DHS acknowledges leak of facial recognition images

The images were part of a Department of Homeland Security facial recognition pilot project and were obtained in a hack of the Customs and Border Control subcontractor Perceptics last year. According to the DHS Office of Inspector General, 184,000 images, including faces and license plates, were stolen, with at least 19 posted on the dark web. According to the report, Perceptics transferred the images to its own network, where they were not encrypted. A cyberattack against Perceptics in May 2019 obtained the images. CBP pulled Perceptics' credentials and banned it from working with the DHS ever again.

(Vice)

Judge rules the TikTok ban be delayed or defended

The ruling comes from U.S. District Judge Carl Nichols, who said the government must file a response to a request by TikTok for a preliminary injunction or delay the order banning the app by September 25th at 2:30 p.m. EDT. The ban is currently scheduled to take place on Sunday. The government also has yet to file a legal challenge to a preliminary injunction blocking a similar Commerce Department order from taking effect on Sunday against WeChat.

(Reuters)

Local government email systems are vulnerable to cyberattacks

Research by ProPublica found that dozens of municipal government email systems in swing states relied on either homebrew setups or didn't follow industry best practices, like using default encryption, using cloud-hosted email, implementing DMARC, or using two-factor authentication. They highlighted an attack on Hamilton County in central Texas using the Emotet malware, which saw spoofed emails sent with a malicious Word doc attached, seemingly from the county clerk. While the attack did not compromise any election-related systems, experts warned ProPublica that Emotet is often used to launch further ransomware attacks that could hamper government services.
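One of the best practices the ProPublica piece names is DMARC, which lets a domain owner tell receivers what to do with mail that fails SPF/DKIM alignment, the kind of spoofed "from the county clerk" message described above. The following is an added example, not code from ProPublica or any county, showing how a defender can parse the DMARC TXT record(s) found at `_dmarc.<domain>` and classify whether the policy actually enforces anything. The records and the `example.gov` domain are constructed for illustration; in practice you would fetch them with a DNS lookup.

```python
"""Parse DMARC TXT records and rate how much protection the policy gives.

Assumptions (constructed for this example): the caller has already fetched
the TXT records at _dmarc.<domain> and passes them in as plain strings.
"""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a 'tag=value; tag=value' record into a dict.

    Returns None if the string is not a DMARC record (no v=DMARC1 tag)
    or is syntactically broken (a tag without '=').
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate trailing ';'
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires the version tag to be exactly DMARC1
    if tags.get("v") != "DMARC1":
        return None
    return tags


def assess_dmarc(records):
    """Classify the DMARC posture for a domain given its _dmarc TXT records.

    Returns (status, detail) where status is one of:
      missing    - no valid DMARC record, so receivers treat spoofs as normal mail
      invalid    - record present but unusable (receivers ignore it)
      monitor    - p=none: reports only, spoofed mail is still delivered
      partial    - enforcing policy applied to fewer than 100% of messages
      enforcing  - quarantine/reject applied to all failing mail
    """
    parsed = [r for r in (parse_dmarc(t) for t in records) if r is not None]
    if not parsed:
        return ("missing", "no v=DMARC1 record published")
    if len(parsed) > 1:
        # Receivers discard the policy entirely when more than one record exists
        return ("invalid", "multiple DMARC records published; receivers ignore all of them")

    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return ("invalid", "missing or unknown p= tag")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return ("invalid", "pct= is not an integer")
    if not 0 <= pct <= 100:
        return ("invalid", "pct= outside 0-100")

    has_reports = "rua" in tags  # aggregate reports show who is spoofing the domain

    if policy == "none":
        detail = "p=none only monitors; spoofed mail is still delivered"
        if not has_reports:
            detail += " (and no rua= address, so nobody even sees the reports)"
        return ("monitor", detail)
    if pct < 100:
        return ("partial", f"p={policy} applied to only {pct}% of failing mail")
    return ("enforcing", f"p={policy} applied to all failing mail")


# Constructed sample records for a hypothetical county domain, example.gov.
# These are not real DNS data.
SAMPLE_RECORDS = {
    "good": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.gov"],
    "monitor_only": ["v=DMARC1; p=none; rua=mailto:dmarc@example.gov"],
    "rollout": ["v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.gov"],
    "spf_only": ["v=spf1 include:_spf.example.gov -all"],  # SPF, not DMARC
    "duplicate": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        status, detail = assess_dmarc(recs)
        print(f"{name:13s} -> {status:9s} {detail}")
```

Only `enforcing` means a forged "county clerk" message will be rejected or quarantined by receivers that honor DMARC; `monitor` and `missing` are the states the ProPublica research is describing, and `partial` is the common rollout state that is easy to forget to finish.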

(ProPublica)

Ring bringing end-to-end encryption to video feeds

Amazon said the feature was coming to its brand of home security products for free by the end of the year. Footage is encrypted on device and only decrypted with a key on a mobile device. Activating encryption will disable sharing video clips and displaying footage on smart displays. Amazon will also allow Ring owners to disable the Neighbors feed, which allows users to share video clips with other users in their vicinity.

(The Verge)

Thanks to this week’s sponsor, Trusona

Trusona enables enterprises to secure and simplify user access by removing passwords from the Windows 10 login experience. With a single desktop sign-in using Trusona’s passwordless MFA, employees are automatically authenticated into Office 365 or their SSO, giving them secure access to all of their corporate applications. Give your workforce a solution they don’t have to work around.

Apple rejected 150,000 apps over privacy violations in 2019

This comes from updated figures provided on Apple’s App Store website. The company also said it rejected 1 million apps over illegal, unsafe, harmful, or objectionable content, and that the App Store receives 100,000 new apps and app update submissions a week for review.

(Apple Insider)

Cobalt Strike is being used by black hats

This comes from findings by Cisco Talos, which saw the pen test tool in non-simulated attacks in everything from ransomware to state-backed APT threats. Cobalt Strike is a paid-for tool and provides a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in a network. Cisco Talos Incident Response saw the tool in 66% of all ransomware attacks it responded to this quarter.

(The Register)

Alien malware spotted on Android

The security researchers at ThreatFabric discovered the malware, which they claim has stolen credentials from 226 applications, and which appears to be based on source code from the Cerberus malware. Alien operates as a Malware-as-a-Service offering, designed primarily as a banking trojan, showing a fake login page to steal a user's information. The malware has been mostly spotted trying to spoof applications used by financial institutions in Spain, Turkey, Germany, the US, Italy, and France.

(Security Affairs)

Facebook patches remote exploit flaw in Instagram

The exploit was discovered by researchers at Check Point, targeting a heap overflow issue in Instagram's image processing. Saving a maliciously crafted image to a user's mobile device would trigger the exploit the next time Instagram was opened, through a memory overflow in the JPEG decompression parsing process. This would allow the attacker to gain code execution within Instagram's context and permissions, potentially allowing access to a device's phone contacts, camera, GPS data, and files stored on the device, and at the very least completely crashing Instagram until the malicious image was deleted.

(Security Affairs)

Amazon introduces local language processing silicon

The company worked with MediaTek to develop the AZ1 Neural Edge processor, claiming that on-device speech recognition will allow for faster responses to voice queries. The chip with on-board neural engine will be available on Amazon's newly announced Echo smart speaker and Echo Show 10 smart display. Previous Amazon smart speakers sent audio recordings and interactions to the cloud for processing. It's unclear if the AZ1 chip will allow for offline use of the smart speakers.

(The Verge)