Inside the Lawless New World of Electric-Scooter Hacking

If major corporations and voting infrastructure can be hacked, then it stands to reason that one could also, and much more easily, hack a $400 electric scooter. And in their rush to make dockless, app-enabled two-wheelers a way of life across every urban neighborhood worldwide — while throttling the competition — startups Bird, Lime, Scoot, Skip and Spin have caused localized backlashes while putting their tech at risk of both clever and stupid exploits.

What’s funny is that the companies tend to dismiss these vulnerabilities as insignificant. Lime’s director of government relations and strategic development, Sam Sadle, told the Dallas Observer this summer that theft and vandalism of scooters is rare because they’re so often in use. Reacting to complaints that hacking has become common, he added: “It hasn’t in any way limited our ability to operate in the markets in which we do operate.”

How to Find Out if You Were Affected by the Recent Facebook Hack [Ed: Facebook is almost certainly lying/lowballing the number and far more people got cracked]

Facebook has now confirmed that hackers stole access tokens for “only” 30 million people, not 50 million. For 15 million of those people, the hackers were able to get phone number, email address, or both. And for 14 million more people, the hackers were able to get a lot more information, like username, gender, relationship status, religious, birthday, and a ton of other information including things you’ve searched for.

Facebook Revises Data Breach Impact Downward, Provides New Details

Google Fuchsia: Here's what the NSA knows about it

A while back, Google told us Fuchsia is not Linux. There have also been endless rumors, with little hard proof, it will eventually replace Android. Other than that, we don't know much. But the National Security Agency (NSA), of all groups, has been checking into Fuchsia and revealed its findings at the recent North American Linux Security Summit in Vancouver, B.C.

Course Review: Adversarial Attacks and Hunt Teaming

At DerbyCon 8, I had the opportunity to take the “Adversarial Attacks and Hunt Teaming” presented by Ben Ten and Larry Spohn from TrustedSec. I went into the course hoping to get a refresher on the latest techniques for Windows domains (I do mostly Linux, IoT & Web Apps at work) as well as to get a better understanding of how hunt teaming is done. (As a Red Teamer, I feel understanding the work done by the blue team is critical to better success and reducing detection.)

Supermicro boards were so bug ridden, why would hackers ever need implants?

New U.S. Weapons Systems Are a Hackers’ [sic] Bonanza, Investigators Find

The report by the Government Accountability Office concluded that many of the weapons, or the systems that control them, could be neutralized within hours. In many cases, the military teams developing or testing the systems were oblivious to the hackingi [sic].

Cool Cool Cool Oversight Office Says It's Incredibly Easy To Hack The Defense Dept.'s Weapons Systems

The GAO points out the DOD has spent more time locking down its accounting systems than its weapons systems, even as the latter has increasingly relied on computer hardware and software to operate. The systems used by the DOD are a melange of commercial and open-source software, which relies on vendors to provide regular updates and patch vulnerabilities. (Unfortunately for the DOD, some vulnerabilities may not have been disclosed to software/hardware vendors by other government agencies like the NSA.) But the DOD gives itself a 21-day window to apply patches and some remote weapons systems may go months without patching because they often need to return from deployment to be patched properly.

The end result is a network of defense systems riddled with security holes. The GAO says it doesn't take much to commandeer weapons of mass destruction.

Hackers Can Take Control Of Your WhatsApp Just With A Video Call: Update Now

Natalie Silvanovich, a Google Project Zero security researcher, has uncovered a critical security flaw in WhatsApp. The flaw could allow a notorious actor to make a video call and take complete control of your messaging application.

Just Answering A Video Call Could Compromise Your WhatsApp Account

New Website Claims Flatpak is a “Security Nightmare”

A newly launched website is warning users about Flatpak, branding the tech a “security nightmare”.

The ‘Flatkills.org’ web page takes aim at a number of security claims routinely associated with the fledgling Flatpak app packaging and distribution format.

