Oracle’s bid calls for access to TikTok’s source code

The news comes from sources speaking to Bloomberg, and would see Oracle also getting access to any updates to source code as part of being named TikTok’s trusted technology partner in the US. This is meant to ensure there are no back doors that would allow ByteDance to gather data on users in the US. Since this would not involve a transfer of any ByteDance algorithms to Oracle, it would seemingly not run afoul of recently updated Chinese technology export restrictions.

(Bloomberg)

Patient dies in the wake of a ransomware attack

The attack impacted Duesseldorf University hospital in Germany on September 10th, resulting in planned and outpatient treatments and emergency care not being possible at the facility. A patient with a life-threatening condition was redirected to another hospital, receiving care an hour later but ultimately passing away. The ransomware note on the hospital’s servers indicated the attack was meant for Heinrich Heine University. After police contacted the threat actors to advise that a hospital was impacted, they provided the decryption key. German prosecutors are investigating this attack as negligent manslaughter.

(Bleeping Computer)

Backdoors and bugs discovered in HiSilicon video encoders

The backdoors were discovered by Salesforce security engineer Alexei Kojenov, impacting the software running on a Linux stack provided by HiSilicon for its IPTV/H.264/H.265 video encoders powered by the hi3520d chipset. The flaws found could all be exploited over a network, and include an administrative interface with a backdoor password, root access via telnet, and unauthenticated file uploads. In a statement, HiSilicon’s corporate parent Huawei said the vulnerabilities are in the application layer provided by the equipment vendors, not introduced by the chips or HiSilicon’s SDK. Kojenov tested encoders from URayTech, J-Tech Digital, and Pro Video Instruments and found them to be vulnerable to some or all of the exploits, and suspects other products based on the chipset are as well.

(The Register)

Dunkin Donuts reaches settlement over failure to disclose data breaches

These breaches date back to 2015, when over 19,000 customer accounts were compromised in a credential-stuffing attack. This provided the attackers with access to user names, emails, account numbers, PINs, and account balances, with information eventually sold to third parties. Dunkin didn’t disclose the breach until 2018, and failed to reset passwords of impacted users, freeze funds in its loyalty program, or put in place any security changes to prevent another attack. A similar credential-stuffing attack hit Dunkin in 2019, spurring a lawsuit from the state of New York. In the settlement, Dunkin agreed to pay $650,000 in damages, and adhere to better disclosure and security policies. Dunkin claims that prior to the settlement, it had already made such changes to its security policies.

(Graham Cluley)

Thanks to this week’s sponsor, Dtex Systems

Forget projects, get answers. Start preventing insider threats, stopping data loss, and monitoring remote employees in minutes, not days. And do it all without invading user privacy. DTEX Systems helps enterprises run safer and smarter with a first-of-its-kind human-centric approach to enterprise operational intelligence.
Learn more and start a free 30-day trial at dtexsystems.com.

Mozilla shutting down Firefox Send and Firefox Notes

Firefox Send, a popular free file-sharing service, was already taken offline after ZDNet reported it was being used by malware groups. At the time the move was said to be temporary. The move to permanently shutter Send appears related to recent layoffs at Mozilla, with the team tasked to re-engineer the service no longer with the company. Notes, a way to sync encrypted notes across browsers, will be shut down in October, with its support team also part of the layoffs.

(ZDNet)

Two Iranian nationals indicted for hacking into American networks

Federal prosecutors have accused two men from Hamedan, Iran of the hacks, which seemed to be motivated by financial gain and at the request of the Iranian government. The Justice Department claims information stolen in the attacks relates to national security, nuclear information, personal financial information and intellectual property. Attacks date back as far as 2013, impacting higher education, human rights activists, telecommunication businesses, and defense contractors.

(Politico)

Wilbur Ross provides details about the forthcoming WeChat ban

An executive order prohibiting transactions with WeChat in the US is set to go into effect Sunday. Secretary of Commerce Wilbur Ross was given until Sunday to determine how transactions are defined. In a court filing, Secretary Ross said the US does “not intend to take actions that would target persons or groups whose only connection with WeChat is their use or downloading of the app to convey personal or business information between users, or otherwise define the relevant transactions in such a way that would impose criminal or civil liability on such users.” However, users may find the app is “directly or indirectly” impaired because of other actions.

(Ars Technica)

Google bans stalkerware apps in the Play Store

The ban affects any apps designed to track a device that can be installed and run without a user’s knowledge. While Google has removed apps when pointed out by security researchers, an update to its Developer Program Policy states that apps that track users and send their data to another device must include an “adequate notice or consent” and show a “persistent notification” of the tracking. The new rules go into effect October 1st.

(ZDNet)