earlier this year, GitHub announced that all users who contribute code on any GitHub.com project will be required to enable one or more forms of MFA by the end of 2023.

Some developers might not be in the mood to solve MFA challenges when logging into their package accounts or when pushing some tiny code update via an API or CLI tool, but the writing is slowly starting to appear on the wall, and the writing says that MFA will soon become a de-facto login security standard for most package repositories and DevOps platforms.

Google fined in Australia: Australia's competition watchdog fined Google on Friday A$60 million (US$42.7 million) for misleading users on the collection of their personal location data through their Android devices. The Australian Competition & Consumer Commission (ACCC) said that approximately 1.3 million Google account users in Australia might have been affected.

China's early access to security bugs: DHS Under Secretary for Policy Robert Silvers said during the Black Hat cybersecurity conference in Las Vegas last week that the Chinese government appears to use its software vulnerability disclosure rules to preview dangerous zero-day flaws before tech companies can deploy fixes, Cyberscoop reported. The new rules have been a subject of controversy since they were passed last year, as they appear to allow the Chinese government to punish security researchers who don't inform government agencies of dangerous bugs even before vendors.

FTC on surveillance vendors: The FTC said last week that it was starting procedures to crack down on commercial surveillance vendors. The agency is asking for feedback from the private industry on how to address the problem of "commercial surveillance," which is a term the agency uses for large-scale data aggregators, like ad platforms, and not necessarily to spyware product vendors like NSO Group. More here.

"These new changes are fairly minor, but that is for the best," Claire Tills, senior research engineer, Tenable, told Risky Biz News this week.

"Refining the labels to have a little more utility without overcomplicating the standard allows organizations to continue using the standard without significant disruption."

"The Traffic Light Protocol is a useful standard for an industry that relies on both information sharing and discretion. Balancing transparency with defenders against keeping sensitive information away from bad actors is difficult, and the TLP acts as both a clear guide and a tool of trust for organizations sharing information. However, the TLP only works if everyone abides by the standards.

Your weekly dose of Seriously Risky Business news is written by Tom Uren, edited by Patrick Gray and supported by the Cyber Initiative at the Hewlett Foundation and founding corporate sponsor Proofpoint.

House Intelligence Committee chair Rep. Adam Schiff has vowed to tackle commercial spyware proliferation and "respond to this threat with urgency".

Last week we assessed the anti-spyware provisions added to the draft Intelligence Authorization Act (including the possibility of sanctions and an annual DNI assessment of the industry) and concluded that they were a good first step. But given increased interest in reigning in the industry, what more can be done?

Samsung Repair Mode: Samsung said last week that it developed a new security feature for its fleet of Android devices. Named "Repair Mode," the feature can be activated when users send their devices for repairs and works by locking down all personal data on the device to prevent rogue repair technicians from sifting through a user's personal information. Currently, the new Repair Mode is being trialed inside South Korea on Galaxy S21 devices; however, the feature is expected to be made available for more users internationally and to other devices.

Thousands of apps leak Twitter API keys: Cybersecurity firm CloudSEK said it identified 3,207 applications that leak Twitter API keys, exposing their users to situations where attackers can hijack their service and then their users' Twitter accounts.

DOJ investigating second court system breach: The US Department of Justice said it is investigating a security breach that impacted its court documents management system that appears to have taken place in early 2020. The incident is separate from the SolarWinds-related intrusion the DOJ disclosed last year.

Proxy service hack: The operators of the 911[.]re proxy network said they are shutting down in the aftermath of a data breach that destroyed key components of its business operation, Brian Krebs reported. The shutdown also comes days after the same Krebs published an in-depth look at the shady service earlier this month.

Russian Postal Service leak: Hackers published last week a data trove they claim to have stolen from the official Russian Postal Service. The data contains more than 10 million data points about past shipments. This includes sender and recipient names, addresses, and shipment details. In a statement to local media, Pochta denied the breach and said the hackers obtained the data from a third-party contractor. Russian delivery services have been at the center of several data leaks since Russia's invasion of Ukraine. Past leaks include Yandex Food, DeliveryClub, and CDEK.

OneTouchPoint breach: Marketing platform OneTouchPoint disclosed a security breach last week. The breach is the result of a ransomware attack that took place in April this year, and the company said that 34 healthcare organizations that used its platform had data compromised in the incident.

Newport, RI incident: The city of Newport, Rhode Island, disclosed a security breach that took place in early June 2022, when a threat actor gained access to one of its servers and accessed files with information on city employees.

Microleaves leak: Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database, Brian Krebs reported. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach showed otherwise.

Google delays cookie phase-out once more: Google said this week that it will get rid of support for third-party cookies—a way online advertisers use to track users online—in the Chrome web browser in 2024. This is the second time that Google has delayed the cookies phase-out plan after it initially planned to replace third-party cookies with its Privacy Sandbox API in 2022, only to push it back to 2023 and now to 2024.