DNS Security Still an Issue

DNS security is a decades-old issue that shows no signs of being fully resolved. Here's a quick overview of some of the problems with proposed solutions and the best way to move forward.

...After many years of availability, DNSSEC has yet to attain significant adoption, even though any security expert you might ask recognizes its value. As with any public key infrastructure, DNSSEC is complicated. You must follow a lot of rules carefully, although some network services providers are trying to make things easier.

But DNSSEC does not encrypt the communications between the DNS client and server. Using the information in your DNS requests, an attacker between you and your DNS server could determine which sites you are attempting to communicate with just by reading packets on the network.

So despite best efforts of various Internet groups, DNS remains insecure. Too many roadblocks exist that prevent the Internet-wide adoption of a DNS security solution. But it is time to revisit the concerns.

Pete Zaitcev: Ding-dong, the witch is dead

One thing that comes across very strongly is how reluctant people are to run their own infrastructure. For one thing, the danger of a devastating DDoS is absolutely real. And then you have to deal with spam. Those who do not have the experience also tend to over-estimate the amount of effort you have to put into running "dnf update" once in a while.

Personally, I think that although of course it's annoying, the time wasted on the infra is not that great, or at least it wasn't for me. The spam can be kept under control with a minimal effort. Or, could be addressed in drastic ways. For example, my anime blog simply does not have comments at all. As far as DoS goes, yes, it's a lottery. But then the silo platform can easily die (like G+), or ban you. This actually happens a lot more than those hiding their heads in the sand like to admit. And you don't need to go as far as to admit to your support of President Trump in order to get banned. Anything can trigger it, and the same crazies that DoS you will also try to deplatform you.

(SSH) Keys to Unix Security

Root accounts are the keys to powerful IT systems, the backbone of your entire infrastructure. They use privileged credentials to control shell access, file transfers, or batch jobs that communicate with other computers or apps, often accessed remotely, with local configuration. They can be the trickiest of all types of privileged accounts to secure, particularly if they are based on Unix or Linux.

Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says [iophk: "Windows TCO"]

Still, the tests cited in the report found "widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover."

[...]

In several instances, simply scanning the weapons' computer systems caused parts of them to shut down.

[...]

When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of 20 vulnerabilities that were previously found had been addressed. When asked why all of the problems had not been fixed, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error," the GAO says.

Flatpak - a security nightmare

Let's hope not! Sadly, it's obvious Red Hat developers working on flatpak do not care about security, yet the self-proclaimed goal is to replace desktop application distribution - a cornerstone of linux security.

And it's not only about these security problems. Running KDE apps in fakepak? Forget about desktop integration (not even font size). Need to input Chinese/Japanese/Korean characters? Forget about that too - fcitx has been broken since flatpak 1.0, never fixed since.

The way we package and distribute desktop applications on Linux surely needs to be rethinked, sadly flatpak is introducing more problems than it is solving.

Encryption bill will hit family violence victims: claim

In a submission to the public consolation on the draft bill, Carolyn Worth, the manager of SECASA, said the broadening of the Telecommunications (Interception and Access) Act 1979 was unwarranted and would be detrimental to all citizens, especially those with a background of family violence and/or sexual assault.

The period for public comment on the bill, which is officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, ended on 10 September after the draft was released on 14 August.

Bloomberg says big US telco hit by hardware tampering

Apparently undeterred by strong criticism of a supply chain attack story it published last week, Bloomberg has put out another yarn, dealing with a similar theme, this time about a "major US telecommunications company" that allegedly encountered doctored hardware made by the US company Supermicro Computer.

RiskIQ Detects and Mitigates New Magecart Supply Chain Attack

"If you own an e-commerce company, it's best to remove the third-party code from your checkout pages whenever possible," said Yonathan Klijnsma, Head Researcher at RiskIQ. "Many payment service providers have already taken this approach by prohibiting third-party code from running on pages where customers enter their payment information."