Incidents Calendar

Notable recent developments in digital security


Digital Security

    • 10 Feb

      US: Microsoft allowed to sue gov't over secret gag orders

      A US federal judge has determined that Microsoft has sufficient standing to sue the US Department of Justice (DOJ) for the right to inform its users when their data has been subjected to a legal data demand from the government.

      Currently, legal demands for user data made under the Electronic Communications Privacy Act (ECPA) are also accompanied by gag orders which prevent the affected companies from alerting their users to the requests. These gag orders frequently have no end date, a situation which the companies say violates the Fourth Amendment rights of their users. The DOJ in turn has argued that the companies suffer no material harm from not providing such notice to their users, and that the companies themselves have no standing to pursue Fourth Amendment claims on behalf of others.

      The judge's decision to allow Microsoft to proceed with its lawsuit has been hailed as a promising development by privacy advocates, who remain concerned about secretive government overreach to data held in cloud storage.

    • 20 Feb

      Concerns raised over US border phone searches

      Following the controversy over the travel ban initiated by President Trump, concerns have been raised over the impact on privacy of the vetting procedures used by US border officials, especially after multiple reports surfaced of travelers (both US citizens and non-citizens) being pressured to give their phone or device passwords in order for immigration officers to view the contents.

      The concerns were also heightened by comments from Department of Homeland Security (DHS) Secretary John Kelly that foreign visa applicants may be required to provide the passwords to their social media accounts as part of vetting procedures. The news reports and controversy have led at least one US Senator to launch legislation that would require border agents to obtain a warrant before they can search devices.

    • 6 Jan

      US: Election systems designated 'critical infrastructure'

      Following the contentious 2016 US presidential election, which was marred by claims of election rigging and cyber attacks, the nation's election infrastructure has been officially designated as 'critical', alongside other sectors such as finance, food and agriculture, and communications. The designation formally gives the Department of Homeland Security (DHS) responsibility to prioritize and protect the identified sectors.

    • 26 Jan

      US executive order prompts Privacy Shield concerns

      US President Trump's executive order, Enhancing Public Safety in the Interior of the United States, which expressly excludes non-US citizens from being granted privacy protections under the US Privacy Act, has raised concerns over the standing of the US-EU Privacy Shield legislation, especially among the tech companies who would be hardest hit if the legislation were dismantled.

      European legislators, who have to date been stringent in overseeing the privacy of European data being held on servers belonging to US tech companies, had already scuttled the preceding Safe Harbor act after the European Court of Justice ruled that the US had failed to properly heed European privacy requirements.

      While some legal commentators have noted that the executive order does not appear to affect Privacy Shield, the uncertainty has prompted calls from the tech industry for more overt assurance from the US government.

Privacy

    • 16 Feb

      Yahoo!: Forged cookies used to hack some accounts

      Yahoo! has again returned to the headlines for a security incident, as it sent email notifications to some users informing them that their account had been accessed as recently as 2015 or 2016 using forged cookies. The company had last year quietly announced, in a filing with the Securities and Exchange Commission, that it had suffered a data breach exploiting the cookie-related vulnerability, but this is the first notification of that particular breach to be sent to the affected users themselves.

      Verizon, which is in acquisition negotiations with the embattled Yahoo!, has since announced that the agreed price for the deal has been reduced by $350 million.

    • 17 Feb

      Germany: connected doll 'illegal spy device'

      Germany's telecommunications regulator, the Federal Network Agency (Bundesnetzagentur), has urged parents to get rid of the Cayla Internet-connected dolls, after ruling that the toys are legally considered 'surveillance devices'. The toys themselves have been banned in the country.

      Germany is considered one of the most privacy-conscious countries in Europe, and considers any device that can record and transmit audio or video without detection to be unlawful. Security researchers have demonstrated that the Bluetooth connection used by the doll can be hacked to eavesdrop on persons within the toy's vicinity.

    • 24 Feb

      'Cloudbleed': Cloudflare bug leaks user data

      Google researchers announced the discovery of a bug, dubbed 'Cloudbleed', in the Cloudflare web hosting and security infrastructure, which had been leaking private user data for months. The infrastructure, which is owned and managed by Cloudflare, is quietly used in the background by hundreds of thousands of websites to improve their traffic handling capabilities, including popular services such as OKCupid, Uber and Fitbit.

      The bug, in simple terms, unintentionally loaded the private data of other users into a webpage's source code, where it is not visible to normal users. All reports have indicated that the data is not currently being exploited.

      In response, Cloudflare has been open, prompt and transparent in fixing and addressing the issue. They have also urged users to change all passwords, strictly as a precaution.

    • 28 Feb

      Cloudpets connected toys data breach

      Security researcher Troy Hunt reported that the personal data of over half a million customers who had bought Internet-connected toys had been compromised due to a poorly secured database.

      The CloudPets toys, which could be connected via Bluetooth to a phone app that allowed parents to leave audio messages for their children, reportedly stored user info and voice messages on a public-facing database with weak security. Though the database has since been removed from public access, the researcher noted that multiple demands for ransom had been left by then. Warnings sent to Spiral Toys, the company selling the toys, were reportedly ignored, and no notice about the data breach has yet been provided to affected users. Spiral Toys has also denied the breach, saying that no recordings had been stolen.

    • 13 Jan

      900GB Cellebrite data lost to hack, some tools published online

      900GB of data were reportedly leaked from Cellebrite, the data extraction company best known for . The stolen data was said to include customer information, technical product details and also some of the evidence the company was able to retrieve from devices.

