Subject: Researchers Devise Wi-Peep Drone That Can ‘See Through Walls’
Using a $20 off-the-shelf drone, researchers at the University of Waterloo in Ontario have created what is effectively an airborne scanning device that can triangulate the location of every WiFi-connected device in your house. Yikes. Researchers Ali Abedi and Deepak Vasisht, who recently presented their findings at the 28th Annual International Conference on Mobile Computing and Networking, call this contraption “Wi-Peep,” which is a deceptively cute name for a project with such horrifying implications. Wi-Peep engages in what researchers call a “location-revealing privacy attack” that can manipulate the data in WiFi networks and use it to “see through walls,” or, rather, approximate the location of devices via sneaky scanning.
Source: Help Net Security
Another week in-review abstracts…
Source: The Hill
Former top cybersecurity official Chris Krebs on Sunday said the paid subscription plan for a verification mark on Twitter will “create a very chaotic environment” because it would open the information space to foreign actors, election deniers and other potentially malign influencers. Krebs told moderator Margaret Brennan on CBS’s “Face the Nation” that being able to buy the “blue tick” for $8 a month goes against a long-standing policy of verifying authentic accounts.
“To have such a dramatic shift in that marker of trust [and] now you can buy it,” Krebs said. “It opens the information space to a broader community of influencers, clout chasers, election denialists and [foreign actors]. We’ve seen reports lately that Russia, China and Iran are back at their old tricks, and it is going to create a very chaotic environment.”
Twitter’s new owner, Elon Musk, launched the updated subscription service on Saturday, charging $7.99 for a verification mark as well as other features and benefits for Twitter Blue members, including seeing fewer advertisements.
There are also concerns about legitimate users who are unwilling to pay for the service who could be forced to compete against fake accounts impersonating them.
Uber’s former chief security officer (CSO), Joe Sullivan, was found guilty on Oct. 5 of obstruction of justice (18 U.S.C. § 1505) and misprision of a felony (18 U.S.C. § 4) based on what the Justice Department called his “attempted cover-up of a 2016 hack of Uber.”
In 2016, while the Federal Trade Commission (FTC) was investigating Uber for an earlier incident, Sullivan learned of another hacking incident that affected the Uber accounts of more than 57 million riders and drivers. In its prosecution of Sullivan, the government alleged that, rather than disclose the incident to the FTC, Uber’s former CSO took steps to hide it from the government, as well as from many of his colleagues at Uber. Most notably, in his alleged attempt to cover up the incident, Sullivan also arranged a $100,000 payment to the hackers through Uber’s “bug bounty” program in exchange for their signatures on a nondisclosure agreement (NDA) promising not to reveal the incident and falsely stating that they did not exfiltrate sensitive customer information.
This case—which marks the first time a company executive faced criminal prosecution over their response to a data incident—is troubling. Most notably, it blurs the line between “covering up” a data incident and merely declining to report it.
… Filed: https://www.lawfareblog.com/tagged/cyber-technology
Social engineering is the very common practice of exploiting a human element to initiate and/or execute a cyberattack.
Human weakness and ignorance present such easy targets that fully 82% of the attacks in Verizon’s 2022 Data Breach Investigations Report were perpetrated, at least in part, via some form of social engineering.
In this article, we look at the forms of social engineering that are frequently used and best practices for limiting its effectiveness within the enterprise.
Source: Help Net Security
Android users are often advised to get mobile apps from Google Play, the company’s official app marketplace, to minimize the possibility of downloading malware. After all, Google analyzes apps before allowing them on the market. Unfortunately, time after time, we read about malware peddlers finding ways around that vetting process. “Distribution through droppers on official stores remains one of the most efficient ways for threat actors to reach a wide and unsuspecting audience. Although other distribution methods are also used depending on cybercriminals’ targets, resources, and motivation, droppers remain one of the best options on price-efforts-quality ratio, competing with SMiShing,” Threat Fabric researchers recently pointed out, after sharing their discovery of several apps on Google Play functioning as droppers for the Sharkbot and Vultur banking trojans.
Evasion techniques of malware droppers on Google Play – These trojanized, functional apps – usually file managers, file recovery tools, or security (2FA) authenticators – are crafted to conceal their malicious nature from Google Play Protect, antivirus solutions, researchers, and users: they provide the advertised functionality, request only a few common permissions that don’t raise suspicion, and don’t contain overtly malicious code.
An independent test suggests Apple collects data about you and your phone when its own settings promise to “disable the sharing of Device Analytics altogether.” For all of Apple’s talk about how private your iPhone is, the company vacuums up a lot of data about you. iPhones do have a privacy setting that is supposed to turn off that tracking. According to a new report by independent researchers, though, Apple collects extremely detailed information on you with its own apps even when you turn off tracking, an apparent direct contradiction of Apple’s own description of how the privacy protection works.
The iPhone Analytics setting makes an explicit promise. Turn it off, and Apple says that it will “disable the sharing of Device Analytics altogether.” However, Tommy Mysk and Talal Haj Bakry, two app developers and security researchers at the software company Mysk, took a look at the data collected by a number of Apple iPhone apps—the App Store, Apple Music, Apple TV, Books, and Stocks. They found the analytics control and other privacy settings had no obvious effect on Apple’s data collection—the tracking remained the same whether iPhone Analytics was switched on or off.
Hackers are conducting a massive black hat search engine optimization (SEO) campaign by compromising almost 15,000 websites to redirect visitors to fake Q&A discussion forums. The attacks were first spotted by Sucuri, who says that each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress.
The researchers believe the threat actors’ goal is to generate enough indexed pages to increase the fake Q&A sites’ authority and thus rank better in search engines.
Sucuri couldn’t identify how the threat actors breached the websites used for redirections. However, it likely happens by exploiting a vulnerable plugin or brute-forcing the WordPress admin password.
Hence, the recommendation is to upgrade all WordPress plugins and website CMS to the latest version and activate two-factor authentication (2FA) on admin accounts.