16Shop Expands to Amazon

McAfee has released a fantastic blog post about a phishing kit known as 16Shop, in which they describe the complexity of the kit as well as how it is now being used to target not only Apple users but Amazon users too. The post was released a few days before Prime Day, essentially Amazon's Black Friday in the summer, since the kits are so advanced. One of the most common ploys to get users to enter their credentials on these malicious sites is to send an email saying that there was an update on the account and asking the user to log in to verify the changes. The link in the email leads users to a very convincing copy of the site in question, which logs the user's information so that it can then be sold.

We recommend that if users want to check any account changes on Amazon, which they received via email or other sources, that they go to Amazon.com directly and navigate from there rather than following suspicious links.

McAfee

It is worth noting that a cracked version of 16Shop, used by those who pirate the kit, has been circulating online, and that it harvests all the data stolen by the attacker. Usually 16Shop sends the victim's information only to the attacker, but with the cracked version the person who cracked it also gets a copy of the stolen information. For more, you can read either McAfee's post mentioned above or this article by Bleeping Computer.

Android Apps Getting Location Info without Permission

At PrivacyCon 2019 a study was shared showing that Android applications track a user's position/location even when the specific apps have been denied permissions by the user. The Verge's article breaks down one way apps with insufficient permissions can still access location data:

“A second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app — potentially even a malicious one — can read it.”

The Verge

The study is worth a read-through, as it points out “companies getting the MAC addresses of the connected WiFi base stations from the ARP cache” as well as one app, Shutterfly, that “used picture metadata as a side channel to access precise location information despite not holding location permissions.” The study goes on to specify, “While this app may not be intending to circumvent the permission system, this technique can be exploited by a malicious actor to gain access to the user’s location.”

Dell Vulnerability in SupportAssist

There have been multiple articles about the SupportAssist vulnerability found on Dell computers. This article by the Los Alamos Daily Post does an amazing job describing what the vulnerability actually allows attackers to accomplish:

SupportAssist seeks out several software libraries (Dynamic Link Libraries- DLL) that a rogue user with local access could use to replace the system’s DLL with a malicious file of their own.

The program does not validate whether the DLL is signed, and the program will load an arbitrary, unsigned DLL.

Los Alamos Daily Post

Users need to make sure they are fully up to date and can use the Dell website to verify update information.

The macOS Immunity Myth

Panda Security said it best about the myth that only computers running Windows are vulnerable by stating, “Apple computers have developed a reputation for exceptional security. In fact, many people believe that Macs are completely invulnerable to malware, like viruses and ransomware.” As their article goes on to explain, users cannot speak of anything being absolutely secure all the time. This leads Panda to bring up an interesting point that, “the first viruses ever created was targeted at the Apple II computer back in 1982. The virus was relatively harmless – it simply displayed a rather childish poem on screen. But the reality was that the computer’s built-in security had been breached.” It is also important to note that there were over 18 million Mac computers in 2018 as opposed to the 3 million in 2002, meaning there are more opportunities for malicious entities to spend time on developing attacks for non-Windows users.

macOS had a vulnerability announced in May in which applications can bypass macOS’s Gatekeeper, the application that checks to see if the code is signed by Apple and, if not, asks the user for their permission to run it. The newest release of macOS (10.14.5) is still exploitable.

Internal Applications Abused

Within the last week VICE posted a story explaining that some Snapchat employees may have abused internal tools to spy on its users. This, paired with the recent Outlook hack, shows that even when there is not an outside threat, internal threats are just as real. Proper auditing and access restriction policies may help in the fight against the misuse of these internal tools.

Data Protection Through Authentication

This week there have been two data incidents of interest. In the first, 50 million Instagram users had their data exposed on an Amazon database that did not require a password (BBC). The other involved HCL, whose HR portal housed unhashed passwords as well as names and usernames of 54 people and did not require authentication to view. In addition to employee information there was also customer information that was publicly available. The data exposure was discovered by UpGuard, who had this to say: “A large services provider like HCL necessarily manages lots of data, personnel, and projects. That management complexity writ large is the root cause of data leaks in general. In this case, pages that appeared like they should require user authentication instead were accessible to anonymous users.”

New Windows XP and Windows 7 Exploit

There is a new exploit for Windows XP and Windows 7, via the Remote Desktop Services, in which an unauthorized user can gain access to a system without its users knowing. Since the threat is so severe, Microsoft is putting out an update for XP, which has been out of updates for five years. Tom’s Guide, when covering this exploit, brought up a great point: a user or business that is still using XP because of hardware limitations could opt for a new version of Linux, which would be free and offer more than the outdated OS.

Windows 10 Privacy Settings

Windows 10 is a widely used operating system in both the corporate and personal worlds. It has some features that some users may not want, and especially with companies harvesting users’ data for free, it is nice to know you can protect yourself from prying eyes, or at least have a starting point for privacy with Windows 10.

CNET has compiled five things a user can do with Windows 10 to help gain back privacy: turning off the features that allow Windows to know a user’s location, sync passwords, and run advertisements based on an ID, as well as not allowing Windows to show notifications on the lock screen. We encourage users to search and review the Privacy Settings on their OS to make sure they are comfortable with what is being allowed.