Security News > 2020 > July

Cybercriminals could be stealing data from payment cards with EMV chips and using it to create magnetic stripe cards which they can use for card-present transactions, cybersecurity firm Gemini Advisory reported on Thursday. This enables cybercriminals who can steal EMV card data to encode that data on a magnetic stripe, inserting the iCVV instead of the CVV that is expected to be on the magnetic stripe.

A mobile spearphishing attack targeting "a small number of employees" is what led to the unprecedented, major attack earlier in the month on high-profile Twitter accounts to push out a Bitcoin scam. On the day of the attack, Twitter revealed that the accounts fell victim to a compromise of the company's internal systems by a group of unidentified hackers that managed to access Twitter company tools and secure employee privileges.

Twitter on Thursday revealed that several employees were targeted with phone spear-phishing in a social engineering attack leading to the recent security incident. A total of 130 accounts were targeted in the incident, with hackers abusing internal Twitter systems and tools to reset the passwords for 45 of them.

US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion and it is believed the company paid a $4.5m ransom to get its data back. The ransomware, a relatively new strain first seen late last year, deploys a Windows XP virtual machine onto the target network in order to unleash the ransomware itself.

"The social engineering that occurred on July 15, 2020, targeted a small number of employees through a phone spear phishing attack," Twitter explained. "Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools."

Roughly one month after United States senators introduced a "Balanced" bill that would require tech companies to provide law enforcement with access to encrypted user data, a companion bill was introduced in the House of Representatives this week. Referred to as the Lawful Access to Encrypted Data Act, the bill aims to put a stop to criminals using "Warrant-proof encryption and other technological advances" to hide their activity from authorities, Congresswoman Ann Wagner, who introduced the bill, said.

I know, it's not presented by Charlie Miller and Chris Valasek, necessarily, but there is always really cool car security research that comes out of Black Hat. You know, it'll be interesting to see how I mean how the vendors deal with communicating their messages outside of the Black Hat in a sense that you know, so much about Black Hat wasn't actually about the sessions, but some of the off-site stuff and some of the meet and greets and some of the private briefings.

Some 3D printers can be flashed with firmware updates downloaded directly from the internet - and an infosec research firm says it has discovered a way to spoof those updates and potentially make the printer catch fire. Research from the appropriately named Coalfire biz claimed printers from Chinese company Flashforge could be abused through crafted updates that bypass safety features built into the devices' firmware.

Red Hat has told customers not to install the package updates released in response to the recently disclosed BootHole vulnerability after users reported that their systems hung after applying the updates. The flaw, officially identified as CVE-2020-10713, impacts systems that use Secure Boot, and fully patching it involves replacing vulnerable bootloaders and updating the Secure Boot revocation list to ensure that the old bootloaders can no longer be executed.

An investigation by consumer watchdog Which? has found that nearly a third of all phones sold on second-hand sites are no longer supported by the vendor, leaving punters at risk of being hacked. The publication found that 31 per cent of all phones sold via CeX no longer receive security patches.