GOT(IT) #8: Pwn2Own tackled top-tier phones, Fancy Bear hit-list discovered, plus Heathrow’s security leaked.

A USB stick was found lying on the ground with top-secret security protocols for Britain’s Queen? Someone’s gonna get fired.

GOT(IT) #8! We had a little vacation with last Friday’s holidays and now we’re back with hacking competitions tackling top-tier phones, not-so-legal hacking organizations that aimed for Russian opponents, and London’s latest mystery…

A USB stick was found with Heathrow’s security plans, including measures to protect the Queen. Take that, Sherlock.


Pwn2Own Tackled Apple, Huawei, and Samsung’s Phones

The 6th annual mobile Pwn2Own competition took place at the PacSec conference in Tokyo, and its participants quickly claimed high-caliber mobile victims. On the first day of the event, three exploits were executed against Apple’s iPhone 7; one against Samsung’s Galaxy S8; and a single baseband exploit was also successfully carried out against Huawei’s Mate 9 Pro.

The work of these masters of pwn was swift and deadly: all devices had the latest OS installed and no patch was left behind. Once these attacks are researched and studied, the organization will present them to all vendors with a 90-day fix time-limit.

Samsung’s exploit was done by 360 Total Security, who targeted the browser and got code execution to further extend the breach. The biggest win of the day? By complexity it was certainly Tencent Keen Security Lab’s attack against Huawei’s phone: they used a stack overflow on the baseband processor and earned the biggest amount of Pwn points in the competition.

On the other hand, the biggest loser? Apple, who received the biggest hits on day one. A WiFi bug, one system and browser vulnerability, and two more exploits resulted in three successful attacks on the iPhone 7.


Fancy Bear Linked Again to Russian Interests

News regarding state-sponsored hacks continues to point at Russian organizations, and these days it was Fancy Bear’s comeback that reached the headlines. In Secureworks’ latest exposition, it was revealed that during 2015 and 2016, they targeted not only the US elections, but also over 4,700 Gmail accounts, ranging from Ukraine’s president to the Russian punk band Pussy Riot.

The discovery proved that the attackers didn’t only target the Democrats’ campaign during the last US elections, but also several figures opposed to the current Russian government. “It’s a wishlist of who you’d want to target to further Russian interests”, said Keir Giles, one of the experts in charge of reviewing the digital “hit” list.

How did Secureworks manage to access the data? Fancy Bear slipped and accidentally exposed this phishing campaign to the internet, and a few extra tips picked up by the security firm turned all eyes to the Kremlin: all malicious links were created during Russian office hours.


USB stick found with Heathrow’s Security Plans 

London was shocked by a mysterious security breach: a USB stick was found lying on the street with thorough and confidential security plans of Heathrow Airport, including all protocols regarding the Queen’s protection.

It’s not a surprise that the airport rushed an investigation. There’s still no proper theory on how the stick got there and why it contained 76 folders filled with 174 unsecured and unencrypted files: pictures, maps, videos, and restricted documents.

What’s at risk? Well, these documents exposed details such as security patrol timetables, CCTV cameras, security protocols against specific threats, and the airport’s capabilities to face terror-related threats. The current top priorities are assessing the leak’s impact, avoiding further distribution, and discovering the stick’s origin.


Where are Benedict Cumberbatch and Martin Freeman when you need them? The Queen’s in danger, call the IT Sherlock!


Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.