Cyber security April 2018

This posting is here to collect security alert news in April 2018.

I post links to security vulnerability news to comments of this article.

 

252 Comments

  1. Tomi Engdahl says:

    Cloudflare Launches Free Secure DNS Service
    https://www.securityweek.com/cloudflare-launches-free-secure-dns-service

    Cloudflare Launches Globally Available Secure Free DNS Resolver

    Cloudflare launched a new free service, designed to improve both the speed and the security of the internet, on April Fool’s Day (4/1/2018). But this is no joke. The idea is that 4/1 is geekery four ones, or 1.1.1.1 — the name and heart of the new service.

    1.1.1.1 (and 1.0.0.1) is the address of Cloudflare’s new, globally available, free DNS resolver service. It is similar to — but according to Cloudflare — faster and more secure than, Google’s 8.8.8.8 service. Both address speed and security issues in the standard internet DNS look-up process. The biggest problem is security because DNS lookups are primarily controlled by ISPs; and ISPs are commercial organizations seeking to monetize data; and are often heavily controlled or influenced by governments.

    Google’s 8.8.8.8 DNS service

    Little could be more memorable than 1.1.1.1. This address was held by the APNIC research group, which agreed to provide it to the new service. “We began testing and found that a resolver, running across our global network, outperformed any of the other consumer DNS services available (including Google’s 8.8.8.8),” says Prince.

    1.1.1.1 is primarily a consumer service (the IPv6 numbers are 2602:4700:4700::1111 and 2602:4700:4700::1001). Technical details are provided in a separate blog written by director of engineering, Olafur Gudmundsson. The service uses DNS Query Name Minimization defined in RFC7816 to minimize the data sent, and supports privacy-enabled TLS queries on port 853 (DNS over TLS), “so,” he writes, “we can keep queries hidden from snooping networks.”

    Introducing DNS Resolver, 1.1.1.1 (not a joke)
    https://blog.cloudflare.com/dns-resolver-1-1-1-1/

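The two mechanisms this comment names, RFC 7816 query name minimisation and DNS over TLS on port 853, as an added example that is not part of the original post or of Cloudflare's code; the TLS hostname cloudflare-dns.com and the helper names are this example's own assumptions.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # DNS over TLS port (RFC 7858), as mentioned in the post


def minimised_query_names(qname):
    """RFC 7816 QNAME minimisation: the resolver walks from the root toward
    the full name one label at a time, so each zone only sees the part it
    is responsible for and the root never learns the full name."""
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    return [".".join(labels[-i:]) + "." for i in range(1, len(labels) + 1)]


def build_query(qname, qtype=1, txid=0x1234):
    """Encode a standard DNS query in RFC 1035 wire format (QTYPE 1 = A,
    recursion desired). The same message is used over UDP, TCP and TLS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes: %r" % label)
        question += bytes([len(raw)]) + raw
    # terminating root label, then QTYPE and QCLASS IN
    question += b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def frame_for_tcp(message):
    """DNS over TLS reuses RFC 1035 TCP framing: a two-byte big-endian length
    prefix in front of every message, so one TLS session can carry many."""
    return struct.pack("!H", len(message)) + message


def parse_tcp_frames(stream):
    """Split a length-prefixed byte stream (what a DoT server sends back)
    into complete messages; an incomplete trailing frame is returned as the
    remainder so the caller can keep reading from the socket."""
    messages = []
    while len(stream) >= 2:
        (length,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + length:
            break
        messages.append(stream[2:2 + length])
        stream = stream[2 + length:]
    return messages, stream


def response_header(message):
    """Decode the 12-byte header of an answer as (txid, is_response, rcode,
    answer_count). A client should check the txid matches what it sent."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return txid, bool(flags & 0x8000), flags & 0x000F, an


def query_over_tls(qname, server="1.1.1.1", hostname="cloudflare-dns.com"):
    """Send one A query to a DoT resolver and return the raw answer message.
    Needs network access; everything above runs offline. The TLS hostname
    is an assumption of this example, used to validate the certificate."""
    ctx = ssl.create_default_context()
    query = build_query(qname)
    with socket.create_connection((server, DOT_PORT), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            tls.sendall(frame_for_tcp(query))
            data = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
                messages, data = parse_tcp_frames(data)
                if messages:
                    return messages[0]
    return b""


if __name__ == "__main__":
    # offline part: which names a minimising resolver sends on the way down
    print(minimised_query_names("www.example.com."))
    # online part: one query to the resolver from the post, header decoded
    answer = query_over_tls("one.one.one.one")
    print(response_header(answer))
```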
  2. Tomi Engdahl says:

    New Bill in Georgia Could Criminalize Security Research
    https://www.securityweek.com/new-bill-georgia-could-criminalize-security-research

    A new bill passed by the Georgia State Senate last week deems all forms of unauthorized computer access as illegal, thus potentially criminalizing the finding and reporting of security vulnerabilities.

    The new bill, which met fierce opposition from the cybersecurity community ever since it first became public, amends the Georgia code that originally considered only unauthorized computer access with malicious intent to be a crime.

    “Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access,” the bill reads (Senate Bill 315).

    “Any person convicted of computer password disclosure or unauthorized computer access shall be fined not more than $5,000.00 or incarcerated for a period not to exceed one year, or both punished for a misdemeanor of a high and aggravated nature,” the bill continues.

    The original code only made a crime out of the access of a computer or computer network without authority and with the intention of tampering with applications or data; interfering with the use of a computer program or data; or causing the malfunction of the computer, network, or application.

    The main issue with the bill is that it does little to protect security researchers who find and responsibly disclose vulnerabilities.

    In fact, it is possible that the new bill was created because a security researcher discovered a vulnerability in the Kennesaw State University election systems last year. The flaw was reported ethically and the researcher came clean after being investigated by the FBI.

    However, the breach made it to the news and, because the state felt very embarrassed by the incident, the attorney general’s office apparently asked for a law that would criminalize so-called “poking around.”

    “Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law,” Scott M. Jones from Electronic Frontiers Georgia pointed out.

  3. Tomi Engdahl says:

    njRAT Gets Ransomware, Crypto-Currency Stealing Capabilities
    https://www.securityweek.com/njrat-gets-ransomware-crypto-currency-stealing-capabilities

    An updated version of the njRAT remote access Trojan (RAT) is capable of encrypting files and stealing virtual currencies from crypto-wallets, Zscaler warns.

    Also known as Bladabindi, njRAT has been around since at least 2013 and is one of the most prevalent malware families. Built in .NET Framework, the malware provides attackers with remote control over the infected systems, utilizes dynamic DNS for command-and-control (C&C), and uses a custom TCP protocol over a configurable port for communication.

    Dubbed njRAT Lime Edition, the new malware variant includes support for ransomware infection, Bitcoin grabber, and distributed denial of service (DDoS), while also being able to log keystrokes, spread via USB drives, steal passwords, and lock the screen.

  4. Tomi Engdahl says:

    Jaywalkers under surveillance in Shenzhen soon to be punished via text messages
    http://www.scmp.com/tech/china-tech/article/2138960/jaywalkers-under-surveillance-shenzhen-soon-be-punished-text

    Traffic police in the southern Chinese city of Shenzhen have always had a reputation for strict enforcement of those flouting road rules in the metropolis of 12 million people.

    Now with the help of artificial intelligence and facial recognition technology, jaywalkers will not only be publicly named and shamed, they will be notified of their wrongdoing via instant messaging – along with the fine.

    Intellifusion, a Shenzhen-based AI firm that provides technology to the city’s police to display the faces of jaywalkers on large LED screens at intersections, is now talking with local mobile phone carriers and social media platforms such as WeChat and Sina Weibo to develop a system where offenders will receive personal text messages as soon as they violate the rules, according to Wang Jun, the company’s director of marketing solutions.

    First-tier Chinese cities like Beijing and Shanghai have already employed AI and facial recognition technology to regulate traffic and identify drivers who violate road rules, while Shenzhen traffic police began displaying photos of jaywalkers on large LED screens at major intersections starting in April 2017.

    For the current system installed in Shenzhen, Intellifusion installed cameras with 7 million pixels of resolution to capture photos of pedestrians crossing the road against traffic lights. Facial recognition technology identifies the individual from a database and displays a photo of the jaywalking offence, the family name of the offender and part of their government identification number on large LED screens above the pavement.

  5. Tomi Engdahl says:

    Cloudflare touts privacy-friendly 1.1.1.1 public DNS service. Hmm, let’s take a closer look at that
    We’ll share query data, but only with these really trustworthy researchers
    https://www.theregister.co.uk/2018/04/03/cloudflare_dns_privacy/

    Cloudflare has revealed a deal with regional internet registry APNIC to provide a possibly more privacy-conscious DNS resolver at a prestige network address, 1.1.1.1.

    The biz contends DNS – which translates human-friendly domain names like theregister.com into numeric IP addresses, such as 159.100.131.165, used by software – lacks privacy protection. That largely undisputed claim has become more noteworthy since the US Congress last year dropped rules that prohibited ISPs from selling users’ browsing data.

    “Your ISP, and anyone else listening in on the internet, can see every site you visit and every app you use – even if their content is encrypted,” the company says on its 1.1.1.1 website. “Creepily, some DNS providers sell data about your Internet activity or use it to target you with ads.”

    Cloudflare’s 1.1.1.1 isn’t primarily a website; it’s a DNS lookup service that, when queried by browsers and other software, asks around to various servers where to find the authoritative name server to resolve a particular domain to a network IP address.

    Ironically for a project predicated on privacy, Cloudflare is sharing DNS query data with APNIC Labs, a part of Asian registry APNIC, in exchange for the use of its 1.1.1.1 network address.

    The research relationship is set to run for at least five years, after which it may be renewed and APNIC will consider permanently allocating the 1.1.1.1 IP address – along with 1.0.0.1 – to Cloudflare.

    Logging

    In this, Cloudflare’s venture is similar to Google’s Public DNS (8.8.8.8), which claims that it keeps some data for just 24 to 48 hours. Google, however, keeps other non-personally identifiable information for longer periods.

    Sure enough, Cloudflare has positioned its DNS service as an alternative to Google’s.

  6. Tomi Engdahl says:

    Encryption breaks down with brain-imitating machines

    Researchers from the US Army Research Laboratory (ARL) have found a way to utilize neuromorphic computer architectures for the number-theoretic problem known as integer factoring. For example, the technology can be used to deploy RSA encryption more efficiently.

    Neuromorphic computation means imitating brain function. The security of the widely used RSA algorithm is today based on the difficulty of finding the factors of a large integer. Scientists have now demonstrated how brain-like computers enhance currently known factoring algorithms.

    Neuromorphic architectures continue to grow in size and speed and are not limited by Moore’s law, so their ability to handle larger integer factorization problems is growing. The study estimates that 1024-bit keys could be broken in about a year. For comparison, the current record, a 232-digit number (RSA-768), required about 2000 years of computational time.

    - At the hardware level, encrypted messages often have an expiration date after which their content becomes useless.

    Source: http://www.etn.fi/index.php/13-news/7790-salaukset-murtuvat-aivoja-jaljittelevilla-koneilla

  7. Tomi Engdahl says:

    Grindr sends HIV status to third parties, and some personal data unencrypted
    https://techcrunch.com/2018/04/02/grindr-sends-hiv-status-to-third-parties-and-some-personal-data-unencrypted/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Hot on the heels of last week’s security issues, dating app Grindr is under fire again for inappropriate sharing of HIV status with third parties (not advertisers, as I had written here before) and inadequate security on other personal data transmission. It’s not a good look for a company that says privacy is paramount.

  8. Tomi Engdahl says:

    Commonwealth Bank of Australia Tries to Explain Coding Errors Found After 4 Years
    https://spectrum.ieee.org/riskfactor/computing/it/commonwealth-bank-of-australia-tries-to-explain-lending-coding-errors-hidden-for-4-years

    The Commonwealth Bank of Australia, the country’s largest bank, finally got around to explaining last week why two software coding errors first disclosed in 2016 lay hidden for more than four years. The errors allowed the approval of personal overdrafts for 9,577 of its customers that should have been declined, while also approving another 1,152 customers for higher overdraft limits than they were qualified for. Many of the customers were in financial distress, and the erroneous approvals allowed them to dig themselves into even deeper financial trouble. The interest rate the bank charged customers on an overdraft was a hefty 16.6 percent.

  9. Tomi Engdahl says:

    Frank Bajak / Associated Press:
    In letter to Sen. Ron Wyden, DHS acknowledges existence in Washington DC of unauthorized “stingray” devices, used to track cell phones, intercept SMS messages

    APNewsBreak: US suspects listening devices in Washington
    https://apnews.com/d716aac4ad744b4cae3c6b13dce12d7e

    For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages.

    The use of what are known as cellphone-site simulators by foreign powers has long been a concern, but American intelligence and law enforcement agencies — which use such eavesdropping equipment themselves — have been silent on the issue until now.

    In a March 26 letter to Oregon Sen. Ron Wyden, the Department of Homeland Security acknowledged that last year it identified suspected unauthorized cell-site simulators in the nation’s capital. The agency said it had not determined the type of devices in use or who might have been operating them. Nor did it say how many it detected or where.

    The devices work by tricking mobile devices into locking onto them instead of legitimate cell towers, revealing the exact location of a particular cellphone. More sophisticated versions can eavesdrop on calls by forcing phones to step down to older, unencrypted 2G wireless technology. Some attempt to plant malware.

    The reply from DHS official Christopher Krebs noted that DHS had observed “anomalous activity” consistent with Stingrays in the Washington area.

    Legislators have been raising alarms about the use of Stingrays in the capital since at least 2014, when Goldsmith and other security-company researchers conducted public sweeps that located suspected unauthorized devices near the White House, the Supreme Court, the Commerce Department and the Pentagon, among other locations.

    The executive branch, however, has shied away from even discussing the subject.

    After the 2014 news reports about Stingrays in Washington, Rep. Alan Grayson, D-Fla, wrote the FCC in alarm. In a reply, then-FCC chairman Tom Wheeler said the agency had created a task force to combat illicit and unauthorized use of the devices.

    “To the extent that there is a major problem here, it’s largely due to the FCC not doing its job,” said Laura Moy of the Center on Privacy and Technology at Georgetown University. The agency, she said, should be requiring wireless carriers to protect their networks from such security threats and “ensuring that anyone transmitting over licensed spectrum actually has a license to do it.”

  10. Tomi Engdahl says:

    Russians Used Reddit and Tumblr to Troll the 2016 Election
    https://www.thedailybeast.com/russians-used-reddit-and-tumblr-to-troll-the-2016-election

    A leak of internal data from the Kremlin-backed Internet Research Agency discovered by The Daily Beast serves as the first confirmation that the Russian troll farm deployed its online agitators on Reddit as part of its campaign to interfere in American politics.

    The leak also reveals 21 Tumblr accounts, including login credentials, run by the Internet Research Agency (IRA). The listing for the leak offers “American proxies” for Reddit and viral meme site 9Gag. The leak comes after months of speculation from Reddit users

  11. