Voting information on millions of Israelis leaked ahead of election
The data leaked on March 23rd, two days ahead of the general parliamentary election, exposing voter registration details of 6.5 million Israelis and the personal details of 3.1 million people, out of Israel’s estimated total population of 9.3 million. The personal information includes full names, phone numbers, ID card numbers, home addresses, gender, age, and political preferences. A threat actor calling itself “The Israeli Autumn” took credit for the leak. The source appears to be the website Elector, the web front end for an app used by the country’s Likud political party. In February 2020, a web developer discovered that the site exposed an API endpoint that allowed him to retrieve the site’s admin logins and passwords.
Facebook disrupts Chinese group targeting Uyghur community
The company announced it took action to disrupt the group, known to security researchers as “Evil Eye” or “Poison Carp,” which was targeting members of the Uyghur ethnic minority in the US, Turkey, Syria, Australia and Canada. Facebook first spotted the group in 2020; it used fake accounts to lure targeted individuals into visiting malicious websites or downloading Android apps that installed the ActionSpy and PluginPhantom trojans. Although the group appears to operate out of China, Facebook did not link the campaign to efforts by the Chinese government.
Privacy and security issues with Slack’s Connect DM rollout
Slack rolled out Connect DMs, letting any Slack user direct message another user even if they are outside the organization. To start a conversation, a user sends an email invitation; once it is accepted, the DMs appear in the Slack sidebar, and organizations retain control of their own messages in these conversations. Many users pointed out that Slack’s implementation suffered from a major privacy and security flaw: users could customize the invitation email with any text they liked, and because the invitation is sent from a Slack email address, it easily bypasses existing blocked contacts. Slack said it is now disabling the ability to customize invite emails.
Google not testing FLoC in Europe
At a meeting of the Improving Web Advertising Business Group, Google engineer Michael Kleber said the company currently isn’t testing its third-party cookie replacement, Federated Learning of Cohorts (FLoC), in the EU over concerns that it violates GDPR and the ePrivacy Directive. The issue is that publishers would not be providing users with clear notice and choice about how their data will be used to create cohorts. Google says it is still “100% committed to the Privacy Sandbox in Europe.”
Thanks to our episode sponsor, Trend Micro
Fast and Furious: Exchange Server Hack Edition
Microsoft released critical updates on March 2nd to fix four vulnerabilities in Microsoft Exchange Server. Despite Microsoft urging immediate attention to the zero-day vulnerabilities, F-Secure reports that only about half of the Exchange servers visible on the internet have been patched, and criminals are attacking tens of thousands of them a day. The UK’s National Cyber Security Centre recommends that those who cannot patch right away block untrusted connections to port 442 and require access through a VPN. Microsoft has made an automatic mitigation tool for unpatched servers available in Defender Antivirus.
Purple Fox botnet growing rapidly
Security researchers at Guardicore discovered a new infection vector for the Purple Fox malware, which was first spotted in 2018 and initially spread through phishing emails. The researchers found that Purple Fox is now targeting internet-facing Windows computers, probing SMB for machines with weak passwords. Once access is gained, the malware downloads a rootkit from a network of 2,000 infected Windows servers, closes the firewall ports it used to gain initial access, and scans the internet for further devices to infect. Guardicore estimates Purple Fox infections have increased 600% since May 2020.
Firefox 87 adds SmartBlock
Mozilla’s latest browser release now includes the SmartBlock feature, which substitutes “stand-in” scripts for blocked embedded third-party trackers so that pages still load in the intended rendering sequence without sending data to the trackers. The browser also includes improved referrer trimming, which removes the query data usually sent back to site operators in the Referer header when requesting content.
Broker leaks billions of customer records
The online foreign exchange trading broker FBS leaked over 20TB of customer data through a misconfigured cloud database, which was left online without encryption or a password. The leaked data included full names, email and billing addresses, phone numbers, IP addresses, passport numbers, social media IDs, driver’s licenses, bank account statements, credit cards, user IDs, and unencrypted passwords. Researchers at WizCase discovered the database on October 1, 2020 and alerted FBS, which secured the server on October 5th. It’s unclear how long it was online unsecured.