Pete Recommends – Weekly highlights on cyber security issues, August 21, 2021

Subject: Bugs in Managed DNS Services Cloud Let Attackers Spy On DNS Traffic (The Hacker News)
Source: The Hacker News via The RISKS Digest – geoff goodfellow
https://catless.ncl.ac.uk/Risks/32/82/#subj10.1

Cybersecurity researchers have disclosed a new class of vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to exfiltrate sensitive information from corporate networks. “We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google,” researchers Shir Tamari and Ami Luttwak from infrastructure security firm Wiz said <https://www.wiz.io/blog/black-hat-2021-dns-loophole-makes-nation-state-level-spying-as-easy-as-registering-a-domain>. Calling it a “bottomless well of valuable intel,” the treasure trove of information contains internal and external IP addresses, computer names, employee names and locations, and details about organizations’ web domains. The findings were presented at the Black Hat USA 2021 security conference last week. …


Subject: How Hackers Use Power LEDs To Spy On Conversations 100 Feet Away
Source: Forbes
https://www.forbes.com/sites/daveywinder/2021/08/15/hackers-use-flickering-power-leds-to-spy-on-conversations-100-feet-away/

If you thought hackers being able to make use of any ordinary light bulb to spy on your conversations from 80 feet away was ingenious, wait until you see what they have come up with now.

Hackers exploit new passive attack method to eavesdrop from a distance

Security researchers from the cyber unit at the Ben-Gurion University of the Negev in Israel have a good track record of leftfield thinking regarding eavesdropping on your conversations. Forget breaching your privacy by compromising passwords to access your networks, or the use of vulnerabilities in your software or operating system. And if you thought that physical access to your smart speakers, or most any speaker, was required to listen in to the audio being transmitted, you’d be wrong there as well.

A new twist on an old spying technique

As first reported by Ars Technica, these hackers have developed a new twist on the old military technique, known by the National Security Agency codename of TEMPEST, of spying through the use of leaking emanations. Of these, the ability to eavesdrop by way of a laser microphone beamed onto a window as used during the Cold War era is perhaps the most well-reported.

This has the drawback of being an active attack, with that laser beam having to illuminate the surface and so being open to easy detection. The newly reported surveillance methodology, however, is passive in nature.

How does a Glowworm spy attack work?


Subject: For smartphone makers, security is a matter of economics
Source: GCN
https://gcn.com/articles/2021/08/16/smartphone-security.aspx

The Pegasus Project, a recent reporting effort to go behind the scenes of NSO Group’s infamous mobile spyware, has opened many people’s eyes to the potential for smartphones to be compromised and weaponized against their users. Reports have confirmed that individuals within government, from heads of state to diplomats, are particularly vulnerable to this threat given the value they represent to spies. In the wake of the Pegasus Project, much of the attention has turned to Apple, whose sterling security reputation is seemingly at odds with the ability of Pegasus operators to remotely and surreptitiously take total control of a targeted individual’s iPhone — in many cases without any interaction required from the victim.

To understand why smartphone makers provide adequate security for the majority of users but struggle to contain the latest and greatest threats facing government users and other high-risk individuals at the hands of nation-state actors and cyber-arms dealers like NSO Group, it’s important to realize that smartphones are primarily commercial products. With any commercial device, manufacturers weigh security decisions against factors like usability, user preferences, implementation costs and reputational risk. In other words, security is viewed through an economic lens.

Filed https://gcn.com/portals/cybersecurity.aspx


Subject: How hackers can use message mirroring apps to see all your SMS texts — and bypass 2FA security
Source: GCN
https://gcn.com/articles/2021/08/16/two-factor-authentication-bypass-hacks.aspx

It’s now well known that usernames and passwords aren’t enough to securely access online services. A recent study highlighted more than 80% of all hacking-related breaches happen due to compromised and weak credentials, with three billion username/password combinations stolen in 2016 alone.

As such, the implementation of two-factor authentication (2FA) has become a necessity. Generally, 2FA aims to provide an additional layer of security to the relatively vulnerable username/password system.

