Cybersecurity news bash in bullet form for the busy individual.
Researchers Reveal New Security Flaw Affecting China's DJI Drones
- Cybersecurity researchers on Thursday revealed security issues in the Android app developed by Chinese drone-maker Da Jiang Innovations (DJI).
- The app comes with an auto-update mechanism that bypasses the Google Play Store and could be used to install malicious applications and transmit sensitive personal information to DJI's servers.
- The vulnerability was reported by cybersecurity firms Synacktiv and GRIMM, which found that the DJI GO 4 Android app not only asks for extensive permissions and collects personal data (IMSI, IMEI, the serial number of the SIM card), but also makes use of anti-debug and encryption techniques to thwart security analysis.
"Given the wide permissions required by DJI GO 4 — contacts, microphone, camera, location, storage, change network connectivity — the DJI or Weibo Chinese servers have almost full control over the user's phone."
DJI has Pushed Back Against the Findings
- DJI disputed the research, stating it contradicts "reports from the U.S. Department of Homeland Security (DHS), Booz Allen Hamilton and others that have found no evidence of unexpected data transmission connections".
"There is no evidence they were ever exploited, and they were not used in DJI's flight control systems for government and professional customers," the company said.
FBI Issues Alert on Use of Chinese Tax Software
- The Federal Bureau of Investigation has issued an alert to inform organizations in the United States of the risk associated with the use of Chinese tax software.
- Security researchers at Trustwave published a report that malware was dropped into the environment of an organization doing business in China through tax software that is mandatory in the country.
- Trustwave named the threat GoldenSpy.
- It was delivered to the organization via software from the Golden Tax Department of Aisino Corporation.
- It appears to have been in use since 2016.
- Once installed, it provides SYSTEM-level backdoor access to the network.
- Within days after the initial report was published, an uninstaller was delivered to compromised organizations through the update service of the tax software.
- Weeks later, Trustwave published information on another piece of malware deployed through mandatory tax software onto the networks of organizations doing business in China.
- Last week, the FBI issued an alert to warn healthcare, chemical, and finance organizations in the United States of "potential targeting activity by the Chinese government against their business and operational components based in China."
Digital Banking Service Dave Says Data Stolen in Third-Party Breach
- Digital banking service Dave announced over the weekend that user data was compromised in a third-party security incident.
- Dave (Dave.com) provides individuals with interest-free loans for overdraft protection.
- The newly disclosed data breach, Dave says, was the result of a security incident at Git analytics tool Waydev, a former service provider for Dave.
- Earlier this month, Waydev revealed that the security incident involved users of its Waydev GitHub application, with the hackers being able to compromise GitHub OAuth tokens.
- The attackers also cloned GitHub and GitLab projects from the users who were connected via GitHub OAuth.
“The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers,” Dave said in a breach notification.
Australian Watchdog Accuses Google of Privacy Breaches
- The Australian Competition and Consumer Commission (ACCC) launched court action against Google on Monday.
- The allegation is that the technology giant misled account holders about its use of their personal data.
- It is a result of Google’s move in 2016 to start combining users’ personal information in their Google accounts with the same users’ activity on non-Google sites that used Google technology.
“We allege that Google did not obtain explicit consent from customers to take this step,” the commission’s chair, Rod Sims, said in a statement.
“The ACCC considers that consumers effectively pay for Google’s services with their data, so this change introduced by Google increased the ‘price’ of Google’s services, without consumers’ knowledge,” Sims added.
- Google said it had cooperated with the watchdog in its investigation and that its account holders.
“We strongly disagree with their allegations and intend to defend our position,” a Google statement said.
- The watchdog also plans to make global digital platforms including Facebook pay for content siphoned from news media.
Sheffield Hallam University Confirms Blackbaud-Linked Data Breach
- Sheffield Hallam University has confirmed that it is dealing with a data breach linked to the software provider Blackbaud.
- Blackbaud's systems were hacked, and personal information relating to the university's alumni and other members of its community was stolen on Thursday, 16 July 2020.
- Sheffield Hallam University also believed that the "names and contact details for alumni, donors and other stakeholders" were taken during the cyber-attack.
“We sincerely apologize for any distress that this data security breach by Blackbaud may cause,” Boryslawskyj said. “The university takes data protection very seriously and we regret any inconvenience caused by this incident.”
- Blackbaud, one of the world's largest providers of education administration, fundraising and financial management software, said in a statement that it "discovered and stopped a ransomware attack" in May 2020; however, the attacker was able to remove a copy of a subset of data from Blackbaud's self-hosted environment.
- Blackbaud did not disclose the incident until universities began to investigate incidents in the last few weeks.