Security summary – March 2019

Our short monthly review summarises important news and blog posts, which focus on IT security, cloud computing and privacy protection.

1. Cyber-attack forces global aluminum manufacturer to its knees

One of the world’s largest aluminum manufacturers, Norwegian Norsk Hydro, was attacked by hackers. The company confirms that most of their IT systems were infiltrated and affected by the attack. The hackers also targeted the company’s website and managed to shut it down. The comprehensive attack forced Norsk Hydro to switch to manual production wherever possible. Facilities in both Europe and the US have been affected.

Source: heise.de

2. Tesla successfully hacked in competition

The team “Fluoroacetate” successfully hacked a Tesla Model 3 car as part of the Vancouver-based hacker competition Pwn2Own. They exploited a vulnerability in the infotainment system and took home a USD 375,000 prize. Other teams successfully hacked the popular browsers Safari and Firefox. A total of 19 security vulnerabilities were found by the participating teams.

Source: heise.de

3. Motel guests unknowingly filmed by spycams

Four people have been arrested for planting spycams in various motels across 10 cities in South Korea in order to live stream their guests. More than 800 illegally recorded films showing unknowing guests partly nude or during intercourse were broadcast to 97 paying viewers of an undisclosed website. The suspects now face up to 5 years in prison along with a fine of USD 35,000.

Source: threatpost.com

4. Facebook routine check finds millions of users' passwords in plaintext

During a routine check, Facebook found that they have been storing the passwords of hundreds of millions of Facebook service users in plain text and accessible to internal employees. They since stated to have corrected this mistake and plan to notify: "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users and tens of thousands of Instagram users …". The company claims to have found no indication of any abuse of the passwords.

Source: heise.de

5. Severe error discovered in Swiss e-voting system

Researchers discovered that an error in the source code of the Swiss e-voting system could be used by attackers to manipulate votes; worse still, any manipulation would have been undetectable even if the voting system had been checked. The researchers also found that it was possible to create fake verification documents, though only employees of the Swiss Postal Service or the cantonal authorities could have changed votes unnoticed.

Source: heise.de

6. Uber used spy-ware to get rid of competition in Australia

According to an unnamed source claiming to be a former senior employee, Uber developed an information-gathering software in 2015 that: “… allowed Uber Australia to see in real time all of the competitor cars online and to scrape data, such as the driver’s name, car registration and so on.” The source reports that Uber used the intel to offer drivers from competing startups better employment conditions if they’d switch to Uber.

Source: threatpost.com

7. Burglars able to deactivate wireless alarm system from Abus

The wireless alarm system Secvest from Abus has been shown to suffer from three severe security vulnerabilities leaving it open to attack from cyber savvy burglars. The security researcher Thomas Detert found the vulnerabilities, which were allegedly reported to Abus in November 2018. The company has yet to provide patches to remedy the issue.

Source: heise.de

8. FDP calls for German identity cards for the mobile phone

The German liberal party “FDP” is calling for an overall federal strategy to introduce a German digital identity card. First and foremost, they want to make a Germany-wide identity card for the mobile phone a reality. Furthermore, they are pushing for a motion to allow all German citizens to have a “digital wallet” of sorts for official documents and to allow citizens to apply for social benefits or rent a car using their digital ID.

Source: security-insider.de

9. Hackers remotely hijack Android phones through unsafe browser feature

Android phone owners that use the UC browser may be targeted by remote attackers because of a hidden feature that automatically installs new libraries and modules to their phones. The updates are downloaded over an insecure connection making it possible to perform so-called “Man-in-the-Middle attacks” and import malicious software to the unknowing user’s phone.

Source: thehackernews.com

10. EU promotes Europe-wide security standards for 5G to avoid espionage

The EU has put forward a suggestion for how to create uniform Europe-wide security standards for the new, fast 5G mobile network. Concerns include the possibility of Chinese espionage, a matter which was raised by the American government. The US officials suspect Chinese telecommunications companies such as Huawei to be misused for espionage purposes.

Source: inside-it.ch