It is Wednesday January 22nd, 2020 and here are today’s most pressing cyber stories we need to know about.
Journalist Glenn Greenwald charged with hacking
The co-founder of investigative news website The Intercept and journalist Glenn Greenwald has been accused of cybercrimes linked to hacking the phones of senior government officials in Brazil. Alongside Greenwald, six other individuals are being accused. In an official statement, the Brazilian prosecution service claimed the journalist took part and encouraged hacking of exchanges between senior government figures through messaging service Telegram that related to Operation Car Wash, Brazil's largest corruption investigation to date.
The investigations led to the arrest of former president Luis Inácio Lula da Silva, who presented a threat to the election of current incumbent, Jair Bolsonaro. Lula's case was handled by a former judge, Sergio Moro, who was later named minister of justice by Bolsonaro. The inner workings of Car Wash were exposed in the leaked messages, casting doubts over Moro's conduct and potential political bias when working on Lula's case.
The Telegram exchanges in question are linked to The Intercept's extensive reporting series questioning the ethics and methods employed by the anti-corruption taskforce, which began in June 2019.
Greenwald's charges have sparked controversy, as the Brazilian federal police said last December that it could not find any evidence of wrongdoing in the journalist's modus operandi. However, the latest accusations present a different take on the case: while accepting a journalist's right to report on leaks related to the corruption case, the prosecutors argue Greenwald was part of a "criminal organization" and "helped, encouraged and guided" the hackers that obtained the Telegram chat histories.
The prosecutors' claims around the hacking activity supposedly carried out by Greenwald, who was not investigated, are based on the analysis of a computer that was found at the house of one of the hackers. The MacBook, according to the prosecutors' statement, contained an audio recording with a conversation between the journalist and one of the hackers about the intercepted messages.
According to the prosecutors, Greenwald told hackers to delete stolen messages that had been forwarded to him, so as to cover their tracks and reduce the possibility of criminal liability. In July 2019, four hackers were arrested in connection with the Telegram hack. According to court documents, the group used a relatively unknown hacking trick to bind the victims' Telegram accounts to their phones.
The Intercept's co-founder posted a reaction to the charges on Twitter, describing the accusations as "an attack on Brazilian democracy" and "an obvious attempt to attack a free press in retaliation for the revelations we reported on Minister Moro and the Bolsonaro government." He added that he would continue his reporting work regardless of the charges.
In a statement, Greenwald, who won a Pulitzer Prize for his reporting on the National Security Agency (NSA) spying revealed by Edward Snowden, said he exercised extremely caution" in his dealings with his sources and did nothing more than his job as a journalist, "acting ethically and within the law."
"We will not be intimidated by these tyrannical attempts to silence journalists," he said, adding that he would continue to write stories based on the intercepted material.
The charges against Greenwald now need to be accepted by a judge before the journalist would stand trial.
Data leak strikes US cannabis users
Another day, another leaky database -- and this one has impacted 30,000 people connected to the medical and recreational marijuana industry.
On Wednesday, the research team from VPNMentor, led by Noam Rotem and Ran Locar, said that an unsecured Amazon S3 bucket uncovered online without any authentication or security in place was the source of the leak.
The database, found on December 24, 2019 as part of the firm's web scanning project, is reportedly owned by THSuite, described as "seed to sale" software -- a Point-Of-Sale (POS) and management system used in dispensaries across the United States.
Medical marijuana is now permissible by law in some US states. However, dispensaries are held to strict legal standards to prevent abuse or the flouting of state law, and as a result, automatic systems like THSuite can make compliance and record-keeping easier for operators.
According to VPNMentor, personally identifiable information (PII) belonging to 30,000 individuals was leaked. In total, over 85,000 files were exposed to anyone who stumbled across the database.
The full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts were all available to view. In addition, "scanned government and employee IDs" were recorded in the leaky bucket, stored through the Amazon Simple Storage Service.
Rather than examine every record -- which would skirt the lines of ethical behavior -- the researchers grabbed some random samples related to dispensaries in Maryland, Ohio, and Colorado to ascertain the depth of the leak.
Among the samples were records from Amedicanna Dispensary, including customer PII and information related to the firm's inventory and sales. Bloom Medicinals included similar PII, alongside cannabis product lists, suppliers, price, monthly sales, discounts, returns, and taxes paid. Colorado Grow Company's exposed information related to monthly sales, discounts, taxes, employee names, and inventory lists. It is likely that more dispensaries have been impacted.
As a medical data breach, it may be that there could be consequences under the US Health Insurance Portability and Accountability Act (HIPPA) of 1996, which demands strict security to be implemented by controllers of protected health information (PHI). Under the law, those who violate HIPPA can face multi-million-dollar fines or jail time.
Two days after the database was discovered, VPNMentor reached out to THSuite but received no response. This led to the researchers contacting Amazon AWS on January 7, 2020. A week later, access to the database was revoked.
ProtonVPN apps handed to open source community
ProtonVPN has handed over application code to the open source community in a bid to improve transparency and security standards.
On Tuesday, the virtual private network (VPN) provider, also known for the ProtonMail secure email service, said that the code backing ProtonVPN applications on every system -- Microsoft Windows, Apple macOS, Android, and iOS -- is now publicly available for review in what Switzerland-based ProtonVPN calls "natural" progression.
"There is a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like GDPR," the company says. "Making all of our applications open source is, therefore, a natural next step."
Each application has also undergone a security audit by SEC Consult, which ProtonVPN says builds upon a previous partnership with Mozilla.
Back in 2018, Mozilla ran a trial with a small number of US-based Mozilla Firefox browser users to offer ProtonVPN as a recommended service to protect their privacy and mask online activity.
While the partnership did not go any further -- instead, Mozilla has created its own Firefox Private Network -- the trial did require ProtonVPN's technology to undergo an inspection by the browser as part of Mozilla's due diligence requirements.
The Windows audit report identified two low-risk vulnerabilities related to jailbreaking and a lack of SSL certificate pinning. The macOS report uncovered no bugs at all, whereas one medium-risk vulnerability and four low-risk vulnerabilities were discovered in the Android audit, the worst of which was an insecure logout issue.
Finally, the iOS report documents two medium-risk vulnerabilities and two low-risk vulnerabilities, the most serious security flaw being the use of hardcoded credentials and sensitive data contained in memory.
All of the vulnerabilities were either accepted or fixed at the time of disclosure.
The source code for each app is now available on GitHub.
"As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible," ProtonVPN says. "Going open source helps us to do that and serve you better at the same time."
Microsoft Exposes 250 Million Call Center Records in Privacy Snafu
Microsoft briefly exposed call center data on almost 250 million customers via several unsecured cloud servers late last year, according to researchers.
Bob Diachenko spotted the major privacy snafu a day after databases across five Elasticsearch servers were indexed by the BinaryEdge search engine on December 28.
Each contained a seemingly identical trove of Microsoft Customer Service and Support (CSS) records spanning a 14-year period. The records included phone conversations between service agents and customers dating back to 2005, all password-free and completely unprotected, according to Comparitech. Most personally identifiable information (PII) was redacted from the records, but “many” apparently contained customer email and IP addresses, support agent emails and internal notes and descriptions of CSS cases.
This presented not just a phishing risk but a valuable collection of data for tech support scammers who impersonate call center agents from Microsoft and other companies to install malware on victim machines and steal financial data.
If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.
However, Microsoft was praised for acting swiftly to lock down the exposed servers.
After being informed by Diachenko on December 29, the firm had secured all data by December 31.