Secjuice Squeeze Volume 15
Welcome to the 15th edition of the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly prepared for you on a weekly basis. This week's volume was compiled by Secjuice writer Bhumish Gajjar.
Samsung Admits to Data-Breach After Mysterious Messages
Last week, some Samsung smartphone owners saw a strange “1/1” push notification on their phones. The notification came from an app called Find My Mobile, a proprietary tool that allows you to connect with your device should it get lost or stolen. Turns out, this notification was the result of a Samsung data breach.
This contradicts what Samsung claimed after news of the notification was picked up by the media. The company called the errant notification the result of “an internal test” and said there would be “no effect on your device.” However, that no longer appears to be the case. The notification stemmed from a Samsung data breach that resulted in “a small number of users being able to access the details of another user.”
Source: theregister.co.uk/2020/02/24/samsung_data_breach_find_my_mobile/
Cybersecurity Alliance Launches Open-source Framework
A new language framework designed to bridge fragmentation gaps between cybersecurity tools has been released to the open-source community by the Open Cybersecurity Alliance, a consortium of cybersecurity vendors including IBM, CrowdStrike, and McAfee. OpenDXL Ontology is the "first open-source language for connecting cybersecurity tools through a common messaging framework."
OpenDXL Ontology aims to create a common language between cybersecurity tools and systems by removing the need for custom integrations between products that are most effective when they communicate with each other, such as endpoint systems and firewalls, but that currently suffer from fragmentation and vendor-specific architectures.
Researchers Punished After Reporting PayPal Vulnerabilities
According to CyberNews, ever since PayPal moved its bug bounty program to HackerOne, its entire system for supporting bug bounty hunters has become more opaque, mired in illogical delays, vague responses and suspicious behavior.
When CyberNews analysts discovered 6 vulnerabilities in PayPal – ranging from dangerous exploits that can allow anyone to bypass its two-factor authentication (2FA), to being able to send malicious code through its SmartChat system – they were met with non-stop delays, unresponsive staff, and a lack of appreciation.
Source: cybernews.com/security/we-found-6-critical-paypal-vulnerabilities-and-paypal-punished-us/
PayPal Account Unauthorized Payment Abuse
Hackers have found a bug in PayPal's Google Pay integration and are using it to buy products online and incur unauthorized charges to PayPal accounts. Users have reported seeing mysterious transactions appear in their PayPal history as originating from their Google Pay account. Victims report that hackers are abusing their Google Pay accounts to buy products using the linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US retail stores, and especially at Target stores.
Source: https://www.zdnet.com/article/paypal-accounts-are-getting-abused-en-masse-for-unauthorized-payments/
US Defense Agency: Data Breach Affected 200k People
The Defense Information Systems Agency (DISA), which handles IT and telecommunications support for the White House and U.S. military troops, has disclosed a data breach that may have affected 200,000 people between May and July 2019. According to the letter sent by the U.S. defense agency to victims, Social Security numbers and other personal information may have been compromised.
Source: securityboulevard.com/2020/02/us-defense-it-agency-says-data-breach-may-have-affected-200000-people/
Clearview AI: Facial Recognition Service Data Stolen
US-based facial recognition company Clearview AI informed its customers that its complete list of clients, which includes over 600 law enforcement agencies, was stolen in a data breach. In its notification to its clients, Clearview AI reportedly told its customers that an intruder “gained unauthorized access” to its list of customers, including the number of user accounts those customers had set up and the number of searches they had done. The company said that the vulnerability had been fixed, and that law enforcement search histories had not been revealed.
Source: medianama.com/2020/02/223-clearview-ai-data-client-list-stolen/
Malware Can Steal Google Authenticator 2FA Codes
Security researchers from Dutch mobile security firm ThreatFabric say they have spotted an Authenticator OTP-stealing capability in recent samples of Cerberus, a relatively new Android banking trojan that launched in June 2019. By abusing Accessibility privileges, the trojan can now also steal 2FA codes from the Google Authenticator application. When the Authenticator app is running, the trojan can read the content of its interface and send it to the command-and-control server.
Source: zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/