It works too. Figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks. But as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone.

In addition to these existing vulnerabilities, our team has found additional vulnerabilities in SMS-based 2FA. One particular attack exploits a feature provided on the Google Play Store to automatically install apps from the web to your Android device.

We also recommend you limit the use of SMS as a 2FA method if you can. You can instead use app-based one-time codes, such as through Google Authenticator. In this case the code is generated within the Google Authenticator app on your device itself, rather than being sent to you.


Subject: Which Social Media Platforms Are Banning the Taliban?
Source: Gizmodo
https://gizmodo.com/the-taliban-is-silicon-valleys-new-big-problem-1847496718

Social media platforms are about as disorganized as the Pentagon when it comes to deciding what to do about Afghanistan’s new government.

The Taliban have swept through Afghanistan, re-taking the country from the feeble local government that America’s military has propped up for the better part of two decades.

As tumult has engulfed the nation, U.S. social media companies have rushed to respond to the situation. However, not all of them have established clear, transparent rules about how they will treat content and accounts related to the radical Islamist group—who now serve as the de facto political rulers of the country.

Filed https://gizmodo.com/tech/privacy-and-security


Subject: Microsoft unwraps top secret cloud
Source: GCN
https://gcn.com/articles/2021/08/17/microsoft-top-secret-cloud.aspx

Microsoft announced its top secret, air-gapped Azure Government cloud has received authorization to operate and is “generally available” for national security workloads.

Azure Government Top Secret offers multiple geographically separate regions, providing “multiple options for data residency,” and is launching with more than 60 services with more set to come online, Tom Keane, Microsoft’s corporate vice president for Azure Global, wrote in an Aug. 16 blog post.

Among the initial Azure Government Top Secret services are Azure Data Lake, Azure Cosmos DB, Azure HDInsight, Azure Cognitive Services and advanced analytics functions designed to “help human analysts more rapidly extract intelligence, identify trends and anomalies, broaden perspectives, and find new insights,” while also supporting interoperability with other cloud services, Keane said.

Azure Government Top Secret’s new services – Azure Kubernetes Service, Azure Functions, and Azure App Service – allow users working with highly sensitive data to take advantage of containerized applications, serverless workloads and web apps supported by built-in infrastructure maintenance and security patching.

[so no BYOD? /pmw1]

Microsoft was working toward a top secret classification as a key deliverable on the now-defunct $10 billion Joint Enterprise Defense Infrastructure contract with the Department of Defense. The JEDI solicitation stipulated that the winner be able to field secret and top secret cloud capacity within a specified time frame. While JEDI was cancelled, Microsoft is set to be one of the key vendors in its replacement contract vehicle, which has yet to be named or announced.

[how / where do they get system updates? pmw1]


Subject: How to protect digital citizen identities through identity management
Source: GCN
https://gcn.com/articles/2021/08/18/citizen-identity-management.aspx

Securing digital citizen identities continues to be a top concern for the federal and state governments. Over the past year and a half, the COVID-19 pandemic reinforced the importance and need for secure authentication and credentials in a number of ways. Primarily, the pandemic necessitated a proliferation of digital identities, as citizens required increased access to online government services. Unfortunately, this growth also highlighted a lack of identity security, as seen with fraudulent unemployment insurance claims filed using stolen identities. With this spotlight on securing citizen identity while also maintaining citizen data privacy, federal and state governments must implement government-to-citizen identity and access management (IAM) solutions that not only provide security but also improve the user (i.e. citizen) experience while protecting their data.

What makes securing citizen identity unique 

Governments are now expected to offer citizens the same level of secure and seamless access as they experience in the consumer and corporate worlds. However, there are differences between workforce identity (i.e. identity for employees) and citizen identity — the latter is significantly more complex.

With workforce identity, employees are given a single identity to access applications, referred to as a single sign-on (SSO) solution. When it comes to citizen identity, users often create multiple different identities to access different services offered by the same government. For example, a citizen might have one login for renewing a vehicle registration and another for obtaining a state fishing license.


