Europol confirms dark web marketplace takedown

The law enforcement agency announced it coordinated with police in several countries to take down DarkMarket, which had almost 500,000 users and had hosted over 320,000 transactions. According to Europol the site was mostly used to traffic drugs, counterfeit money, stolen credit card details, malware and anonymous SIM cards. Over the weekend, German authorities arrested, near the German-Danish border, an Australian citizen who allegedly operated the site, and shut down more than 20 servers in Moldova and Ukraine. Europol first became aware of DarkMarket during its investigation into the Germany-based web-hosting service Cyberbunker.

(Engadget)

Google to reportedly block all political ads again

According to internal emails seen by Axios, Google has informed advertising partners it will block all political ads as of January 14th across its platforms, as well as any ads related to the Capitol insurrection of January 6th. Google had previously initiated a political ad ban from November 3rd through early December. In addition, Google said it will be “extremely vigilant” about enforcement of its Dangerous and Derogatory Content policy, which prohibits ads that promote hate and incite violence. The ban will be in effect until at least January 21st, although Google said it will look at “a number of factors” before determining to end it. 

(Axios)

DoD halts deployment of cybersecurity system

The Pentagon’s testing office announced the halt on the $2 billion system, which was designed to detect intrusions and prevent cyberattacks, citing poor test results. The project, named the Joint Regional Security Stack, was an effort to consolidate hundreds of networks onto a single secured and classified network that would provide continuous network security capabilities. It began in 2015 and was originally set to be completed in 2019. The report, which cited poor performance, was written before the SolarWinds supply-chain attack became public, and it recommends that the Pentagon’s CIO “continue developing more effective alternatives.” A Pentagon spokesperson said the project has been postponed, with fiscal spending on it deferred through 2023.

(Bloomberg)

WordPress plugin bugs allow for site takeover

Researchers at Wordfence disclosed two bugs in the Orbit Fox WordPress plugin that, used together, could allow injection of malicious code into a site and potentially a full site takeover. The first is an authenticated privilege-escalation flaw that lets users with contributor-level access make themselves administrators. It lives in the Orbit Fox registration widget: because the server does not verify which role a new account is allowed to receive, a user could sign up and immediately set their own access level. The second is an authenticated stored cross-site scripting flaw that lets contributors inject JavaScript into posts. The latest version of Orbit Fox fixes both bugs, but the researchers found more than 40,000 sites still running vulnerable versions.
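As an added illustration (this is neither Orbit Fox’s code nor Wordfence’s), here is the general pattern behind a privilege escalation like the one described: a front-end registration handler that trusts a role field supplied by the client, beside a hardened version that never reads the role from the request and gates later role changes on a capability check. The function names, the `role` request field and the `example_register` nonce action are assumptions for illustration; every other call is the stock WordPress API. The last function shows the equivalent fix for the stored-XSS half of the chain: contributor-supplied HTML filtered through `wp_kses_post()` before it is stored.

```php
<?php
// Added example, not code from the Orbit Fox plugin or the Wordfence write-up.
// Function names, the 'role' POST field and the 'example_register' nonce
// action are assumptions; all other functions are standard WordPress.

// Vulnerable pattern: the role is taken straight from the request. Any visitor
// can POST role=administrator, and nothing on the server checks who is allowed
// to hand out that role.
function example_register_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $role  = sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(),
        'role'       => $role, // client-controlled: this is the bug
    ) );
}

// Hardened pattern: the request must carry a valid nonce, registration must be
// enabled, and the only role a self-registered account can receive is the
// site's configured default. The client has no say in the role at all.
function example_register_hardened() {
    $nonce = sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        return new WP_Error( 'bad_input', 'Username or email is invalid.' );
    }

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password(),
        'role'       => get_option( 'default_role', 'subscriber' ),
    ) );
}

// Any later role change is gated on the 'promote_users' capability, which
// contributors do not have, and on the role being one the caller may assign.
// This refuses the contributor-to-admin jump the story describes.
function example_change_role( $target_user_id, $new_role ) {
    if ( ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'forbidden', 'You may not change user roles.' );
    }
    $editable = get_editable_roles();
    if ( ! isset( $editable[ $new_role ] ) ) {
        return new WP_Error( 'bad_role', 'Role is not assignable.' );
    }
    $user = get_userdata( (int) $target_user_id );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'User not found.' );
    }
    $user->set_role( $new_role );
    return true;
}

// Stored XSS side: contributors lack 'unfiltered_html', so anything a plugin
// stores on their behalf (widget content, shortcode attributes, post meta)
// must pass through wp_kses_post() or a <script> tag survives to the page.
function example_store_contributor_html( $html ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $html;
    }
    return wp_kses_post( $html );
}
```

The point of the hardened version is not the nonce or the input validation on their own; it is that the role is derived entirely from server-side state (`default_role`, the caller’s capabilities) and never from anything the browser sends, so a tampered form field has nothing to influence.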

(ThreatPost)

Thanks to our episode sponsor, IT Asset Management Group

Organizations must have adequate written policies and procedures to meet the regulatory requirements for the disposal of their retired data-containing devices. These policies should be readily available and regularly reviewed by leadership. IT Asset Management Group offers a free policy template to help establish or improve your written policies for IT asset disposal practices. Download the policy template today at itamg.com/CISO.

Google details sophisticated Android and Windows hacking

Google published a six-part report detailing a hacking operation, first detected in early 2020, that targeted Android and Windows. The attacks were carried out from two exploit servers, each hosting a separate exploit chain per platform, including four zero-day vulnerabilities for Windows. No Android zero-days were found, but the researchers believe it likely that some were used and have not yet been discovered. The servers used Google Chrome vulnerabilities to gain an initial foothold, then deployed OS-level exploits to gain more control over the system. The researchers found the modular design of the attack was built for “efficiency & flexibility.” All of the zero-days in the report were patched by spring 2020, and Google is publishing the findings, while staying cagey about suspected perpetrators, to help security teams identify these attacks.

(ZDNet)

Door opens for filing GDPR privacy complaints in any EU member state

The Advocate General of the European Court of Justice issued an opinion stating that a privacy complaint against Facebook could be handled by any of the national data protection authorities across the EU. Previously all privacy complaints went through the data protection office in the country where a company has its EU headquarters, which for Facebook is the Irish Data Protection Commissioner. The opinion is not binding and would need to be upheld by the European Court of Justice. The court is hearing an appeal from Belgian regulators in a case that originated in September 2015 over whether Facebook needs consent to place cookies.

(RTE)

WhatsApp clarifies what data it will share with Facebook

The company said that with its Terms of Service change, set to take effect February 8, the messaging service requires all users to agree to a policy that lets businesses store their WhatsApp chat logs on Facebook’s servers. WhatsApp says it doesn’t keep its own logs of who people message, doesn’t share contacts with Facebook, and can’t see your location data. And of course WhatsApp can’t see your messages, and never has been able to, because of end-to-end encryption.

(The Verge)

Ledger offers Bitcoin bounty on hacker info

The hardware wallet security company Ledger disclosed it suffered a cyberattack in July 2020, estimated at the time to have exposed data on 9,500 customers. Then in December, a data dump revealed 1 million email addresses and 272,000 names, mailing addresses and phone numbers of customers who had ordered products from Ledger, leaving customers facing a rash of SIM-swapping attacks aimed at extorting them or accessing their cryptocurrency wallets. The data appears to have been obtained, at least in part, by rogue members of Shopify’s support team, which Ledger was notified of on December 21st. According to Ledger’s new CISO, Matt Johnson, the company’s hardware devices remain secure, the company will never ask for or store the 24-word passphrase required to unlock them, and it will keep any other customer data for as short a time as the law allows. The company is also offering a 10 Bitcoin bounty for further information on the hack.

(CoinDesk)