Naked Security

GitHub ‘encourages’ hacking, says lawsuit following Capital One breach

GitHub has been named in a class action lawsuit because the hacker who allegedly stole data from more than 100 million Capital One users posted details about the theft onto the platform.

GitHub is a code hosting platform for software development version control that uses Git and which lets coders remotely collaborate on projects. Microsoft bought the open-source developers’ site for $7.5 billion in stock in 2018.

The lawsuit, filed in US district court for the Northern District of California, names Capital One as well.

The suit says that GitHub had an obligation under California law and industry standards to keep off or remove Social Security numbers (SSNs) and personal information from its site. It says that it should be easy to do, given that SSNs are all nine digits long, in the sequence of XXX-XX-XXXX, but that GitHub “nonetheless chose not to.” Ditto for the other sensitive information that was leaked and posted, such as individuals’ addresses, which are all “similarly readily identifiable.”
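The complaint's argument rests on the XXX-XX-XXXX shape being easy to match. As an added illustration (not code from GitHub, Capital One or the lawsuit), the scanner below does what a pre-commit or repository hook for this would actually have to do: match the shape, then discard matches that cannot be issued SSNs, because plenty of part numbers and ticket ids share the 3-2-4 digit layout. The structural filter uses the Social Security Administration's published rules (area 000, 666 and 900 to 999 are never issued, nor are group 00 or serial 0000); the sample lines are constructed, and the scanner deliberately returns only redacted findings.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Matches the XXX-XX-XXXX shape the complaint describes. Word boundaries keep
# the regex from firing inside longer digit runs such as part numbers.
SSN_SHAPE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural filter from the SSA's allocation rules: area 000, 666 and
    900-999 are never issued, nor are group 00 or serial 0000. This removes
    the most common false positives from other 3-2-4 codes."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


@dataclass
class Finding:
    line_no: int
    redacted: str  # the full value never leaves the scanner


def redact(area: str, group: str, serial: str) -> str:
    # Keep the last four digits only, which is enough to triage a hit.
    return f"***-**-{serial}"


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one redacted Finding per plausible SSN, with its line number."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in SSN_SHAPE.finditer(line):
            area, group, serial = m.groups()
            if is_plausible_ssn(area, group, serial):
                findings.append(Finding(n, redact(area, group, serial)))
    return findings


# Constructed sample: the kind of mixed file a commit hook might see.
SAMPLE = [
    "name,ssn,notes",
    "A. Example,123-45-6789,constructed test record",
    "part no 000-12-3456 is a SKU, not an SSN",   # area 000: filtered out
    "order 987-65-4321 placed",                    # area >= 900: filtered out
    "ticket 555-00-1234",                          # group 00: filtered out
    "B. Example,219-09-9999,constructed test record",
    "phone 555-1234 and zip 94105-1234",           # wrong shape: no match
]


def scan_sample() -> List[Finding]:
    return scan_lines(SAMPLE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.redacted}")
```

Run as a file it reports two hits (lines 2 and 6) and stays silent on the three decoys, which is the point: shape alone is cheap to match, but a usable control also needs the filter and a redacted report, otherwise the scanner itself becomes another place the numbers are copied to.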

The information was available on GitHub for over three months, until a bug hunter spotted it and notified Capital One.

The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act. It also alleges that GitHub is guilty of negligence, negligence per se, and violation of the California civil code.

Full article

Naked Security

Five Eyes nations demand access to encrypted messaging

An alliance of national intelligence partners known as the Five Eyes – Australia, Canada, New Zealand, the UK and the US – is demanding encryption backdoors in apps such as Facebook’s WhatsApp.

As reported by the Telegraph on Wednesday, the UK’s new Home Secretary, Priti Patel, accused Facebook of helping out child abusers, drug traffickers and terrorists plotting attacks with its plans to help them hide messages behind the end-to-end encryption it plans to spread across all of its messaging services.

Full article

Our comment

Saying that Facebook, by offering encryption in their apps, is helping criminals is just stupid. We say “up yours, Priti Patel”!

When can we expect Mrs Patel to accuse manufacturers of security doors of helping perverse people and terrorists to commit crimes in apartments by making it more difficult for the police to enter the apartment?

Again – “up yours, Priti Patel”!

Naked Security

Hackers target Telegram accounts through voicemail backdoor

As politicians should know by now, secure messaging apps such as Telegram can quickly become a double-edged sword.

On the one hand, a growing number of governments are so worried about its security capabilities that they try to ban the app. On the other, politicians who use the app themselves on the assumption of privacy can find their conversations exposed in the media.

The Brazilian Government’s Justice Minister Sergio Moro announced on 5 June 2019 that his smartphone had been hacked, four days before the politically compromising contents of his Telegram chats with a senior prosecutor started turning up as source material for articles in the media.

Since then, it has emerged that other Brazilian politicians, including President Jair Bolsonaro and Economy Minister Paulo Guedes, were also among a total of 1,000 other Telegram accounts targeted, which led to the arrest on 23 July 2019 of four suspects accused of being behind the attacks.

Full article

Naked Security

NAS targeted by brute force ransomware attacks

Network Attached Storage (NAS) company Synology has issued an urgent warning for owners to check their box’s security settings after it emerged cybercriminals are targeting numerous NAS vendors with a new wave of ransomware.

At first it was thought that recent attacks could be exploiting an unknown software vulnerability in Synology’s products, but according to the company it has since been established that the attackers’ method is a much simpler but still effective brute-forcing of admin credentials.

We believe this is an organised attack. After an intensive investigation into this matter, we found that the attacker used botnet addresses to hide the real source IP.

Synology’s Manager of Security Incident Response Team, Ken Lee

Spotted on 19 July 2019, the campaign involves trying lots of commonly used passwords on internet-connected NAS boxes. The attackers hope that eventually they’ll hit on a password that allows them the access necessary to encrypt the data on it.
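Ken Lee's remark about botnet addresses describes a detection gap, not just an attribution problem: a lockout that counts failures per source IP never trips when each bot makes only a couple of attempts. The following added example (constructed for this digest, not Synology's code, and not any vendor's real log format) parses a syslog-like login log and aggregates failures by target account instead, alerting when one account collects many failures from many distinct sources inside a time window. The sample log is constructed; the `auth: FAILED login user=... from=...` line shape and the thresholds are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Set

# Constructed, syslog-like line shape used only for this example. It is not
# the log format of any particular NAS product; point the regex at the real one.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"auth: (?P<result>FAILED|OK) login user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


class Failure(NamedTuple):
    ts: datetime
    user: str
    ip: str


def parse_failures(lines: Iterable[str]) -> List[Failure]:
    """Keep only failed logins; successes do not count towards brute forcing."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAILED":
            out.append(Failure(datetime.fromisoformat(m.group("ts")),
                               m.group("user"), m.group("ip")))
    return out


def per_ip_lockout_hits(failures: List[Failure], threshold: int = 5) -> Set[str]:
    """What a per-source-IP lockout sees: the IPs with >= threshold failures."""
    counts = Counter(f.ip for f in failures)
    return {ip for ip, n in counts.items() if n >= threshold}


def detect_distributed_bruteforce(failures: List[Failure],
                                  window: timedelta = timedelta(minutes=10),
                                  min_failures: int = 8,
                                  min_sources: int = 4) -> Dict[str, Dict[str, int]]:
    """Aggregate by target account rather than by source. Slide a time window
    over each account's failures and alert when one window holds at least
    min_failures from at least min_sources distinct IPs; report the busiest window."""
    by_user = defaultdict(list)
    for f in failures:
        by_user[f.user].append(f)
    alerts: Dict[str, Dict[str, int]] = {}
    for user, events in by_user.items():
        events.sort(key=lambda f: f.ts)
        start, best = 0, None
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            sources = {f.ip for f in span}
            if len(span) >= min_failures and len(sources) >= min_sources:
                if best is None or len(span) > best["failures"]:
                    best = {"failures": len(span), "sources": len(sources)}
        if best:
            alerts[user] = best
    return alerts


def constructed_sample() -> List[str]:
    """Constructed log: six bot addresses try 'admin' twice each within six
    minutes (12 failures, none per IP reaching a 5-strike lockout), plus a
    real user who mistypes twice from one address and then logs in."""
    base = datetime(2019, 7, 19, 3, 0, 0)
    bots = [f"198.51.100.{n}" for n in range(11, 17)]
    lines = []
    for i in range(12):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} auth: FAILED login user=admin from={bots[i % 6]}")
    t = base + timedelta(minutes=2)
    lines.append(f"{t.isoformat()} auth: FAILED login user=alice from=192.0.2.10")
    lines.append(f"{(t + timedelta(seconds=20)).isoformat()} auth: FAILED login user=alice from=192.0.2.10")
    lines.append(f"{(t + timedelta(seconds=40)).isoformat()} auth: OK login user=alice from=192.0.2.10")
    return lines


if __name__ == "__main__":
    failures = parse_failures(constructed_sample())
    print("per-IP lockout would block:", per_ip_lockout_hits(failures) or "nothing")
    print("per-account alerts:", detect_distributed_bruteforce(failures))
```

On the constructed log the per-IP view blocks nothing, while the per-account view flags `admin` with 12 failures from 6 sources; `alice` stays below both thresholds. The thresholds are starting points to tune against a device's real traffic, and the alert is the cue for the mitigation Synology's warning actually asks for: a strong admin password, no default admin account exposed to the internet, and a lockout policy that looks at the account as well as the source.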

Full article

Naked Security

Facebook admits to Messenger Kids security hole

Facebook was red-faced this week after admitting to a loophole in its child-focused Messenger Kids system.

The company was found apologizing to parents via email after a hole in the supposed closed-loop messaging system allowed children to join group chats with people their parents hadn’t approved.

Full article

Naked Security

Big password hole in iOS 13 beta spotted by testers

A security clanger has been spotted in the current beta version of iOS 13 which allows anyone to access a user’s stored web and app passwords without having to authenticate.

Affecting iOS 13 public beta 2, developer beta 3, and iPadOS 13 betas, the issue appears to have surfaced first on Reddit, complete with a brief demo video later expanded with commentary on YouTube channel iDeviceHelp.

The issue can be reproduced by repeatedly tapping on the Website & App Passwords menu (Settings > Password & Accounts), which stores credentials used by the web autofill function.

Full article

Naked Security

Hacked Bulgarian database reaches online forums

Data on millions of people stolen from the Bulgarian government has already popped up on hacker trading forums.

A hacker originally stole the data from the National Revenue Agency (NRA), which is part of Bulgaria’s Ministry of Finance, sending media outlets a link to the downloadable copy last Monday, 15 July 2019. The NRA confirmed this in a statement on its website.

Full article