Subject: Census servers hacked in 2020
Source: FCW
https://fcw.com/articles/2021/08/18/census-hack-cyber-response.aspx

Hackers targeted remote servers at the Census Bureau in January 2020, taking advantage of a publicly available and known exploit to gain access to government systems and create user accounts, according to a watchdog report released this week.

The Inspector General at the Department of Commerce reported that hackers were in the Census system for more than two weeks before being detected, in part because an automated cybersecurity tool was not configured to deliver alerts to incident responders. The attackers were blocked from communicating from the Census servers to their own system due to the bureau’s firewalls. However, the bureau’s server logs may have delivered inaccurate information to security operations personnel that may have delayed a timely response, according to the report.

There were additional delays in communicating with the Cybersecurity and Infrastructure Security Agency, which is the lead agency for federal civilian government networks.

Other CyberSecurity articles: https://fcw.com/portals/security.aspx


Subject: 10 Ways to Protect Your Personal Information
Source: Social Security Matters blog
https://blog.ssa.gov/10-ways-to-protect-your-personal-information/

Fraudsters don’t go on vacation—so it’s necessary for you and your loved ones to stay vigilant year round. Identity theft affects millions of people each year and can cause serious financial and identity-related issues. Protect yourself by securing your personal information, understanding the threat of identity theft, and exercising caution. We have a list of 10 things you can start doing now to protect yourself and your loved ones….

Filed https://blog.ssa.gov/category/fraud-2/


Subject: Dozens of STARTTLS Related Flaws Found Affecting Popular Email Clients (The Hacker News)
Source: The RISKS Digest – geoff goodfellow
https://catless.ncl.ac.uk/Risks/32/83/#subj7.1

Security researchers have disclosed as many as 40 different vulnerabilities associated with an opportunistic encryption mechanism in mail clients and servers that could open the door to targeted man-in-the-middle (MitM) attacks, permitting an intruder to forge mailbox content and steal credentials. The now-patched flaws, identified in various STARTTLS implementations, were *detailed* <https://www.usenix.org/conference/usenixsecurity21/presentation/poddebniak> by a group of researchers Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian Schinzel at the 30th USENIX Security Symposium. In an Internet-wide scan conducted during the study, 320,000 email servers were found vulnerable to what’s called a command injection attack.

Some of the popular clients affected by the bugs include Apple Mail, Gmail, Mozilla Thunderbird, Claws Mail, Mutt, Evolution, Exim, Mail.ru, Samsung Email, Yandex, and KMail. The attacks require that the malicious party can tamper with connections established between an email client and the email server of a provider and has login credentials for their own account on the same server. STARTTLS refers to a form of *opportunistic TLS* <https://en.wikipedia.org/wiki/Opportunistic_TLS> that enables email communication protocols such as SMTP, POP3, and IMAP to be transitioned or upgraded from a plain text connection to an encrypted connection instead of having to use a separate port for encrypted communication. […] https://thehackernews.com/2021/08/dozens-of-starttls-related-flaws-found.html


Subject: Protect Yourself From Abuse: How to Find and Remove Stalkerware on Your Phone and PC
Source: PCMag via beSpacific
https://www.bespacific.com/protect-yourself-from-abuse-how-to-find-and-remove-stalkerware-on-your-phone-and-pc/

PCMag: “What if your phone calls, texts, FaceTime sessions, and GPS locations were being logged without your consent? What if they were all being sent to a tech-savvy stalker—often a former romantic partner or an abusively controlling current partner—who had gotten malware onto your phones, tablets, and PCs, effectively bugging them? That’s the unsettling job of stalkerware, a type of commercially available software designed to spy on victims without being detected. Stalkerware can operate stealthily, so you probably wouldn’t know if your devices had it installed. According to a 2020 report from cybersecurity company Kaspersky, a majority of people with stalkerware on their devices don’t even know that the type of software exists, meaning they can’t protect themselves from it. We’ll help you understand what stalkerware is, how to remove it from your devices, and how to make sure stalkers can’t install it on your devices again, once they are clean…”

Other PCMag Security articles – https://www.pcmag.com/categories/security