      The company itself has confirmed that it detected "unauthorized access" on an external server, but was "not aware of any specific increased risk to customers as a result of this incident".

      A couple of weeks later, the hacker publicly released (a part of) the stolen data on Pastebin. The released data mainly focused on tools to hack iOS, but there are also references to Samsung and Blackberry. Some of the iOS tools are nearly identical to software written by the jailbreaking scene.

Attacks

Malware

    • 15 Feb

      APT28 Xagent backdoor for Mac reported

      Security researchers reported discovering a new version of malware linked to a known cyberespionage group, which can target OS X systems in order to steal passwords and screenshots, execute files and so on.

      The emergence of a Mac version of the Xagent backdoor, which is already operable on Windows, Linux and Android, indicates the expanding scope of the APT28 hacker group, which has been previously linked to the 2016 hack of the US Democratic National Committee, among other alleged cyber attacks.

    • 16 Feb

      Flaws found in Android 'connected-car' apps

      Security researchers reported finding security flaws in the Android 'connected-car' apps on offer from seven car manufacturers that could allow hackers to locate or access a connected car through the app itself. The apps were not named in the report.

      According to the researchers, the apps' code lacks basic security protections, potentially allowing attackers to tamper with the programs in order to affect the connected car. The researchers have stressed that they have not found any real-world attacks targeting the flaws they note, and compare the nascent state of 'connected-car' apps to the more secure banking apps, which rapidly incorporated security layers into their design in response to repeated attacks.

    • 10 Jan

      Spora ransomware targets Russian users

      A new ransomware variant dubbed Spora targets Russian users. The malware arrives on the system via spam pretending to be an invoice from accounting software, with an .hta downloader attached (filename: "Скан-копия _ 10 января 2017г. Составлено и подписано главным бухгалтером. Экспорт из 1С.a01e743_рdf.hta").

      This ransomware differs from other variants in that it asks for a relatively small ransom, and provides several options for paying up. The affected users can choose from only restoring files, removing the malware, purchasing immunity, or all of the previously mentioned options for a cheaper package price. This kind of revenue model is the first of its kind for ransomware.

    • 18 Jan

      Fruitfly/Quimitchin backdoor targets Mac OS X and Linux

      Researchers from Malwarebytes discovered a new backdoor malware dubbed Fruitfly/Quimitchin targeting Mac OS X and Linux platforms. The comments and imported libraries suggest that the malware has been around for multiple years, and it had resided on the compromised systems for at least two years. The malware was discovered only recently because it was tightly targeted at systems all belonging to biomedical research institutions.

Vulnerabilities

    • 20 Feb

      Project Zero discloses Microsoft zero-day

      Google's Project Zero announced its discovery of a zero-day vulnerability (CVE-2017-0038) in Windows Graphics Driver Interface (GDI) after Microsoft failed to address the issue within the standard 90-day window Project Zero provides for disclosing and fixing vulnerabilities.

      According to reports, the announcement had been timed to coincide with Microsoft's February Patch Tuesday release, but the updates were unexpectedly postponed for a month due to a 'last-minute issue'.

    • 23 Feb

      Linux patches decade-old DCCP flaw

      A patch has been released for a recently discovered vulnerability (CVE-2017-6074) in the code for Linux's Datagram Congestion Control Protocol (DCCP), which is enabled on many Linux distributions. According to news reports, the vulnerability was introduced in 2005 when DCCP was first incorporated.

      Administrators are advised to check if their installations are vulnerable and apply the relevant patches as soon as possible. A workaround to manually disable the DCCP kernel module is also available.

    • 22 Feb

      Adobe, Microsoft release updates for Flash flaws

      Adobe and Microsoft both released security updates this week to address 13 vulnerabilities in Flash Player libraries used by Internet Explorer 10, Internet Explorer 11 and Edge. According to reports, the vulnerabilities were not under active exploitation at the time of patch release.

Enforcement

Product Security

    • 13 Jan

      Whatsapp vs The Guardian: It's not a 'backdoor', it's a 'feature'

      An article published in The Guardian caused concern among security researchers over claims that the popular mobile messaging app Whatsapp contained what it called a 'backdoor'. The article reported on the contentions of an independent security researcher that the way the app handles changes in a user's encryption key amounted to a 'retransmission vulnerability' that could allow an attacker to intercept and read encrypted messages.

      Whatsapp has refuted the claim, arguing that the issue was in fact a deliberate design choice that balanced performance and usability to provide security without disrupting the user experience, a trade-off suited to the less tech-savvy profile of its user base. Security researchers also disagreed with the characterization of the issue as either a 'backdoor' or a 'vulnerability', and issued an open letter to The Guardian calling for the retraction of the article.

    • 19 Jan

      $40K payout for critical ImageMagick bug bounty report

      A security researcher discovered a way to circumvent the patch that the Facebook security team had used to fix the critical remote code execution vulnerability in the open-source ImageMagick image-processing tool that was reported last May. The researcher subsequently reported his discovery to Facebook, who quickly closed the hole and rewarded the researcher with a $40,000 payout under their bug bounty program, the biggest payment they've made to date.

Sources

Items listed in the Calendar were reported in various technology news portals, security research publications, law enforcement sites, major newspapers and our own F-Secure Weblog.

See our Threat Reports for previous editions of the Incidents Calendar.