Security trends 2017

3,151 Comments

1. July 27, 2017 at 6:31 pm

   Tomi Engdahl says:

   Joseph Menn / Reuters:
   Sources: Facebook traced accounts targeting Macron to tools used in past by Russia’s GRU; 70K French propaganda or spam accounts closed, up from 30K in April

   Exclusive: Russia used Facebook to try to spy on Macron campaign – sources
   http://www.reuters.com/article/us-cyber-france-facebook-spies-exclusive-idUSKBN1AC0EI

   Reply
2. July 27, 2017 at 7:40 pm

   Tomi Engdahl says:

   Financial Crimes Enforcement Network:
   US Treasury’s FinCEN fines BTC-e $110M for violating US anti-money laundering laws

   FinCEN Fines BTC-e Virtual Currency Exchange $110 Million for Facilitating Ransomware, Dark Net Drug Sales
   https://www.fincen.gov/news/news-releases/fincen-fines-btc-e-virtual-currency-exchange-110-million-facilitating-ransomware

   The Financial Crimes Enforcement Network (FinCEN), working in coordination with the U.S. Attorney’s Office for the Northern District of California, assessed a $110,003,314 civil money penalty today against BTC-e a/k/a Canton Business Corporation (BTC-e) for willfully violating U.S. anti-money laundering (AML) laws. Russian national Alexander Vinnik, one of the operators of BTC-e, was arrested in Greece this week, and FinCEN assessed a $12 million penalty against him for his role in the violations.

   BTC-e is an internet-based, foreign-located money transmitter that exchanges fiat currency as well as the convertible virtual currencies Bitcoin, Litecoin, Namecoin, Novacoin, Peercoin, Ethereum, and Dash. It is one of the largest virtual currency exchanges by volume in the world. BTC-e facilitated transactions involving ransomware, computer hacking, identity theft, tax refund fraud schemes, public corruption, and drug trafficking.

   “We will hold accountable foreign-located money transmitters, including virtual currency exchangers, that do business in the United States when they willfully violate U.S. anti-money laundering laws,” said Jamal El-Hindi, Acting Director for FinCEN. “This action should be a strong deterrent to anyone who thinks that they can facilitate ransomware, dark net drug sales, or conduct other illicit activity using encrypted virtual currency. Treasury’s FinCEN team and our law enforcement partners will work with foreign counterparts across the globe to appropriately oversee virtual currency exchangers and administrators who attempt to subvert U.S. law and avoid complying with U.S. AML safeguards.”

   Reply
3. July 28, 2017 at 9:23 am

   Tomi Engdahl says:

   A smart fish tank left a casino vulnerable to hackers
   http://money.cnn.com/2017/07/19/technology/fish-tank-hack-darktrace/index.html

   Most people know about phishing — but one casino recently learned about the dangers of actual fish tanks.
   Hackers attempted to steal data from a North American casino through a fish tank connected to the internet, according to a report from security firm Darktrace.
   Despite extra security precautions set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.
   “Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Fier, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech.

   As internet-connected gadgets and appliances become more common, there are more ways for bad guys to gain access to networks and take advantage of insecure devices. The fish tank, for instance, was connected to the internet to automatically feed the fish and keep their environment comfortable — but it became a weak link in a the casino’s security.

   The unnamed casino’s rogue fish tank is one of nine unusual threats that Darktrace identified on corporate networks published in a report Thursday.

   When the technology notices an anomaly — like a device that doesn’t belong or data being sent somewhere it shouldn’t — it alerts the company’s security team.

   How a fish tank helped hack a casino
   https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/?utm_term=.fc55fd7e97a8

   Hackers are constantly looking for new ways to access people’s data. Most recently, the way was as simple as a fish tank.

   The hackers attempted to acquire data from a North American casino by using an Internet-connected fish tank, according to a report released Thursday by cybersecurity firm Darktrace.

   The fish tank had sensors connected to a PC that regulated the temperature, food and cleanliness of the tank.

   “Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data,” said Justin Fier, Darktrace’s director of cyber intelligence.

   The casino’s name and the type of data stolen were not disclosed in the report for security reasons, Darktrace said. The report said 10 GB of data were sent out to a device in Finland.

   “This one is the most entertaining and clever thinking by hackers I’ve seen,” said Hemu Nigam, a former federal prosecutor for computer crimes and current chief executive of SSP Blue, a cybersecurity company.

   As more products with the ability to connect to the Internet become available, opportunities for hackers to access data through outside-the-box ways have risen.

   Fier said that with the recent FBI toy warning and the many ways by which hackers are trying to break into systems, he wouldn’t be surprised if the government eventually got involved in regulating Internet of Things, IoT, products. But he said, even if it did, that would raise other questions.

   Reply
4. July 28, 2017 at 1:58 pm

   Tomi Engdahl says:

   British Hacker Convicted in Germany of Major Cyber Attack
   http://www.securityweek.com/british-hacker-convicted-germany-major-cyber-attack

   A British man was handed a suspended jail sentence by a German court Friday for a massive cyber attack against Deutsche Telekom last year.

   The 29-year-old last week described as “the worst mistake of my life” the attack that knocked more than one million German households offline in November, carried out for money on behalf of a Liberian client.

   German police said the goal of the attack was to infect users’ computers with a “botnet” — a network of web-connected machines that can be manipulated with malware and used to assault other online targets.

   Kaye told the court he was paid $10,000 (about 8,500 euros) by a Liberian telecom company which wanted to use the botnet to damage a local rival.

   The attack, which the company said caused about two million euros of damage, ended when it advised customers to disconnect their routers and restart them after a software update.

   The large-scale strike fuelled concerns over cyber security in Germany

   http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions

   Reply
5. July 28, 2017 at 4:16 pm

   Tomi Engdahl says:

   Kodi Security Risk Emerges After TVAddons Shutdown
   By Andy on July 23, 2017
   https://torrentfreak.com/kodi-security-risk-emerges-after-tvaddons-shutdown-170723/

   Three domains previously operated by defunct Kodi addons site TVAddons have been transferred to a law firm in Canada. With no explanation forthcoming, the security implications cannot be ignored. According to Kodi Project Manager Nathan Betzen, a third party in control of these domains could potentially do whatever they wanted to vulnerable former TVAddons users.

   Formerly known as XBMC, the popularity of the entirely legal Kodi media player has soared in recent years.

   Controversial third-party addons that provide access to infringing content have thrust Kodi into the mainstream and the product is now a household name.

   Until recently, TVAddons.ag was the leading repository for these addons. During March, the platform had 40 million unique users connected to the site’s servers, together transferring an astounding petabyte of addons and updates.

   Everything was going well until news broke last month that the people behind TVAddons were being sued in a federal court in Texas. Shortly after the site went dark and hasn’t been back since.

   Kodi Security Risk Emerges After TVAddons Shutdown
   https://torrentfreak.com/kodi-security-risk-emerges-after-tvaddons-shutdown-170723/

   Reply
6. July 28, 2017 at 4:19 pm

   Tomi Engdahl says:

   Wallet-snatch hack: ApplePay ‘vulnerable to attack’, claim researchers
   Are you using payment system over public Wi-Fi?
   https://www.theregister.co.uk/2017/07/28/applepay_vuln/

   BlackHat USA Security researchers say they have come up with two separate “attacks” against ApplePay, highlighting what they claim are weaknesses in the mobile payment method.

   One of the attacks developed by the white hats, and presented at BlackHat USA yesterday, requires a jailbroken device to work, but the other assault does not.

   In the first attack, say the researchers from Positive Technologies, hackers will initially need to infect a jailbroken device with malware. Having achieved this, they might then be able to intercept traffic en route to an Apple server, in this case payment data being added to the device’s account. Once hackers have succeeded in pushing malware with root privileges, then it’s game over (in most scenarios), claim the white hats.

   Reply
7. July 28, 2017 at 4:25 pm

   Tomi Engdahl says:

   Nest security camera captures landlord’s romp on tenants’ bed
   Including post-coital clean-up
   https://www.theregister.co.uk/2017/07/28/landlord_tenants_bed/

   In yet another demonstration that truth can be stranger than fiction – or at least as strange – a landlord has ‘fessed up to entering his married tenants’ flat and having sexual relations on their bed.

   According to court records, spied by The Smoking Gun, the daytime romp was exposed by a Nest security system that was surveilling the $1,100-a-month flat.

   Landlord Cops To Having Sex In Tenants’s Bed
   Security cam recorded Colorado creep’s encounter with man
   http://www.thesmokinggun.com/documents/colorado/landlord-pleads-to-trespass-174892

   Quijada-Lara’s daytime tryst was discovered thanks to a Nest security system that was installed in the $1100-a-month apartment by the tenants. After Quijada-Lara and his partner entered the bedroom, Pierce received a notification on his phone that the surveillance system had detected noise in the residence.

   Upon checking the camera feed, Pierce saw Quijada-Lara and another man (pictured above) in his bedroom.

   Quijada-Lara was arrested after Pierce provided the security footage to the Colorado Springs Police Department.

   Pierce and DiGiulio (seen below) rented the apartment from Quijada-Lara after responding to a Craigslist ad. They vacated the premises upon discovering that Quijada-Lara used their home as a hook-up spot while they were at work.

   Reply
8. July 28, 2017 at 4:29 pm

   Tomi Engdahl says:

   German court rules bosses can’t use keyboard-tracking software to spy on workers
   https://www.thelocal.de/20170727/court-rules-bosses-cant-use-keyboard-tracking-software-to-spy-on-workers

   Are bosses going too far when they use spy software to track employees’ every keystroke? Apparently yes, according to a ruling by Germany’s highest labour court on Thursday.

   The Federal Labour Court ruled on Thursday that evidence collected by a company through keystroke-tracking software could not be used to fire an employee, explaining that such surveillance violates workers’ personal rights.

   The complainant had been working as a web developer at a media agency in North Rhine-Westphalia since 2011 when the company sent an email out in April 2015 explaining that employees’ complete “internet traffic” and use of the company computer systems would be logged and permanently saved. Company policy forbade private use of the computers.

   The firm then installed keylogger software on company PCs to monitor keyboard strokes and regularly take screenshots.

   Less than a month later, the complainant was called in to speak with his boss about what the company had discovered through the spying software. Based on their findings, they accused him of working for another company while at work, and of developing a computer game for them.

   He was fired that same day.

   The complainant claimed that he had indeed been programming a computer game and done other work for his father’s company, but argued that this was mostly only during his work breaks. He said the work only took about ten minutes out of his day, and that over the course of four months, he had only spent three hours total on this outside work.

   http://juris.bundesarbeitsgericht.de/cgi-bin/rechtsprechung/document.py?Gericht=bag&Art=pm&Datum=2017&nr=19403&pos=0&anz=31&titel=%DCberwachung_mittels_Keylogger_-_Verwertungsverbot

   Reply
9. July 28, 2017 at 4:37 pm

   Tomi Engdahl says:

   Researchers Discover Critical Security Flaws Found In Nuke Plant Radiation Monitors
   https://hardware.slashdot.org/story/17/07/28/006215/researchers-discover-critical-security-flaws-found-in-nuke-plant-radiation-monitors?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

   Researchers have discovered multiple unpatched vulnerabilities in radiation monitoring devices that could be leveraged by attackers to reduce personnel safety, delay detection of radiation leaks, or help international smuggling of radioactive material. Ruben Santamarta, a security consultant at Seattle-based IOActive, at the Black Hat conference on Wednesday, saying that radiation monitors supplied by Ludlum, Mirion and Digi contain multiple vulnerabilities. There are many kinds of radiation monitors used in many different environments. IOActive concentrated its research on portal monitors, used at airports and seaports; and area monitors, used at Nuclear Power Plants (NPPs).

   Critical Vulnerabilities Found in Nuke Plant Radiation Monitors
   http://www.securityweek.com/critical-vulnerabilities-found-nuke-plant-radiation-monitors

   In a paper (PDF) delivered by Ruben Santamarta, principal security consultant at Seattle-based IOActive, at Black Hat Wednesday, it was disclosed that radiation monitors supplied by Ludlum, Mirion and Digi contain multiple vulnerabilities.

   Patching will be difficult since these are design flaws rather than software bugs; and the vendors’ early response to IOActive’s discoveries was, in each case, to decline to work on patches. Since then, Digi has told IOActive that it is collaborating with Mirion to patch the critical vulnerabilities.

   Nevertheless, IOActive concludes, “we should acknowledge these issues are not currently patched, so increasing awareness of the possibility of such attacks will help to mitigate the risks.” It is likely that the same flaws will be present in other vendors’ radiation monitoring devices.

   “the initial analysis revealed a complete lack of security in these devices, so further testing wasn’t necessary to identify significant vulnerabilities,” notes the report.

   In the Ludlum Model 53 personnel portal, IOActive found a backdoor password that granted the highest privilege. With this, malicious personnel could bypass authentication and take control of the device, preventing the triggering of proper alarms.

   In the Ludlum Model 4525 gate monitor, IOActive discovered a complete lack of security in the communication between the gate and the controller Windows device.

   In fact, adequately resourced attackers could fine-tune their malware, says IOActive, to deploy “an advanced payload that hides specific isotopes from detectors, while providing the expected readings for others.”

   In the first, under normal working conditions, attackers could simulate a radiation leak by inserting a dataset of falsified readings. Although this on its own is unlikely to cause a reactor shutdown (because of the need for human intervention), it could lead to an evacuation of the site.

   Reply
10. July 28, 2017 at 4:39 pm

    Tomi Engdahl says:

    TVAddons domains transferred to law firm, could spy on Kodi users watching pirated material
    A worrying development for many Kodi users
    https://www.techspot.com/news/70297-defunct-kodi-domains-transferred-law-firm-could-used.html

    Reply
11. July 28, 2017 at 4:39 pm

    Tomi Engdahl says:

    Ransomware scum straighten ties, invest in good customer service
    Word of mouth matters when you’re taking users’ cash
    https://www.theregister.co.uk/2017/07/28/ransomware_customer_service_improvements/

    Ransomware scum are investing in customer service processes to get more people paying, according to McAfee’s lead scientist and principal engineer Christiaan Beek.

    Speaking at the RSA Pacific and Japan conference in Singapore today, Beek said that ransomware victims share stories of their experiences handing over bitcoin. If those stories describe difficult processes, ransomware scum have figured out they become a disincentive to pay.

    Some have therefore added prominent help features to the sites they use to collect ransoms, even going so far as to offer real-time help.

    Reply
12. July 28, 2017 at 7:34 pm

    Tomi Engdahl says:

    How to encrypt your SQL server backups and why it’s so important
    https://cqureacademy.com/blog/secure-server/encrypt-sql-server-backups

    This subject is a very interesting because every time we deliver a pen test, we encounter the same problem — unencrypted SQL server backups. One time we discovered it in… a hospital. Really NOT fun.

    In this episode, we are going to be talking about protection of the SQL server backups.

    This subject is particularly interesting because every single time we deliver a pen-test, we find that problem – we are able to find unencrypted SQL server backups in the different kinds of network shares.

    Encrypt your database backups – it’s important!
    In this episode I will show you how to encrypt your database backups and why it’s so important. Also what you can do and what you cannot do with backups after they are done.

    Phase #3: Let’s encrypt the backup
    If you want to prevent the database backup files that contain all the data, your precious data that you want to protect, just simply encrypt the backup. Of course, you can also store the backup files in a secure location. This is the very good solution. But still, usually, when we are doing the penetration tests we are finding those backups laying around in some work folders, temp folders, sometimes desktops. And even on the removable medium that we can find around the workplace.

    It’s always nice to have a backup that is encrypted.

