Security Snacks #8 – The ultimate iPhone hack, The new threat of cyber-biological attacks & 2021 threats forecast

By Anna Hammond

December 4, 2020

Security Snacks is a weekly digest of the most notable InfoSec news.
Its purpose is to provide a one-stop source for getting a high-level view of the state of security and hacking.


2020, an already memorable year, still has a stock of surprises for us: A zero-click exploit that allows anyone to get complete control of all nearby iPhones, a new type of cyber-biological threat that gives insight into the potential future of biological warfare, a US Supreme Court case that could result in hindering security research, and yet another Windows 7 vulnerability with an unofficial patch.

Continue reading for all details and cybersecurity news.

Notable Security News

iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever

Ian Beer, a researcher at Google’s Project Zero, published his 2020 lockdown project: a zero-click exploit that let him gain complete control of every iPhone within Wi-Fi range. It is an impressive feat considering that it relies on a single vulnerability (“a fairly trivial buffer overflow” in Apple’s AWDL protocol) rather than a complex bug chain. It is also a cautionary tale about what better-resourced attackers could do, if “one person, working alone in their bedroom” came up with such a powerful exploit.

Supreme Court mulls whether a cop looking up a license plate for cash is equivalent to watching Instagram at work

What does a former cop being heard by the US Supreme Court have to do with hacking? Van Buren was convicted in 2017 of violating the Computer Fraud and Abuse Act (CFAA) after using his access to a police database to run a license plate search in exchange for a bribe. He is challenging the conviction in an appeal with potential ramifications for security research. The CFAA is an old, ambiguous law that prohibits accessing a computer without authorization, or in excess of authorization. If the Supreme Court sets a precedent for a broad interpretation, common online acts like sharing passwords, violating a site’s terms of service, or good-faith security research could become felonies with disproportionate consequences.

Cyberthreats to financial organizations in 2021

‘Tis the season of new year cybersecurity predictions. Kaspersky goes over the key events of 2020 and its forecast for 2021. They expect the current pandemic and the ensuing economic crisis to cause more ransomware, Advanced Persistent Threat groups from countries under economic sanctions to turn to ransomware, more 0-day exploits used by ransomware, Magecart attacks shifting to the server side, more Bitcoin theft, and more criminals moving to less traceable cryptocurrencies.

New Cyberattack Can Trick Scientists into Making Dangerous Toxins or Synthetic Viruses, According to BGU Cyber-Researchers

Researchers from the Ben-Gurion University of the Negev discovered a new type of cyberattack. By remotely altering the DNA sequence on a bioengineer’s computer, attackers can make them unintentionally produce dangerous toxins or viruses. This works because weaknesses in current screening protocols make it possible to hide the injected harmful DNA and avoid detection. It could mean a new era of biological warfare in which criminals produce and deliver viruses without coming near a lab or any dangerous substances.

If you’re still using Windows 7, you need to install this important, free 0-day patch

Microsoft ended support for Windows 7 in January 2020, but there are still millions of devices using it. This is problematic because vulnerabilities are still being discovered in this obsolete operating system. The latest example is a local privilege escalation vulnerability found by Clément Labro. Anyone still using Windows 7 should either upgrade or install the free patch published by 0patch.

Intigriti Customer Story

Eric de Smedt, Manager Cyber Security at Telenet Group: Intigriti offers an international platform, where ethical hackers have to register. That makes it more trustworthy for us as clients. They also offer a platform for ethical hackers to get recognition. There’s a hall of fame where ethical hackers earn points for reporting issues and get a ranking accordingly.

What Telenet, UZ Leuven and an ethical hacker say about Intigriti’s ethical hacking and bug bounty platform.
