Author Archives: admin

Android Security Bulletin — February 2019  |  Android Open Source Project

This is a serious one. A vulnerability exists on Android that will allow the phone to be hacked simply by viewing a malicious PNG image.

The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.

Source: Android Security Bulletin — February 2019  |  Android Open Source Project

Singapore Business & Consumer Email Databases

This is brazen.

Someone is openly selling aggregated databases containing PII (personally identifiable information) of Singaporeans – names, email, mobile, address, company, job title, etc. and even offering a CNY promotion of “only” SGD 688 for a total of 8 databases.

Some of the sample databases – which I won’t embed here – are not properly blurred out – you can even make out the name, email, mobile and address of the individual.

The FAQ says that:

Q: Is It Legal To Purchase Databases?

Yes. It is legal to purchase database for marketing or advertising purposes. All information in our databases are publicly available data which can be found online or offline.

That is blatantly false.

The organization behind this website claims to be SPADB, which doesn’t appear to be a legitimate company. According to archive.org, they seem to have been operating since 2015. It has another similar looking website which sells databases of registered property agents.

The server hosting the website seems to be based in Singapore, so there’s a possibility that PDPC or SingCert can do something about it.

 

Singapore’s most comprehensive business & consumer databases with over 1 million contact list. Buy 1 Get 6 Free. 7 databases For just one low price. 100% Lowest Price Guaranteed!

Source: CNY Promotion | Singapore Business & Consumer Email Databases

CCPA will hit your dev team harder than GDPR. Here’s why.

The cost of data is not just the bytes that are required to store them. Increasingly laws will target companies for over-collecting, misusing, and not doing enough to protect PII data.

An (incomplete) history of data regulation in California

California recently passed an extremely powerful, far-reaching law, the California Consumer Privacy Act (CCPA), that will likely drive even more change than the GDPR. Here’s what your dev team needs to know and how to prepare.

Source: CCPA will hit your dev team harder than GDPR. Here’s why.

Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE – Embedi

Marvell Wifi System-on-chip, which is used by Valve Steamlink, PS 4, Microsoft Surface and Samsung Chromebook is susceptible to remote compromise. Here’s the kicker: the device can be compromised just by the fact that it’s powered on. There is no need for the victim to visit any website or click on any links. That’s what makes this RCE (remote code execution) so dangerous and potent.

This vulnerability can be triggered without user interaction during the scanning for available networks. This procedure is launched every 5 minutes regardless of a device being connected to some Wi-Fi network or not. That’s why this bug is so cool and provides an opportunity to exploit devices literally with zero-click interaction at any state of wireless connection (even when a device isn’t connected to any network).

Source: Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from zero knowledge to zero-click RCE – Embedi

Mondelez Lawsuit Shows the Dangers of Attributing Cyberattacks – Bloomberg

This is a case that will test the limits of exclusion in the brave new world of cybersecurity insurance. Basically, the insurance company is refusing to pay for cybersecurity related damages by citing an exclusion clause which states the malware was created as part of a cyber warfare.

What if courts and lawyers actually start believing the cyberwar narrative and acting as if any damage caused to Western companies is uninsurable war damage?

What will happen to the insurance of cyber risks if any attack could potentially be declared part of a war?

Source: Mondelez Lawsuit Shows the Dangers of Attributing Cyberattacks – Bloomberg

unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge

CAPTCHA is almost ubiquitous in today’s web applications and an extremely popular CAPTCHA implementation is Google’s, namely reCaptcha. reCaptcha provides an audio version for visually-impaired users. Researchers manage to make use of free speech-to-text services to defeat audio reCaptcha.

unCaptcha: Talk is cheap in defeating reCaptcha

Source: unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge