Cyber Security January 2018

This posting is here to collect security alert news in January 2018.

I post links to security vulnerability news in the comments of this article.

144 Comments

  1. Tomi Engdahl says:

    Kaspersky Files Injunction to Expedite Appeal Against DHS Ban
    http://www.securityweek.com/kaspersky-files-injunction-expedite-appeal-against-dhs-ban

    Kaspersky Lab last week filed a motion for a preliminary injunction as part of its appeal against the U.S. Department of Homeland Security’s decision to ban the company’s products in federal agencies.

  2. Tomi Engdahl says:

    Gemalto Licensing Tool Exposes ICS, Corporate Systems to Attacks
    http://www.securityweek.com/gemalto-licensing-tool-exposes-ics-corporate-systems-attacks

    A significant number of industrial and corporate systems may be exposed to remote attacks due to the existence of more than a dozen vulnerabilities in a protection and licensing product from Gemalto.

    Gemalto Sentinel LDK is a software licensing solution used by many organizations worldwide on both their enterprise and industrial control systems (ICS) networks. In addition to software components, the solution provides hardware-based protection, specifically a SafeNet Sentinel USB dongle that users connect to a PC or server when they want to activate a product.

    Researchers at Kaspersky Lab discovered that when the token is attached to a device, the necessary drivers are installed – either downloaded by Windows or provided by third-party software – and port 1947 is added to the list of exceptions in the Windows Firewall. The port remains open even after the USB dongle has been removed, allowing remote access to a system.

    Experts discovered a total of 14 vulnerabilities in Sentinel components, including ones that allow denial-of-service (DoS) attacks, arbitrary code execution with system privileges, and capturing NTLM hashes. Since port 1947 allows access to the system, these flaws can be exploited by a remote attacker.

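A defender-side check for the firewall exception described in the item above, added here as an example and not taken from Kaspersky's or Gemalto's material; it assumes the NetSecurity module of Windows 8/Server 2012 or later, an elevated PowerShell session, and the function names are my own.

```powershell
# Audit Windows Firewall and the TCP listener for port 1947, the port the Sentinel
# LDK driver whitelists when a dongle is plugged in. Added example; assumes the
# NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session.

function Get-SentinelPortRules {
    param([int]$Port = 1947)

    # Start from port filters so only rules that mention the port are examined,
    # then resolve each filter back to its owning rule. LocalPort may be a string
    # ("1947", "Any") or an array of strings, hence the @() wrapper.
    Get-NetFirewallPortFilter |
        Where-Object { @($_.LocalPort) -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Name        = $rule.Name          # ID usable with Set-/Disable-NetFirewallRule
                DisplayName = $rule.DisplayName
                Enabled     = $rule.Enabled
                Profile     = $rule.Profile
                Program     = $app.Program        # 'Any' = any process may accept on this port
                RemoteAddr  = $addr.RemoteAddress # 'Any' = reachable from every network
            }
        }
}

function Get-SentinelListener {
    param([int]$Port = 1947)

    # Is anything actually listening right now? The article's point is that the
    # exception outlives the dongle, so the process behind the socket matters too.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                ImagePath    = $proc.Path
            }
        }
}

$rules = @(Get-SentinelPortRules)
if ($rules.Count -eq 0) {
    Write-Output 'No inbound allow rule for port 1947 is present.'
} else {
    Write-Warning "$($rules.Count) inbound rule(s) open port 1947:"
    $rules | Format-Table -AutoSize
}

$listeners = @(Get-SentinelListener)
if ($listeners.Count -gt 0) {
    Write-Warning 'Port 1947 is currently listening:'
    $listeners | Format-Table -AutoSize
}

# Remediation for hosts that no longer need the dongle, left commented so the audit
# stays read-only. Disabling keeps the rule recoverable if a licensed product breaks;
# narrowing RemoteAddress is the alternative where a license server must stay reachable.
# $rules | ForEach-Object { Disable-NetFirewallRule -Name $_.Name }
# $rules | ForEach-Object { Set-NetFirewallRule -Name $_.Name -RemoteAddress LocalSubnet }
```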
  3. Tomi Engdahl says:

    Can Biometrics Solve the Authentication Problem?
    http://www.securityweek.com/can-biometrics-solve-authentication-problem

    Are Biometrics as a Form of Authentication Over-hyped and Unreliable?

    Biometrics in use

    Large-scale use of biometric authentication is primarily tied to smartphones. The wide range of sensors built into these handheld and ubiquitous devices makes them an ideal tool for face and iris recognition (camera), voice (microphone), and touch (fingerprint). This authenticates the user to the device, allowing further authorized access to other devices via the phone (although this does not, in itself, confirm that it is the authenticated user still operating the phone).

    Banks are increasingly using voice and face recognition via smartphones for mobile banking purposes. Barclays introduced phone-based voice authentication, and HSBC allowed selfie-based face authentication in 2016.

    Biometrics are also used in stand-alone situations, where they can be used to access restricted buildings or rooms.

    Biometric strengths

    Biometric authentication has several distinct advantages over passwords. These include:

    Ease of use – “Biometrics are incredibly popular with users,” explains Shane Young, president & CEO of inBay Technologies. “Inherent biological… features are convenient: they are part of who we are, always with us and in most cases, we don’t have to think too much to use them (unlike remembering a password).”

    Can’t be lost – Associated with ‘ease of use’ is the idea that, unlike passwords, biometrics can be neither lost nor forgotten because the user is the biometric. This is true, but needs two qualifications. Firstly, if the biometric device is a smartphone, then the phone itself can – and often is – lost or stolen. Secondly, like a password, it is the device that is authenticated at a point in time. Subsequent use of an authenticated device could be by anyone.

    Biometric Weaknesses

    Biometric authentication also has several weaknesses. These include:

    Additional cost – A biometric solution cannot be implemented without incurring additional cost. “Anytime you require hardware, you incur additional cost – both monetary costs and costs in convenience (and therefore, cost to user adoption),”

    Susceptibility to cloning or coercion – No biometric has yet proven itself to be proof against cloning. “Mainstream biometrics really means mobile devices, where – for the most part – they have only proven reliable enough at scale to be a convenience feature, used in parallel with the passcode as backup,”

    “Whether a particular biometric method is useful or not depends on the sensor quality and ease of duplicating a particular biometric,” comments Jarno Niemela, lead researcher at F-Secure Labs. “For example, fingerprints are a field where the attacker has a significant advantage, since they are easy to copy and can be obtained from about anything that a person has been handling, or even from a photo.”

    Difficult to change – Despite the apparent strength of their apparent immutability, it is possible that biometric templates may need to be changed – but this is considerably more complex and costly than simply changing a password. There are two primary scenarios: theft of the biometric templates, and the aging of the user.

  4. Tomi Engdahl says:

    Several Malware Games Downloaded by 4,500,000 Android Users From Google Play Store
    https://gbhackers.com/malware-games-downloaded/

    Several malware games were discovered in the Google Play store that have been downloaded by around 4.5 million Android users, and these malicious games help to steal various sensitive data from infected users’ mobiles.

    How Do These Android Malware Games Work
    A module called Android.RemoteCode.127.origin belongs to an SDK which is basically used for developer communication, but further indications reveal that it has some unique capabilities to steal sensitive information and send it to a remote server.

  5. Tomi Engdahl says:

    Hacker infected pumps at gas-stations in Russia in a profitable fraud scheme
    http://securityaffairs.co/wordpress/68067/hacking/gas-stations-malware.html

    Authorities discovered a fraudulent scheme involving dozens of gas-station employees who installed malicious programs on electronic gas pumps to cheat customers.

    The software allows gas-station employees to deliver between 3 to 7 percent less per gallon of pumped gas.

    The scam shorted customers between 3-to-7 percent per gallon of gas pumped.

    Authorities revealed that the programs were found only on gas stations in the south of the country.

    According to the authorities, the man was selling the software to gas-station employees involved in the fraud scheme. Zayev was sharing profits with gas-station employees; it has been estimated that the fraud allowed the hacker and employees to earn “hundreds of millions of rubles.”

    The malicious software was undetectable by inspectors and oil companies that monitor gasoline inventory remotely.

  6. Tomi Engdahl says:

    Clairvoyant launches Kogni to help companies track their most sensitive data
    https://techcrunch.com/2018/01/23/clairvoyant-launches-kogni-to-help-companies-track-their-most-sensitive-data/?utm_source=tcfbpage&sr_share=facebook

    As we inch ever closer to GDPR in May, companies doing business in Europe need to start getting a grip on the sensitive private data they have. The trouble is that as companies move their data into data lakes, massive big data stores, it becomes more difficult to find data in a particular category. Clairvoyant, an Arizona company, is releasing a tool called Kogni that could help.

    Chandra Ambadipudi, Clairvoyant’s CEO, says the problem with most companies’ approach to big data is they don’t think about security until after they create the data lake, at which point it becomes quite challenging to understand what you have.

    Kogni helps companies create a data dictionary of sensitive data to more easily identify the data that matters most to them. That could be credit card numbers or whatever a particular company feels is most important.

  7. Tomi Engdahl says:

    Bell Canada Hit by Data Breach
    http://www.securityweek.com/bell-canada-hit-data-breach

    Bell Canada has started informing customers that their personal data has been compromised in a breach that reportedly affects up to 100,000 individuals.

    Bell told customers that their names and email addresses were “illegally accessed,” but Canadian news reports said phone numbers, usernames and account numbers may have also been obtained by hackers. The telecoms company, however, says there is no evidence that credit card or banking information has been compromised.

    In response to the incident, Bell has implemented additional authentication and identification requirements for accessing accounts. The company has also advised users to frequently change their password and security questions, and regularly review their financial and online accounts for unauthorized activity.

  8. Tomi Engdahl says:

    SamSam Operators Make $325,000 in 4 Weeks
    http://www.securityweek.com/samsam-operators-make-325000-4-weeks

    Numerous SamSam attacks over the past month or so have paid off to the ransomware’s operators, as they made over $325,000 in a short period of time, security researchers with Cisco Talos say.

    Starting last month, the malware began targeting organizations across multiple industries including government, healthcare and ICS in a series of attacks that appear to be rather opportunistic in nature. The impact, however, was wider, especially in the healthcare sector, where patients were affected too, not just the hit organizations.

    On January 11, the ransomware hit Hancock Health, headquartered in Greenfield, Indiana, a hospital that ended up paying $55,000 to regain access to its files. Adams Memorial Hospital in Decatur, Indiana, and Allscripts, a major electronic health record (EHR) company headquartered in Chicago, IL (which confirmed to SecurityWeek that roughly 1,500 clients were impacted), were also hit by SamSam.

  9. Tomi Engdahl says:

    Jail for man who launched DDoS attacks against Skype, Google, and Pokemon Go
    https://hotforsecurity.bitdefender.com/blog/jail-for-man-who-launched-ddos-attacks-against-skype-google-and-pokemon-go-19483.html?utm_source=SMGlobal&utm_medium=Facebook&utm_campaign=H4S

    A British man has been sentenced to two years in jail after admitting to a series of computer crime offences, which included over 100 attempts to knock the likes of Google, Skype and Nintendo’s popular video game Pokemon Go offline.

  10. Tomi Engdahl says:

    Alphabet launches new cybersecurity company, Chronicle, out of its X moonshot factory
    https://techcrunch.com/2018/01/24/alphabet-launches-new-cybersecurity-company-chronicle-out-of-its-x-moonshot-factory/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Alphabet, the company you probably still wrongly refer to as “Google,” today announced the launch of Chronicle, a new cybersecurity company that aims to give companies a better chance at detecting and fighting off hackers. Chronicle is graduating out of Alphabet’s X moonshot group and is now a standalone company under the Alphabet umbrella, just like Google.

  11. Tomi Engdahl says:

    Huib Modderkolk / De Volkskrant:
    Dutch media: Dutch intelligence penetrated Russian APT29 Cozy Bear’s network, office security camera in 2014, provided info on State Department, DNC hacks to US — Hackers from the Dutch intelligence service AIVD have provided the FBI with crucial information about Russian interference with the American elections.

    Dutch agencies provide crucial intel about Russia’s interference in US-elections
    https://www.volkskrant.nl/media/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

    Hackers from the Dutch intelligence service AIVD have provided the FBI with crucial information about Russian interference with the American elections. For years, AIVD had access to the infamous Russian hacker group Cozy Bear. That’s what de Volkskrant and Nieuwsuur have uncovered in their investigation.

    It’s the summer of 2014. A hacker from the Dutch intelligence agency AIVD has penetrated the computer network of a university building next to the Red Square in Moscow, oblivious to the implications. One year later, from the AIVD headquarters in Zoetermeer, he and his colleagues witness Russian hackers launching an attack on the Democratic Party in the United States. The AIVD hackers had not infiltrated just any building; they were in the computer network of the infamous Russian hacker group Cozy Bear. And unbeknownst to the Russians, they could see everything.

    That’s how the AIVD becomes witness to the Russian hackers harassing and penetrating the leaders of the Democratic Party, transferring thousands of emails and documents. It won’t be the last time they alert their American counterparts. And yet, it will be months before the United States realizes what this warning means: that with these hacks the Russians have interfered with the American elections. And the AIVD hackers have seen it happening before their very eyes.

    The Dutch access provides crucial evidence of the Russian involvement in the hacking of the Democratic Party, according to six American and Dutch sources who are familiar with the material, but wish to remain anonymous.

  12. Tomi Engdahl says:

    Reuters:
    Investigation finds Pentagon, NASA, FBI, State Dept., other agencies used HP, SAP, Symantec, McAfee software that underwent code reviews by Russian government

    Tech firms let Russia probe software widely used by U.S. government
    https://www.reuters.com/article/us-usa-cyber-russia/tech-firms-let-russia-probe-software-widely-used-by-u-s-government-idUSKBN1FE1DT?sp=44

    Major global technology providers SAP (SAPG.DE), Symantec (SYMC.O) and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.

    The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.

    In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.

  13. Tomi Engdahl says:

    Issie Lapowsky / Wired:
    DNC hires Yahoo’s former Chief Information Security Officer Bob Lord, who led response to 2013 and 2014 hacks, as its chief security officer

    The DNC’s New Chief Security Officer Knows All About Crisis
    https://www.wired.com/story/bob-lord-dnc-chief-security-officer

  14. Tomi Engdahl says:

    Japanese exchange says hackers stole over $400M in cryptocurrency
    https://techcrunch.com/2018/01/26/coincheck-nem/

    Posted 4 hours ago by Jon Russell (@jonrussell)

    A Japanese cryptocurrency exchange has claimed it lost more than $400 million in tokens following an alleged hack on its service.

    Coincheck said Friday that some 500 million tokens of NEM, worth around $400 million at the time of writing, according to comments at a press event attended by Bloomberg. NEM, the tenth largest cryptocurrency based on total coin market cap, is a distributed ledger platform primarily aimed at enabling payments and other financial services.

    The apparent heist is larger than the Mt. Gox hack in 2014 — in U.S. dollar value

  15. Tomi Engdahl says:

    Yuji Nakamura / Bloomberg:
    Japanese cryptocurrency exchange Coincheck says that 500M NEM cryptocurrency tokens, worth ~$400M, have been “illicitly” transferred out of the exchange — Coincheck Inc., one of Japan’s biggest digital exchanges, said that about $400 million of the NEM cryptocurrency was lost after it was sent …

    Coincheck Says It Lost Crypto Coins Valued at About $400 Million
    https://www.bloomberg.com/news/articles/2018-01-26/cryptocurrencies-drop-after-japanese-exchange-halts-withdrawals

  16. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    YouTube served ads containing Coinhive’s cryptocurrency-mining, CPU-draining JavaScript, likely via Google’s DoubleClick ad server; Google says ads now blocked — Ad campaign lets attackers profit while unwitting users watch videos. — YouTube was recently caught displaying ads …

    Now even YouTube serves ads with CPU-draining cryptocurrency miners
    Ad campaign lets attackers profit while unwitting users watch videos.
    https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners/

    YouTube was recently caught displaying ads that covertly leech off visitors’ CPUs and electricity to generate digital currency on behalf of anonymous attackers, it was widely reported.

    Word of the abusive ads started no later than Tuesday, as people took to social media sites to complain their antivirus programs were detecting cryptocurrency mining code when they visited YouTube. The warnings came even when people changed the browser they were using, and the warnings seemed to be limited to times when users were on YouTube.

    On Friday, researchers with antivirus provider Trend Micro said the ads helped drive a more than three-fold spike in Web miner detections. They said the attackers behind the ads were abusing Google’s DoubleClick ad platform to display them to YouTube visitors in select countries, including Japan, France, Taiwan, Italy, and Spain.

    The ads contain JavaScript that mines the digital coin known as Monero. In nine out of 10 cases, the ads will use publicly available JavaScript provided by Coinhive, a cryptocurrency-mining service that’s controversial because it allows subscribers to profit by surreptitiously using other people’s computers. The remaining 10 percent of the time, the YouTube ads use private mining JavaScript that saves the attackers the 30 percent cut Coinhive takes. Both scripts are programmed to consume 80 percent of a visitor’s CPU, leaving just barely enough resources for it to function.

    “YouTube was likely targeted because users are typically on the site for an extended period of time,”

    To add insult to injury, the malicious JavaScript in at least some cases was accompanied by graphics that displayed ads for fake AV programs, which scam people out of money and often install malware when they are run.

    As the problem of Web-based cryptomining has surged to almost epidemic proportions, a variety of AV programs have started warning of cryptocurrency-mining scripts hosted on websites and giving users the option of blocking the activity.

  17. Tomi Engdahl says:

    Malware Epidemic: Monero Mining Campaigns Are Becoming a Real Problem
    https://www.bleepingcomputer.com/news/security/malware-epidemic-monero-mining-campaigns-are-becoming-a-real-problem/

    Malware that secretly mines Monero is becoming a real problem in the real world, with the number of different incidents growing with each week. For example, only this past week, three new attacks came to light.

    But the year has barely started, and 2018 is primed to be the year of crypto-mining malware. Since our last report on Monero-mining malware (the RubyMiner campaign), things have become worse.

  18. Tomi Engdahl says:

    ‘Terrifying’: How a single line of computer code put thousands of innocent Turks in jail
    http://www.cbc.ca/beta/news/world/terrifying-how-a-single-line-of-computer-code-put-thousands-of-innocent-turks-in-jail-1.4495021

    A lawyer and 2 digital forensic experts helped solve cases no one else would

    took her into custody — for using a messaging app the government deems seditious.

    She knew the arrest was coming. She’d already lost her job, because traces of the app known as Bylock were found on her phone.

    But Elif is adamant she never used or downloaded it.

    Having Bylock on your phone or even knowing someone who did is to become an instant pariah in Turkey, resulting in isolation, shame, a lost livelihood or worse.

    Alleged Bylock users are a large part of the nearly 150,000 Turks detained, arrested or forced from their jobs under state of emergency decrees since the summer of 2016.

    An estimated 30,000 are believed to be among the innocent swept up in this particular campaign.

    The Bylock ‘trap’
    Bylock was a free messaging app used between 2014 and 2016. Available in the Google and Apple app stores for part of that time, it was a less sophisticated version of Whatsapp, but more secretive — you could only communicate with others on the network if you knew their usernames.

    Bylock was downloaded roughly half a million times and had 215,000 registered users. About 100,000 of them were identified by the Turkish government as “real users.”

    Beşikçi said it was due to a single line of code, which created a window “one pixel high, one pixel wide” — essentially invisible to the human eye — to Bylock.net. Hypothetically, people could be accused of accessing the site without having knowingly viewed it.

    Some people have been accused because someone they shared a wifi connection with was linked to Bylock.

    police asked him about a single phone call placed a year earlier.

    That agent was also accused of using Bylock.

    The Turkish government and the country’s courts rarely admit they are wrong, but in December, they revealed the gravity of the mistake they’d made by publishing a list of 11,480 mobile phone numbers. Each number represented a person wrongly accused of terrorism in the Bylock affair.

    an atmosphere “where everyone was suspicious of everyone else,” pitting neighbour against neighbour, sibling against sibling.

    “Living in fear is an awful thing,”

  19. Tomi Engdahl says:

    Fitness tracking app Strava gives away location of secret US army bases
    https://www.theguardian.com/world/2018/jan/28/fitness-tracking-app-gives-away-location-of-secret-us-army-bases

    Data about exercise routes shared online by soldiers can be used to pinpoint overseas facilities

  20. Tomi Engdahl says:

    Keylogger Campaign Hits Over 2,000 WordPress Sites
    https://www.bleepingcomputer.com/news/security/keylogger-campaign-hits-over-2-000-wordpress-sites/

    Security researchers have discovered over 2,000 WordPress sites —possibly more— infected with a keylogger that’s being loaded on the WordPress backend login page and a cryptojacking script (in-browser cryptocurrency miner) on their frontends.

    Researchers have tied these newly discovered infected sites to a similar operation that took place in early December 2017.

    The attack is quite simple. Miscreants find unsecured WordPress sites —usually running older WordPress versions or older themes and plugins— and use exploits for those sites to inject malicious code into the CMS’ source code.

    The malicious code includes two parts. For the admin login page, the code loads a keylogger hosted on a third-party domain. For the site’s frontend, crooks load the Coinhive in-browser miner and mine Monero using the CPUs of people visiting the site.

    Based on data obtained via PublicWWW, there are over 2,000 sites that are loading scripts from these three domains.

    Cloudflare[.]solutions Keylogger Returns on New Domains
    https://blog.sucuri.net/2018/01/cloudflare-solutions-keylogger-returns-on-new-domains.html

    A few months ago, we covered two injections related to the “cloudflare.solutions” malware: a CoinHive cryptominer hidden within fake Google Analytics and jQuery, and the WordPress keylogger from Cloudflare[.]solutions. This malware was originally identified by one of our analysts in April 2017 and has since evolved and spread to new domains.

    Keylogger Spreads to New Domains

    A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down. This was not the end of the malware campaign, however.

    The cdjs[.]online script is injected into either a WordPress database (wp_posts table) or into the theme’s functions.php file, just like we saw in the former cloudflare[.]solutions attack.

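The injection pattern in this item (scripts pulled from cloudflare[.]solutions and cdjs[.]online via wp_posts or functions.php) and the Coinhive miner in the YouTube item above can be hunted for with one allowlist scan. This is an added example, not code from Sucuri or BleepingComputer; the WordPress path, the allowlist, the dump file name and the coinhive.com domain are assumptions to adapt, while the other two domains come from the post.

```powershell
# Hunt for <script> tags and enqueued scripts that load code from hosts outside an
# allowlist, across wp-content and an optional wp_posts SQL dump. Added example, not
# Sucuri's or BleepingComputer's code; $WpRoot, $Allowed and coinhive.com are assumptions.

$KnownBad = @('cloudflare.solutions', 'cdjs.online', 'coinhive.com')   # first two from the post

# Assumed allowlist: your own site host plus the CDNs the theme legitimately uses.
$Allowed = @('example.com', 'www.example.com', 'fonts.googleapis.com', 'www.google-analytics.com')

# Two ways the injections surface: raw HTML in posts/themes, and wp_enqueue_script()
# calls in functions.php. Each regex captures the host of the script URL in group 1.
$Patterns = @(
    [regex]'(?i)<script[^>]*\bsrc\s*=\s*["'']?(?:https?:)?//([^/"''\s>]+)',
    [regex]'(?i)wp_(?:enqueue|register)_script\s*\(\s*["''][^"'']*["'']\s*,\s*["''](?:https?:)?//([^/"''\s]+)'
)

function Test-KnownBad {
    param([string]$HostName)
    foreach ($bad in $KnownBad) {
        if ($HostName -eq $bad -or $HostName.EndsWith(".$bad")) { return $true }
    }
    return $false
}

function Find-InjectedScripts {
    param(
        [Parameter(Mandatory)] [string]$WpRoot,   # assumed path to the WordPress install
        [string]$PostsDump                        # optional: mysqldump output for wp_posts
    )
    # @() keeps $targets an array even when only one file matches, so += works.
    $targets = @(Get-ChildItem -Path (Join-Path $WpRoot 'wp-content') -Recurse -File -Include *.php, *.js, *.html -ErrorAction SilentlyContinue)
    if ($PostsDump -and (Test-Path $PostsDump)) { $targets += Get-Item $PostsDump }

    foreach ($file in $targets) {
        $lineNo = 0
        # ReadLines streams the file, which matters for multi-megabyte SQL dumps.
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            $lineNo++
            foreach ($rx in $Patterns) {
                foreach ($m in $rx.Matches($line)) {
                    $srcHost = $m.Groups[1].Value.ToLowerInvariant()
                    if ($Allowed -contains $srcHost) { continue }
                    $severity = if (Test-KnownBad $srcHost) { 'KNOWN-BAD' } else { 'REVIEW' }
                    [pscustomobject]@{
                        Severity = $severity
                        Host     = $srcHost
                        File     = $file.FullName
                        Line     = $lineNo
                    }
                }
            }
        }
    }
}

# Usage (both paths are assumptions). Anything marked REVIEW is an external host the
# allowlist does not know; a fake "Google Analytics" or jQuery loader shows up here.
Find-InjectedScripts -WpRoot 'C:\inetpub\wwwroot\blog' -PostsDump 'C:\backup\wp_posts.sql' |
    Sort-Object Severity, Host | Format-Table -AutoSize
```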
  21. Tomi Engdahl says:

    No, OnePlus is still not sending your clipboard data to China
    http://www.androidpolice.com/2018/01/26/no-oneplus-still-not-sending-clipboard-data-china/

    OnePlus can’t catch a break lately. While it’s made some legitimate mistakes (eg. the credit card hack), there have also been some incidents where hysteria took precedence over common sense. That was the case with the clipboard story a few weeks back, and now there’s another clipboard-related accusation making the rounds. A Twitter post claims OnePlus is identifying and uploading clipboard data like bank account numbers to a Chinese server, but the company says this is incorrect. The file in question specifically stops the OS from monitoring certain types of data, and it’s not even active in OxygenOS.

    The apparent misunderstanding comes down to a file in the OxygenOS beta called badwords.txt.

    This time, the company is wasting no time issuing a clear explanation of the situation. Here’s the official statement.

    There’s been a false claim that the Clipboard app has been sending user data to a server. The code is entirely inactive in the open beta for OxygenOS, our global operating system. No user data is being sent to any server without consent in OxygenOS.

    In the open beta for HydrogenOS, our operating system for the China market, the identified folder exists in order to filter out what data to not upload. Local data in this folder is skipped over and not sent to any server.

    The allegation is that OP uses this file to identify data to upload to a Chinese server. According to OnePlus, badwords.txt is actually a blacklist file—it tells the OS not to monitor matching data for its smart clipboard service. You’re probably not familiar with that feature because it’s only used in China as part of HydrogenOS.

    So, it sounds like OnePlus’ only mistake here was including files from HydrogenOS in the OxygenOS beta. The code is inactive, but it’s bound to confuse people.

  22. Tomi Engdahl says:

    Perv raided college girls’ online accounts for nude snaps – by cracking their security questions
    Personal info obtained to pull off 1,400 password resets. Now he’s behind bars
    http://www.theregister.co.uk/2018/01/25/college_nude_selfie_hacker_jailed/

    Jonathan C. Powell, who hacked into over 1,000 email accounts in search of sexually explicit images and videos of college-aged women, was jailed for six months for computer fraud, the US Department of Justice said on Thursday.

    Arrested in November, 2016, Powell, a resident of Phoenix, Arizona, pleaded guilty last August in a New York court to accessing email accounts without authorization at two universities: Pace University in New York, and another unnamed university in Pennsylvania.

  23. Tomi Engdahl says:

    Iranian Hackers Target IIS Web Servers With New Backdoor
    http://www.securityweek.com/iranian-hackers-target-iis-web-servers-new-backdoor

    The Iran-linked cyber-espionage group known as OilRig is using a backdoor to target Internet Information Services (IIS) Web servers used by Middle Eastern government organizations and financial and educational institutions.

    Dubbed RGDoor, the malware is believed to be a secondary backdoor that allows the actor to regain access to a compromised Web server in the event the primary malware is detected and removed. This primary malicious tool is the TwoFace webshell, which OilRig is believed to have been using since at least June 2016.

    The backdoor was created using C++, which results in a compiled dynamic link library (DLL) with an exported function named “RegisterModule.” Because of that, Palo Alto’s researchers believe the DLL was used as a custom native-code HTTP module loaded into IIS, and suggest that there is no visual representation of the shell for the actors to interact with.

    This approach takes advantage of IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities, such as carrying out custom actions on requests. These “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto explains.

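Enumerating the registered native modules, which is where a DLL installed the way Palo Alto describes would have to appear, as an added example that is not part of the original article; it assumes IIS 7 or later with the WebAdministration PowerShell module, an elevated session on the web server, and the function name is my own.

```powershell
# List the native modules registered in IIS (the globalModules section that appcmd
# and IIS Manager write to) and flag any whose DLL lives outside the IIS directory
# or lacks a valid Microsoft signature. Added example; assumes IIS 7+ with the
# WebAdministration module, run in an elevated session on the web server.

Import-Module WebAdministration

$InetsrvDir = Join-Path $env:windir 'System32\inetsrv'

function Get-IisNativeModuleAudit {
    Get-WebGlobalModule | ForEach-Object {
        # Image paths in applicationHost.config are stored with %windir%-style variables.
        $image = [Environment]::ExpandEnvironmentVariables($_.Image)
        $inInetsrv = $image.StartsWith($InetsrvDir, [StringComparison]::OrdinalIgnoreCase)

        $signer  = 'MISSING FILE'
        $written = $null
        if (Test-Path -LiteralPath $image) {
            $written = (Get-Item -LiteralPath $image).LastWriteTime
            $sig = Get-AuthenticodeSignature -FilePath $image
            $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "UNSIGNED ($($sig.Status))" }
        }

        # Every native module exports RegisterModule, so the export name is not a
        # discriminator; location, signer and write time are what separate a
        # shipped module from one dropped by an intruder.
        $flags = @()
        if (-not $inInetsrv)                 { $flags += 'outside-inetsrv' }
        if ($signer -notmatch 'O=Microsoft') { $flags += 'not-microsoft-signed' }

        [pscustomobject]@{
            Name         = $_.Name
            Image        = $image
            PreCondition = $_.PreCondition
            Signer       = $signer
            LastWrite    = $written
            Flags        = ($flags -join ',')
        }
    }
}

$audit = @(Get-IisNativeModuleAudit)
$audit | Format-Table Name, Image, Signer, LastWrite, Flags -AutoSize

$suspect = @($audit | Where-Object { $_.Flags })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) module(s) need review; cross-check with: appcmd list modules"
    # Once confirmed malicious: Remove-WebGlobalModule -Name <name>, remove the matching
    # <add name=.../> entries under <modules>, then restart IIS. Preserve the DLL and
    # applicationHost.config for forensics before deleting anything.
}
```

Legitimate third-party modules (for example, vendor WAF or monitoring agents) will also land in the review list; the value is in comparing the list against what the server is supposed to have.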
  24. Tomi Engdahl says:

    Exercise Tracking App Reveals Details of Military Sites
    http://www.securityweek.com/exercise-tracking-app-reveals-details-military-sites

    A map showing paths taken by users of an exercise tracking app reveals potentially sensitive information about American and allied military personnel in places including Afghanistan, Iraq and Syria.

    While some bases are well known to groups that want to attack them, the map also shows what appear to be routes taken by forces moving outside of bases — information that could be used in planning bombings or ambushes.

    Routes are highlighted over large parts of some countries, but in others, specific locations stand out.

    Smaller sites are also highlighted on the map in northern and western Iraq, indicating the presence of other, lesser-known installations.

    More dangerously, stretches of road are also highlighted, indicating that Strava users kept their devices on while traveling, potentially providing details about commonly-taken routes.

    Tobias Schneider, a security analyst who was among the group of people who discovered that the map showed military bases, noted that it indicated military sites in Syria, as well as the Madama base used by French forces in Niger.

  25. Tomi Engdahl says:

    Top Dutch Banks Hit by Cyber Attacks
    http://www.securityweek.com/top-dutch-banks-hit-cyber-attacks

    The top three banks in the Netherlands have been targeted in multiple cyber attacks over the past week, blocking access to websites and internet banking services, they said on Monday.

    The number one Dutch bank, ING, was hit by a distributed denial of service (DDoS) attack on Sunday evening while the eurozone nation’s third largest lender, ABN Amro, suffered three attacks over the weekend in a total of seven over the last week, Dutch media reported.

    Rabobank, the country’s number two lender, saw its internet banking services go down on Monday morning.

    “We have been targeted by a DDoS attack since 9.10 am (0810 GMT) this morning (Monday) and our clients don’t have access or very little access to online banking,” Rabobank spokeswoman Margo van Wijgerden said.

    “We are working to resolve the problem as quickly as possible,” she told AFP.

    “I think these (recent) attacks are serious, but our own website is being attacked thousands of times per day,” Knot told the Buitenhof talk show. “That is the reality in 2018,” he said.

  26. Tomi Engdahl says:

    “20 euros per attack” – DDoS is far too easy

    The Helsinki District Court issued a judgment in December in a cybernetic attack on OP. There were several acts of accusation, a denial of service, a “denial” of the most serious of them against the bank in the New Year’s Eve 2014, which resulted in customers being left without money.

    Two young men, nicknamed Stacks and John, were given relatively mild sentences: the main perpetrator a year and four months suspended plus 50 hours of community service, his friend three months suspended. The prosecutor had demanded unconditional imprisonment and compensation to OP of over €450,000.

    Damages and court costs ordered came to EUR 26,000, which is a big sum for young people.
    OP did not receive the damages it asked for in its claim. The court’s decision was secret in this respect, so I can only guess: OP’s own technology was not up to scratch. Stacks and John attacked all the banks, but only OP collapsed.

    The case and the judgment give rise to some thoughts. First, setting up a DDoS attack is far too easy. In court, John told how, as a member of the Core Sec group, he bought attacks on MTV, the Finnish Communications Regulatory Authority and OP Bank at a price of “20 euros per attack”.

    If the functions of society can be disrupted with mere pocket money, we are truly at the mercy of the young. On the net it is not money that decides, but expertise and contacts. Young people have enough of both.

    “If he could stop the largest bank in Finland at the age of 17, what else could he do to the country?”

    Poor information security does not remove the punishability of the crime, but in the interests of national security, things have to be put in order. Important services should not fall over from conventional load, SYN or NTP attacks.

    Sentences for cybercrime are quite mild in Finland. Another problem is the young age of the perpetrators.

    The severity of the punishment is influenced by how premeditated the act was. The threshold for an online attack is low, and it can be done on a moment’s whim. That is precisely why the punishment should have a preventive deterrent effect.

    On the positive side, however, the charge of extortion went through.

    The last observation is the most worrying: Stacks and John were caught because of their carelessness. Had they been a little more careful, the attacks would not have been solved.
    Many earlier cyber attacks have remained unsolved. Cybercrime is difficult to detect, and gathering enough evidence is difficult.

    A good year passed before the arrest. Then it took another year and a half before the trial began. The process is far too slow for punishment to follow. The boys managed to commit other crimes and make money from them.

    Source: https://www.tivi.fi/blogit/20-euroa-per-laaki-dossaus-on-aivan-liian-helppoa-6698399

    Reply
  27. Tomi Engdahl says:

    Man pleads guilty to launching DDoS attacks against former employers
    http://www.zdnet.com/article/man-pleads-guilty-to-launching-ddos-attacks-against-former-employers/

    A man has admitted to disrupting domains belonging to former employers, competition, and law enforcement agencies.

    Reply
  28. Tomi Engdahl says:

    Japan punishes Coincheck after $530m cryptocurrency theft
    http://www.zdnet.com/article/japan-punishes-coincheck-after-530m-cryptocurrency-theft/

    Coincheck has been ordered by Japan’s financial regulator to get its act together after hackers stole $530 million worth of digital money from its exchange.

    Japan’s financial regulator has ordered Coincheck to get its act together after hackers stole $530 million worth of digital money from its exchange, jolting the nation’s cryptocurrency market in one of the biggest cyber heists.

    The theft highlights the vulnerabilities in trading an asset that global policymakers are struggling to regulate and the broader risks for Japan as it aims to leverage the fintech industry to stimulate economic growth.

    The Financial Services Agency (FSA) said on Monday it has ordered improvements to operations at Tokyo-based Coincheck, which on Friday suspended trading in all cryptocurrencies except bitcoin after hackers stole 58 billion yen of NEM coins.

    Reply
  29. Tomi Engdahl says:

    First ‘Jackpotting’ Attacks Hit US ATMs
    https://it.slashdot.org/story/18/01/29/1348216/first-jackpotting-attacks-hit-us-atms

    ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

    First ‘Jackpotting’ Attacks Hit U.S. ATMs
    https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/

    To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics — often a combination of both — to control the operations of the ATM.

    Reply
  30. Tomi Engdahl says:

    US military reviewing tech use after Strava privacy snafu
    https://techcrunch.com/2018/01/29/us-military-reviewing-tech-use-after-strava-privacy-snafu/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    The U.S. military has responded to privacy concerns over a heatmap feature in the Strava app which displays users’ fitness activity — and has been shown exposing the locations of military facilities around the world — by saying it’s reviewing the rules around usage of wireless devices and apps by its personnel.

    Reply
  31. Tomi Engdahl says:

    Top Dutch Banks, Revenue Service Hit by Cyber Attacks
    http://www.securityweek.com/top-dutch-banks-hit-cyber-attacks

    The top three banks in the Netherlands have been targeted in multiple cyber attacks over the past week, blocking access to websites and internet banking services, they said on Monday.

    The Dutch Revenue Service was also briefly targeted on Monday by a similar attack, but services were quickly restored, a spokesman said.

    The number one Dutch bank, ING, was hit by a so-called distributed denial of service (DDoS) attack on Sunday evening while the eurozone nation’s third largest lender, ABN Amro, suffered three attacks over the weekend in a total of seven over the last week, Dutch media reported.

    Rabobank, the country’s number two lender, saw its internet banking services go down on Monday morning.

    Reply
  32. Tomi Engdahl says:

    phpBB Website Served Malicious Packages
    http://www.securityweek.com/phpbb-website-served-malicious-packages

    The developers of the free and open source forum software phpBB informed users over the weekend that the official website had served malicious files for roughly three hours on Friday.

    Reply
  33. Tomi Engdahl says:

    Dridex Authors Build New Ransomware
    http://www.securityweek.com/dridex-authors-build-new-ransomware

    The authors of the infamous Dridex banking Trojan have created a sophisticated ransomware family, ESET warns.

    Reply
  34. Tomi Engdahl says:

    Security Explorations Launches New Research Program
    http://www.securityweek.com/atm-jackpotting-attacks-strike-us

    Hackers have been targeting automated teller machines (ATMs) in the United States to make them spill out cash using an attack technique known as “jackpotting.”

    As part of the attacks, individuals with physical access to the machines connect to them and “install malware, or specialized electronics, or a combination of both to control the operations of the ATM,” The United States Secret Service revealed in a warning issued on Friday.

    The attackers targeted stand-alone ATMs located in pharmacies, big box retailers, and drive-thru ATMs, the alert reads. Both individual suspects and large organized groups (both local and international organized crime syndicates) are engaged in such attacks.

    Reply
  35. Tomi Engdahl says:

    Lenovo Addresses Hardcoded Password in Fingerprint Manager
    http://www.securityweek.com/lenovo-addresses-hardcoded-password-fingerprint-manager

    Computer maker Lenovo has updated Fingerprint Manager Pro for Windows 7, 8, and 8.1 to address several insecure credential storage issues in the software, including the presence of a hardcoded password.

    Reply
  36. Tomi Engdahl says:

    Mozilla Patches Critical Code Execution Flaw in Firefox
    http://www.securityweek.com/mozilla-patches-critical-code-execution-flaw-firefox

    An update released this week by Mozilla for Firefox 58 patches a critical vulnerability that can be exploited by a remote attacker for arbitrary code execution.

    The vulnerability, tracked as CVE-2018-5124, affects Firefox versions 56 through 58 and it has been fixed with the release of Firefox 58.0.1. According to Mozilla, Firefox for Android and Firefox 52 ESR are not impacted. Linux distributions have also started pushing out updated packages that include the fix.

    “The vulnerability is due to insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software,”

    Reply
  37. Tomi Engdahl says:

    Cisco Patches Critical Code Execution Flaw in Security Appliances
    http://www.securityweek.com/cisco-patches-critical-code-execution-flaw-security-appliances

    Cisco informed customers on Monday that updates released for its Adaptive Security Appliance (ASA) software patch a critical vulnerability that can be exploited to gain full control of devices or cause them to reload.

    The security hole, tracked as CVE-2018-0101 and assigned a CVSS score of 10, allows a remote and unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition.

    Reply
  38. Tomi Engdahl says:

    Scammers become the scammed: Ransomware payments diverted with Tor proxy trickery
    Of course this does nothing for victims’ encrypted files
    https://www.theregister.co.uk/2018/01/30/ransomware_diversions/

    Cybercriminals are using Tor proxies to divert ransomware payments to their own Bitcoin wallets.

    Ransomware scammers have long directed victims to payment portals on the Tor network. For those who do not want to or cannot install the Tor browser necessary to pay their ransoms, operators generally direct victims to a Tor proxy such as onion.top or onion.to, which allows users to access the Tor network via standard web browsers.

    But, in what appears to be the first such attack of its kind, operators of an onion.top proxy are performing man-in-the-middle attacks to substitute their own Bitcoin payment addresses for those originally specified in selected ransomware strains, net security firm Proofpoint reports.

    Double dipping: Diverting ransomware Bitcoin payments via .onion domains
    https://www.proofpoint.com/us/threat-insight/post/double-dipping-diverting-ransomware-bitcoin-payments-onion-domains

    Reply
  39. Tomi Engdahl says:

    Unsanitary Firefox gets fix for critical HTML-handling hijack flaw
    Versions 56 through 58 need patching, pronto
    https://www.theregister.co.uk/2018/01/30/mozilla_patches_critical_firefox_vulnerability/

    Mozilla has patched a nasty security bug in Firefox, affecting versions 56, 57 and 58, and their point updates.

    The CVSS-8.8-rated flaw means that if an attacker can get a user to open a malicious document or link, remote code execution becomes a possibility – allowing spyware, ransomware and other nasties to be installed and run.

    An advisory from Cisco explains: “The vulnerability is due to insufficient sanitisation of HTML fragments in chrome-privileged documents by the affected software … A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.”

    Reply
  40. Tomi Engdahl says:

    To hack Australia and learn its secrets, buy second-hand furniture
    Secret cabinet documents found in filing cabinet sold because someone lost the key
    https://www.theregister.co.uk/2018/01/31/australian_cabinet_leaked_a_cabinet/

    The Australian government has suffered what must rank as one of the most ridiculously embarrassing security breaches in its history: cabinet records from five successive governments were sent to a second-hand furniture store.

    The trove ended up in the hands of the Australian Broadcasting Corporation (ABC – which is in the process of publishing what it judges safe to publish here).

    It appears that someone decided to sell two filing cabinets intact because they’d lost the key (really); the buyer applied a power drill to the locks, and the rest is history.

    And what a history it’s turned out to be: for the ABC. The broadcaster says it’s “withheld documents if there are national security reasons, if the information is already public, or to protect the privacy of public servants.”

    Vulture South will keep our eyes on the cabinet leaks to look for other snippets of interest to our readers.

    Reply
  41. Tomi Engdahl says:

    Ugly, perfect ten-rated bug hits Cisco VPNs
    https://www.theregister.co.uk/2018/01/30/cisco_asa_and_firepower_cvss_10_0_bug_patch_asap/

    Patch your Adaptive Security Appliance and Firepower Threat Defense code before they’re utterly p0wned

    A programming slip in Cisco VPN software has introduced a critical vulnerability hitting ten different Adaptive Security Appliance and Firepower Threat Defense Software products.

    Reply
  42. Tomi Engdahl says:

    UK mass digital surveillance regime ruled unlawful
    https://www.theguardian.com/uk-news/2018/jan/30/uk-mass-digital-surveillance-regime-ruled-unlawful-appeal-ruling-snoopers-charter?CMP=twt_gu

    Judges say snooper’s charter lacks adequate safeguards around accessing personal data

    Appeal court judges have ruled the government’s mass digital surveillance regime unlawful in a case brought by the Labour deputy leader, Tom Watson.

    Liberty, the human rights campaign group which represented Watson in the case, said the ruling meant significant parts of the Investigatory Powers Act 2016 – known as the snooper’s charter – are effectively unlawful and must be urgently changed.

    Reply
