WIRED

A Likely Chinese Hacker Crew Targeted 10 Phone Carriers to Steal Metadata

WIRED

For anyone who’s worried that their phone might be hacked to track their location, who they call and when, and other metadata that describes the intimate details of their life, one cyberespionage group has provided a reminder that hackers don’t necessarily even need to reach out to your device to gain that access. It may be far easier and more efficient for sophisticated stalkers to penetrate a mobile provider, and use its data to surveil whichever customers they please.

Full article

ZDNet

NASA hacked because of unauthorized Raspberry Pi connected to its network

ZDNet

A report published this week by the NASA Office of Inspector General reveals that in April 2018 hackers breached the agency’s network and stole approximately 500 MB of data related to Mars missions.

The point of entry was a Raspberry Pi device that was connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization or going through the proper security review.

Full article

Miscellanious

Tor Browser 8.5.2

Changelog:

  • All platforms
    • Pick up fix for Mozilla’s bug 1544386
    • Update NoScript to 10.6.3
      • Bug 29904: NoScript blocks MP4 on higher security levels
      • Bug 30624+29043+29647: Prevent XSS protection from freezing the browser
The New York Times

U.S. Escalates Online Attacks on Russia’s Power Grid

The New York Times

The United States is stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin and a demonstration of how the Trump administration is using new authorities to deploy cybertools more aggressively, current and former government officials said.

Full article

WIRED

Security News This Week: Telegram Says China Is Behind DDoS

WIRED

As protests erupted in the streets of Hong Kong this week, over a proposed law that would allow criminal suspects to be extradited to mainland China, the secure messaging app Telegram was hit with a massive DDoS attack. The company tweeted on Wednesday that it was under attack. Then the app’s founder and CEO Pavel Durov followed up and suggested the culprits were Chinese state actors. He tweeted that the IP addresses for the attackers were coming from China.

Full article

WIRED

Cellebrite Says It Can Unlock Any iPhone for Cops

WIRED

Not so long ago, companies that cracked personal devices on behalf of governments did so in secret, closely guarding even the descriptions of their capabilities. Now, it seems, they proudly tweet about their updated abilities to hack into new iPhones, like a videogame firm offering an expansion pack.

On Friday afternoon, the Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it’s calling UFED Premium. In marketing that update, it says that the tool can now unlock any iOS device cops can lay their hands on, including those running iOS 12.3, released just a month ago.

Full article

ZDNet

Mysterious Iranian group is hacking into DNA sequencers

ZDnet

Web-based DNA sequencer applications are under attack from a mysterious hacker group using a still-unpatched zero-day to take control of targeted devices.

The attacks have started two days ago, on June 12, and are still going on, according to Ankit Anubhav, a security researcher with NewSky Security, who shared his findings with ZDNet.

Anubhav says the group, which operates from an Iran-based IP address, has been scanning the internet for dnaLIMS, a web-based application installed by companies and research institutes to handle DNA sequencing operations.

The researcher told ZDNet the hacker is exploiting CVE-2017-6526, a vulnerability in dnaLIMS that has not been patched to this day after the vendor was notified back in 2017.

Full article

ZDNet

Security bug would have allowed hackers access to Google’s internal network

ZDNet

A young Czech bug hunter has found a security flaw in one of Google’s backend apps. If exploited by a malicious threat actor, the bug could have allowed hackers a way to steal Google employee cookies for internal apps and hijack accounts, launch extremely convincing spear-phishing attempts, and potentially gain access to other parts of Google’s internal network.

This attack vector was discovered by security researcher Thomas Orlita in February, this year, and has been patched in mid-April, but only now made public.

Full article