Louise Matsakis / Wired:
Ad-blocker Ghostery goes open source, changes revenue stream to opt-in notifications about deals and paid insights about the web tracking ecosystem — IN PRIVACY-FOCUSED, ANTI-ESTABLISHMENT corners of the internet, going open source can earn you a certain amount of street cred.
A 1.3 Tbps DDoS attack – essentially a massive torrent of data aimed at a single target – hit targets on March 1. While the attack itself is notable, more interesting is what was hidden inside it.
The attack exploited memcached, which is a legitimate service on many servers.
, “most popular DDoS tactics that abuse UDP connections can amplify the attack traffic 10 or 20 times — allowing, for example a 1 mb file request to generate a response that includes between 10mb and 20mb of traffic.”
“This attack was the largest attack seen to date by Akamai
Within the attack, however, security researchers found a 1MB file that contained a ransom request and a Monero cryptocurrency address. In other words, built into the attack payload was an extortion request.
In short, not only did the attackers slam servers with massive amounts of data, their targets were asked – millions if not billions of times – to pay extortion fees to stop the attack.
a new app aimed at Android users called Bolt App Lock. Instead of offering a VPN, Bolt App Lock is a tool that lets you lock down any app you don’t want others to be able to open, using a PIN code, pattern, or your fingerprint.
Apps that help users lock other apps are a popular category on Android, where you can today find dozens of similar solutions – though largely from unknown companies, save for a few like Keepsafe or Norton. Like the others in this space, the Bolt app lets you lock down other apps that contain personal information, such as private photos or payment details.
But Onavo – and Facebook’s – primary interest isn’t on personal security. It’s about finding a way on users’ phones in order to monitor mobile activity and learn what new apps could be taking attention away from Facebook’s social network.
This is disclosed at the bottom of the app’s listing on Google Play.
Catalin Cimpanu / BleepingComputer.com:
Report: China is altering its critical vulnerability disclosure database, backdating disclosure times of vulnerabilities that government hackers may want to use
Chinese intelligence agencies are doctoring the Chinese National Vulnerabilities Database (CNNVD) to hide security flaws that government hackers might have an interest in, according to a report released on Friday by US threat intelligence firm Recorded Future.
The US company says it noticed in recent months mass edits to the CNNVD website. Recorded Future says CNNVD operators have been backdating the publication dates for hundreds of vulnerabilities.
Backdating done to hide “vulnerability evaluation” program
“CNNVD’s manipulation of its vulnerability publication data ultimately reveals more than it conceals,” the Recorded Future team says.
Joseph Cox / Motherboard:
FBI arrests CEO of Phantom Secure, which customized BlackBerrys for criminals by removing mic and camera, routing encrypted messages via overseas servers, more
Phantom Secure is one of the most infamous companies in the secure phone industry. Sources and court documents detail that its owner has been arrested for allegedly helping criminal organizations.
For years, a slew of shadowy companies have sold so-called encrypted phones, custom BlackBerry or Android devices that sometimes have the camera and microphone removed and only send secure messages through private networks. Several of those firms allegedly cater primarily for criminal organizations.
“FBI are flexing their muscle,” one source familiar with the secure phone industry, and who gave Motherboard specific and accurate details about the operation before it was public knowledge, said.
“We made it—we made it specifically for this [drug trafficking] too,” Ramos told undercover agents, according to a transcript included in the complaint.
Andy Greenberg / Wired:
Inside Operation Bayonet, the Dutch police sting and takeover of Hansa, once the largest dark web market in Europe, that netted data on ~420K users — FOR ANYONE WHO has watched the last few years of cat-and-mouse games on the dark web’s black markets, the pattern is familiar …
For anyone who has watched the last few years of cat-and-mouse games on the dark web’s black markets, the pattern is familiar: A contraband bazaar like the Silk Road attracts thousands of drug dealers and their customers, along with intense scrutiny from police and three-letter agencies. Authorities hunt down its administrators, and tear the site offline in a dramatic takedown—only to find that its buyers and sellers have simply migrated to the next dark-web market on their list.
So when Dutch police got onto the trail of the popular dark-web marketplace Hansa in the fall of 2016, they decided on a different approach: Not a mere takedown, but a takeover.
In their probe into that free-trade zone, which would come to be known as Operation Bayonet, the Dutch investigators not only identified the two alleged administrators of Hansa’s black market operation in Germany, but went so far as to hijack the two arrested men’s accounts to take full control of the site itself.
They surveilled Hansa’s buyers and sellers, discreetly altered the site’s code to grab more identifying information of those users, and even tricked dozens of Hansa’s anonymous sellers into opening a beacon file on their computers that revealed their locations. The fallout of that law enforcement coup, the officers claim, has been one of the most successful blows against the dark web in its short history: millions of dollars worth of confiscated bitcoins, more than a dozen arrests and counting of the site’s top drug dealers, and a vast database of Hansa user information that authorities say should haunt anyone who bought or sold on the site during its last month online.
In less than ten days, the Memcache DDoS attack has come out of nowhere and captured a lot of attention within the security community. When we look at the news, we see all sorts of reports but can hardly get a good idea of what the real situation is; for example, the most important questions: how many victims are out there, and how big is the attack army?
Since 2018-02-24, the frequency of attacks has increased dramatically.
In the past ten days, quite a few popular websites became victims of this DDoS attack. For example, GitHub suffered a DDoS attack around Feb 28 17:20 UTC; the peak flow rate reached 1.35 Tbps, according to Akamai and GitHub.
You will spot lots of interesting targets.
Overall, the current victims are mainly concentrated in the United States, China (including Hong Kong, China), South Korea, Brazil, France, Germany, the United Kingdom, Canada, and the Netherlands.
We set up a honeypot for this type of attack and filtered out over 37k attack instructions.
As shown in the following table, 99% of the attack instructions are based on memcache STATS directives.
How do I secure Memcached server on Linux or Unix-like system to avoid an attacker to exploit my Memcached services as an amplification vector, causing unexpected volumes of traffic to be sent to targeted networks?
Memcached and DDoS attack
By default the memcached server uses TCP/UDP port number 11211. DDoS (Distributed Denial of Service) amplification attacks are performed by exploiting Memcached servers exposed on public Internet IPv4/IPv6 addresses. There has been a significant increase in this amplification attack vector, which uses the Memcached protocol and comes from UDP port 11211.
How to secure memcached server
The procedure to secure a memcached server is as follows:
1. Configure a firewall
2. Disable UDP
3. Force memcached to listen on private LAN/VLAN IP address
Make sure that your Memcached server is firewalled and its TCP/UDP ports are closed to the public Internet. Only allow your web server/app to access the Memcached server.
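The three steps above, turned into a check a practitioner can run against an existing memcached configuration. This is an added example and not code from the original page: it audits the `OPTIONS` line (found in `/etc/memcached.conf` or `/etc/sysconfig/memcached`, depending on the distribution) for the UDP-disable and private-bind settings, and prints the iptables rules for the firewall step rather than applying them. The `OPTIONS` strings and the app server address `10.0.0.5` are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original page: audit a memcached OPTIONS line
# against the three hardening steps (firewall, disable UDP, bind to a private
# address). Sample OPTIONS strings below are constructed input.

# check_memcached_opts "OPTS" -> prints one finding per step;
# returns 0 when UDP is disabled and the bind address is private, else 1
check_memcached_opts() {
    opts="$1"
    rc=0
    # Step 2: "-U 0" disables the UDP listener; anything else leaves it on
    case " $opts " in
        *" -U 0 "*) echo "ok: UDP listener disabled (-U 0)" ;;
        *) echo "FAIL: UDP enabled on 11211; add '-U 0'"; rc=1 ;;
    esac
    # Step 3: "-l" must bind a loopback or RFC 1918 address, not all interfaces
    addr=$(printf '%s\n' "$opts" | sed -n 's/.*-l \([^ ]*\).*/\1/p')
    case "$addr" in
        127.*|10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|::1)
            echo "ok: bound to private address $addr" ;;
        ""|0.0.0.0|::)
            echo "FAIL: listening on all interfaces; add '-l <private LAN IP>'"; rc=1 ;;
        *)
            echo "FAIL: bound to non-private address $addr"; rc=1 ;;
    esac
    return $rc
}

# Step 1: firewall_rules APP_IP -> prints iptables rules (printed, not applied)
# that accept 11211 only from the app server and drop everything else
firewall_rules() {
    printf 'iptables -A INPUT -p tcp --dport 11211 -s %s -j ACCEPT\n' "$1"
    printf 'iptables -A INPUT -p tcp --dport 11211 -j DROP\n'
    printf 'iptables -A INPUT -p udp --dport 11211 -j DROP\n'
}

# Usage with constructed sample OPTIONS lines: the first is the exposed
# default and returns non-zero, the second is the hardened form
check_memcached_opts "-m 64 -p 11211 -u memcache -l 0.0.0.0" || true
check_memcached_opts "-m 64 -p 11211 -u memcache -U 0 -l 127.0.0.1"
firewall_rules 10.0.0.5
```

The check deliberately treats a missing `-l` the same as `0.0.0.0`, since memcached listens on all interfaces when no bind address is given; a non-zero exit status makes the function usable from a configuration-management or CI check.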
Dan Goodin / Ars Technica:
Kaspersky Lab details sophisticated Slingshot malware likely used for spying on targeted individuals and organizations, which remained hidden for six years — Nation-sponsored Slingshot is one of the most advanced attack platforms ever. — Researchers have discovered malware so stealthy …
DDoS attacks taking advantage of ill-advised use of memcached have begun to decline, either because sysadmins are securing the process, or because people are using a potentially-troublesome “kill switch”.
Memcached is a handy caching tool that can improve database performance but has no security controls because it was never intended to be used on internet-exposed systems. In late February attackers started to take advantage of the fact that memcached is a very effective amplifier of UDP messages, since a 15-byte query returns answers that could be hundreds of kilobytes. Attacks on the cache briefly gave GitHub the honour of the biggest ever DDoS attack at 1.7 Tbps, but within days a US service provider took an even bigger hosing.
Corero said that there’s a kill-switch it was deploying for clients. The flush_all command does exactly what it says: the process drops all the objects in memory, and the attack ends.
Cloudflare and Arbor Networks warned eWeek they’re worried about the ethics and legality of someone firing flush_all at someone else’s machine, because changing the contents of a computer you don’t own is illegal in many or most jurisdictions.
The attack volumes kept increasing for most of last week. Qihoo 360 last Wednesday said it had logged 10,000 attack events in the previous week, and identified 7,131 victim IP addresses.
Those included Qihoo, Google, and Amazon, various smut sites, games, security vendors, various National Rifle Association sites, and Brian Krebs’ page.
A vulnerability in Softbank Robotics’ NAO and Pepper robots can lead to costly ransomware attacks that could cause robots deployed in businesses to stop working, curse at customers, or even perform violent movements.
The vulnerability was disclosed at Kaspersky Lab’s Security Analyst Summit by IOActive Labs. The security firm said that Softbank was notified of the vulnerability in January 2017, but they aren’t aware of any available patches.
Lucas Apa and Cesar Cerrudo, researchers with IOActive Labs, told Threatpost that the vulnerability can open opportunities for ransomware attacks targeting sensitive in-transit information collected on the robot, like high-definition video feed, audio captured by up to four directional microphones, and payment or other business information running on the robots. Another critical ransomware target is downtime in robots – many businesses lose money every second one of their robots is nonoperational.
The NAO and Pepper robots, priced around $10,000, are some of the most widely used research and education robots in the world, with 20,000 Pepper robots deployed in 2,000 businesses worldwide, and 10,000 NAO robots in use globally. These robots are used by an array of businesses in the education, retail and industrial space.
“This undocumented function allows executing commands remotely by instantiating a NAOqi object using the ALLauncher module and calling the internal _launch function,” according to IOActive Labs.
New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey
Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and ‘aggressive’ operation that resembles earlier attacks against the global SWIFT financial network.
McAfee’s report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations are victims of the attack — which occurred on March 2 and 3. In this attack, the Flash exploit drops the Bankshot implant, a RAT that gives the attacker full capability on a victim’s system.
The Australian government’s habit of losing filing cabinets full of confidential documents is merely a symptom of much deeper problems, in both policy development and implementation.
As Oscar Wilde might have put it: “To lose one filing cabinet full of government documents may be regarded as a misfortune; to lose two looks like carelessness.”
US President Donald Trump blocked Monday an unsolicited bid by Singapore-based Broadcom to take over smartphone chipmaker Qualcomm, citing national security concerns.
Trump issued an order barring the proposed mega-acquisition, saying there is credible evidence such a deal “threatens to impair the national security of the United States,” according to a White House statement.
The order came despite Broadcom’s assurances that it would complete its move to the United States by early April, ahead of a planned Qualcomm shareholder vote on the $117 billion deal — meaning any national security concerns were moot.
“Broadcom strongly disagrees that its proposed acquisition of Qualcomm raises any national security concerns,” the company said, adding that it was reviewing the order.
Hundreds of users in Turkey and Syria have been redirected to nation-state malware at the Internet Service Provider (ISP) level, a recent Citizen Lab report reveals.
Following ESET’s discovery that ISPs might be involved in the FinFisher distribution, Citizen Lab launched its own investigation into the matter, only to discover that Türk Telekom has been using Sandvine/Procera Networks Deep Packet Inspection (DPI) devices for the delivery of FinFisher when users attempted to download certain legitimate Windows applications.
Furthermore, the same DPI middleboxes at a Telecom Egypt demarcation point were used to hijack Egyptian users’ unencrypted Internet connections en masse, to redirect them to affiliate ads and in-browser crypto-currency mining scripts.
New samples of Hacking Team’s Remote Control System (RCS) flagship spyware have recently emerged, slightly different from previously observed variations, ESET warns.
Hacking Team, an Italian spyware vendor founded in 2003, is well known for selling surveillance tools to governments worldwide. In 2015, the firm was hacked, which led to 400GB of internal data being leaked online, including a list of customers, internal communications, and spyware source code.
Hanwha’s SmartCam cameras are affected by more than a dozen vulnerabilities, including critical flaws that can be exploited remotely to take control of devices.
The impacted cameras are widely used for surveillance and monitoring. They can record at high resolutions, they have night vision capabilities and motion sensors, and they allow their users to talk to the person being monitored via a built-in speaker. The product can be controlled remotely from any type of device and all the recorded video is stored in the cloud.
Samsung Electronics sold its Samsung Techwin security division to South Korean conglomerate Hanwha Group in 2014. However, Hanwha’s SmartCam products are still branded “Samsung.”
Last month, U.S. intelligence agencies weren’t so into the idea of people using Chinese phones.
The heads of the CIA, FBI and NSA told a Senate committee in February they didn’t recommend products or services by China’s Huawei or ZTE be used by Americans, concerned about companies or entities becoming “beholden to foreign governments.”
Now, in Australia, that suspicion has seemingly extended to Chinese apps. Messaging platform WeChat has reportedly been banned from being installed on phones belonging to the country’s Department of Defence, according to the Australian Financial Review.
“Defence does not provide or support the use of unauthorised software, including the WeChat social media application, on Defence mobile devices,” a Defence spokesperson told the newspaper. Limited use of Facebook is reportedly allowed though.
Security researchers at Kaspersky Lab have discovered what’s likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive.
Kaspersky describes these two elements as “masterpieces,” and for good reason. For one, it’s no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active.
Cyber crime is expensive in the Nordic countries – almost half of the companies are subject to abuse
Misconduct against companies is hitting its targets more seriously, says consulting company PwC.
According to PwC’s latest report, 46 per cent of businesses in the Nordic countries were subjected to various abuses, and the damage they caused was not minor. For more than one in ten Nordic companies, the financial damage was over 800,000 euros, and in many cases much more.
The most common irregularity in the Nordic countries was cyber crime, which has increased in recent years. As a result, more than a quarter of Nordic companies suffered interruptions that hindered operations. Cyber crime was followed by misuse of funds and intimidation.
Businesses were also burdened with misuse of funds or resources, which in practice was often fraud and embezzlement.
“Companies should invest in employee involvement and emphasis on ethical corporate culture. In addition to technological solutions, in the complex world of misconduct, one has to be aware of human beings,” says New-Hautamaa.
A team of researchers has demonstrated how air-gapped computers can stealthily communicate with each other using speakers or headphones over ultrasonic waves.
Experts from the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel combined previous research on communications through ultrasonic waves with a technique that can be used to turn a device’s speakers into a microphone in an effort to create a covert data exfiltration channel.
Researchers demonstrated several years ago that audio modulation and demodulation can be used to exchange data between computers over the air via the ultrasonic frequency range. The method requires that the devices communicating with each other are equipped with both microphones and speakers.
However, it’s possible to turn speakers, headphones or earphones into microphones using only software, which Ben-Gurion University researchers demonstrated back in 2016 in an attack they dubbed SPEAKE(a)R.
The data exchange can take place over inaudible sound waves at frequencies of 18kHz or higher, which can be captured by regular headphones or speakers. The data can be modulated through audio frequency-shift keying (AFSK), which uses one frequency to transmit “0” bits and a different frequency to transmit “1” bits.
Tests conducted by researchers showed that a transfer rate ranging between 1200 bits/sec and 1800 bits/sec can be obtained for up to 8 meters (26 feet) for audible frequencies transmitted and captured using loudspeakers. The transfer rate drops to between 300 bits/sec and 600 bits/sec for inaudible frequencies.
“Our experiments show that at a distance of three meters between two speakers, a transmission rate of 166 bit/sec results in a 1% bit error rate, during the exfiltration of a 1Kbit binary file,”
Security researchers: Never connect to an unknown USB bus!
In tests, USB sticks were left lying around, for example on a university campus, and surprisingly many people fell for it and plugged a stick into their own machine. Israeli security researchers have now mapped as many as 29 different USB attacks.
The researchers are from the Malware Laboratory of the Cybercrime Center at Ben-Gurion University. Nir Nissim, the director of the laboratory, and Ran Yahalom, a researcher, were responsible for the study.
Many dangerous attacks can come through the USB bus. At the very end of a USB stick, an electrical device can be hidden that drives the whole machine as long as the stick is attached to it. ETN has reported on these in the past.
The researchers have simple instructions: use your own charger, do not connect to wifi networks, and if possible use your own mobile connection.
Alfred Ng / CNET:
Experts reveal 13 alleged flaws in AMD Ryzen and EPYC chips, just 24 hours after showing AMD, that allow malware to be installed on secure portions of the chips — Researchers say they’ve discovered critical security flaws in AMD chips that could allow attackers to access sensitive data …
Researchers say they’ve found 13 flaws in AMD’s Ryzen and EPYC chips, which could let attackers install malware on highly guarded parts of the processor.
David Ingram / Reuters:
After January reports that military locations were leaked by Strava, the fitness service will tweak the activity map and restrict access to registered users
A researcher last year discovered some information disclosure vulnerabilities in Facebook that exposed users’ friend lists and partial payment card information. The social media giant patched one of the flaws within hours.
Web security consultant Josip Franjković had been analyzing the Facebook application for Android when he identified a flaw that allowed him to obtain any user’s list of friends via a specially crafted request.
Facebook users can prevent others from seeing their friends, but the vulnerability discovered by Franjković could have been exploited to obtain this information regardless of the targeted user’s privacy settings.
GraphQL is an open source data query language designed by Facebook for its mobile applications. GraphQL queries can only be used for Facebook’s own applications—only whitelisted query IDs are allowed—and they require an access token.
Earlier today, we covered news that a previously unknown security research firm, CTS-Labs, has accused AMD of 13 serious security flaws within its products. If these security flaws exist, it’s critically important AMD deal with them immediately. Nothing about their provenance or the process by which they were communicated to the press changes that. But we’d be remiss if we didn’t note the perplexing nature of how they were communicated. Security researchers are also raising the alarm regarding some highly suspicious disclosures and framing of the underlying issues.
In the wake of Meltdown and Spectre, AMD has come out relatively clean compared with Intel. While it remains exposed to Spectre (Variant 1 and Variant 2), it dodged Meltdown altogether. But a new security firm is claiming AMD has no fewer than 13 critical vulnerabilities in its Ryzen processor and chipsets, including vulnerabilities within the heart of the CPU itself.
In a recent disclosure, security firm CTS-Labs has accused AMD of failing to catch 13 high-profile and serious security flaws in four separate families: Masterkey, Ryzenfall, Chimera, and Fallout.
The IRS issued a warning last month about an updated version of the old wire transfer phishing scam, where fake emails are sent to accounting supposedly from a company executive, requesting a wire transfer to a provided account. In the updated version cautioned by the IRS, the request is to payroll or human resources requesting a list of employees and their W-2 forms. Many have been fooled by this and other phishing related scams, exposing their companies and now their employees. Divulging employee lists and W-2 information exposes employees’ personal information that can be immediately used in identity theft and other social engineering activities.
From a people and process perspective, which is always the place to start, reviewing business processes and training employees about being cautious when clicking on links and transferring sensitive data is a first step as part of a larger security training program.
Ensuring that processes and procedures used by your organization promote secure practices is especially important. It not only reduces your exposure in general, but it will make those fake requests stand out even more, reducing the risk that somebody be fooled.
From a technology point of view, anti-phishing tools to identify and block fake emails, and data loss prevention technology are essential for combatting these phishing scams. However, analysts are getting buried in false positive alerts resulting from legitimate tax related activities or employees emailing their tax information back and forth (regardless of what your acceptable use policy says). I
The mission of security departments is to eliminate the noise of false positives, identify users intentionally or accidentally acting in a risky way, and identify business processes that may be exposing the organization.
Behavioral analytics (“User and Entity Behavioral Analytics, or UEBA”) can help solve all three of these challenges. UEBA analyzes a user’s activities and identifies unusual behavior relative to their own history and that of peer groups.
Microsoft’s Patch Tuesday updates for March 2018 fix a total of 75 vulnerabilities, including more than a dozen critical flaws affecting the company’s Edge and Internet Explorer web browsers.
SAP this week released its March 2018 set of security patches to address High and Medium priority vulnerabilities in its products.
A total of 10 Security Notes were included in the SAP Security Patch Day this month, three rated High priority and seven considered Medium priority. Two of the Notes were updates for previously released Security Notes.
Former boss at Brit electronic spy agency GCHQ, Robert Hannigan, has called for the application of “unexplained wealth orders” and economic sanctions against Russia rather than cyber attacks.
Hannigan damped down talk in the UK media that cyber attacks against Russia might form part of the response to poisoning of Russian-born double agent Sergei Skripal and his daughter in the medieval cathedral city of Salisbury in southern England last week.
He cited UK government statements to explain this was either a state-run operation or that Russia had lost control of a chemical weapons agent. This follows Russia’s highly contentious annexation of Crimea back in 2014.
WikiLeaks recently published thousands of documents that the organization said belongs to the CIA. Among them, there was a document that showed a list of antivirus and other security products that have been exploited and bypassed by the CIA.
A newly discovered Android malware family masquerades as various popular applications and can steal a broad range of information from infected devices, Palo Alto Networks warns.
Dubbed HenBox, the malware was observed installing the legitimate versions of apps it poses as to hide its presence on compromised devices. The threat is distributed via third-party app stores and mainly targets Uyghur, a minority Turkic ethnic group in the Xinjiang Uyghur Autonomous Region in North West China, and Xiaomi devices.
Several popular text editors can be leveraged for privilege escalation and their developers do not plan on taking any action to prevent abuse, according to SafeBreach, a company that specializes in simulating attacks and breaches.
Some text editors allow users to run third-party code and extend the application’s functionality through extensions. While this provides some benefits, an expert determined that it can also introduce security risks.
SafeBreach researcher Dor Azouri has analyzed the Sublime, Vim, Emacs, Gedit, pico and nano text editors, and found that only pico and its clone, nano, are not prone to abuse, mainly due to the fact that they offer only limited extensibility.
One part of the problem is that users — particularly on Linux servers — may often need to execute text editors with elevated privileges. If an attacker can plant malicious extensions in locations specific to the targeted text editor, their code will get executed with elevated privileges when the application is launched or when certain operations are performed.
In the case of Emacs, for example, attackers simply need to add one line of code to the “init.el” file in order to get their code executed on startup.
SafeBreach also pointed to a couple of incidents related to npm packages that resulted in malicious code getting loaded and applications breaking. Azouri has described several possible scenarios involving post-exploitation techniques that can be leveraged to gain root access on Unix-like systems.
“Badly configured Cron jobs, that are a natural part in Unix-like systems, can be abused to get root access.
“Some cases exist where the developers of 3rd party plugins, after gaining popularity for their plugin, updated the plugin’s code with malicious code (either intentionally or unintentionally
The developers of the text editors analyzed by SafeBreach said they don’t plan on making any changes to prevent this type of abuse.
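Since the editor developers do not plan to change the plugin-loading behaviour, the practical mitigation is on the user's side: make sure the startup files and extension directories these editors load cannot be modified by anyone but their owner. The following check is an added example, not SafeBreach's or any editor project's code. Only `init.el` appears in the text above; the other default paths (`~/.emacs`, `~/.vimrc`, `~/.vim`, `~/.config/sublime-text-3/Packages`) are well-known defaults assumed here, and the temporary files in the usage section are constructed input.

```shell
#!/bin/sh
# Added example, not from the original article: audit editor startup files
# and extension directories for group- or world-writable permissions, which
# is what the planted-extension scenario above needs. Paths that do not
# exist are skipped.

# audit_editor_paths PATH... -> prints one line per existing path;
# returns 0 if none is writable by group or others, 1 otherwise
audit_editor_paths() {
    rc=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        # In "ls -ld" output, character 6 is the group write bit and
        # character 9 is the other write bit (portable across GNU/BSD ls)
        case "$(ls -ld "$p" | cut -c6,9)" in
            *w*) echo "FAIL: $p is writable by group or others"; rc=1 ;;
            *)   echo "ok: $p" ;;
        esac
    done
    return $rc
}

# default_editor_paths -> prints the assumed default locations, one per line
default_editor_paths() {
    printf '%s\n' "$HOME/.emacs.d/init.el" "$HOME/.emacs" \
        "$HOME/.vimrc" "$HOME/.vim" "$HOME/.config/sublime-text-3/Packages"
}

# Usage: audit the defaults for the current user; exit status is non-zero
# when any of them is loosely permissioned
audit_editor_paths $(default_editor_paths) || true
```

Because the editors load these files with whatever privileges the editor runs under, the audit is most useful for the accounts that invoke editors through sudo; the `FAIL` lines point at the exact path whose permissions need tightening (for example with `chmod go-w`).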
Less than 1% of the top 1 million websites have yet to replace Symantec-issued certificates before major browsers distrust them, DigiCert announced this week.
Last year, DigiCert bought the Certification Authority (CA) business run by Symantec, one of the oldest and largest CAs, after a series of issues observed over the past couple of years triggered major browser vendors to announce plans to remove trust in digital certificates issued by the CA.
Later this year, both Chrome and Firefox will stop trusting certificates issued by Symantec, and others might follow suit. The move will affect all certificates issued before DigiCert acquired the Symantec CA division, including those issued under the GeoTrust, RapidSSL, Thawte, and VeriSign brands.
DigiCert, which said last year it would ensure the newly acquired division won’t repeat previous errors, is determined to help all website owners get replacement certificates and says the process is nearly complete.
Less than 1% of the top 1 million sites still use Symantec-issued certificates that will be affected by upcoming browser distrust action. According to DigiCert, it is ready to help their owners get replacement certificates before the beta releases of Firefox 60 and Chrome 66 in the next couple of months.
White hat hackers have earned a total of $267,000 at this year’s Pwn2Own competition for exploits targeting Microsoft Edge, Apple Safari, Oracle VirtualBox and Mozilla Firefox.
White hats managed to hack Microsoft Edge, Apple Safari and Oracle VirtualBox on the first day of the Pwn2Own 2018 competition taking place these days alongside the CanSecWest conference in Vancouver, Canada.
Niklas Baumstark from the Phoenhex team had a partially successful entry against Oracle VirtualBox. While he did manage to execute code using out-of-bounds read and time of check to time of use (TOCTOU) bugs, he was awarded only $27,000 of the maximum of $35,000.
Reuters:
In a first, US publicly accuses Russia of a cyberattack campaign dating back to at least March 2016 targeting the US power grid and other critical infrastructure — WASHINGTON (Reuters) – The Trump administration on Thursday blamed the Russian government for a campaign of cyber attacks stretching …
The Trump administration on Thursday blamed the Russian government for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid, marking the first time the United States has publicly accused Moscow of hacking into American energy infrastructure.
CNN:
Trump administration announces new Russia sanctions on 5 entities, including IRA, and 19 individuals, in response to US election interference and cyberattacks
Washington (CNN) The Trump administration announced Thursday it is enacting new sanctions on Russia, including individuals indicted last month by special counsel Robert Mueller, in a sweeping new effort to punish Moscow for its attempts to interfere in the 2016 US election.
The OAIC has revealed to ZDNet it has received 31 notifications since the Notifiable Data Breaches scheme came into effect last month.
The Office of the Australian Information Commissioner (OAIC) has told ZDNet there have been 31 notifications provided to the office led by Timothy Pilgrim since Australia’s Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018.
The NDB scheme requires agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.
The figure emerged as the OAIC is investigating a notification provided by tugboat operator Svitzer Australia.
Ali Winston / The Verge:
New Orleans says it won’t renew its contract with Palantir, which has been testing its crime prediction technology in the city since 2012
Two weeks ago, The Verge reported the existence of a six-year predictive policing collaboration between the New Orleans Police Department and Palantir Technologies, a data mining giant co-founded by Peter Thiel. The nature of the partnership, which used Palantir’s network-analysis software to identify potential aggressors and victims of violence, was unknown to the public and key members of the city council prior to publication of The Verge’s findings.
Yesterday, outgoing New Orleans Mayor Mitch Landrieu’s press office told the Times-Picayune that his office would not renew its pro bono contract with Palantir, which has been extended three times since 2012.
There is also potential legal fallout from the revelation of New Orleans’ partnership with Palantir.
Emil Protalinski / VentureBeat:
Android Security 2017 Year in Review: 60.3% of potentially harmful Android apps were detected via machine learning, Play Protect reviews 50B+ apps every day
Google released its Android Security 2017 Year in Review report today, the fourth installment of the company’s attempt to educate the public about Android’s various layers of security and its failings. One of the most interesting learnings to come out of the report is that 60.3 percent of Potentially Harmful Apps (PHAs) were detected via machine learning.
The detection is done by a service called Google Play Protect, which is enabled on over 2 billion devices (running Android 4.3 and up) to constantly scan Android apps for malicious activity. Play Protect uses a variety of tactics to keep users and their data safe, but machine learning is particularly effective in helping catch PHAs.
GrayShift has made available to law enforcement a device that unlocks any iPhone, including the new iPhone X.
The device is called GrayKey. Two iPhones can be connected at one time. Security company Malwarebytes has tested the box and reports that it works. Depending on whether the PIN code is 4 or 6 digits, cracking it takes between two hours and three days.
Finally, GrayKey recovers the PIN code and displays it on the phone screen. After unlocking, the whole file system of the device is downloaded to the GrayKey box, where it can be accessed from a computer’s web browser.
According to Malwarebytes, there are two versions of the box. The $15,000 version requires an internet connection, and setting it up on a given network ties the device to that network. A version at double the price runs without network connectivity and unlocks iPhones offline.
Israeli firm Cellebrite sells its unlocking service for $5,000.
Who can view your browsing history? If you’re based in the UK, it turns out that a wide range of government agencies can – and if this doesn’t surprise you, then the length of the list itself might.
As reported by the Guardian at the time, it demanded that web and phone companies must store everyone’s browsing histories for 12 months, and permit the police, security services and a variety of state-run agencies to access it whenever they wish during that period of time.
At the same time, it allows the security services to use many of their powers to infiltrate communications equipment and collect data in bulk – as long as such requests are signed off by a judge.
According to Georgia’s Attorney General Chris Carr, the state is one of only three, along with Virginia and Alaska, without a cybersecurity law that makes it illegal for someone to remotely access your computer, search it for sensitive information, and then sell that information to a third party. Presently, it is only illegal in Georgia to access a computer to delete or tamper with its contents. However, this will change if Georgia Senate Bill 315, the Computer Intrusion Bill, is finally passed into law.
One could be forgiven for thinking, well, it’s about time. However, cybersecurity experts are worried that SB315 as written is so open-ended that it could potentially make a range of legitimate security research and other innocuous activities into criminal offenses.
According to the Electronic Frontier Foundation (EFF), a person doing personal work on their business computer could be at risk of being charged, as would security researchers looking for vulnerabilities on corporate or government websites, or others who scrape information from public websites. The Georgia ACLU calls the bill “draconian,” while others worry that cybersecurity firms will be negatively affected.
227 Comments
Tomi Engdahl says:
Louise Matsakis / Wired:
Ad-blocker Ghostery goes open source, changes revenue stream to opt-in notifications about deals and paid insights about the web tracking ecosystem — IN PRIVACY-FOCUSED, ANTI-ESTABLISHMENT corners of the internet, going open source can earn you a certain amount of street cred.
Ad-Blocker Ghostery Just Went Open Source—And Has a New Business Model
https://www.wired.com/story/ghostery-open-source-new-business-model
Tomi Engdahl says:
New DDoS extortions hit the Internet
https://techcrunch.com/2018/03/08/new-ddos-extortions-hit-the-internet/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
A 1.3 Tbps DDoS attack – essentially a massive torrent of data aimed at a single target – hit targets on March 1. While the attack itself is notable, more interesting is what was hidden inside the attack itself.
The attack used a memcached exploit which is a legitimate service on many servers.
“most popular DDoS tactics that abuse UDP connections can amplify the attack traffic 10 or 20 times — allowing, for example a 1 mb file request to generate a response that includes between 10mb and 20mb of traffic.”
“This attack was the largest attack seen to date by Akamai
Within the attack, however, security researchers found a 1MB file that contained a ransom request and a Monero cryptocurrency address. In other words, built into the attack payload was an extortion request.
In short, not only did the attackers slam servers with massive amounts of data, their targets were asked – millions if not billions of times – to pay extortion fees to stop the attack.
Tomi Engdahl says:
Do NOT trust any “security” apps from Facebook or anyone owned by Facebook. They literally just mine your data…
Facebook-owned Onavo quietly launches Bolt App Lock, a data-tracking app that locks other apps
https://techcrunch.com/2018/03/09/facebook-owned-onavo-quietly-launches-bolt-app-lock-a-data-tracking-app-that-locks-other-apps/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook
a new app aimed at Android users called Bolt App Lock. Instead of offering a VPN, Bolt App Lock is a tool that lets you lock down any app you don’t want others to be able to open, using a PIN code, pattern, or your fingerprint.
Apps that help users lock other apps is a popular category on Android, where you can today find dozens of similar solutions – though largely from unknown companies save for a few, like Keepsafe or Norton, for example. Like the others in this space, the Bolt app lets you lock down other apps that contain personal information, such as private photos or payment details.
But Onavo – and Facebook’s – primary interest isn’t on personal security. It’s about finding a way on users’ phones in order to monitor mobile activity and learn what new apps could be taking attention away from Facebook’s social network.
This is disclosed at the bottom of the app’s listing on Google Play
Tomi Engdahl says:
Catalin Cimpanu / BleepingComputer.com:
Report: China is altering its critical vulnerability disclosure database, backdating disclosure times of vulnerabilities that government hackers may want to use
Chinese Intelligence Agencies Are Doctoring the Country’s Vulnerability Database
https://www.bleepingcomputer.com/news/security/chinese-intelligence-agencies-are-doctoring-the-countrys-vulnerability-database/
Chinese intelligence agencies are doctoring the Chinese National Vulnerabilities Database (CNNVD) to hide security flaws that government hackers might have an interest in, according to a report released on Friday by US threat intelligence firm Recorded Future.
The US company says it noticed in recent months mass edits to the CNNVD website. Recorded Future says CNNVD operators have been backdating the publication dates for hundreds of vulnerabilities.
Backdating done to hide “vulnerability evaluation” program
“CNNVD’s manipulation of its vulnerability publication data ultimately reveals more than it conceals,” the Recorded Future team says.
Tomi Engdahl says:
Joseph Cox / Motherboard:
FBI arrests CEO of Phantom Secure, which customized BlackBerrys for criminals by removing mic and camera, routing encrypted messages via overseas servers, more
Feds Bust CEO Allegedly Selling Custom BlackBerry Phones to Sinaloa Drug Cartel
https://motherboard.vice.com/en_us/article/a34b7b/phantom-secure-sinaloa-drug-cartel-encrypted-blackberry
Phantom Secure is one of the most infamous companies in the secure phone industry. Sources and court documents detail that its owner has been arrested for allegedly helping criminal organizations.
For years, a slew of shadowy companies have sold so-called encrypted phones, custom BlackBerry or Android devices that sometimes have the camera and microphone removed and only send secure messages through private networks. Several of those firms allegedly cater primarily for criminal organizations.
“FBI are flexing their muscle,” one source familiar with the secure phone industry, and who gave Motherboard specific and accurate details about the operation before it was public knowledge, said.
“We made it—we made it specifically for this [drug trafficking] too,” Ramos told undercover agents, according to a transcript included in the complaint.
Tomi Engdahl says:
Andy Greenberg / Wired:
Inside Operation Bayonet, the Dutch police sting and takeover of Hansa, once the largest dark web market in Europe, that netted data on ~420K users — FOR ANYONE WHO has watched the last few years of cat-and-mouse games on the dark web’s black markets, the pattern is familiar …
Operation Bayonet: Inside the Sting That Hijacked an Entire Dark Web Drug Market
https://www.wired.com/story/hansa-dutch-police-sting-operation
For anyone who has watched the last few years of cat-and-mouse games on the dark web’s black markets, the pattern is familiar: A contraband bazaar like the Silk Road attracts thousands of drug dealers and their customers, along with intense scrutiny from police and three-letter agencies. Authorities hunt down its administrators, and tear the site offline in a dramatic takedown—only to find that its buyers and sellers have simply migrated to the next dark-web market on their list.
So when Dutch police got onto the trail of the popular dark-web marketplace Hansa in the fall of 2016, they decided on a different approach: Not a mere takedown, but a takeover.
In their probe into that free-trade zone, which would come to be known as Operation Bayonet, the Dutch investigators not only identified the two alleged administrators of Hansa’s black market operation in Germany, but went so far as to hijack the two arrested men’s accounts to take full control of the site itself.
they surveilled Hansa’s buyers and sellers, discreetly altered the site’s code to grab more identifying information of those users, and even tricked dozens of Hansa’s anonymous sellers into opening a beacon file on their computers that revealed their locations. The fallout of that law enforcement coup, the officers claim, has been one of the most successful blows against the dark web in its short history: millions of dollars worth of confiscated bitcoins, more than a dozen arrests and counting of the site’s top drug dealers, and a vast database of Hansa user information that authorities say should haunt anyone who bought or sold on the site during its last month online.
Tomi Engdahl says:
Memcache UDP Reflection Amplification Attack II: The Targets, the Sources and Breakdowns
https://blog.netlab.360.com/memcache-udp-reflection-amplification-attack-ii-the-targets-the-sources-and-breakdowns-en/
In less than ten days, the Memcache DDoS attack has come out of nowhere and really captured lots of attention within the security community. When we look at the news, we see all sorts of reports but can hardly get a good idea of what the real situation is, for example the most important questions: how many victims are out there? And how big is the attack army?
since 2018-02-24, the frequency of attacks has increased dramatically.
In the past ten days, quite a few popular websites became victims of this DDoS attack. For example, GitHub suffered a DDoS attack around Feb 28 17:20 UTC; the peak flow rate reached 1.35Tbps, according to Akamai and GitHub.
you will spot lots of interesting targets
Overall, the current victims are mainly concentrated in the United States, China (including Hong Kong, China), South Korea, Brazil, France, Germany, the United Kingdom, Canada, and the Netherlands.
We set up a honeypot for this type of attack and filtered out over 37k attack instructions.
As shown in the following table, 99% of the attack instructions are based on memcache STATS directives.
Tomi Engdahl says:
Secure memcached server to avoid DDoS amplification attacks
https://www.cyberciti.biz/faq/secure-memcached-server-avoid-ddos-amplification/
How do I secure Memcached server on Linux or Unix-like system to avoid an attacker to exploit my Memcached services as an amplification vector, causing unexpected volumes of traffic to be sent to targeted networks?
Memcached and DDoS attack
By default the memcached server uses TCP/UDP port number 11211. DDoS (Distributed Denial of Service) amplification attacks are performed by exploiting Memcached servers exposed on public Internet IPv4/IPv6 addresses. There has been a significant increase in this amplification attack vector, which uses the Memcached protocol and comes from UDP port 11211.
How to secure memcached server
The procedure to secure a memcached server is as follows:
1. Configure a firewall
2. Disable UDP
3. Force memcached to listen on private LAN/VLAN IP address
Make sure that your Memcached server is firewalled and its TCP/UDP ports are closed to the public Internet. Only allow your web server/app to access the Memcached server.
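As an added example that is not part of the quoted how-to, the following Python script checks a Debian-style memcached.conf for steps 2 and 3 above (UDP listener enabled, bound to a public or wildcard address) and emits the corrected settings. The sample config, the one-option-per-line file format, the "-U 0" switch and the 1.5.6 default are my assumptions about the memcached build, not something the how-to states.

```python
"""Audit a Debian-style /etc/memcached.conf for the settings that make a
server usable as a UDP reflection amplifier, and emit a hardened copy.

Added example, not code from the how-to above. Assumes the Debian/Ubuntu
format (one memcached option per line, '#' comments) and a build that
honours '-U 0'. Step 1 of the how-to (host firewall) is out of scope here.
"""
import ipaddress
import shlex

# Constructed sample: bound to every interface with UDP open on 11211,
# i.e. the exposed configuration behind the February 2018 attacks.
WEAK_CONF = """\
# memcached config (constructed sample)
-d
-m 64
-p 11211
-U 11211
-u memcache
-l 0.0.0.0
"""

# Loopback plus RFC 1918 / ULA ranges count as a private LAN/VLAN (step 3).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_conf(text):
    """Map option -> values; repeats accumulate, bare flags map to []."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            opts.setdefault(parts[0], []).extend(parts[1:])
    return opts


def _listen_addresses(values):
    """Expand '-l' values ('ip', 'ip:port', comma lists) to (item, ip|None)."""
    out = []
    for value in values:
        for item in (v.strip() for v in value.split(",")):
            for candidate in (item, item.rsplit(":", 1)[0]):
                try:
                    out.append((item, ipaddress.ip_address(candidate)))
                    break
                except ValueError:
                    continue
            else:
                out.append((item, None))  # hostname or unparsable literal
    return out


def _is_private(ip):
    return ip.is_loopback or any(ip in net for net in PRIVATE_NETS)


def audit(text):
    """Return (code, message) findings; an empty list means hardened."""
    opts, findings = parse_conf(text), []
    udp = opts.get("-U")
    if udp is None:
        findings.append(("udp", "no '-U 0': builds before 1.5.6 serve UDP on 11211 by default"))
    elif not udp or udp[-1] != "0":
        findings.append(("udp", "UDP listener enabled on port %s; set '-U 0'" % (udp[-1] if udp else "11211")))
    listen = opts.get("-l")
    if listen is None:
        findings.append(("bind", "no '-l': memcached binds every interface by default"))
    else:
        for item, ip in _listen_addresses(listen):
            if ip is None:
                findings.append(("bind", "'-l %s' is not an IP literal; check it resolves privately" % item))
            elif ip.is_unspecified:
                findings.append(("bind", "'-l %s' binds all interfaces" % item))
            elif not _is_private(ip):
                findings.append(("bind", "'-l %s' is a public address" % item))
    return findings


def harden(text):
    """Rewrite the config with '-U 0' (step 2) and only loopback/private
    '-l' binds (step 3); non-private binds become 127.0.0.1, which you
    would replace with the private LAN/VLAN IP the web tier reaches."""
    kept, listen = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and parts[0] == "-U":
            continue
        if parts and parts[0] == "-l":
            listen.extend(item for item, ip in _listen_addresses(parts[1:])
                          if ip is not None and _is_private(ip))
            continue
        kept.append(raw)
    kept.append("-U 0")
    kept.append("-l " + ",".join(listen or ["127.0.0.1"]))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print(audit(WEAK_CONF))
    print(harden(WEAK_CONF), end="")
```

Running it against the sample reports the UDP and wildcard-bind findings and prints the same config with `-U 0` and `-l 127.0.0.1`; run the audit again on the output to confirm it comes back clean.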
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Kaspersky Lab details sophisticated Slingshot malware likely used for spying on targeted individuals and organizations, which remained hidden for six years — Nation-sponsored Slingshot is one of the most advanced attack platforms ever. — Researchers have discovered malware so stealthy …
Potent malware that hid for six years spread through routers
Nation-sponsored Slingshot is one of the most advanced attack platforms ever.
https://arstechnica.com/information-technology/2018/03/potent-malware-that-hid-for-six-years-spread-through-routers/
Tomi Engdahl says:
Australian crims used half of the Phantom Secure modified BlackBerry handsets
http://www.zdnet.com/article/australian-crims-used-half-of-the-phantom-secure-modified-blackberry-handsets/
Of the 20,000 Phantom Secure devices in service around the world, 10,000 were allegedly in Australia, according to the FBI.
Tomi Engdahl says:
https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf
Tomi Engdahl says:
Cavalry riding to the rescue of DDOS-deluged memcached users
Attacks tapering, as experts argue over ‘kill switch’
https://www.theregister.co.uk/2018/03/12/memcached_cavalry_spotted_on_the_horizon/
DDoS attacks taking advantage of ill-advised use of memcached have begun to decline, either because sysadmins are securing the process, or because people are using a potentially-troublesome “kill switch”.
Memcached is a handy caching tool that can improve database performance but has no security controls because it was never intended to be used on internet-exposed systems. In late February attackers started to take advantage of the fact that memcached is a very effective amplifier of UDP messages, since a 15-byte query returns answers that could be hundreds of kilobytes. Attacks on the cache briefly gave GitHub the honour of the biggest ever DDoS attack at 1.7 Tbps, but within days a US service provider took an even bigger hosing.
Corero said that there’s a kill-switch it was deploying for clients. The flush_all command does exactly what it says: the process drops all the objects in memory, and the attack ends.
Cloudflare and Arbor Networks warned eWeek they’re worried about the ethics and legality of someone firing flush_all at someone else’s machine, because changing the contents of a computer you don’t own is illegal in many or most jurisdictions.
The attack volumes kept increasing for most of last week. Qihoo 360 last Wednesday said it had logged 10,000 attack events in the previous week, and identified 7,131 victim IP addresses.
Those included Qihoo, Google, and Amazon, various smut sites, games, security vendors, various National Rifle Association sites, and Brian Krebs’ page.
Tomi Engdahl says:
Vulnerability in Robots Can Lead To Costly Ransomware Attacks
https://threatpost.com/vulnerability-in-robots-can-lead-to-costly-ransomware-attacks/130245/
A vulnerability in Softbank Robotics’ NAO and Pepper robots can lead to costly ransomware attacks that could cause robots deployed in businesses to stop working, curse at customers, or even perform violent movements.
The vulnerability was disclosed at Kaspersky Lab’s Security Analyst Summit by IOActive Labs. The security firm said that Softbank was notified of the vulnerability January 2017, but they aren’t aware of any available patches.
Lucas Apa and Cesar Cerrudo, researchers with IOActive Labs, told Threatpost that the vulnerability can open opportunities for ransomware attacks targeting sensitive in-transit information collected on the robot, like high-definition video feed, audio captured by up to four directional microphones, and payment or other business information running on the robots. Another critical ransomware target is downtime in robots – many businesses lose money every second one of their robots is nonoperational.
The NAO and Pepper robots, priced around $10,000, are some of the most widely used research and education robots in the world, with 20,000 Pepper robots deployed in 2,000 businesses worldwide, and 10,000 NAO robots in use globally. These robots are used by an array of businesses in the education, retail and industrial space.
“This undocumented function allows executing commands remotely by instantiating a NAOqi object using the ALLauncher module and calling the internal _launch function,” according to IOActive Labs.
Tomi Engdahl says:
New North Korea-linked Cyberattacks Target Financial Institutions
https://www.securityweek.com/new-north-korea-linked-cyberattacks-target-financial-institutions
New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey
Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and ‘aggressive’ operation that resembles earlier attacks against the global SWIFT financial network.
McAfee’s report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations are victims of the attack — which occurred on March 2 and 3. In this attack, the Flash exploit drops the Bankshot implant, a RAT that gives the attacker full capability on a victim’s system.
Tomi Engdahl says:
Password manager maker Keeper hit by another security snafu
http://www.zdnet.com/article/password-manager-maker-keeper-hit-by-another-security-snafu/
The exposed server contained the company’s downloadable software — including a code-signing certificate.
Tomi Engdahl says:
Government’s dumb data disasters demonstrate decaying diligence
http://www.zdnet.com/article/governments-dumb-data-disasters-demonstrate-decaying-diligence/
The Australian government’s habit of losing filing cabinets full of confidential documents is merely a symptom of much deeper problems, in both policy development and implementation.
As Oscar Wilde might have put it: “To lose one filing cabinet full of government documents may be regarded as a misfortune; to lose two looks like carelessness.”
Tomi Engdahl says:
Trump Blocks Broadcom’s Bid to Buy Qualcomm
https://www.securityweek.com/trump-blocks-broadcoms-bid-buy-qualcomm
US President Donald Trump blocked Monday an unsolicited bid by Singapore-based Broadcom to take over smartphone chipmaker Qualcomm, citing national security concerns.
Trump issued an order barring the proposed mega-acquisition, saying there is credible evidence such a deal “threatens to impair the national security of the United States,” according to a White House statement.
The order came despite Broadcom’s assurances that it would complete its move to the United States by early April, ahead of a planned Qualcomm shareholder vote on the $117 billion deal — meaning any national security concerns were moot.
“Broadcom strongly disagrees that its proposed acquisition of Qualcomm raises any national security concerns,” the company said, adding that it was reviewing the order.
Tomi Engdahl says:
Internet Provider Redirects Users in Turkey to Spyware: Report
https://www.securityweek.com/internet-provider-redirects-users-turkey-spyware-report
Hundreds of users in Turkey and Syria have been redirected to nation-state malware at the Internet Service Provider (ISP) level, a recent Citizen Lab report reveals.
Following ESET’s discovery that ISPs might be involved in the FinFisher distribution, Citizen Lab launched its own investigation into the matter, only to discover that Türk Telekom has been using Sandvine/Procera Networks Deep Packet Inspection (DPI) devices for the delivery of FinFisher when users attempted to download certain legitimate Windows applications.
Furthermore, the same DPI middleboxes at a Telecom Egypt demarcation point were used to hijack Egyptian users’ unencrypted Internet connections en masse, to redirect them to affiliate ads and in-browser crypto-currency mining scripts.
Tomi Engdahl says:
New Hacking Team Spyware Samples Detected: ESET
https://www.securityweek.com/new-hacking-team-spyware-samples-detected-eset
New samples of Hacking Team’s Remote Control System (RCS) flagship spyware have recently emerged, slightly different from previously observed variations, ESET warns.
Hacking Team, an Italian spyware vendor founded in 2003, is well known for selling surveillance tools to governments worldwide. In 2015, the firm was hacked, which led to 400GB of internal data being leaked online, including a list of customers, internal communications, and spyware source code.
Tomi Engdahl says:
Remotely Exploitable Flaws Found in SmartCam Cameras
https://www.securityweek.com/remotely-exploitable-flaws-found-smartcam-cameras
Hanwha’s SmartCam cameras are affected by more than a dozen vulnerabilities, including critical flaws that can be exploited remotely to take control of devices.
The impacted cameras are widely used for surveillance and monitoring. They can record at high resolutions, they have night vision capabilities and motion sensors, and they allow their users to talk to the person being monitored via a built-in speaker. The product can be controlled remotely from any type of device and all the recorded video is stored in the cloud.
Samsung Electronics sold its Samsung Techwin security division to South Korean conglomerate Hanwha Group in 2014. However, Hanwha’s SmartCam products are still branded “Samsung.”
Tomi Engdahl says:
Chinese messaging app WeChat banned by Australia’s Defence Force
https://mashable.com/2018/03/13/wechat-ban-defence-australia/?utm_campaign=Mash-BD-Synd-Flipboard-All-Full&utm_cid=Mash-BD-Synd-Flipboard-All-Full#5Q6tmVegJgqR
Last month, U.S. intelligence agencies weren’t so into the idea of people using Chinese phones.
The heads of the CIA, FBI and NSA told a Senate committee in February they didn’t recommend products or services by China’s Huawei or ZTE be used by Americans, concerned about companies or entities becoming “beholden to foreign governments.”
Now, in Australia, that suspicion has seemingly extended to Chinese apps. Messaging platform WeChat has reportedly been banned from being installed on phones belonging to the country’s Department of Defence, according to the Australian Financial Review.
“Defence does not provide or support the use of unauthorised software, including the WeChat social media application, on Defence mobile devices,” a Defence spokesperson told the newspaper. Limited use of Facebook is reportedly allowed though.
Tomi Engdahl says:
Comcast ‘blocks’ an encrypted email service: Yet another reminder why net neutrality matters
http://www.zdnet.com/article/comcast-customers-blocked-encrypted-email-service-net-neutrality-repeal/
Now imagine your favorite websites getting blocked by your internet provider in the name of net neutrality.
Tomi Engdahl says:
‘Slingshot’ Malware That Hid For Six Years Spread Through Routers
https://it.slashdot.org/story/18/03/12/2034219/slingshot-malware-that-hid-for-six-years-spread-through-routers
Security researchers at Kaspersky Lab have discovered what’s likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves.
Sophisticated malware attacks through routers
It’s likely the creation of a government surveillance agency.
https://www.engadget.com/2018/03/11/sophisticated-malware-attacks-through-routers/
Security researchers at Kaspersky Lab have discovered what’s likely to be another state-sponsored malware strain, and this one is more advanced than most. Nicknamed Slingshot, the code spies on PCs through a multi-layer attack that targets MikroTik routers. It first replaces a library file with a malicious version that downloads other malicious components, and then launches a clever two-pronged attack on the computers themselves. One, Canhadr, runs low-level kernel code that effectively gives the intruder free rein, including deep access to storage and memory; the other, GollumApp, focuses on the user level and includes code to coordinate efforts, manage the file system and keep the malware alive.
Kaspersky describes these two elements as “masterpieces,” and for good reason. For one, it’s no mean feat to run hostile kernel code without crashes. Slingshot also stores its malware files in an encrypted virtual file system, encrypts every text string in its modules, calls services directly (to avoid tripping security software checks) and even shuts components down when forensic tools are active.
Tomi Engdahl says:
Cyber crime is expensive in the Nordic countries – almost half of the companies are subject to abuse
Misconduct against companies is hurting its targets more seriously, says consultancy PwC.
According to PwC’s latest report, 46 per cent of businesses in the Nordic countries were subjected to various kinds of abuse, and the damage they caused was not minor. For more than one in ten Nordic companies, the financial damage was over 800,000 euros, and in many cases much more.
The most common irregularity in the Nordic countries was cyber crime, which has increased in recent years. As a result, more than a quarter of Nordic companies experienced disruptions that hindered operations. Cyber crime was followed by misuse of funds and intimidation.
Businesses were also burdened with misuse of funds or resources, which in practice was often fraud and embezzlement.
“Companies should invest in employee involvement and emphasis on an ethical corporate culture. In addition to technological solutions, in the complex world of misconduct, one has to be aware of human beings,” says New-Hautamaa.
Source: https://www.tivi.fi/Kaikki_uutiset/kyberrikollisuus-tulee-pohjoismaissa-kalliiksi-melkein-puolet-yrityksista-vaarinkaytosten-kohteena-6706240
Tomi Engdahl says:
Stealthy Data Exfiltration Possible via Headphones, Speakers
https://www.securityweek.com/stealthy-data-exfiltration-possible-headphones-speakers
A team of researchers has demonstrated how air-gapped computers can stealthily communicate with each other using speakers or headphones over ultrasonic waves.
Experts from the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel combined previous research on communications through ultrasonic waves with a technique that can be used to turn a device’s speakers into a microphone in an effort to create a covert data exfiltration channel.
Researchers demonstrated several years ago that audio modulation and demodulation can be used to exchange data between computers over the air via the ultrasonic frequency range. The method requires that the devices communicating with each other are equipped with both microphones and speakers.
However, it’s possible to turn speakers, headphones or earphones into microphones using only software, which Ben-Gurion University researchers demonstrated back in 2016 in an attack they dubbed SPEAKE(a)R.
The data exchange can take place over inaudible sound waves at frequencies of 18kHz or higher, which can be captured by regular headphones or speakers. The data can be modulated through audio frequency-shift keying (AFSK), which uses one frequency to transmit “0” bits and a different frequency to transmit “1” bits.
Tests conducted by researchers showed that a transfer rate ranging between 1200 bits/sec and 1800 bits/sec can be obtained for up to 8 meters (26 feet) for audible frequencies transmitted and captured using loudspeakers. The transfer rate drops to between 300 bits/sec and 600 bits/sec for inaudible frequencies.
“Our experiments show that at a distance of three meters between two speakers, a transmission rate of 166 bit/sec results in a 1% bit error rate, during the exfiltration of a 1Kbit binary file,”
https://arxiv.org/ftp/arxiv/papers/1611/1611.07350.pdf
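The audio frequency-shift keying scheme described above, worked through as an added example in Python; this is my own illustration, not code from the Ben-Gurion researchers or the paper linked above. It builds a constructed AFSK signal at the 300 bit/s inaudible rate quoted above, then shows the check a defender can run on captured audio: a Goertzel sweep of the 18 kHz and higher band that flags any tone carrying a large share of a frame's energy, which a normal sound card output never does on its own. The two tone frequencies (18.6 kHz for "0", 19.5 kHz for "1"), the 48 kHz sample rate, the detection threshold and all function names are assumptions.

```python
import math

FS = 48_000                    # assumed sample rate of an ordinary sound card
BIT_RATE = 300                 # bits/s: low end of the inaudible-band rate quoted above
F0, F1 = 18_600, 19_500        # assumed AFSK tones for "0" and "1" (both >= 18 kHz)
SAMPLES_PER_BIT = FS // BIT_RATE   # 160 samples per symbol, an integer number of cycles


def afsk_modulate(bits, f0=F0, f1=F1, fs=FS, spb=SAMPLES_PER_BIT, amp=0.5):
    """Constructed test signal: each bit becomes one burst of f0 or f1."""
    out = []
    for b in bits:
        f = f1 if b else f0
        out.extend(amp * math.sin(2 * math.pi * f * n / fs) for n in range(spb))
    return out


def audible_tone(freq, n_frames, fs=FS, spb=SAMPLES_PER_BIT, amp=0.5):
    """Constructed baseline: ordinary audible audio with no ultrasonic component."""
    return [amp * math.sin(2 * math.pi * freq * n / fs) for n in range(n_frames * spb)]


def goertzel_power(frame, freq, fs):
    """|DFT(frame)|^2 at one arbitrary frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def scan_ultrasonic(samples, fs=FS, frame_len=SAMPLES_PER_BIT,
                    lo=18_000, step=300, min_ratio=0.2):
    """Defender's check: which tones at or above `lo` Hz dominate any frame?

    Sweeps a grid of candidate frequencies and returns the sorted list of those
    whose Goertzel power is at least `min_ratio` of the frame's total energy
    (a pure tone of amplitude A over N samples gives power (A*N/2)^2 and total
    energy A^2*N/2, so the normalised ratio of a lone tone is about 1).
    """
    freqs = [lo + i * step for i in range(int((fs / 2 - lo) / step))]
    flagged = set()
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        frame = samples[start:start + frame_len]
        total = sum(x * x for x in frame)
        if total == 0.0:
            continue
        for f in freqs:
            ratio = goertzel_power(frame, f, fs) / (total * frame_len / 2)
            if ratio >= min_ratio:
                flagged.add(f)
    return sorted(flagged)


def afsk_demodulate(samples, f0, f1, fs=FS, spb=SAMPLES_PER_BIT):
    """Recover bits by comparing the power at the two tones in each symbol frame."""
    bits = []
    for start in range(0, len(samples) - spb + 1, spb):
        frame = samples[start:start + spb]
        bits.append(1 if goertzel_power(frame, f1, fs) > goertzel_power(frame, f0, fs) else 0)
    return bits


if __name__ == "__main__":
    payload = [1, 0, 1, 1, 0, 0, 1, 0]            # constructed sample bits
    signal = afsk_modulate(payload)
    tones = scan_ultrasonic(signal)
    print("tones flagged in the >=18 kHz band:", tones)
    if len(tones) == 2:
        print("demodulated:", afsk_demodulate(signal, tones[0], tones[1]))
    print("flagged in ordinary audio:", scan_ultrasonic(audible_tone(1_200, 8)))
```

The scan does not need to know the transmitter's tone plan: it only asks whether a handful of narrow ultrasonic tones carry most of a frame's energy, which is why it flags the constructed AFSK burst and stays silent on the audible baseline. Real captures will need a threshold tuned against background noise and a longer observation window.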
Tomi Engdahl says:
Security researchers: Never connect to an unknown USB bus!
In tests, USB sticks have been left lying around, for example on a university campus, and surprisingly many people plug a stick into their own machine. Israeli security researchers have now mapped as many as 29 different USB attacks.
The researchers are from the Malware Laboratory of the Cybercrime Center at Ben-Gurion University. Nir Nissim, the director of the laboratory, and Ran Yahalom, a researcher, were responsible for the study.
Many dangerous attacks can come through the USB bus. At the very end of the USB stick you can hide an electrical device that drives the whole machine as long as the stick is attached to it. ETN has reported on these in the past.
Researchers have simple instructions: use your own charger, do not connect to wifi networks, if possible use your own mobile connection.
Source: http://www.etn.fi/index.php/13-news/7695-tietoturvatutkijat-ala-koskaan-liita-tuntemattomaan-usb-vaylaan
Tomi Engdahl says:
Alfred Ng / CNET:
Experts reveal 13 alleged flaws in AMD Ryzen and EPYC chips, just 24 hours after showing AMD, that allow malware to be installed on secure portions of the chips — Researchers say they’ve discovered critical security flaws in AMD chips that could allow attackers to access sensitive data …
AMD allegedly has its own Spectre-like security flaws
https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/
Researchers say they’ve found 13 flaws in AMD’s Ryzen and EPYC chips, which could let attackers install malware on highly guarded parts of the processor.
Tomi Engdahl says:
David Ingram / Reuters:
After January reports that military locations were leaked by Strava, the fitness service will tweak the activity map and restrict access to registered users
Exclusive: Fitness app Strava overhauls map that revealed military positions
https://www.reuters.com/article/us-strava-privacy-exclusive/exclusive-fitness-app-strava-overhauls-map-that-revealed-military-positions-idUSKCN1GP1WE
Tomi Engdahl says:
Facebook Flaws Exposed Friend Lists, Payment Card Data
https://www.securityweek.com/facebook-flaws-exposed-friend-lists-payment-card-data
A researcher last year discovered some information disclosure vulnerabilities in Facebook that exposed users’ friend lists and partial payment card information. The social media giant patched one of the flaws within hours.
Web security consultant Josip Franjković had been analyzing the Facebook application for Android when he identified a flaw that allowed him to obtain any user’s list of friends via a specially crafted request.
Facebook users can prevent others from seeing their friends, but the vulnerability discovered by Franjković could have been exploited to obtain this information regardless of the targeted user’s privacy settings.
GraphQL is an open source data query language designed by Facebook for its mobile applications. GraphQL queries can only be used for Facebook’s own applications—only whitelisted query IDs are allowed—and they require an access token.
Tomi Engdahl says:
Everything Surrounding These New AMD Security Allegations Reeks of a Hit Job
https://www.extremetech.com/computing/265582-everything-surrounding-new-amd-security-allegations-reeks-hit-job
Earlier today, we covered news that a previously unknown security research firm, CTS-Labs, has accused AMD of 13 serious security flaws within its products. If these security flaws exist, it’s critically important AMD deal with them immediately. Nothing about their provenance or the process by which they were communicated to the press changes that. But we’d be remiss if we didn’t note the perplexing nature of how they were communicated. Security researchers are also raising the alarm regarding some highly suspicious disclosures and framing of the underlying issues.
AMD’s Ryzen CPUs, Chipsets Allegedly Contain Serious Security Flaws
https://www.extremetech.com/computing/265568-amds-ryzen-cpus-chipsets-allegedly-contain-serious-security-flaws
In the wake of Meltdown and Spectre, AMD has come out relatively clean compared with Intel. While it remains exposed to Spectre (Variant 1 and Variant 2), it dodged Meltdown altogether. But a new security firm is claiming AMD has no fewer than 13 critical vulnerabilities in its Ryzen processor and chipsets, including vulnerabilities within the heart of the CPU itself.
In a recent disclosure, security firm CTS-Labs has accused AMD of failing to catch 13 high-profile and serious security flaws in four separate families: Masterkey, Ryzenfall, Chimera, and Fallout.
Tomi Engdahl says:
Woe is the Life of a Security Analyst in March
https://www.securityweek.com/woe-life-security-analyst-march
The IRS issued a warning last month about an updated version of the old wire transfer phishing scam, where fake emails are sent to accounting supposedly from a company executive, requesting a wire transfer to a provided account. In the updated version cautioned by the IRS, the request is to payroll or human resources requesting a list of employees and their W-2 forms. Many have been fooled by this and other phishing related scams, exposing their companies and now their employees. Divulging employee lists and W-2 information exposes employees’ personal information that can be immediately used in identity theft and other social engineering activities.
From a people and process perspective, which is always the place to start, reviewing business processes and training employees about being cautious when clicking on links and transferring sensitive data is a first step as part of a larger security training program.
Ensuring that processes and procedures used by your organization promote secure practices is especially important. It not only reduces your exposure in general, but it will make those fake requests stand out even more, reducing the risk that somebody be fooled.
From a technology point of view, anti-phishing tools to identify and block fake emails, and data loss prevention technology are essential for combatting these phishing scams. However, analysts are getting buried in false positive alerts resulting from legitimate tax related activities or employees emailing their tax information back and forth (regardless of what your acceptable use policy says). I
The mission of security departments is to eliminate the noise of false positives, identify users intentionally or accidentally acting in a risky way, and identify business processes that may be exposing the organization.
Behavioral analytics (“User and Entity Behavioral Analytics, or UEBA”) can help solve all three of these challenges. UEBA analyzes a user’s activities and identifies unusual behavior relative to their own history and that of peer groups.
Tomi Engdahl says:
Researchers Find Critical Security Flaws in AMD Chips
https://www.securityweek.com/researchers-find-critical-security-flaws-amd-chips
Tomi Engdahl says:
Microsoft Patches Over Dozen Critical Browser Flaws
https://www.securityweek.com/microsoft-patches-over-dozen-critical-browser-flaws
Microsoft’s Patch Tuesday updates for March 2018 fix a total of 75 vulnerabilities, including more than a dozen critical flaws affecting the company’s Edge and Internet Explorer web browsers.
Tomi Engdahl says:
Adobe Patches Critical Code Execution Flaws in Dreamweaver, Flash
https://www.securityweek.com/adobe-patches-critical-code-execution-flaws-dreamweaver-flash
Security updates released by Adobe on Tuesday patch several vulnerabilities in the company’s Dreamweaver, Flash Player and Connect products.
Flash Player 29.0.0.113 for Windows, Mac, Linux and Chrome OS addresses two critical flaws affecting versions 28.0.0.161 and earlier.
Tomi Engdahl says:
SAP Patches Decade-Old Flaws With March 2018 Patches
https://www.securityweek.com/sap-patches-decade-old-flaws-march-2018-patches
SAP this week released its March 2018 set of security patches to address High and Medium priority vulnerabilities in its products.
A total of 10 Security Notes were included in the SAP Security Patch Day this month, three rated High priority and 7 considered Medium priority. Two of the Notes were updates for previously released Security Notes.
Tomi Engdahl says:
Alfred Ng / CNET:
Experts reveal 13 alleged flaws in AMD Ryzen and EPYC chips, just 24 hours after showing AMD, that allow malware to be installed on secure portions of the chips — Researchers say they’ve found 13 flaws in AMD’s Ryzen and EPYC chips, which could let attackers install malware on highly guarded parts of the processor.
AMD allegedly has its own Spectre-like security flaws
https://www.cnet.com/news/amd-has-a-spectre-meltdown-like-security-flaw-of-its-own/
Researchers say they’ve found 13 flaws in AMD’s Ryzen and EPYC chips, which could let attackers install malware on highly guarded parts of the processor.
Tomi Engdahl says:
Ex-GCHQ boss: All the ways to go after Russia. Why pick cyberwar?
Adds his 2 cents as PM, security council meet about Salisbury poisoning
https://www.theregister.co.uk/2018/03/14/russia_cyberwar_speculation/
Former boss at Brit electronic spy agency GCHQ, Robert Hannigan, has called for the application of “unexplained wealth orders” and economic sanctions against Russia rather than cyber attacks.
Hannigan damped down talk in the UK media that cyber attacks against Russia might form part of the response to poisoning of Russian-born double agent Sergei Skripal and his daughter in the medieval cathedral city of Salisbury in southern England last week.
He cited UK government statements to explain this was either a state-run operation or that Russia had lost control of a chemical weapons agent. This follows Russia’s highly contentious annexation of Crimea back in 2014.
Tomi Engdahl says:
Most Major Antivirus Programs Bypassed By The CIA, Shows WikiLeaks Document
http://www.tomshardware.com/news/antivirus-programs-bypassed-cia-wikileaks,33845.html
WikiLeaks recently published thousands of documents that the organization said belongs to the CIA. Among them, there was a document that showed a list of antivirus and other security products that have been exploited and bypassed by the CIA.
Tomi Engdahl says:
New “HenBox” Android Malware Discovered
https://www.securityweek.com/new-%E2%80%9Chenbox%E2%80%9D-android-malware-discovered
A newly discovered Android malware family masquerades as various popular applications and can steal a broad range of information from infected devices, Palo Alto Networks warns.
Dubbed HenBox, the malware was observed installing the legitimate versions of apps it poses as to hide its presence on compromised devices. The threat is distributed via third-party app stores and mainly targets Uyghur, a minority Turkic ethnic group in the Xinjiang Uyghur Autonomous Region in North West China, and Xiaomi devices.
Tomi Engdahl says:
Hackers Can Abuse Text Editors for Privilege Escalation
https://www.securityweek.com/hackers-can-abuse-text-editors-privilege-escalation
Several popular text editors can be leveraged for privilege escalation and their developers do not plan on taking any action to prevent abuse, according to SafeBreach, a company that specializes in simulating attacks and breaches.
Some text editors allow users to run third-party code and extend the application’s functionality through extensions. While this provides some benefits, an expert determined that it can also introduce security risks.
SafeBreach researcher Dor Azouri has analyzed the Sublime, Vim, Emacs, Gedit, pico and nano text editors, and found that only pico and its clone, nano, are not prone to abuse, mainly due to the fact that they offer only limited extensibility.
One part of the problem is that users — particularly on Linux servers — may often need to execute text editors with elevated privileges. If an attacker can plant malicious extensions in locations specific to the targeted text editor, their code will get executed with elevated privileges when the application is launched or when certain operations are performed.
In the case of Emacs, for example, attackers simply need to add one line of code to the “init.el” file in order to get their code executed on startup.
SafeBreach also pointed to a couple of incidents related to npm packages that resulted in malicious code getting loaded and applications breaking. Azouri has described several possible scenarios involving post-exploitation techniques that can be leveraged to gain root access on Unix-like systems.
“Badly configured Cron jobs, that are a natural part in Unix-like systems, can be abused to get root access.
“Some cases exist where the developers of 3rd party plugins, after gaining popularity for their plugin, updated the plugin’s code with malicious code (either intentionally or unintentionally
The developers of the text editors analyzed by SafeBreach said they don’t plan on making any changes to prevent this type of abuse.
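Since the editors' developers do not plan changes, the check falls to administrators: are the startup files and plugin directories an editor sources at launch writable by anyone other than the account that will run it with elevated privileges? Below is an added example of that audit in Python; it is my own illustration, not SafeBreach's tooling. The article names only Emacs's init.el; the other per-editor paths in the table, the constructed throwaway home directory, and all function names are assumptions.

```python
import os
import stat
import tempfile

# Assumed, not from the article: startup files and plugin directories that the
# editors named above source automatically, relative to the user's home.
EDITOR_AUTOLOAD_PATHS = {
    "emacs": [".emacs", ".emacs.d/init.el", ".emacs.d/lisp"],
    "vim": [".vimrc", ".vim/plugin", ".vim/autoload"],
    "gedit": [".local/share/gedit/plugins"],
    "sublime": [".config/sublime-text-3/Packages/User"],
}


def path_risks(path, owner_uid):
    """Reasons why `path` could let another local user inject code into an editor session."""
    try:
        st = os.lstat(path)          # lstat: report symlinks instead of following them
    except FileNotFoundError:
        return []
    risks = []
    if stat.S_ISLNK(st.st_mode):
        risks.append("symlink (target may be controlled by someone else)")
    if st.st_mode & stat.S_IWGRP:
        risks.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        risks.append("world-writable")
    if st.st_uid != owner_uid:
        risks.append("owned by uid %d, not %d" % (st.st_uid, owner_uid))
    return risks


def audit_editor_autoloads(home, owner_uid):
    """Check every known autoload location under `home`; return {path: [risk, ...]}."""
    findings = {}
    for rel_paths in EDITOR_AUTOLOAD_PATHS.values():
        for rel in rel_paths:
            top = os.path.join(home, rel)
            candidates = [top]
            # a plugin directory is only as safe as everything inside it
            if os.path.isdir(top) and not os.path.islink(top):
                for dirpath, dirnames, filenames in os.walk(top):
                    candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
            for p in candidates:
                risks = path_risks(p, owner_uid)
                if risks:
                    findings[p] = risks
    return findings


def build_demo_home():
    """Constructed fixture: a throwaway home with one safe file and one writable by anyone."""
    home = tempfile.mkdtemp(prefix="editor-audit-")
    os.makedirs(os.path.join(home, ".emacs.d"))
    init_el = os.path.join(home, ".emacs.d", "init.el")
    with open(init_el, "w") as fh:
        fh.write(";; constructed sample init file\n")
    os.chmod(init_el, 0o666)         # any local user could append a line of Lisp here
    vimrc = os.path.join(home, ".vimrc")
    with open(vimrc, "w") as fh:
        fh.write('" constructed sample vimrc\n')
    os.chmod(vimrc, 0o644)           # owner-writable only: not flagged
    return home


def run_demo():
    """Audit the constructed home as the current user; returns (home, findings)."""
    home = build_demo_home()
    return home, audit_editor_autoloads(home, os.getuid())


if __name__ == "__main__":
    home, findings = run_demo()
    for path, risks in sorted(findings.items()):
        print(path, "->", ", ".join(risks))
```

To audit a real account, call `audit_editor_autoloads("/root", 0)` (or the home and uid of whichever account runs the editor under sudo) instead of the constructed fixture; anything reported there is a file that gets executed with that account's privileges the next time the editor starts.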
Tomi Engdahl says:
Vast Majority of Symantec Certificates Already Replaced: DigiCert
https://www.securityweek.com/vast-majority-symantec-certificates-already-replaced-digicert
Less than 1% of the top 1 million websites have yet to replace Symantec-issued certificates before major browsers distrust them, DigiCert announced this week.
Last year, DigiCert bought the Certification Authority (CA) business run by Symantec, one of the oldest and largest CAs, after a series of issues observed over the past couple of years triggered major browser vendors to announce plans to remove trust in digital certificates issued by the CA.
Later this year, both Chrome and Firefox will stop trusting certificates issued by Symantec, and others might follow suit. The move will affect all certificates issued before DigiCert acquired the Symantec CA division, including those issued under the GeoTrust, RapidSSL, Thawte, and VeriSign brands.
DigiCert, which said last year it would ensure the newly acquired division won’t repeat previous errors, is determined to help all website owners get replacement certificates and says the process is nearly complete.
Less than 1% of the top 1 million sites still use Symantec-issued certificates that will be affected by upcoming browser distrust action. According to DigiCert, it is ready to help their owners get replacement certificates before the beta releases of Firefox 60 and Chrome 66 in the next couple of months.
Tomi Engdahl says:
Hackers Awarded $267,000 at Pwn2Own 2018
https://www.securityweek.com/hackers-awarded-267000-pwn2own-2018
White hat hackers have earned a total of $267,000 at this year’s Pwn2Own competition for exploits targeting Microsoft Edge, Apple Safari, Oracle VirtualBox and Mozilla Firefox.
Edge, VirtualBox, Safari Hacked at Pwn2Own 2018
https://www.securityweek.com/edge-virtualbox-safari-hacked-pwn2own-2018
White hats managed to hack Microsoft Edge, Apple Safari and Oracle VirtualBox on the first day of the Pwn2Own 2018 competition taking place these days alongside the CanSecWest conference in Vancouver, Canada.
Niklas Baumstark from the Phoenhex team had a partially successful entry against Oracle VirtualBox. While he did manage to execute code using out-of-bounds read and time of check to time of use (TOCTOU) bugs, he was awarded only $27,000 of the maximum of $35,000.
Tomi Engdahl says:
Reuters:
In a first, US publicly accuses Russia for cyberattack campaign dating back to at least March 2016 targeting the US power grid and other critical infrastructure — WASHINGTON (Reuters) – The Trump administration on Thursday blamed the Russian government for a campaign of cyber attacks stretching …
In a first, U.S. blames Russia for cyber attacks on energy grid
https://www.reuters.com/article/us-usa-russia-sanctions-energygrid/u-s-blames-russia-for-cyber-attacks-on-energy-grid-other-sectors-idUSKCN1GR2G3?il=0
The Trump administration on Thursday blamed the Russian government for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid, marking the first time the United States has publicly accused Moscow of hacking into American energy infrastructure.
Tomi Engdahl says:
CNN:
Trump administration announces new Russia sanctions on 5 entities, including IRA, and 19 individuals, in response to US election interference and cyberattacks
Trump administration finally announces Russia sanctions over election meddling
https://edition.cnn.com/2018/03/15/politics/russia-sanctions-trump-yevgeniy-viktorovich-prigozhin/
Washington (CNN) The Trump administration announced Thursday it is enacting new sanctions on Russia, including individuals indicted last month by special counsel Robert Mueller, in a sweeping new effort to punish Moscow for its attempts to interfere in the 2016 US election.
Tomi Engdahl says:
OAIC received 31 notifications in the first three weeks of data breach scheme
http://www.zdnet.com/article/oaic-received-31-notifications-in-the-first-three-weeks-of-data-breach-scheme/
The OAIC has revealed to ZDNet it has received 31 notifications since the Notifiable Data Breaches scheme came into effect last month.
The Office of the Australian Information Commissioner (OAIC) has told ZDNet there have been 31 notifications provided to the office led by Timothy Pilgrim since Australia’s Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018.
The NDB scheme requires agencies and organisations in Australia that are covered by the Privacy Act 1988 to notify individuals whose personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of a breach.
The figure emerged as the OAIC is investigating a notification provided by tugboat operator Svitzer Australia.
Tomi Engdahl says:
Ali Winston / The Verge:
New Orleans says it won’t renew its contract with Palantir, which has been testing its crime prediction technology in the city since 2012
New Orleans ends its Palantir predictive policing program
The partnership ran for six years without public knowledge
https://www.theverge.com/2018/3/15/17126174/new-orleans-palantir-predictive-policing-program-end
Two weeks ago, The Verge reported the existence of a six-year predictive policing collaboration between the New Orleans Police Department and Palantir Technologies, a data mining giant co-founded by Peter Thiel. The nature of the partnership, which used Palantir’s network-analysis software to identify potential aggressors and victims of violence, was unknown to the public and key members of the city council prior to publication of The Verge’s findings.
Yesterday, outgoing New Orleans Mayor Mitch Landrieu’s press office told the Times-Picayune that his office would not renew its pro bono contract with Palantir, which has been extended three times since 2012.
There is also potential legal fallout from the revelation of New Orleans’ partnership with Palantir.
Tomi Engdahl says:
Emil Protalinski / VentureBeat:
Android Security 2017 Year in Review: 60.3% of potentially harmful Android apps were detected via machine learning, Play Protect reviews 50B+ apps every day
Google: 60.3% of potentially harmful Android apps in 2017 were detected via machine learning
https://venturebeat.com/2018/03/15/google-60-3-of-potentially-harmful-android-apps-in-2017-were-detected-via-machine-learning/
Google released its Android Security 2017 Year in Review report today, the fourth installment of the company’s attempt to educate the public about Android’s various layers of security and its failings. One of the most interesting learnings to come out of the report is that 60.3 percent of Potentially Harmful Apps (PHAs) were detected via machine learning.
The detection is done by a service called Google Play Protect, which is enabled on over 2 billion devices (running Android 4.3 and up) to constantly scan Android apps for malicious activity. Play Protect uses a variety of tactics to keep users and their data safe, but machine learning is particularly effective in helping catch PHAs.
Tomi Engdahl says:
This device breaks all iPhones
GrayShift has brought the authorities into use of the device that opens all iPhones. Also for the new iPhone X.
The device is called GrayKey. Two iPhones can be connected at one time. The Malwarebytes security company has tested the box and the device works. Depending on whether the PIN code is 4- or 6-digit, decryption takes between two hours and three days.
Finally, GrayKey breaks the key and displays the PIN code on the phone screen. After opening, the whole file system of the device is downloaded to the GrayKey box, which can be accessed from the computer’s web browser.
According to Malwarebytes, there are two versions of the box. The 15-thousand-dollar version requires an internet connection, and its implementation on a given network will tie the device to this network. A version costing twice as much runs without network connectivity and unlocks iPhones.
Israeli Cellebrite sells the hacking service for $5,000.
Source: http://etn.fi/index.php?option=com_content&view=article&id=7719&via=n&datum=2018-03-16_14:56:07&mottagare=31202
Tomi Engdahl says:
Here’s A List Of Everyone Who Can View Your Internet History Any Time They Want
http://www.iflscience.com/technology/heres-list-all-uk-government-agencies-can-view-internet-history/
Who can view your browsing history? If you’re based in the UK, it turns out that a wide range of government agencies can – and if this doesn’t surprise you, then the length of the list itself might.
As reported by the Guardian at the time, it demanded that web and phone companies must store everyone’s browsing histories for 12 months, and permit the police, security services and a variety of state-run agencies to access it whenever they wish during that period of time.
At the same time, it allows the security services to use many of their powers to infiltrate communications equipment and collect data in bulk – as long as such requests are signed off by a judge.
Tomi Engdahl says:
Georgia’s Intrusive Computer Intrusion Bill
https://spectrum.ieee.org/riskfactor/computing/it/georgias-intrusive-computer-intrusion-bill
According to Georgia’s Attorney General Chris Carr, the state is only one of three, along with Virginia and Alaska, without a cybersecurity law that makes it illegal for someone to remotely access your computer and search it for sensitive information, and then sell it to a third party. Presently, it is only illegal in Georgia to access a computer to delete or tamper with its contents. However, this will change if Georgia Senate Bill 315: The Computer Intrusion Bill is finally passed into law.
One could be forgiven for thinking, well, it’s about time. However, cybersecurity experts are worried that SB315 as written is so open-ended that it could potentially make a range of legitimate security research and other innocuous activities into criminal offenses.
According to the Electronic Frontier Foundation (EFF), a person doing personal work on their business computer could be at risk of being charged, as would security researchers looking for vulnerabilities on corporate or government websites, or others who scrape online information from public websites. The Georgia ACLU calls the bill “draconian,” while others worry that cybersecurity firms will be negatively affected