February 13, 2023

265

0

Author: Matthew Turner

Cybersecurity News Digest [January 2023]

If it is difficult for you, like most, to follow all the events taking place in the field of cybersecurity, then our team presents a news digest.

This time, we will tell you about the most significant events that took place in the field of cybersecurity in January.

You can find the previous news digest here.

Cybersecurity news digest

1. Apple was accused of spying on users through the IDFA advertising tracker

The human rights organization Noyb has filed two complaints against Apple with the German and Spanish authorities for the protection of personal data. The company is accused of illegally using an advertising identifier on its devices.

IDFA (The Identifier for Advertisers) is a unique number that is assigned to each device and allows Apple, as well as third-party developers, to monitor users, and collect information about their actions and preferences. 

According to EU law, this (as for cookies) requires the direct consent of users. But Apple uses IDFA by default and without anyone’s knowledge.

According to Noyb, the actions concern only German and Spanish users who have complained about Apple. At the same time, the consequences of the decisions may go beyond these two countries and “it will be difficult for the company to continue doing with millions of people what has been declared illegal for the two countries.”

Apple responded and called Noyb’s allegations “factually inaccurate” and that it hopes to “clarify this for privacy regulators if they review the complaint.” The company added that its “practice complies with European law, supports and promotes the goals of the GDPR and the Privacy Directive, which is to give people full control over their data.”

2. 35 thousand PayPal accounts were hacked as a result of a large-scale attack with substitution of credentials

PayPal users have started receiving notifications about account hacking as a result of a login substitution attack. About 35 thousand accounts were affected.

Credential substitution is a type of attack in which hackers try to gain access to an account using real credentials stolen from another resource. The attack is designed for users who have the same password for several services.

The incident affected 34,942 clients of the platform. For two days, hackers gained access to the full names of account holders, dates of birth, postal addresses, social security numbers and individual taxpayer identification numbers, as well as transaction history, connected credit or debit card data and PayPal billing data.

PayPal claims to have restricted the attackers’ access to the platform and reset the passwords of the affected users. The platform also claims that the attackers did not try or failed to conduct any transactions from the hacked accounts.

3. Vulnerability in Signal allows capturing “Disappearing Messages”

The Israeli company Cellebrite, a developer of spyware, said that it managed to hack the Signal messenger.

Cellebrite specialists were able to bypass Signal protection using their own software tool Physical Analyzer, designed to systematize and process information received from a smartphone.

They are constantly working on improving it, and one of the updates allowed them, according to them, to hack Signal.

Cellebrite has published a detailed report on the Signal hacking process directly on its official website. The company’s specialists said that the messenger database is stored in an encrypted form using SqlScipher. SqlScipher is an open source SQLite extension that provides transparent 256–bit AES encryption of database files. 

To read the database, hackers needed a special key, which can be extracted from a file with general settings and decrypted using a key called “AndroidSecretKey”, which is stored by “Keystore” — a special function of the Android OS.

Then they ran SQLCipher in the database with the decrypted key and the values 4096 and 1 for the page size and kdf iterations, which allowed them to decrypt the database and detect text messages in the “signal.db.decrypted” file in the table with the name “sms”. All sent and received files were found in the “app_parts” folder, but they were additionally encrypted.

Cellebrite specialists found out that Signal uses the AES algorithm in CTR mode to encrypt attachments, after which they only have to decrypt. 

Additionally, they did not have to compare the found files with the chats — this was done at the stage of message analysis. As a result, they received fully readable chats, now available in the same form in which they are seen by the participants of the conversation.

Read a fair comparison of Signal with other messaging tools here.

4. Google advertisements are actively used to deceive inattentive users

The popular Bitwarden password manager, as well as other password managers, have become the target of phishing campaigns using Google Ads. The goal of scammers is to steal all the passwords of a potential victim from all services at once.

As users increasingly need to come up with unique passwords for each site, the use of password managers has become a necessity in order not to forget login details and not lose access to their accounts.

However, it is the cloud password stores that make user credentials more vulnerable to malicious attacks.

More recently, phishing pages promoted using the Google Ads service were noticed on the network. These pages target the credentials of popular password repositories, as well as their cookies. This data, if used correctly, will give cybercriminals full access to the storage itself and all passwords inside.

On January 24, users of the Bitwarden password manager started seeing a fraudulent ad in Google search results. The domain used in the ad, “appbitwarden.com” when clicked, redirected users to the site “bitwardenlogin.com”. This page was an exact copy of the real login page for the Bitwarden password manager.

The most interesting thing is that after collecting credentials, the phishing page redirected users to the real Bitwarden website. That is, the scammers acted as inconspicuously as possible, and the data collected for logging in was apparently planned to be used in a targeted attack later.

Password repositories, in essence, store the entire internet life of the user. Therefore, it is very important in no case to give access to them into the hands of scammers. First of all, when entering the master key from the password manager, you should always verify the domain name.

Is Google secure and private? Learn more here.

5. Twitter employees can post messages from under an account

A former Twitter employee under oath at a hearing of representatives of the US Congress and the US Federal Trade Commission (FTC) has said that Twitter allows employees of the platform in GodMode mode to post tweets under any account.

The IT witness claims that the GodMode mode, which was renamed “privileged mode” under Musk, is accessible remotely on the laptop of any company engineer. To run it, you need to change the parameters from “False” to “True” in a certain place of the admin panel in the access settings. In the process of making changes, a warning text in capital letters “Think before you do this” is displayed on the employee’s screen.

The witness provided several screenshots, including the process of activating GodMode mode. According to him, with Musk, this mode remained available in the system.

Another former Twitter security engineer confirmed to the media that the management was aware of the problem and access to GodMode, but no restrictions were made to this tool until the end of last year.

Read more about Twitter insecurity here.