    Phase #4: Creating backup of the master key
    I will be placing it in the same folder, but of course, it’s not the best solution to have the database master key or the backup of the certificates stored together with the backups.

    They are protected together with the password. But it is as strong as the password so we can use the brute force attack on it.

    The database is not encrypted
    You need to remember that the database, it’s not encrypted itself. But the backup file is encrypted, and you need to have access to this certificate to restore the database backup.

    Now the backups are safe and we can focus on different part of protecting our SQL server.

    Reply
13. July 28, 2017 at 7:44 pm

    Tomi Engdahl says:

    The opsec blunders that landed a Russian politician’s fraudster son in the clink for 27 years
    Pro tip from the US DoJ: Don’t reuse passwords
    https://www.theregister.co.uk/2017/07/27/russian_politicians_son_gets_27yrs_fraud/

    Black Hat Uncle Sam’s lawyers have revealed the catalog of operational security mistakes that led to the cuffing of one of the world’s most prolific credit-card crooks.

    Last year, Roman V Seleznev, 32, was found guilty of multiple counts of fraud and hacking by a jury in Washington, USA. He was later thrown in the cooler for 27 years. Seleznev – the son of ultra-nationalist Russian politician Valery Seleznev – also faces other charges.

    This week, US Department of Justice prosecutors who worked on the case told the Black Hat security conference how the fraudster was brought down.

    Seleznev, now in prison in Guam, planned to use Microsoft Windows in his defense. His lawyers found that some files had been altered after Seleznev was arrested, and based their defense on claims that either hackers or the US government had tried to set him up.

    However, a forensic study of the laptop showed that the changes were the result of the laptop now being powered down, and were all normal operating system backups. The resulting evidence was enough to get him convicted by a jury who deliberated for less than three hours on the case.

    In two years, the Feds say Seleznev cleared over $17m in illicit profits and many of the businesses he hit have since gone out of business. There are two more Federal cases now ongoing against him, so he’s unlikely to be taking any more beach holidays for a while. ®

    Reply
14. July 28, 2017 at 7:47 pm

    Tomi Engdahl says:

    Hackers can turn web-connected car washes into horrible death traps
    Yeah, boss, I took care of him. I had him waxed. Literally
    https://www.theregister.co.uk/2017/07/27/killer_car_wash/

    Black Hat Forget hijacking smart light bulbs. Researchers claim they can hack into internet-connected car wash machines from the other side of the world and potentially turn them into death traps.

    In a presentation at the Black Hat conference in Las Vegas on Wednesday, Billy Rios, founder of security shop Whitescope, and Jonathan Butts, committee chair for the IFIP Working Group on Critical Infrastructure Protection, showed how easy it was to compromise a widely used car wash system: the Laserwash series manufactured by PDQ, based in Wisconsin, USA.

    The pair found that Laserwash installations can be remotely monitored and controlled by their owners via a web-based user interface: the hefty gear has a builtin web server, and can be hooked up to the public internet allowing folks to keep an eye on their equipment from afar.

    The hardware’s control system is an embedded WindowsCE computer powered by an ARM-compatible processor. However, Microsoft no longer supports the version of WinCE used in the kit, Rios said, meaning it may be possible to commandeer the machinery by exploiting security vulnerabilities lingering in the operating system.

    Once the infosec duo had found a suitable car wash connected to the web, the researchers found that the default password – 12345 – just worked. Once logged in from their browser, they were given full control of the system.

    “Car washes are really just industrial control systems. The attitudes of ICS are still in there,” Rios said. “We’ve written an exploit to cause a car wash system to physically attack; it will strike anyone in the car wash. We think this is the first exploit that causes a connected device to attack someone.”

    In their talk the pair showed how they managed to bypass the safety sensors on the car wash doors to close them on a car entering the washer. Butts told The Register that much more destructive hacks were possible.

    “We controlled all the machinery inside the car wash and could shut down the safety systems,” he said. “You could set the roller arms to come down much lower and crush the top of the car, provided there was not mechanical barriers in place.”

    The duo said they shared their findings with PDQ in February 2015, and kept trying to warn the biz for two years. It was only when their talk was accepted for Black Hat this year that the manufacturer replied to their emails, and then it turned out that it wasn’t possible to patch against the aforementioned exploits, we’re told.

    In a statement to The Register on Thursday, PDQ spokesman Todd Klitzke said the car wash maker alerted its customers yesterday, coinciding with the conference presentation, and urged people to change their passwords from the default, or firewall off their equipment

    Reply
15. July 28, 2017 at 7:52 pm

    Tomi Engdahl says:

    Marketing giant Marketo forgets to renew domain name. Hilarity ensues
    Red faces all round at dotcom after emails, tracking links go TITSUP
    https://www.theregister.co.uk/2017/07/26/marketo_forgot_to_renew_domain/

    With a perfect dose of irony, a biz that sells automated marketing software online failed to automatically renew its dotcom.

    Silicon Valley-based Marketo started receiving customer complaints Tuesday morning that its reporting systems weren’t working.

    Since the corp’s marketing emails use “marketo.com” links to track user interactions, suddenly every hyperlink, image and form in millions of client emails went dead. The company’s main website vanished, so clients were unable to log in to their accounts, and its apps failed.

    Two hours later, at just after 7:00am Pacific Time, the company tweeted – with some degree of panic – that it was looking into the problem: “We are aware of the issue with the marketo.com domain and are working quickly to resolve it. We apologize for any inconvenience,” it told customers.

    Fortunately one of those customers was a domain name specialist and quickly figured out the problem – the company had somehow, unfathomably, failed to renew its dotcom and its registration had expired.

    While Marketo was floundering, Travis Prebble decided to help out, registering the domain for a year for $38 and paying the $35.99 restatement fee. He tweeted the invoice at the company – seventy-four bucks for an organization once valued at $1.8bn.

    “I renewed your domain @Marketo. Hopefully things will be back up soon.”

    Unfortunately, Travis’ renewal did not give him access to the domain control panel

    Nearly three hours later – at 9:30am – Marketo finally found their domains guy and switched the nameservers back. Slowly the service came back online as the change propagated through the domain name system.

    It’s safe to say the issue took up a lot of the Marketo CEO’s morning. “Resolving DNS issues re: our site and I profusely apologize to everyone. No excuses, just fixing,” tweeted Steve Lucas.

    Of course, that doesn’t answer the obvious question: how did a multi-billion-dollar company forget to renew its own dotcom domain? Or, at least, simply click on the auto-renew button that every single registrar offers?

    “We identified process errors with auto renewals as well as human errors,”

    Considering the size of Marketo, and the fact that the registrar – Network Solutions – would be more than happy to sell the company its premium renewal service, where it will contact a specific person before any changes are made, it’s safe to assume Marketo has never done a domain management audit. Here’s betting it has one soon.

    Meanwhile, across corporate America, CTOs are emailing their IT departments frantically ensuring that their domains don’t expire anytime soon.

    Reply
16. July 29, 2017 at 5:46 am

    Tomi Engdahl says:

    Johana Bhuiyan / Recode:
    GM’s Cruise Automation hires Didi’s Charlie Miller and Uber’s Chris Valasek, the security researchers who had previously hacked into moving jeeps

    Famed hackers Charlie Miller and Chris Valasek are joining Cruise after leaving Didi and Uber
    Miller left Didi after just four months.
    https://www.recode.net/2017/7/28/16059386/cruise-charlie-miller-chris-valasek-uber-didi

    Noted security experts Charlie Miller and Chris Valasek — famed for remotely hacking a Jeep — are joining Cruise, GM’s self-driving car company.

    Reply
17. July 29, 2017 at 5:48 am

    Tomi Engdahl says:

    Dustin Volz / Reuters:
    US House committee asks 22 US agencies for documents about Kaspersky Lab dating from 2013, including risk assessments, names of contractors, subcontractors

    Exclusive: Congress asks U.S. agencies for Kaspersky Lab cyber documents
    http://www.reuters.com/article/us-usa-kasperskylab-probe-idUSKBN1AD2H0

    A U.S. congressional panel this week asked 22 government agencies to share documents on Moscow-based cyber firm Kaspersky Lab, saying its products could be used to carry out “nefarious activities against the United States,” according to letters seen by Reuters.

    The committee asked the agencies for all documents and communications about Kaspersky Lab products dating back to Jan. 1, 2013, including any internal risk assessments.

    Kaspersky has repeatedly denied that it has ties to any government and said it would not help any government with cyber espionage.

    Reply
18. July 29, 2017 at 5:12 pm

    Tomi Engdahl says:

    Deception tech helps to thwart hackers’ attacks
    http://www.bbc.com/news/technology-40751656

    The same principles of deception and misdirection, albeit on a much smaller scale, are now starting to be used by some organisations to thwart malicious hackers keen to establish a bridgehead on internal networks.
    “It’s a classic idea of warfare to prevent the adversary from having a real understanding of your reality,” said Ori Bach from deception technology firm Trapx. “It’s just like the Allies in WWII. They made fake tanks, fake air bases, fake everything.”
    And just like those ersatz weapons of war, the fakes implanted on a network look just like the real thing.

    “We create a shadow network that is mimicking the real network and is constantly changing,” he said.
    The use of so-called deception technology has grown out of a realisation that no organisation can mount perfect digital defences. At some point, the attackers are going to worm their way in.

    Reply
19. July 30, 2017 at 6:07 am

    Tomi Engdahl says:

    Crooks Reused Passwords On the Dark Web So Dutch Police Took Over Their Accounts
    https://it.slashdot.org/story/17/07/29/0915218/crooks-reused-passwords-on-the-dark-web-so-dutch-police-took-over-their-accounts?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Dutch Police is aggressively going after Dark Web vendors using data they collected from the recently seized Hansa Market. According to reports, police is using the Hansa login credentials to authenticate on other Dark Web portals, such as Dream. If vendors reused passwords, police take over the accounts and set up traps or map the sales of illegal products. Other crooks noticed the account hijacks because Dutch Police changed the PGP key for the hijacked accounts with their own, which was accidentally signed with the name “Dutch Police.”

    Crooks Reused Passwords on the Dark Web, so Dutch Police Hijacked Their Accounts
    https://www.bleepingcomputer.com/news/security/crooks-reused-passwords-on-the-dark-web-so-dutch-police-hijacked-their-accounts/

    Dutch Police are aggressively going after Dark Web vendors using data they collected from the recently seized Hansa Market.

    Currently, the infosec community and former Hansa vendors themselves have spotted two ways in which Dutch authorities are going after former Hansa vendors.

    Reply
20. July 30, 2017 at 6:08 am

    Tomi Engdahl says:

    BBC’s Micro:bit turns out to be an excellent drone hijacking tool
    Much love for tiny microcomputer
    https://www.theregister.co.uk/2017/07/29/bbcs_microbit_drone_hijacking_tool/

    DEF CON The BBC’s Micro:bit computer board may be winning over school kids, but hackers have found its wireless capabilities and programmable nature make it an excellent tool for mischief.

    In a presentation at this year’s DEF CON hacking conference in Las Vegas on Friday, Damien Cauquil, senior security researcher at Econocom Digital Security, showed how the pocket-sized microcomputer could be configured to sniff out keystrokes from a wireless keyboard, and even take control of a quadcopter drone with just some nifty programming.

    The Micro:bit, which costs just £12 in the UK or $15 in the US, is powered by a 16MHz 32-bit ARM Cortex-M0 CPU with 16KB of RAM and Bluetooth connectivity that, with a little Python coding, turns out to be an excellent wireless sniffer. To make matters better for hackers, it’s also tiny, and thus easy to hide while doing this job.

    Reply
21. July 30, 2017 at 6:09 am

    Tomi Engdahl says:

    It took DEF CON hackers minutes to pwn these US voting machines
    We’ve got three years to shore up election security
    https://www.theregister.co.uk/2017/07/29/us_voting_machines_hacking/

    DEF CON After the debacle of the 2000 presidential election count, the US invested heavily in electronic voting systems – but not, it seems, the security to protect them.

    This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside.

    In less than 90 minutes, the first cracks in the systems’ defenses started appearing, revealing an embarrassing low level of security. Then one was hacked wirelessly.

    Reply
22. July 30, 2017 at 6:10 am

    Tomi Engdahl says:

    Dark web doesn’t exist, says Tor’s Dingledine. And folks use network for privacy, not crime
    Cofounder brings us up to date on network status
    https://www.theregister.co.uk/2017/07/29/tor_dark_web/

    DEF CON A Tor Project grandee sought to correct some misconceptions about the anonymizing network during a presentation at the DEF CON hacking convention in Las Vegas on Friday.

    Roger Dingledine, one of the three founders of the Tor Project, castigated journos for mischaracterizing the pro-privacy system as a bolthole exclusively used by drug dealers and pedophiles to hide from the authorities.

    In fact, he said, only three per cent of Tor users connect to hidden services, suggesting the vast majority of folks on the network are using it to anonymously browse public websites for completely legit purposes. In other words, netizens – from journalists to activists to normal peeps – use Tor to mask their identities from website owners, and it’s not just underworld villains.

    Reply
23. July 30, 2017 at 6:10 am

    Tomi Engdahl says:

    Flaws in web-connected, radiation-monitoring kit? What could go wrong?
    Ripe target for ne’er-do-wells…
    https://www.theregister.co.uk/2017/07/28/radiation_monitoring_infosec/

    Black Hat Vulnerabilities in widely deployed Radiation Monitoring Devices (RDMs) present a potential mechanism for triggering false alarms and worse, according to research unveiled at Black Hat on Wednesday.

    RDMs are used to monitor radiation in critical infrastructure such as nuclear power plants, seaports, borders, and hospitals. However, like many Internet of Things devices, security shortcomings provide a means to subvert their operation.

    An inspection of the technology by Ruben Santamarta, principal security consultant for IOActive, uncovered flaws in RDMs from multiple vendors, including Ludlum and Mirion.

    Reply
24. July 30, 2017 at 6:12 am

    Tomi Engdahl says:

    The $10 Hardware Hack That Wrecks IoT Security
    https://www.wired.com/story/sd-card-hack-iot-zero-days

    Most consumer tech manufacturers figure that once a hacker can physically access a device, there’s not much left that can be done to defend it. But a group of researchers known as the Exploitee.rs say that giving up too soon leaves devices susceptible to hardware attacks that can lead to bigger problems. Hardware hack techniques, like a flash memory attack they developed, can facilitate the discovery of software bugs that not only expose the one hacked device, but every other unit of that model.

    The group, which includes the hackers Zenofex, 0x00string, and maximus64_, presented their flash memory hack this week at the Black Hat security conference in Las Vegas. On Saturday, they built on it at DefCon by presenting 22 zero-day (previously undisclosed) exploits in a range of consumer products—mainly home automation and Internet of Things devices—a number of which they discovered using that hack.

    Tinker, Hacker, Solder, Spy

    On many devices, all it takes to access everything stored on the flash memory chip is a $10 SD card reader, some wire, and some soldering experience. The researchers focus on a type of memory called eMMC flash, because they can access it cheaply and easily by connecting to just five pins (electrical connections). By soldering five wires to the chip—a command line, a clock line, a data line, a power line, and a ground—they can get read/write access that lets them exfiltrate data and start reprogramming to eventually control the whole device.

    This process could theoretically work on any digital device that uses flash memory, but most types would require interfacing with more pins than eMMC does, and many necessitate specialized readers and protocols to gain access. “For the most common types of memory, most people don’t want to open things up, solder to them, do all that kind of stuff, because it’s kind of a giant mess,” Heres says. “But with eMMC you can do it with five wires. Of course, the soldering is a little difficult, but totally doable. It’s not 40 or 50 wires.”

    Some data recovery services already use that method to help customers retrieve their information from broken devices, but it isn’t widely known.

    Reply
25. July 30, 2017 at 6:15 am

    Tomi Engdahl says:

    How Hackers Can Use ‘Evil Bubbles’ to Destroy Industrial Pumps
    https://www.wired.com/story/evil-bubbles-industrial-pump-hack

    Since the NSA’s infamous Stuxnet malware started exploding Iranian centrifuges, hacker attacks that disrupt big, physical systems have moved out of the realm of Die Hard sequels and into reality. As those attacks evolve, the cybersecurity community has started to move beyond the question of whether hacks can impact physical infrastructure, to the more chilling question of exactly what those attacks might accomplish. Judging by one proof-of-concept demonstration, they could come in far more insidious forms than defenders expect.

    In a talk at the Black Hat security conference Thursday, Honeywell security researcher Marina Krotofil showed one example of an attack on industrial systems meant to drive home just how surreptitious the hacking of so-called cyberphysical systems—physical systems that can be manipulated by digital means—might be. With a laptop connected to a $50,000, 610-pound industrial pump, she showed how a hacker could leverage a hidden, highly destructive weapon on that massive machine: bubbles.

    “Bubbles can be evil,” she said. “These bubbles are my attack payload. And I deliver them through the physics of the process.”

    Importantly, Krotofil’s hacker had delivered the evil bubbles without having any access to the pump component of her rig. Instead, he had only adjusted a valve further upstream to decrease the pressure in a certain chamber, which caused bubbles to form. When those bubbles strike the pump, they implode and, in a process called “cavitation,” turn back into a liquid, transfering their energy to the pump. “They collapse at very high velocity and high frequency, which creates massive shockwaves,” Krotofil explained.

    That means a hacker would be able to quietly and steadily cause damage to the pump, despite obtaining only indirect access to it. But Krotofil’s attack doesn’t merely warn about the specific the danger of hacker-induced bubbles. Instead, it’s meant as a more general harbinger, illustrating that in the coming world of cyberphysical hacking, attackers can use physics to cause chain reactions, inducing mayhem even in parts of a system that they haven’t directly breached.

    “She can use a less critical piece to control that critical piece of the system,” says Jason Larsen, a researcher with security consultancy IOActive who worked with Krotofil on some parts of her research. “If you look at just the data flows, you’re going to miss a bunch of attack vectors. There are also these physical flows that go between parts of the system.”

    Reply
26. July 30, 2017 at 6:18 am

    Tomi Engdahl says:

    Systemd Named ‘Lamest Vendor’ At Pwnie Security Awards
    https://linux.slashdot.org/story/17/07/29/1647255/systemd-named-lamest-vendor-at-pwnie-security-awards

    The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year’s ceremony in Las Vegas… The gongs are divided into categories, and nominations in each section are voted on by the hacker community… The award for best server-side bug went to the NSA’s Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers…

    And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone’s favorite init replacement: 5998, 6225, 6214, 5144, and 6237… “Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there’s no chance that the CVE number will referenced in either the change log or the commit message,”

    Systemd wins top gong for ‘lamest vendor’ in Pwnie security awards
    Epic fails and l33t pops celebrated by hackers
    https://www.theregister.co.uk/2017/07/28/black_hat_pwnie_awards/

    The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year’s ceremony in Las Vegas.

    That’s not surprising: government officials, US spy agencies, and software makers aren’t usually in the mood to acknowledge their failures.

    The Pwnies give spray-painted pony statues to those who have either pulled off a great hack or failed epically.

    Reply
27. July 30, 2017 at 6:48 am

    Tomi Engdahl says:

    LANGSEC: Language-theoretic Security
    “The View from the Tower of Babel”
    http://langsec.org/

    The Language-theoretic approach (LANGSEC) regards the Internet insecurity epidemic as a consequence of ad hoc programming of input handling at all layers of network stacks, and in other kinds of software stacks. LANGSEC posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language, and the respective input-handling routines as a recognizer for that language. The recognition must be feasible, and the recognizer must match the language in required computation power.

    When input handling is done in ad hoc way, the de facto recognizer, i.e. the input recognition and validation code ends up scattered throughout the program, does not match the programmers’ assumptions about safety and validity of data, and thus provides ample opportunities for exploitation. Moreover, for complex input languages the problem of full recognition of valid or expected inputs may be UNDECIDABLE, in which case no amount of input-checking code or testing will suffice to secure the program. Many popular protocols and formats fell into this trap, the empirical fact with which security practitioners are all too familiar.

    LANGSEC helps draw the boundary between protocols and API designs that can and cannot be secured and implemented securely, and charts a way to building truly trustworthy protocols and systems.

    Reply
28. July 30, 2017 at 6:52 am

    Tomi Engdahl says:

    Learned helplessness and the languages of DAO
    https://techcrunch.com/2016/10/01/learned-helplessness-and-the-languages-of-dao/

    Everything is terrible. Most software, even critical system software, is insecure Swiss cheese held together with duct tape, bubble wrap, and bobby pins. See eg this week’s darkly funny post “How to Crash Systemd in One Tweet.” But it’s not just systemd, not just Linux, not just software; the whole industry is at fault. We have taught ourselves, wrongly, that there is no alternative.

    Everything is terrible because the fundamental tools we use are, still, so flawed that when used they inevitably craft terrible things. This applies to software ranging from low-level components like systemd, to the cameras and other IoT devices recently press-ganged into massive DDoS attacks —

    — to high-level science-fictional abstractions like the $150 million Ethereum DAO catastrophe. Almost all software has been bug-ridden and insecure for so long that we have grown to think that this is the natural state of code. This learned helplessness is not correct. Everything does not have to be terrible.

    In principle, code can be proved correct with formal verification. This is a very difficult, time-consuming, and not-always-realistic thing to do; but when you’re talking about critical software, built for the long term, that conducts the operation of many millions of machines, or the investment of many millions of dollars, you should probably at least consider it.

    Less painful and rigorous, and hence more promising, is the langsec initiative:

    The Language-theoretic approach (LANGSEC) regards the Internet insecurity epidemic as a consequence of ad hoc programming of input handling at all layers of network stacks, and in other kinds of software stacks. LANGSEC posits that the only path to trustworthy software that takes untrusted inputs is treating all valid or expected inputs as a formal language, and the respective input-handling routines as a recognizer for that language.

    …which is moving steadily into the real world, and none too soon, via vectors such as the French security company Prevoty.

    As mentioned, programming languages themselves are a huge problem. Vast experience has shown us that it is unrealistic to expect programmers to write secure code in memory-unsafe languages. (Hence my “Death to C” post last year.)

    The best is the enemy of the good. We cannot move from our current state of disgrace to one of grace immediately. But, as an industry, let’s at least set a trajectory. Let’s move towards writing system code in better languages, first of all — this should improve security and speed. Let’s move towards formal specifications and verification of mission-critical code.

    And when we’re stuck with legacy code and legacy systems, which of course is still most of the time, let’s do our best to learn how make it incrementally better, by focusing on the basic precepts and foundations of programming.

    I write this as large swathes of the industry are moving away from traditional programming and towards the various flavors of AI. How do we formally specify a convoluted neural network? How does langsec apply to the real-world data we feed to its inputs? How do these things apply to quantum computing?

    I, uh, don’t actually have answers to any of those last few questions. But let’s at least start asking them!

    Reply
29. July 30, 2017 at 2:25 pm

    Tomi Engdahl says:

    Jon Russell / TechCrunch:
    Apple removes all major VPN apps from the App Store in China; the apps allowed users to bypass China’s internet censorship — The Chinese government’s crackdown on the internet continues with the news that Apple has removed all major VPN apps, which help internet users overcome …
    http://techcrunch.com/2017/07/29/apple-removes-vpn-apps-from-the-app-store-in-china/

    Reply
30. July 30, 2017 at 2:43 pm

    Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    A now-patched flaw in Broadcom WiFi chips opened 1B iPhones and Android devices to a fully remote worm attack — Wi-Fi chips used in iPhones and Android may revive worm attacks of old. — LAS VEGAS—It’s not often that a security researcher devises an attack that can unleash …

    Broadcom chip bug opened 1 billion phones to a Wi-Fi-hopping worm attack
    Wi-Fi chips used in iPhones and Android may revive worm attacks of old.
    https://arstechnica.com/information-technology/2017/07/broadcom-chip-bug-opened-1-billion-phones-to-a-wi-fi-hopping-worm-attack/

    LAS VEGAS—It’s not often that a security researcher devises an attack that can unleash a self-replicating attack which, with no user interaction, threatens 1 billion smartphones. But that’s just what Nitay Artenstein of Exodus Intelligence did in a feat that affected both iOS and Android devices.

    At the Black Hat security conference, Artenstein demonstrated proof-of-concept attack code that exploited a vulnerability in Wi-Fi chips manufactured by Broadcom. It fills the airwaves with probes that request connections to nearby computing devices. When the specially devised requests reach a device using the BCM43xx family of Wi-Fi chipsets, the attack rewrites the firmware that controls the chip. The compromised chip then sends the same malicious packets to other vulnerable devices, setting off a potential chain reaction. Until early July and last week—when Google and Apple issued patches respectively—an estimated 1 billion devices were vulnerable to the attack. Artenstein has dubbed the worm “Broadpwn.”

    Although the flaw is now closed, the hack has important lessons as engineers continue their quest to secure mobile phones and other computing devices.

    In sharp contrast to the kernels in iOS and Android, the Broadcom chips Artenstein targeted aren’t protected by ASLR or DEP. That meant he could reliably know where his malicious code would be loaded in chip memory so he could ensure it got executed. Additionally, he found a flaw across various chipset firmware versions that allowed his code to work universally rather than having to be customized for each firmware build. Making the attack even more potent, targets didn’t have to connect to the attacker’s Wi-Fi network. Simply having Wi-Fi turned on was sufficient to being hacked.

    Artenstein said his attack worked on a wide range of phones, including all iPhones since the iPhone 5, Google’s Nexus 5, 6, 6X and 6P models, Samsung Notes 3 devices, and Samsung Galaxy devices from S3 to S8. After he privately reported the flaw, Google and Apple released patches that closed the underlying vulnerability that made the attack possible. Because Wi-Fi chipsets in laptop and desktop computers have more limited access to the computer’s networking functions, the researcher doesn’t believe they are vulnerable to the same attack. While Artenstein’s proof of concept didn’t spread from the Wi-Fi chip to infect the phone’s kernel, he said that additional step is well within the means of determined hackers.

    Reply
31. July 30, 2017 at 7:39 pm

    Tomi Engdahl says:

    MEET MIA ASH, THE FAKE WOMAN IRANIAN HACKERS USED TO LURE VICTIMS
    https://www.wired.com/story/iran-hackers-social-engineering-mia-ash/

    MIA ASH IS a 30-year-old British woman with two art school degrees, a successful career as a photographer, and plenty of friends—more than 500 on Facebook, and just as many on LinkedIn. A disproportionate number of those friends happen to be Middle Eastern men, and when she posts coy selfies to Facebook, they shower her with likes. Her intriguing relationship status: “It’s complicated.” No kidding. Mia Ash doesn’t exist.

    A Phish Called Mia
    In February, as SecureWorks helped a Middle Eastern company diagnose an attempted spyware infection, the security analysts found that one of that company’s employees had been communicating with the Ash persona for more than a month.

    Reply
32. July 30, 2017 at 7:52 pm

    Tomi Engdahl says:

    How to report cybersecurity strategies to senior leaders
    https://fcw.com/articles/2017/07/27/comment-cyber-reporting.aspx?lipi=urn:li:page:d_flagship3_feed;oZerYq32RJKiWnh91qINdQ==&m=1

    Although it might not be surprising that Americans are deeply concerned about cybersecurity, that anxiety has grown dramatically in the past few years. This year’s Unisys Security Index, a global consumer survey, found that concern about hacking and malware in the U.S. increased by 55 percent since the survey was last performed in 2014.

    I wholeheartedly agree with Ross but would add a next step: Government security professionals must be prepared to crisply communicate to senior-most government leaders — agency and department heads — the steps they are taking to improve security and how they are actively collaborating with key stakeholders across all functions.

    Reply
33. July 31, 2017 at 9:10 am

    Tomi Engdahl says:

    Cybercriminals Study-up on Credit Card Fraud
    http://www.securityweek.com/cybercriminals-study-credit-card-fraud

    Credit card fraud has been big business for quite some time with losses expected to reach $24 billion by 2018. There are two types of credit card fraud – physical card fraud which involves the cloning of credit cards and Card Not Present (CNP) fraud, when the card is used online and over the phone. While the Europay, Mastercard and Visa (EMV) chip technology has made physical card fraud more difficult, online card spending is expected to double by 2021 and business will likely continue to boom for fraudsters.

    We all know that cybercriminals don’t operate alone. Benefitting from a rich ecosystem that provides supporting infrastructure, malware and money services, even less sophisticated actors can turn a profit. Lately we’ve seen an influx of extremely professional online tutorials designed to educate bad actors on the latest fraud tactics and tools. Complete with webinars, instructors and reading material, these online courses also provide insights that defenders can use to protect against this increasingly popular threat. Here is just a glimpse into what students can learn from one class that costs nearly $1,000 and is conducted in Russian, targeting fraudsters in that geography.

    How to find shops that sell credit card details. Alphabay, one of the largest marketplaces for illicit goods, was recently shut down, but a Google search returns almost 25,000 results of other shops that traffic in credit card information.

    How to socially engineer individuals. A week-long lecture series focuses on how to build local knowledge and rapport with the target.

    How to cash out. Fraudsters are coached on three main ways to make a profit – direct purchase, agent fraud and through the use of drops and middlemen. For direct purchase they target sites that are “card-able,” meaning susceptible to fraudulent purchases as a result of lax security controls. Agent fraud involves impersonating an agent, for example from an airline or hotel, making a reservation in the cardholder’s name, and then changing the reservation name once the card is authorized. The use of drops and middlemen includes a range of techniques that involve duping individuals and legitimate delivery companies to reship stolen goods and counterfeit money to safe addresses.

    As the opportunity for payment card fraud grows, it’s safe to assume that more cybercriminals will take advantage of new, sophisticated online courses to get a piece of the pie. Even as you put additional precautions in place, remember that attackers continue to innovate and update their training regularly.

    Reply
34. July 31, 2017 at 9:20 am

    Tomi Engdahl says:

    Azure security boss tells sysadmins to harden up and properly harden Windows Server
    You’re leaving stuff ON that deserves to be OFF
    https://www.theregister.co.uk/2017/07/30/azure_boss_advises_windows_server_hardening/

    DEF CON Windows Server admins keep making mistakes that let criminals target the OS, according to Microsoft’s lead security architect for Azure management Lee Holmes, Redmond therefore wants you to harden up by using PowerShell Just Enough Administration.

    “In running Just Enough Administration, the idea is that admins are your attack surface and you can’t treat them as buddies anymore,” he said. “We need admins but people make mistakes. Everything they can do an attacker can do as well, if you’re worried about PowerShell attacks you have to be worried about admins.”

    The key to controlling administrator accounts is reducing the time such accounts can be used, and ensuring users have only the privileges they need to do do their jobs. Such restrictions, Holmes argued, can dramatically reduce the attack surface available to hackers.

    Reply
35. July 31, 2017 at 10:04 am

    Tomi Engdahl says:

    Microsoft won’t patch SMBv1 flaw that only an idiot would expose
    ‘SlowLoris’ flaw could see a mouse of a machine take down an elephant of a server
    https://www.theregister.co.uk/2017/07/30/slow_loris_smbv1_attack/

    The 20-year-old bug was discovered by two RiskSense researchers combing code for vulnerabilities exposed by the NSA’s EternalBlue exploit.

    After it landed, Twitter user @JennaMagius detailed what happens in a longish Twitter-thread, saying that the bug offers an easy vector to hose big web servers with small computers (all the way down to a Raspberry Pi).

    However, it only works if the target machine has SMBv1 exposed to the Internet, and for that reason, Microsoft doesn’t see it as demanding an immediate patch.

    If they launch the attack on IPv4 and IPv6, that rises to 16 GB, and if an attack comes from just two IPs, they can fill 32 GB, and so on. Eventually, the target can’t allocate memory for NBSS and needs a manual reboot.

    Reply
36. July 31, 2017 at 10:05 am

    Tomi Engdahl says:

    Systemd wins top gong for ‘lamest vendor’ in Pwnie security awards
    Epic fails and l33t pops celebrated by hackers
    https://www.theregister.co.uk/2017/07/28/black_hat_pwnie_awards/

    Reply
37. July 31, 2017 at 10:06 am

    Tomi Engdahl says:

    Malware? In my Docker container? It’s more common than you think
    Researchers say software prisons can hide nasty attack payloads
    https://www.theregister.co.uk/2017/07/28/malware_docker_containers/

    Black Hat Docker containers are the perfect disguise for malware infections, warn researchers.

    Speaking at the 2017 Black Hat USA conference in Las Vegas, Aqua Security researchers Michael Cherny and Sagie Dulce said [PDF] the Docker API can be abused for remote code execution and security bypass.

    Popular with developers as a way to test code, Docker allows for an entire IT stack (OS, firmware, and applications) to be run within an enclosed environment called a container. While the structure has great appeal for trying out code, it could also be abused by attackers to get malware infections running within a company.

    By targeting the developers for invasion, the researchers explain, attackers could not only get their malware code running in the company network, but could do so with heightened privileges.

    The attack involves duping the victim into opening a webpage controlled by the attacker, then using a REST API call to execute the Docker Build command to create a container that will execute arbitrary code. Through a technique called Host Rebinding, the attacker can bypass Same-Origin Policy protections and gain root access to the underlying Moby Linux VM.

    The Aqua Security duo says they have already reported one of the attack vectors – the vulnerable TCP component – to Docker, which has issued an update to remedy the flaw.

    Still, Cherny and Dulce say that other flaws in Docker could be exploited to not only infect the container, but the host machines and other VMs running on the system as well.

    “It is important to scan images to remove malicious code or vulnerabilities that may be exploited. Additionally, runtime protection ensures that your containers ‘behave’ and don’t perform any malicious actions.”

    https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf

    Reply
38. July 31, 2017 at 10:11 am

    Tomi Engdahl says:

    The $10 Hardware Hack That Wrecks IoT Security
    https://www.wired.com/story/sd-card-hack-iot-zero-days

    Most consumer tech manufacturers figure that once a hacker can physically access a device, there’s not much left that can be done to defend it. But a group of researchers known as the Exploitee.rs say that giving up too soon leaves devices susceptible to hardware attacks that can lead to bigger problems. Hardware hack techniques, like a flash memory attack they developed, can facilitate the discovery of software bugs that not only expose the one hacked device, but every other unit of that model.

    The group, which includes the hackers Zenofex, 0x00string, and maximus64_, presented their flash memory hack this week at the Black Hat security conference in Las Vegas. On Saturday, they built on it at DefCon by presenting 22 zero-day (previously undisclosed) exploits in a range of consumer products—mainly home automation and Internet of Things devices—a number of which they discovered using that hack.

    On many devices, all it takes to access everything stored on the flash memory chip is a $10 SD card reader, some wire, and some soldering experience. The researchers focus on a type of memory called eMMC flash, because they can access it cheaply and easily by connecting to just five pins (electrical connections). By soldering five wires to the chip—a command line, a clock line, a data line, a power line, and a ground—they can get read/write access that lets them exfiltrate data and start reprogramming to eventually control the whole device.

    This process could theoretically work on any digital device that uses flash memory, but most types would require interfacing with more pins than eMMC does, and many necessitate specialized readers and protocols to gain access.

    Some data recovery services already use that method to help customers retrieve their information from broken devices, but it isn’t widely known.

    Reply
39. July 31, 2017 at 10:11 am

    Tomi Engdahl says:

    For 20 Years, This Man Has Survived Entirely by Hacking Online Games
    A hacker says he turned finding and exploiting flaws in popular MMO video games into a lucrative, full-time, job.
    https://motherboard.vice.com/en_us/article/59p7qd/this-man-has-survived-by-hacking-mmo-online-games

    At the current exchange rate, Manfred estimates he has $397 trillion worth of WildStar gold. This is obviously an outlandish number, but, essentially, his income was only limited by the real-life market for the in-game currency.

    “The best hacks are the invisible ones because you change the rules without anyone knowing what’s going on.”

    Reply
40. July 31, 2017 at 10:14 am

    Tomi Engdahl says:

    Security Automation is About Trust, Not Technology
    http://www.securityweek.com/security-automation-about-trust-not-technology

    We Can Automate the Action, Without Automating the Decision…

    Over the past years I have been heavily involved in research on the topic of security automation. One of the consistent feedback points has been that automation is highly desirable, at least by security teams. But this desire has been inhibited by doubt and fear. Doubt about the accuracy of the detection of threats, and fear of the consequences of automating the containment or mitigation responses and the prospect of detrimental impact and damage resulting from doing this wrong.

    For those of us who have been active in cybersecurity for a long time, this is not a new phenomenon. We remember the promise of Antispam and Intrusion Prevention Systems, and the chaos these caused based on too much confidence in their ability to reliably identify anomalies and attacks.

    Many organizations own an IPS, but run it in non-blocking mode, demoting them to Intrusion Detection Systems. This trend has not abated, with organizations that have automation capabilities built into existing technologies such as Security Information and Event Management, Endpoint Detection & Response and Security Automation & Orchestration solutions not trusting these to automate much beyond basic tasks such as sending out notifications or running a threat intelligence query.

    Reply
41. July 31, 2017 at 10:46 am

    Tomi Engdahl says:

    Injecting Code Into Mouse Firmware Should Be Your Next Hack
    http://hackaday.com/2017/07/29/injecting-code-into-mouse-firmware-should-be-your-next-hack/

    Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.

    The jumping off point for their work is the esports industry. The scope of esporting events has blown up in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge to win. Contestants are allowed to bring their own peripherals which begs the questions: can you alter a stock gaming mouse to do interesting things?

    The steelseries Sensei mouse was selected for the hack because it has an overpowered mircocontroller: the STM32F103CB. With 128 KB of flash the researchers guessed there would be enough extra room for them to add code. STM32 chips are programmed over ST-Link, which is available very inexpensively through the ST Discovery boards.

    Perhaps the biggest leap in this project is that the firmware wasn’t read-protected.

    The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.

    http://usbrubberducky.com/?_escaped_fragment_=index.md#!index.md

    Reply
42. July 31, 2017 at 11:19 am

    Tomi Engdahl says:

    Broadpwn – All Your Mobiles are Belong to Us
    http://hackaday.com/2017/07/29/broadpwn-all-your-mobiles-are-belong-to-us/

    Researchers from Exodus Intel recently published details on a flaw that exists on several Broadcom WiFi chipsets. It’s estimated to affect nearly 1 Billion devices, from Android to iPhone. Just to name a few in the top list:

    Samsung Galaxy from S3 through S8, inclusive
    All Samsung Notes3. Nexus 5, 6, 6X and 6P
    All iPhones after iPhone 5

    So how did this happen? And how does a bug affect so many different devices?

    Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets
    https://blog.exodusintel.com/2017/07/26/broadpwn/

    Reply
43. July 31, 2017 at 9:48 pm

    Tomi Engdahl says:

    HBO got hacked and some Game of Thrones materials are bubbling up online
    https://techcrunch.com/2017/07/31/hbo-hack-got/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    HBO got hacked and some Game of Thrones materials are bubbling up online
    Posted 3 hours ago by Taylor Hatmaker (@tayhatmaker)

    In a statement to Entertainment Weekly, HBO confirms that it was the target of a hack, though the company doesn’t appear to be quite sure what the damage is yet.

    So far, episodes of the HBO series Room 104 and Ballers have trickled out online. Though new episodes of its bloody centerpiece Game of Thrones have yet to surface, the leak reportedly contains writing suspected to be either a treatment or a script of an upcoming Game of Thrones episode, which is a big deal in its own right. HBO notified its employees of the breach Monday morning and hackers claim to have made off with 1.5 terabytes of HBO data, alluding that more leaks are on the way.

    Reply
44. August 1, 2017 at 4:12 am

    Tomi Engdahl says:

    Spiderman hacker faces further charges in UK after German conviction
    http://www.reuters.com/article/us-deutsche-telekom-outages-idUSKBN1AD1EX

    COLOGNE, Germany (Reuters) – A British hacker-for-hire was given a suspended sentence by a German court on Friday after confessing to a cyber attack that knocked out the internet for around 1 million Deutsche Telekom (DTEGn.DE) customers.

    The 29-year old hacker, who used the online alias “Spiderman”, among other names, also faces criminal charges in Britain

    The attack caused internet outages for about 4.5 percent of Deutsche Telekom’s 20 million fixed-line customers.

    Reply
45. August 1, 2017 at 4:19 am

    Tomi Engdahl says:

    It is easy to expose users’ secret web habits, say researchers
    http://www.bbc.com/news/technology-40770393

    Two German researchers say they have exposed the porn-browsing habits of a judge, a cyber-crime investigation and the drug preferences of a politician.

    The pair obtained huge amounts of information about the browsing habits of three million German citizens from companies that gather “clickstreams”.

    These are detailed records of everywhere that people go online.

    The researchers argue such data – which some firms scoop up and use to target ads – should be protected.

    The data is supposed to be anonymised, but analysis showed it could easily be tied to individuals.

    People’s browsing history is often used to tailor marketing campaigns.

    The pair found that 95% of the data they obtained came from 10 popular browser extensions.

    “What these companies are doing is illegal in Europe but they do not care,”

    “The public information available about users is growing so it’s getting easier to find the information to do the de-anonymisation,” he said. “It’s very, very difficult to de-anonymise it even if you have the intention to do so.”

    The information revealed an intimate portrait of the browsing habits of people, said Ms Eckert.

    “This could be so creepy to abuse,” she said “You could have an address book and just look up people by their names and see everything they did.”

    When asked about UK plans to make ISPs gather clickstreams on every Briton for security purposes, Ms Eckert urged the government to restrict for how long the information could be kept.

    “If you are strong on data protection then you should not be allowed to do it,” she said, “But for security purposes then perhaps you can hold on to it for a while.”

    Reply
46. August 1, 2017 at 5:12 am

    Tomi Engdahl says:

    BLACK HAT
    Hacker Says He Broke Through Samsung’s Secure Smartphone Platform
    https://motherboard.vice.com/en_us/article/pad5jn/hacker-says-he-broke-through-samsungs-secure-smartphone-platform

    When his rooting exploit worked on plenty of Android devices but failed on the Samsung Galaxy S7 Edge, researcher Di Shen decided to dig into KNOX.

    KNOX is a security platform available on Galaxy devices. It detects any tampering and provides more assurance that data is secure, according to Samsung’s website. KNOX products are certified by 29 governments, and are also marketed towards business and enterprise customers, the website adds.

    In short, Shen’s exploit is a jailbreak, which removed the normal restrictions over installing new software or features. All a user needed to do was to download Shen’s app, called KingRoot.

    Shen said Samsung contacted him and asked for some technical details about the exploit, and asked whether the vulnerabilities have been fixed. Shen says Google fixed the issues in December.

    Reply
47. August 1, 2017 at 7:54 am

    Tomi Engdahl says:

    Google Wants Symantec Certificates Replaced Until Chrome 70
    http://www.securityweek.com/google-wants-symantec-certificates-replaced-until-chrome-70

    After several months of debate, Google has released its final proposal in the case of Symantec’s certificate authority (CA) business. All Symantec-issued certificates must be replaced by the time Google releases Chrome 70 next year.

    Google announced its intention to take action against Symantec for improperly issued digital certificates in March. The announcement came after the company, particularly some of its subsidiaries and WebTrust audited partners, were caught wrongly issuing certificates.

    After several proposals on both sides, Google has come up with a final decision. According to the company, between now and March 15, 2018, websites using TLS certificates issued by Symantec before June 1, 2016, should obtain replacements from a trusted CA, including Symantec.

    While Symantec will be allowed to release certificates, it will have to find a subordinate certificate authority (SubCA) whose infrastructure it can use. The company expects to have new infrastructure set up by December 1.

    Starting with Chrome 66, currently scheduled for release on March 15, 2018, certificates issued on or after June 1, 2016, will no longer be trusted.

    Reply
48. August 1, 2017 at 7:54 am

    Tomi Engdahl says:

    Airlines Alert Customers, Employees of Cybersecurity Incidents
    http://www.securityweek.com/airlines-alert-customers-employees-cybersecurity-incidents

    Several North American airlines alerted customers and employees in the past days about various types of cybersecurity incidents, including system breaches, data leaks and credential stuffing attacks.

    Virgin America said it detected unauthorized access to information systems containing employee and contractor data on March 13. According to the company, a third-party accessed logins and passwords used for its corporate network.

    Canada-based WestJet Airlines told customers on Friday that an unauthorized third party disclosed some WestJet Rewards member profile data.

    Florida-based ultra low cost carrier Spirit Airlines has sent an email to customers to notify them of an incident involving their FREE SPIRIT account.

    Reply
49. August 1, 2017 at 8:04 am

    Tomi Engdahl says:

    ‘Game of Thrones’ Script Leaked After HBO Hack
    http://www.securityweek.com/game-thrones-script-leaked-after-hbo-hack

    HBO said Monday its network was victimized by a cyberattack, and media reports said the hack resulted in the leak of a script of the popular series “Games of Thrones” and content from other productions.

    A statement by the Time Warner-owned TV group said a “cyber incident” resulted in “the compromise of proprietary information,” and that the company had contacted law enforcement and outside cybersecurity firms.

    Reply
50. August 1, 2017 at 8:06 am

    Tomi Engdahl says:

    PoC Malware Exploits Cloud Anti-Virus for Data Exfiltration
    http://www.securityweek.com/poc-malware-exploits-cloud-anti-virus-data-exfiltration

    Security researchers at SafeBreach have created proof-of-concept (PoC) malware that can exfiltrate data from endpoints that don’t have a direct Internet connection by exploiting cloud-enhanced anti-virus (AV) agents.

    Although highly secure enterprises might employ strict egress filtering, meaning that endpoints either have no direct Internet connection or have a connection restricted to hosts required by their legitimately installed software, data can be exfiltrated if cloud AV products are in use, the security researchers argue.

    Presented at BlackHat USA 2017 by Itzik Kotler and Amit Klein from SafeBreach Labs, the PoC tool relies on packing data inside an executable the main malware process creates on the compromised endpoint. Thus, if the AV product employs an Internet-connected sandbox as part of its cloud service, data is exfiltrated as soon as the AV agent uploads the newly created executable to the cloud for further inspection, although the file is executed in an Internet connected sandbox.

    In a whitepaper (PDF), the researchers not only provide data and insights on AV in-the-cloud sandboxes, but their also cover the use of on-premise sandboxes, cloud-based/online scanning and malware categorization services, and sample sharing.

    https://www.blackhat.com/docs/us-17/thursday/us-17-Kotler-The-Adventures-Of-Av-And-The-Leaky-Sandbox-wp.pdf

    Reply