Iran Accused of Election Cyber Attacks

CybersecurityHQ News

Welcome reader to your CybersecurityHQ report

Headlines

In the lead-up to the 2024 presidential election, a joint statement by the FBI, CISA, and the Office of the Director of National Intelligence accuses Iran of launching cyber attacks against the campaigns of both Donald Trump and Kamala Harris.

The statement reads, “We have observed increasingly aggressive Iranian activity during this election cycle, specifically involving influence operations targeting the American public and cyber operations targeting presidential campaigns… This includes the recently reported activities to compromise former President Trump’s campaign, which the IC [Intelligence Community] attributes to Iran. The IC is confident that the Iranians have through social engineering and other efforts sought access to individuals with direct access to the presidential campaigns of both political parties. Such activity, including thefts and disclosures, are intended to influence the U.S. election process.”

The report corroborates the August 10 disclosure by the Trump campaign that Iran hacked its website. In the aftermath, confidential material from the campaign was leaked to Politico, the New York Times, and the Washington Post — though all three have refused to publish what they were given.

Just a day before that disclosure, Microsoft released research (PDF) in part focused on Iranian cyber activities meant to undermine confidence in the 2024 US election. These activities mostly include spreading disinformation by managing multiple websites that push news from points across the political spectrum. But now, that activity may become more focused on direct hacking and leaking.

In response to the claims, Iran called the allegations “unsubstantiated and devoid of any standing.”

Tensions between Washington and Tehran are extremely high after Israel’s recent assassination of Hamas official Ismail Haniyeh in Iran. Another recent Israeli strike on a leader of Iran-backed Hezbollah in Beirut provoked promises of retaliation, but nothing has happened so far. Instead, Iran has cooled public rhetoric through the Gaza cease-fire negotiation process that is ongoing in Qatar.

The French company Quarkslab has discovered a backdoor in millions of RFID cards manufactured by Shanghai Fudan Microelectronics Group. Researcher Philippe Teuwen described his findings in a paper (PDF) that outlines how threat actors could clone these cards within minutes.

His work shows that Fudan’s MIFARE Classic cards can be easily hacked in card-only attacks (where you only need access to the card and not the reader).

As the study concludes, “we have demonstrated various attacks, uncovered the existence of a hardware backdoor and recovered its key, which allows us to launch new attacks to dump and clone these cards, even if all their keys are properly diversified. The presence of the backdoor in this product and in all previous FM11RF08 cards since at least 2007, raises several questions, particularly given that these two chip references are not limited to the Chinese market. For example, the author found these cards in numerous hotels across the US, Europe, and India. Additionally, what are we to make of the fact that old NXP and Infineon cards share the very same backdoor key?”

Unfortunately, many people using MIFARE Classic cards may not be aware that their cards are Fudan FM11RF08 or FM11RF08S chips, which leaves them open to these attacks. In fact, Quarkslab found these cards widespread in hotels across the US, Europe, and India.

Three federal judges say Google will need to face a class action lawsuit that claims the company misled Chrome users into thinking their data wasn’t being collected. The lawsuit was thrown out in 2022, but now the US Court of Appeals for the 9th Circuit in San Francisco has struck down that ruling, saying the lower court failed to apply the “reasonable person” inquiry.

The case revolves around Google collecting personal information on Chrome users after they selected not to sync the browser with their Google accounts. The new ruling says that “reasonable” people might have understood this to mean the company wouldn’t collect their data.

The plaintiffs note that the browser’s own privacy notice says that users “don't need to provide any personal information to use Chrome.” The lawsuit seeks at least $5 billion.

This comes along with a wave of legal losses for Google. Late last year, the tech giant paid out $700 million along with other concessions to settle with state attorneys from all 50 states and Puerto Rico over its competition-stifling activities in the Android app store.

And in August of last year, Google was declared a monopoly, opening up a pathway for US lawmakers to break up the company.

On Tuesday, Microchip Technology filed with the SEC saying it detected suspicious activity in its information technology systems on August 17. This triggered steps to assess and contain the situation, leading to its manufacturing facilities running “at less than normal levels.”

Coinciding with the news, the company’s stock slipped 2% in extended trading on the day of the announcement.

Very little is known about the attack so far — including who is behind it and what its full impact is on the company. But it marks yet another major hack on a chip manufacturer in recent memory.

For instance, Advanced Micro Devices announced in June that it was investigating a data breach carried out by IntelBroker. And just last year, it was revealed that a hacking group with Chinese links spent two years looting the corporate network of Netherlands-based NXP, harvesting information from the chipmaker.

National Public Data (NPD) was hit by a cyber attack leading to the compromise of 2.9 billion personal information records. NPD is a data aggregator that resells the personal information it collects to clients including investigators, background check websites, data resellers, mobile apps, and more. The information NPD believes was leaked includes names, email addresses, phone numbers, social security numbers, and mailing addresses.

The massive leak began as far back as a hacking attempt in December 2023, with leaks occurring in April 2024 and through the summer. Dark web forum posters widely shared the data they allegedly stole from NPD, yet the company held back from making any official statement on the situation for months.

BreachForums member Fenice even released the largest variant of the database entirely for free, a trove made up of 2.7 billion records. Research into the data, however, shows that much of the information is inaccurate. Troy Hunt of Have I Been Pwned analyzed the data and found that one of his email addresses was connected with two separate birthdays, neither of which was actually his.

NPD says that it, “cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records… We have also implemented additional security measures in efforts to prevent the reoccurrence [sic] of such a breach and to protect our systems.”

All in all, the NPD leak makes for a complicated story. The data included is mostly partial, and it is aggregated from many sources. Similarly, most people affected aren’t even aware that NPD exists, because the records were never handed over directly by individuals.

Interesting Read

In an interview with SecurityWeek, LinkedIn’s VP and head of engineering Sabry Tozin discusses how his team created the Security Posture Platform (SPP) — an AI project meant to protect the data of a billion users.

The project began by creating a single source of truth that makes the entire system legible to the program. With this in place, SPP can begin to predict vulnerabilities and mitigate them.

The write-up is an interesting real-world look at how a major company with enormously high stakes in data security is implementing AI at a profound level. Whether it holds up over time is another story.

Cybersecurity Career Opportunities

For the latest openings in cybersecurity careers, check CybersecurityHQ.

Stay Safe, Stay Secure.

The CybersecurityHQ Team