Cyber Bites

Hackers can abuse Amazon Alexa and Google Home smart assistants to eavesdrop on user conversations without users' knowledge, or trick users into handing over sensitive information.  The attacks aren't technically new. Security researchers have previously found similar phishing and eavesdropping vectors impacting Amazon Alexa in April 2018; Alexa and Google Home devices in May 2018; and again Alexa devices in August 2018. Both Amazon and Google have deployed countermeasures every time, yet newer ways to exploit smart assistants...

Jane Manchun Wong has an incessant need to know every single feature of every single app on her smartphone. Wong, a 25-year-old software engineer in Hong Kong, checks every new line of code any time one of her Android smartphone’s apps get an update. She locates new code, reverse-engineers it and finds new features before they are announced. “I do it mostly for personal amusement,” Wong told CNBC. “If I see the feature, I check...

The high school students say they just wanted to win a water-gun fight. But officials in their Pennsylvania school district say they took a senior-year tradition way too far, hacking into test scores and personal information of the district’s more than 12,000 students while trying to get the home addresses they say they wanted for a tactical edge. Downingtown Area School District is calling it a crime — and considering whether to press charges in...

Suspected Russia-linked hackers have attacked dozens of countries, including Britain, disguised as Iranian cyber spies, UK and US intelligence agencies have revealed. They have accused the Turla group - allegedly based in Russia - of letting an Iranian hacking outfit take the blame for a spate of cyber espionage after gaining access to its cyber tools and infrastructure and piggybacking on its hacking exploits. Source: Sky News

Hackers infected servers used by the San Bernardino City Unified School District with ransomware, locking faculty and staff out of their e-mails over the weekend and forcing classes to proceed without Wi-Fi and other tech-based tools beginning Monday, Oct. 21. The district’s information technology staff alerted administrators and law enforcement to the attack early Saturday, Oct. 19, SBCUSD Director of Communications and Community Relations Linda Bardere said Sunday. Officials did not disclose what demands the...

Cyber-espionage operations from Cozy Bear, a threat actor believed to work for the Russian government, continued undetected for the past years by using malware families previously unknown to security researchers. Relying on stealthy communication techniques between infected systems and the command and control (C2) servers, the group managed to keep their activity under the radar for a long time. Source: Bleeping Computer

Telstra’s brand is being employed by scammers in order to launch an email phishing campaign aimed at harvesting confidential details from victims. Spotted on 15 October by email filtering provider MailGuard, the phishing scam purports to be from Telstra and appears to be a notification from the telco.  Source: Arnet

A phishing campaign using fake invalid account Stripe support alerts as lures has been spotted while attempting to harvest customers' bank account info and user credentials using booby-trapped Stripe customer login pages. Stripe is one of the top online payment processors, a company that provides the payment logistics internet businesses need to accept payments over the Internet from their e-commerce customers. Source: Dark Reading

Malicious plugins for WordPress websites are being used not just to maintain access on the compromised server but also to mine for cryptocurrency. Researchers at website security company Sucuri noticed the number of malicious plugins increase over the past months. The components are clones of legitimate software, altered for nefarious purposes. Source: Bleeping Computer

Amazon Echo and Kindle devices were discovered last year to contain WPA/WPA2 protocol vulnerabilities that could potentially allow malicious actors to uncover keychains used to encrypt Wi-Fi traffic. Source: SC Magazine