More stories

  •

    Apple's global security head indicted on bribery charges

    A California grand jury has indicted Apple’s head of global security, Thomas Moyer, for allegedly bribing two Santa Clara County sheriff’s officials to obtain four concealed-carry firearms licences.
    The charges arose from a two-year investigation by the District Attorney’s Office, which alleges that the two officials, Undersheriff Rick Sung and Captain James Jensen, held up the issuance of the licences and refused to release them to Moyer until he provided something of value.
    “Undersheriff Sung and Captain Jensen treated CCW licences as commodities and found willing buyers. Bribe seekers should be reported to the District Attorney’s Office, not rewarded with compliance,” district attorney Jeff Rosen said.
    In the indictment [PDF], the District Attorney’s Office accuses Moyer of entering into a deal with the policemen to “donate” 200 iPads to the Santa Clara County Sheriff’s Office in exchange for the licences. 
    The iPads had a total value of around $70,000, the District Attorney’s Office said.
    Under state law, an applicant for a carry concealed weapon (CCW) licence must demonstrate “good cause” for the licence, complete a firearms course and be of good moral character, but the sheriff ultimately has broad discretion over who qualifies, the District Attorney’s Office explained.
    Although Moyer and the two officials allegedly reached an agreement, the bribe was never completed: the accused parties cancelled it after learning that the District Attorney’s Office had executed a search warrant to seize the sheriff’s department’s CCW licence records.

    Moyer has worked at Apple for 15 years and has been the company’s head of global security since November 2018, according to his LinkedIn profile. 
    The indictments follow four former eBay employees being charged for cyberstalking a married Massachusetts couple in September. The charged individuals, in that case, were formerly in eBay’s security and intelligence teams.

  •

    Tesla Model X hacked and stolen in minutes using new key fob hack

    A Belgian security researcher has discovered a method to overwrite and hijack the firmware of Tesla Model X key fobs, allowing him to steal any Model X that is not running the latest software update.
    The attack, which only takes a few minutes to execute and requires inexpensive gear, was put together by Lennert Wouters, a PhD student at the Computer Security and Industrial Cryptography (COSIC) group at the Catholic University of Leuven (KU Leuven) in Belgium.
    This is Wouters’ third Tesla hack in as many years, with the researcher publishing two other Tesla attacks in 2018 and 2019, respectively.
    Attack exploits bug in key fob update system
    According to a report published today, Wouters said this third attack works because of a flaw in the firmware update process of Tesla Model X key fobs.
    The flaw can be exploited using an electronic control unit (ECU) salvaged from an older Model X, which is easy to buy online from eBay or from any store or forum that sells used Tesla parts.
    Wouters said attackers can modify the older ECU to trick a victim’s key fob into believing the ECU belonged to its paired vehicle and then push a malicious firmware update to the key fob via the BLE (Bluetooth Low Energy) protocol.
    “As this update mechanism was not properly secured, we were able to wirelessly compromise a key fob and take full control over it,” Wouters said. “Subsequently we could obtain valid unlock messages to unlock the car later on.”

    The steps of the attack are detailed below:
    1. The attacker approaches the owner of a Tesla Model X. The attacker needs to get within about 5 meters of the victim for the modified ECU to wake up and engage the victim’s key fob.
    2. The attacker then pushes the malicious firmware update to the victim’s key fob. This part takes around 1.5 minutes, but works at a range of up to 30 meters, letting the attacker keep their distance from the targeted owner.
    3. Once the key fob has been compromised, the attacker extracts valid car unlock messages from it.
    4. The attacker uses these unlock messages to enter the victim’s car.
    5. The attacker connects the older ECU to the car’s diagnostics connector, which is normally used by Tesla technicians to service the car.
    6. Through this connector the attacker pairs their own key fob to the car, then uses it to start the vehicle and drive away. This part also takes a few minutes.
    The only downside of this attack is the relatively bulky attack rig, which would be easy to spot unless concealed inside a backpack, bag, or another car.
    Nonetheless, the attack rig isn’t expensive, requiring a Raspberry Pi computer ($35) with a CAN shield ($30), a modified key fob, an older ECU from a salvaged vehicle ($100 on eBay) and a LiPo battery ($30).
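    The root cause quoted above is that the fob installed whatever image a vehicle-looking ECU pushed over BLE, without checking who produced it. What a properly gated update path looks like, as an added example written for this page rather than code from Tesla or from the KU Leuven researchers: the message layout, version numbers and keys are constructed, and HMAC-SHA256 stands in for the asymmetric signature a real fob should verify.

```python
"""Firmware update gate for a BLE key fob: the insecure acceptance path beside
an authenticated, anti-rollback one.

Added example, not Tesla's or KU Leuven's code. The message layout, key
material and version numbers are constructed for illustration. HMAC-SHA256
stands in for the asymmetric signature a real fob should verify, so that no
secret that could be read out of a fob lets an attacker sign an image."""
import hashlib
import hmac
import struct

# Constructed: the vendor's signing key. A deployed fob would hold only a
# public verification key, never this secret.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


def sign_image(key, version, image):
    """The tag binds the version number to the image so neither can be swapped."""
    msg = struct.pack(">I", version) + image
    return hmac.new(key, msg, hashlib.sha256).digest()


class KeyFob:
    def __init__(self, verify_key, installed_version):
        self.verify_key = verify_key
        self.installed_version = installed_version
        self.installed_image = hashlib.sha256(b"factory image").hexdigest()

    def accept_update_insecure(self, version, image, tag=None):
        """Vulnerable path: once the fob believes the sender is its paired
        vehicle it installs whatever image arrives, tag or no tag."""
        self.installed_version = version
        self.installed_image = hashlib.sha256(image).hexdigest()
        return True

    def accept_update_secure(self, version, image, tag):
        """Hardened path: verify the tag before touching flash, then refuse
        downgrades so a known-bad but validly signed old image cannot return."""
        expected = sign_image(self.verify_key, version, image)
        if not hmac.compare_digest(tag, expected):
            return False            # unsigned, forged or tampered image
        if version <= self.installed_version:
            return False            # rollback attempt
        self.installed_version = version
        self.installed_image = hashlib.sha256(image).hexdigest()
        return True


def demo():
    """Constructed scenario: an attacker with a salvaged ECU but no signing
    key pushes a backdoored image; the vendor later ships a real update."""
    legit_v2 = b"constructed legitimate firmware v2"
    backdoor = b"constructed image that leaks unlock messages"
    fake_tag = hashlib.sha256(backdoor).digest()   # attacker cannot sign

    fob_a = KeyFob(VENDOR_SIGNING_KEY, installed_version=1)
    fob_b = KeyFob(VENDOR_SIGNING_KEY, installed_version=1)
    old_v1 = b"constructed v1 image"

    return {
        "insecure_takes_backdoor": fob_a.accept_update_insecure(2, backdoor, fake_tag),
        "secure_rejects_backdoor": not fob_b.accept_update_secure(2, backdoor, fake_tag),
        "secure_takes_vendor_update": fob_b.accept_update_secure(
            2, legit_v2, sign_image(VENDOR_SIGNING_KEY, 2, legit_v2)),
        # A validly signed v1 image is still refused once v2 is installed.
        "secure_rejects_rollback": not fob_b.accept_update_secure(
            1, old_v1, sign_image(VENDOR_SIGNING_KEY, 1, old_v1)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

    The rollback check matters as much as the signature: without it, an attacker who keeps a copy of an older, validly signed image can downgrade a fob to a version with a known flaw. A symmetric tag like the one used here would let anyone who dumps one fob's key forge updates for every fob sharing it, which is why a real design verifies a public-key signature and keeps the signing key off the device entirely.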
    Wouters said he discovered the bug earlier this summer and reported it to Tesla’s security team in mid-August.
    The researcher published his findings today, after Tesla began rolling out an over-the-air software update to all Model X cars this week. The bug is fixed in software version 2020.48, according to Wouters.

  •

    Brazilian government recovers from “worst-ever” cyberattack

    After suffering the most severe cyberattack ever mounted against a Brazilian public sector institution, the Superior Court of Justice (STJ, in the Portuguese acronym) has got its systems back up and running after more than two weeks of disruption.
    After the ransomware attack, which took place on November 3, the STJ’s systems were completely unavailable for 26 hours so that the Federal Police could gather evidence. The investigation, which also involves the federal data processing service Serpro and the Army’s cyberdefence unit, is still ongoing. The Court then operated with limited functionality, handling urgent cases only, until the systems were fully re-established on November 20.

    According to the president of the STJ, minister Henrique Martins, the event was “the worst-ever” cyberattack that a Brazilian government body has suffered, both in terms of the dimension and complexity involved.
    “Up until that point, our team had not experienced anything similar, and, despite the fact we were ready, we were led towards transformations, which will enhance the way in which the Court deals with information security”, the minister said in a statement.
    According to the STJ, restoring access to the network, systems and backups, along with the enhanced cybersecurity set-up, involved a team of over 50 of its own IT professionals.
    Another 50 professionals from eight technology companies, including Atos, Microsoft and Redbelt Security, also supported the recovery project.
    However, the STJ minister pointed out that challenges remain, including the revision of policies and technology architecture and adaptation to Brazil’s General Data Protection Law (LGPD), which came into force in September. The process of restructuring and improving data security at the STJ “will be constantly improved,” the statement noted.

    “There is unconditional support from [STJ’s] management to raise the level of information security that we offer. This is an institutional asset, which we will not give up”, the statement from the minister noted.

  •

    Malware creates scam online stores on top of hacked WordPress sites

    A new cybercrime gang has been seen taking over vulnerable WordPress sites to install hidden e-commerce stores, hijacking the original site’s search engine ranking and reputation to promote online scams.


    The attacks were discovered earlier this month targeting a WordPress honeypot set up and managed by Larry Cashdollar, a security researcher for the Akamai security team.
    The attackers leveraged brute-force attacks to gain access to the site’s admin account, after which they overwrote the WordPress site’s main index file and appended malicious code.
    While the code was heavily obfuscated, Cashdollar said the malware’s primary role was to act as a proxy and redirect all incoming traffic to a remote command-and-control (C&C) server managed by the hackers.
    It was on this server that the entire “business logic” of the attack ran. According to Cashdollar, a typical attack went as follows:
    1. A user visits the hacked WordPress site.
    2. The hacked site forwards the user’s request to the malware’s C&C server.
    3. If the user meets certain criteria, the C&C server tells the site to reply with an HTML file containing an online store peddling a wide variety of mundane goods.
    4. The hacked site answers the user’s request with the scam store instead of the page the user wanted to view.

    Cashdollar said that during the time the hackers had access to his honeypot, the attackers hosted more than 7,000 e-commerce stores that they intended to serve to incoming visitors.
    Intruders poisoned the site’s XML sitemap

    In addition, the Akamai researchers said the hackers also generated XML sitemaps for the hacked WordPress sites that contained entries for the fake online stores together with the site’s authentic pages.
    The attackers generated the sitemaps, submitted them to Google’s search engine, and then deleted the sitemap to avoid detection.
    While this procedure looked harmless, it had a large impact on the WordPress site: it poisoned the site’s keywords with unrelated, scammy entries that lowered its search engine results page (SERP) ranking.
    Cashdollar now believes that this kind of malware could be used for SEO extortion schemes — where criminal groups intentionally poison a site’s SERP ranking and then ask for a ransom to revert the effects.
    “This makes them a low-barrier attack for criminals to pull off, as they only need a few compromised hosts to get started,” Cashdollar said. “Given that there are hundreds of thousands of abandoned WordPress installations online, and millions more with outdated plug-ins or weak credentials, the potential victim pool is massive.”
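    Three checks that would have surfaced the behaviour described in this story, both the proxying index file and the poisoned sitemap, as an added example written for this page (not Akamai's code and not the malware itself): every input is constructed, and the list of suspicious PHP calls and the long-literal threshold are heuristics chosen here, not a published signature.

```python
"""Detection checks for the WordPress takeover described above: an
obfuscated payload appended to index.php, a sitemap padded with pages the
site never published, and cloaked responses that change with the visitor.

Added example, not Akamai's code and not the malware. Every input below is
constructed; the suspicious-call list and the long-literal threshold are
heuristics chosen for this example, not a published signature."""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# The stock index.php only defines WP_USE_THEMES and requires
# wp-blog-header.php, so none of these calls belong in it.
SUSPICIOUS_CALLS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(",
                    "create_function(", "assert(")


def index_php_findings(source):
    """Reasons index.php looks tampered with; an empty list means clean."""
    findings = [c for c in SUSPICIOUS_CALLS if c in source]
    if re.search(r"['\"][A-Za-z0-9+/=]{200,}['\"]", source):
        findings.append("long encoded string literal")
    if "wp-blog-header.php" not in source:
        findings.append("bootstrap require missing")
    return findings


def sitemap_outliers(sitemap_xml, known_paths):
    """Sitemap URLs whose path is not in the site's own list of pages."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(sitemap_xml)
    locs = [loc.text.strip() for loc in root.findall(".//sm:loc", ns)]
    return sorted(u for u in locs if urlparse(u).path not in known_paths)


class _PageSummary(HTMLParser):
    """Collects the <title> text and every href on a page."""
    def __init__(self):
        super().__init__()
        self.title, self.links, self._in_title = "", set(), False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()


def cloaking_diff(browser_html, crawler_html):
    """What a search crawler was shown that a normal browser was not."""
    a, b = _PageSummary(), _PageSummary()
    a.feed(browser_html)
    b.feed(crawler_html)
    return {"title_differs": a.title != b.title,
            "links_only_for_crawler": sorted(b.links - a.links)}


# Constructed samples standing in for a fetched index.php, sitemap and pages.
CLEAN_INDEX = ("<?php\ndefine( 'WP_USE_THEMES', true );\n"
               "require __DIR__ . '/wp-blog-header.php';\n")
TAMPERED_INDEX = CLEAN_INDEX + "eval(base64_decode('" + "QUJD" * 60 + "'));\n"
SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url><loc>https://example.com/</loc></url>
<url><loc>https://example.com/about/</loc></url>
<url><loc>https://example.com/shop/cheap-garden-hose-9921/</loc></url>
</urlset>"""
KNOWN_PATHS = {"/", "/about/"}
BROWSER_VIEW = ('<html><head><title>Example Blog</title></head>'
                '<body><a href="/about/">About</a></body></html>')
CRAWLER_VIEW = ('<html><head><title>Cheap Garden Hose Deals</title></head>'
                '<body><a href="/shop/cheap-garden-hose-9921/">Buy</a>'
                '<a href="/about/">About</a></body></html>')


def run_checks():
    return {"clean_index": index_php_findings(CLEAN_INDEX),
            "tampered_index": index_php_findings(TAMPERED_INDEX),
            "sitemap_outliers": sitemap_outliers(SITEMAP, KNOWN_PATHS),
            "cloaking": cloaking_diff(BROWSER_VIEW, CRAWLER_VIEW)}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

    The cloaking check is the one to run from outside: fetch the same URL once with a browser user agent and once with a crawler's, because a proxying index.php only hands the scam store to visitors the C&C server selects. The sitemap check needs the site's real page list, since the attackers deleted their sitemap after submitting it and only Google's Search Console still shows what was indexed.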

  •

    GoDaddy staff fall prey to social engineering scam in cryptocurrency exchange attack wave

    GoDaddy employees were socially engineered and phished into facilitating attacks on multiple cryptocurrency exchanges.

    Staff at the domain name registrar were duped into changing email and domain registration records, which were then used to attack other organizations.
    As reported by security journalist Brian Krebs last week, GoDaddy confirmed that the scam led to a “small number” of customer domain names being “modified” earlier this month.
    Starting in mid-November, the fraudsters redirected email and web traffic intended for cryptocurrency exchanges. Liquid.com and the NiceHash exchange were affected, and it is suspected that other exchanges may have been hit as well.
    According to Liquid CEO Mike Kayamori, a security incident on November 13 was caused by GoDaddy incorrectly transferring control of an account related to the firm’s core domain names. 
    “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts,” Kayamori said in a blog post. “In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

    Liquid.com contained the attack after discovery, and while the attacker may have accessed user emails, names, addresses, and encrypted passwords, client funds were accounted for. 
    In NiceHash’s case, the company blamed “technical issues” at GoDaddy resulting in “unauthorized access” to domain settings, leading to the DNS records for nicehash.com being changed. 
    This attack occurred on November 18. NiceHash responded quickly, freezing all wallet activity to prevent any loss of user cryptocurrency. Withdrawals were suspended for 24 hours while an internal audit took place and normal service has since resumed. 
    NiceHash says that it does not look like user information was exposed or compromised, but urges caution if users receive links or suspicious emails claiming to be from the cryptocurrency exchange. 
    The company also recommended that users change their passwords and enable two-factor authentication (2FA) to be on the safe side.
    Speaking to Krebs, NiceHash founder Matjaz Skorjanc added that the attackers attempted to force password resets on third-party services, including Slack, but NiceHash was able to fend off these attempts. 
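    Neither exchange could have stopped a change made inside the registrar, but both chains of events above, redirected mail and then forced password resets, start with a record change that is visible from outside. A check for it, as an added example that is not GoDaddy's, Liquid's or NiceHash's tooling: the domain, baseline, observed answers and registrar status list are constructed, and the answer text mimics the `dig +noall +answer` layout so real output can be pasted in.

```python
"""Zone drift check for the registrar-side hijack described above: compare
the NS, MX and A records a domain currently answers with against a
signed-off baseline, and confirm the registrar locks that force an extra
verification step before a record or transfer change goes through.

Added example, not GoDaddy's, Liquid's or NiceHash's tooling. The domain,
baseline, observed answers and EPP status list are constructed; the answer
text mimics the `dig +noall +answer` layout so real output can be pasted in."""

# Constructed baseline, recorded when the zone was last reviewed.
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "MX": {"10 mail.example-exchange.com."},
    "A": {"203.0.113.10"},
}

# EPP statuses that make a registrar refuse transfers, updates and deletes
# until the account owner explicitly unlocks the domain.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                  "clientDeleteProhibited"}


def parse_dig_answers(text):
    """Map record type -> set of rdata from `dig +noall +answer` style lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rtype, rdata = parts[3], " ".join(parts[4:])
        records.setdefault(rtype, set()).add(rdata)
    return records


def drift(baseline, observed):
    """Per record type, what vanished and what appeared since the baseline."""
    report = {}
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        if seen != expected:
            report[rtype] = {"missing": sorted(expected - seen),
                             "unexpected": sorted(seen - expected)}
    return report


def missing_locks(epp_statuses):
    """Locks the registrar record should carry but does not."""
    return sorted(REQUIRED_LOCKS - set(epp_statuses))


# Constructed answers for the same zone after a support-desk change: the
# name servers are untouched but mail now flows to a host the owner never set.
OBSERVED_ANSWERS = """\
example-exchange.com.\t300\tIN\tNS\tns1.example-dns.net.
example-exchange.com.\t300\tIN\tNS\tns2.example-dns.net.
example-exchange.com.\t300\tIN\tMX\t10 mx.attacker-relay.example.
example-exchange.com.\t300\tIN\tA\t203.0.113.10
"""
OBSERVED_STATUSES = ["clientTransferProhibited", "ok"]


def run_check():
    observed = parse_dig_answers(OBSERVED_ANSWERS)
    return {"drift": drift(BASELINE, observed),
            "missing_locks": missing_locks(OBSERVED_STATUSES)}


if __name__ == "__main__":
    print(run_check())
```

    Run the drift check from a resolver outside the organisation's own network and on a schedule measured in minutes, because the attacker only needs the MX change to survive long enough to receive one password-reset email. The lock check is a one-off: an unlocked domain is what lets a single persuaded support agent move the records in the first place.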
    A GoDaddy spokesperson said the domain registrar “immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts.”
    The spokesperson added that as “threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them.”
    In May, GoDaddy disclosed a security breach in which an individual was able to access SSH accounts within the firm’s hosting infrastructure without permission. GoDaddy said there was no evidence of tampering that would affect customers, but offered those affected a year of security services for free.

  •

    Black Friday security tips: Beware of websites that want too much info

    Cyber criminals will be targeting online shopping as people take to the internet to bag Black Friday and Cyber Monday bargains as Christmas shopping begins – and the UK’s National Cyber Security Centre (NCSC) has urged shoppers to be vigilant and report suspected cyberattacks and scams.
    The run up to Christmas is a lucrative period for retailers as people look to stock up on gifts – and many outlets will run promotional offers to coincide with Black Friday and Cyber Monday to encourage spending.


    Retailers send emails offering promotions and discounts – and that’s something cyber criminals can exploit by sending messages of their own; phishing emails tempting people with an offer of bargains in order to steal money, usernames and passwords, personal information and more.
    The NCSC is warning shoppers to be cautious when shopping by being selective about where they make purchases from.
    For example, people should be mindful if they’ve not heard of a particular retailer before, or if they receive an email claiming to offer direct links to bargain items. It’s best to take the precaution of visiting the retailer’s web address rather than clicking on a direct link.
    And users should be wary of websites that ask for an unnecessary amount of personal information when taking payments – if they’re asking for additional security details, like a codeword or an answer to a secret question used to retrieve your password, it’s highly likely to be a scam.

    “You shouldn’t have to provide security details (such as your mother’s maiden name, or the name of your first pet) to complete your purchase,” NCSC notes.
    It also suggests: “The store may also ask you if they can save your payment details for a quicker check-out next time you shop with them. Unless you’re going to use the site regularly, don’t allow this.”
    If people see suspicious emails or websites that seem to ask for too much information or seem to be too good to be true, the NCSC suggests the potential phishing emails or scam sites should be reported to its Suspicious Email Reporting Service (SERS).
    Since its launch earlier this year, SERS has received over two million reports of suspicious emails and websites and has led to thousands of malicious sites being taken down.

    “At this time of year our inboxes are filling up with promotional emails promising incredible deals, making it hard to tell real bargains from scams,” said Sarah Lyons, NCSC deputy director for economy and society.
    “If you spot a suspicious email, report it to us or, if you think you’ve fallen victim to a scam, report the details to Action Fraud and contact your bank as soon as you can,” she added.
    Other tips the NCSC recommends for staying safe online while making Christmas purchases include keeping accounts secure with two-factor authentication as well as looking for the closed padlock in the browser’s address bar of the payment page on a retailer’s website. The padlock icon doesn’t guarantee that the retailer itself is legitimate, but it at least means your connection to it is secured. 
    Retailers are also being urged to play their part in helping consumers stay safe online in the run up to Christmas.


  •

    TikTok patches reflected XSS bug, one-click account takeover exploit

    TikTok has patched a reflected XSS security flaw and a bug leading to account takeover impacting the firm’s web domain. 

    Reported via the bug bounty platform HackerOne by researcher Muhammed “milly” Taskiran, the first vulnerability relates to a URL parameter on the tiktok.com domain which was not properly sanitized.
    While fuzzing the platform, the researcher found that the issue could be exploited for reflected cross-site scripting (XSS), allowing attacker-controlled script to run in a user’s browser session.
    In addition, Taskiran found an endpoint vulnerable to Cross-Site Request Forgery (CSRF), an attack in which threat actors can dupe users into submitting actions on their behalf to a web application as a trusted user.
    Taskiran was able to craft a simple JavaScript payload that combined both vulnerabilities. Injected into the vulnerable URL parameter, the script triggered the CSRF issue and yielded a one-click account takeover.

    “The endpoint enabled me to set a new password on accounts which had used third-party apps to sign-up,” the bug bounty hunter said. 
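    The two bug classes in the report, each beside its fixed form, as an added example that is not TikTok's code and not the researcher's payload: the handlers, parameter and cookie names, session table and site origin are all constructed.

```python
"""The two bug classes in the TikTok report, each beside a fixed version: a
page that reflects a URL parameter unescaped, and a password-setting endpoint
that accepts any request carrying the victim's session cookie.

Added example, not TikTok's code or the researcher's payload. The handlers,
parameter and cookie names, session table and origin are constructed."""
import hashlib
import hmac
import html
from dataclasses import dataclass, field

SECRET = b"constructed-server-secret"
SITE_ORIGIN = "https://app.example.com"
SESSIONS = {"sess-abc": "user-42"}   # cookie value -> user id (constructed)


@dataclass
class Request:
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def search_page_vulnerable(req):
    """Reflected XSS: the parameter lands in the markup as-is."""
    return f"<p>Results for {req.query.get('q', '')}</p>"


def search_page_fixed(req):
    """Escape for the HTML text context; quote=True also covers attributes."""
    return f"<p>Results for {html.escape(req.query.get('q', ''), quote=True)}</p>"


def csrf_token(session_id):
    """Per-session token the site embeds in its own forms."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def set_password_vulnerable(req, passwords):
    """CSRF: the only check is the cookie, which the browser sends anyway."""
    user = SESSIONS.get(req.cookies.get("sid"))
    if user is None:
        return 401
    passwords[user] = req.form["new_password"]
    return 200


def set_password_fixed(req, passwords):
    """Reject requests that cannot prove they came from the site's own page."""
    sid = req.cookies.get("sid")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    # Browsers attach Origin to cross-site POSTs; a foreign one is refused.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(sid)):
        return 403
    passwords[user] = req.form["new_password"]
    return 200


def demo():
    """Constructed payloads: an XSS probe and a forged cross-site POST."""
    probe = Request(query={"q": '"><img src=x onerror=alert(1)>'})
    forged = Request(cookies={"sid": "sess-abc"},
                     headers={"Origin": "https://attacker.example"},
                     form={"new_password": "attacker-chosen"})
    genuine = Request(cookies={"sid": "sess-abc"},
                      headers={"Origin": SITE_ORIGIN},
                      form={"new_password": "user-chosen",
                            "csrf_token": csrf_token("sess-abc")})
    vuln_store, fixed_store = {}, {}
    return {
        "xss_reflected_raw": "<img" in search_page_vulnerable(probe),
        "xss_escaped": "<img" not in search_page_fixed(probe),
        "forged_vulnerable": set_password_vulnerable(forged, vuln_store),
        "forged_fixed": set_password_fixed(forged, fixed_store),
        "genuine_fixed": set_password_fixed(genuine, fixed_store),
        "vuln_store": vuln_store,
        "fixed_store": fixed_store,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    The caveat the chained report illustrates: the Origin check, the token, and SameSite cookies all assume the request is coming from another site. Script injected through the reflected XSS runs on the site's own origin, passes the Origin check and can read the token out of the page, so none of the CSRF defences survive it. That is why the two bugs together reached the 8.2 severity and why the XSS is the one to fix first.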
    TikTok first received a report describing the vulnerabilities on August 26. By September 3, TikTok had triaged the security issues and assigned a severity score of 8.2. The bugs were patched on September 18. 
    Taskiran was awarded a bug bounty reward of $3,860. 
    ZDNet has reached out to TikTok and will update when we hear back. 

  •

    GitHub fixes 'high severity' security flaw spotted by Google

    GitHub has finally fixed a high severity security flaw reported to it by Google Project Zero more than three months ago. 
    The bug affected GitHub Actions, a developer workflow automation tool, which Google Project Zero researcher Felix Wilhelm said was “highly vulnerable to injection attacks”. GitHub Actions supports a feature called workflow commands, a communication channel between the action runner and the executing action.


    While Google described it as a ‘high severity’ bug, GitHub argued it was a ‘moderate security vulnerability’.
    Google Project Zero usually discloses the flaws it finds 90 days after reporting them, and by November 2 GitHub had exhausted Google’s one-off 14-day grace period without fixing the flaw.
    A day before the extended disclosure deadline, GitHub told Google it would not be disabling the vulnerable commands by November 2 and then requested an additional 48 hours – not to fix the issue, but to notify customers and determine a ‘hard date’ at some point in the future. Google then published details of the bug 104 days after it reported the issue to GitHub.
    GitHub addressed the issue last week by disabling the feature’s legacy runner commands, set-env and add-path, as Wilhelm had suggested.

    The fix was implemented on November 16, or two weeks after Wilhelm publicly disclosed the issue.
    As Wilhelm noted in his bug report, the now-disabled set-env runner command was interesting from a security perspective because it could define arbitrary environment variables as part of a workflow step.
    “The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable,” wrote Wilhelm. 
    “In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed.”
    Now that GitHub has disabled the two vulnerable commands, Wilhelm has updated his issue report to confirm the issue is fixed.
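    Wilhelm's two quoted sentences describe the whole mechanism: the runner scans every STDOUT line for commands, so any action that prints attacker-controlled text can be made to set a variable. A model of that parser, as an added example that is not the runner's source: the issue title and resume token are constructed, NODE_OPTIONS is the variable Wilhelm's report used, and the payload path is assumed for illustration.

```python
"""A model of the Actions runner's STDOUT command parser: why an action that
prints untrusted text hands the attacker an environment variable while the
legacy set-env command is enabled, and what the two mitigations look like,
disabling set-env/add-path (GitHub's fix) and fencing untrusted output with
stop-commands.

Added example, not the runner's source. The issue title and resume token are
constructed; NODE_OPTIONS is the variable Wilhelm's report used, the payload
path is assumed for illustration."""
import re

# ::command key=value,key=value::value
COMMAND_RE = re.compile(r"^::([\w-]+)(?:\s+([^:]*?))?::(.*)$")


def _props(text):
    out = {}
    for item in (text or "").split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            out[key.strip()] = value.strip()
    return out


class Runner:
    def __init__(self, legacy_env_commands):
        self.legacy = legacy_env_commands
        self.env, self.path, self.warnings = {}, [], []
        self._stop_token = None

    def feed(self, stdout):
        """Scan each line the step printed, as the runner does."""
        for raw in stdout.splitlines():
            m = COMMAND_RE.match(raw.strip())
            if self._stop_token is not None:
                # Inside a stop-commands fence only the resume token counts.
                if m and m.group(1) == self._stop_token:
                    self._stop_token = None
                continue
            if not m:
                continue
            cmd, props, value = m.group(1), _props(m.group(2)), m.group(3)
            if cmd == "stop-commands":
                self._stop_token = value
            elif cmd == "set-env" and self.legacy:
                self.env[props["name"]] = value
            elif cmd == "add-path" and self.legacy:
                self.path.append(value)
            elif cmd in ("set-env", "add-path"):
                self.warnings.append(f"{cmd} command is disabled")
            # debug, warning, set-output and friends are omitted here
        return self


# Constructed issue title: its second line is a complete workflow command.
ISSUE_TITLE = ("Login page broken\n"
               "::set-env name=NODE_OPTIONS::--require /tmp/payload.js")


def step_output_unfenced(title):
    """What a triage action that echoes the title writes to STDOUT."""
    return f"Triaging issue: {title}\n"


def step_output_fenced(title, token):
    """Same action, with the untrusted text wrapped in a stop-commands fence."""
    return f"::stop-commands::{token}\n{step_output_unfenced(title)}::{token}::\n"


def demo():
    unfenced = step_output_unfenced(ISSUE_TITLE)
    return {
        "legacy_env": Runner(True).feed(unfenced).env,
        "fixed_env": Runner(False).feed(unfenced).env,
        "fixed_warnings": Runner(False).feed(unfenced).warnings,
        "fenced_env": Runner(True).feed(
            step_output_fenced(ISSUE_TITLE, "c0nstructedT0ken")).env,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    With the legacy runner, NODE_OPTIONS ends up in the environment of every later step, which is what turns a printed issue title into code execution as soon as a Node-based action runs. The replacement GitHub shipped alongside the removal is to append NAME=value lines to the file named by GITHUB_ENV, which text printed to STDOUT cannot reach. The stop-commands fence only helps if the token is unguessable for each run; a fixed string in the workflow file is visible to the same attacker who controls the title.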