Voter info for millions of Indonesians shared on hacker forum

Bleeping Computer

A threat actor has shared the 2014 voter information for close to 2 million Indonesians on a well-known hacker forum and claims they will release a total of 200 million at a later date.

In the forum post, the threat actor states that the voter records are stored in individual PDF files that they took from the KPU, the general election commission of Indonesia.

Full article

Our conclusion

What is stored on network-connected computers not only can but will be leaked at some point!

EasyJet hacked: data breach affects 9 million customers

Bleeping Computer


EasyJet, the UK’s largest airline, has disclosed that they were hacked and that the email addresses and travel information for 9 million customers were exposed. For some of these customers, credit card details were also accessed by the attackers.

In a data breach notification disclosed today, EasyJet states that they have suffered a cyberattack, and an unauthorized third-party was able to gain access to their systems.

During this attack, the threat actors were able to access the email addresses and travel information for nine million customers. For approximately 2,208 customers, credit card details were also exposed.

Full article

Israel Cyber Attack on Iran Port and Texas Transport Ransomware Attack

Cybersecurity Insiders

On May 9th of this year, computer systems at Iran’s Port of Shahid Rajaee were cyber-attacked, disrupting the operations of the port for hours, blocking vessels and creating a traffic jam on the way to the port as thousands of goods-delivery trucks were stranded in confusion.

At that time, the Foreign Ministry of Iran said that the digital invasion was caused by a hacking group funded by a foreign nation, but did not name the country in specific.

Now, after 10 days, a statement released by Mohammad Rastad, Managing Director of the Ports and Maritime Organizations, says that Israel could have launched the attack in retaliation for Iran’s cyberattack on the water distribution and utilities of Israel on April 24th, 2020.

Meanwhile, the Texas Department of Transportation (TxDOT) has stated that a ransomware cyberattack partially disrupted its systems at the end of last week. It took place just a week after the Texas State Judiciary system suffered a file-encrypting malware attack.

Full article

Over 4000 Android Apps Expose Users’ Data via Misconfigured Firebase Databases

The Hacker News

More than 4,000 Android apps that use Google’s cloud-hosted Firebase databases are ‘unknowingly’ leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.

The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.

4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users’ personal information, access tokens, and other data without a password or any other authentication, Comparitech said.
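The Firebase finding above comes down to database rules that grant read or write access without any authentication. As an added example (not code from Comparitech, Security Discovery, or any of the apps studied), the Python below embeds two constructed Firebase Realtime Database rule sets, one wide open and one requiring the signed-in user to own the path, and lints them for any `.read` or `.write` permission set to the literal `true`. The rule syntax is Firebase's; the rule sets and the linter are assumptions for illustration, and the linter only flags literal `true`, not weak expressions.

```python
import json

# Constructed rule set: the misconfiguration class the article describes.
# A literal true at the root cascades down, so every path is readable and
# writable by anyone who knows the database URL, with no authentication.
OPEN_RULES = json.dumps({
    "rules": {
        ".read": True,
        ".write": True
    }
})

# Constructed hardened rule set: each user may only read and write their
# own subtree, and unauthenticated requests match no rule at all, which
# Firebase treats as deny.
HARDENED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid"
            }
        }
    }
})


def find_open_paths(rules_json):
    """Return (path, permission) pairs whose rule is the literal true.

    Rules cascade downward in the Realtime Database, so a true found at
    any node exposes that node's whole subtree. The check is deliberately
    narrow: it catches the unauthenticated case, not every weak rule.
    """
    tree = json.loads(rules_json)["rules"]
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                # Rules may be written as a JSON boolean or as the string "true".
                if value is True or (isinstance(value, str) and value.strip() == "true"):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(tree, "")
    return findings


if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(label, find_open_paths(rules))
```

A rule like `"auth != null"` on its own passes this linter but still admits every signed-in user, including anonymous sign-ins if that provider is enabled; scoping the rule to the owning `$uid`, as in the hardened set, is what keeps one user's records from another.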

Full article

Fake crypto-wallet extensions appear in Chrome Web Store once again, siphoning off victims’ passwords

The Register

Three weeks after Google removed 49 Chrome extensions from its browser’s software store for stealing crypto-wallet credentials, 11 more password-swiping add-ons have been spotted – and some are still available to download.

The dodgy add-ons masquerade as legit crypto-wallet extensions, and invite people to type in their credentials to access their digital money, but are totally unofficial, and designed to siphon off those login details to crooks.

Harry Denley, director of security at MyCrypto, who identified the previous lot of bad extensions, told The Register at least eight among the latest crop of 11 impostors, pretending to be crypto-wallet software KeyKeep, Jaxx, Ledger, and MetaMask, have been taken down.

Denley provided The Register with a list of extension identifiers, previously reported to Google, and we were able to find some still available in the Chrome Web Store at time of writing.

Full article

Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability

The Hacker News

Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the SaltStack configuration framework, a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert.

Tracked as CVE-2020-11651 and CVE-2020-11652, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The issues were fixed by SaltStack in a release published on April 29th.

“We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours,” F-Secure researchers had previously warned in an advisory last week.

Full article

GitHub Takes Aim at Open Source Software Vulnerabilities

WIRED


Open source software has the potential to be very secure. Unlike proprietary code that can only be accessed directly by its own developers, anyone can vet open source projects to spot flaws and bugs. In practice, though, being open source is no panacea. Now, code repository GitHub is rolling out new tools for its GitHub Advanced Security suite that will make it easier to root out vulnerabilities in the open source projects managed on its platform.

Open source code presents a few security challenges. In practice there aren’t always enough people with the right expertise looking at it. And open source projects are generally ad hoc; they don’t necessarily have a clear process in place for people to submit vulnerabilities, or the resources available for someone to patch them. Even if you surmount those hurdles, you may not know who’s actually using your open source code and needs a patch.

“A lot of what we talk about is there’s a vulnerability, what’s the workflow for that vulnerability, now it gets addressed,” says Jamie Cool, vice president of product for security for Microsoft-owned GitHub. “But the nirvana is you don’t introduce the vulnerability to begin with. You stop it from ever showing up. It really seems like this is a problem we should be able to help developers not introduce again and again, but by and large we haven’t succeeded at that as a software industry yet.”

In September, GitHub acquired the code scanning tool Semmle as part of a plan to help the GitHub community catch common security flaws automatically. Advanced Security includes this service, calling out which line of code contains a potential vulnerability, why it might be exploitable, and how to fix it. In addition to this automatic scanning, Semmle’s technology can also be used manually by security researchers. GitHub’s goal is to use Advanced Security as both a warning system for developers and a built-in framework for bug hunters to find and report additional issues.

GitHub Advanced Security also includes tools that scan user repositories, essentially the folder where they store their development projects, for secret data like passwords and private keys that shouldn’t be exposed and accessible. GitHub works with a number of partners, including Amazon Web Services and Alibaba, to understand the characteristics of their authentication tokens and spot them automatically. The feature has already been available to public repositories for a couple of years, but today GitHub is also adding support to scan private repositories as well. GitHub says that eight percent of active public repositories had a secret exposed in them during the last month alone.
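The secret-scanning feature described above works by recognising the characteristic shape of each partner's tokens. As an added example, not GitHub's scanner nor any partner's patterns, the Python below runs three well-known token shapes (the AWS access key ID prefix, the GitHub personal access token prefix, and PEM private-key headers) over a few constructed lines and reports each hit with the secret redacted. The regexes and the sample lines are assumptions for illustration; the AWS key is the placeholder AWS uses in its own documentation and the GitHub token is a fabricated value of the right length.

```python
import re

# Constructed sample lines standing in for files in a repository. None of
# the values is a live credential: the AWS key is AWS's documentation
# placeholder and the GitHub token is fabricated to match the expected shape.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
    'db_password = os.environ["DB_PASSWORD"]',   # read from the environment: fine
    '-----BEGIN RSA PRIVATE KEY-----',
    'MIIEowIBAAKCAQEAu1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gun',
    'token = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"',
]

# (finding name, compiled pattern, whether the match itself must be redacted).
# A PEM header is not secret, so it is reported as-is; key material is not.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), True),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"), False),
]


def redact(value):
    """Keep a short prefix so the owner can identify which key leaked, hide the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines):
    """Return (line number, finding name, displayed value) for every match.

    The displayed value is redacted for token patterns so the report itself
    does not become a second copy of the secret.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern, should_redact in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(0)
                findings.append((lineno, name, redact(value) if should_redact else value))
    return findings


if __name__ == "__main__":
    for lineno, name, shown in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: {name}: {shown}")
```

Pattern matching of this kind finds tokens with a fixed prefix and length; passwords and free-form API keys have no such shape, which is why a scanner that only knows prefixes will miss them and why a finding like this should trigger rotation of the key rather than just deletion from the repository's history.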

Full article

India’s Covid-19 Contact Tracing App Could Leak Patient Locations

WIRED


As countries around the world rush to build smartphone apps that can help track the spread of Covid-19, privacy advocates have cautioned that those systems could, if implemented badly, result in a dangerous mix of health data and digital surveillance. India’s new contact-tracing app may serve as a lesson in those privacy pitfalls: Security researchers say it could reveal the location of Covid-19 patients not only to government authorities, but to any hacker clever enough to exploit its flaws.

Independent security researcher Baptiste Robert published a blog post today sounding that warning about India’s Health Bridge app, or Aarogya Setu, created by the government’s National Informatics Centre. Robert found that one feature of the app, designed to let users check if there are infected people nearby, instead allows users to spoof their GPS location and learn how many people reported themselves as infected within any 500-meter radius. In areas that have relatively sparse reports of infections, Robert says hackers could even use a so-called triangulation attack to confirm the diagnosis of someone they suspect to be positive.

“The developers of this app didn’t think that someone malicious would be able to intercept its requests and modify them to get information on a specific area,” says Robert, a French researcher known in part for finding security vulnerabilities in the Indian national ID system known as Aadhaar. “With triangulation, you can very closely see who is sick and who is not sick. They honestly didn’t consider this use of the app.”

Security researchers like Robert have focused their attention on Aarogya Setu in part due to its sheer scale. The Indian government has declared the contact-tracing app mandatory for many workers and it’s already been downloaded more than 90 million times according to government officials.

Full article

Massive campaign targets 900,000 WordPress sites in a week

Bleeping Computer

Hackers have launched a massive attack against more than 900,000 WordPress sites seeking to redirect visitors to malvertising sites or plant a backdoor if an administrator is logged in.

Based on the payload, the attacks seem to be the work of a single threat actor, who used at least 24,000 IP addresses over the past month to send malicious requests to more than 900,000 sites.

XSS, malvertising, backdoor

Compromise attempts increased after April 28. WordPress security company Defiant, makers of the Wordfence security plugin, detected on May 3 over 20 million attacks against more than half a million websites.

Ram Gall, senior QA at Defiant, said that the attackers focused mostly on exploiting cross-site scripting (XSS) vulnerabilities in plugins that received a fix months or years ago and had been targeted in other attacks.

Redirecting visitors to malvertising is one effect of a successful compromise. If the JavaScript is executed by the browser of an administrator that is logged in, the code tries to inject a PHP backdoor in the theme’s header file along with another JavaScript.

The backdoor then gets another payload and stores it in the theme’s header in an attempt to execute it. “This method would allow the attacker to maintain control of the site,” Gall explains.

This way, the attacker could switch to a different payload, which could be a webshell, code that creates a malicious admin, or code that deletes the entire content of the site. In the report today, Defiant included indicators of compromise for the final payload.

Full article

UK finds itself almost alone with centralized virus contact-tracing app that probably won’t work well, asks for your location, may be illegal

The Register

Britain is sleepwalking into another coronavirus disaster by failing to listen to global consensus and expert analysis with the release of the NHS COVID-19 contact-tracking app.

On Monday, the UK government explained in depth and in clearly written language how its iOS and Android smartphone application – undergoing trials in the Isle of Wight – will work, and why it is a better solution than the one by Apple and Google that other nations have decided to adopt. It has also released a more technical explanation.

Unfortunately for folks in the UK, while the explanation is coherent, calm, well-reasoned and plausible, it is likely to be a repeat of the disastrous “herd immunity” policy that the government initially backed as a way to explain why it didn’t need to go into a national lockdown. That policy was also well-reasoned and well-explained by a small number of very competent doctors and scientists who just happened to be completely wrong.

Here’s what’s happening: there are broadly two types of coronavirus contact-tracing apps: those that are centralized and those that are decentralized. The first takes data from people’s phones and saves it on a central system where experts are trusted to make the best possible use of the data, including providing advice to people as and when necessary.

Full article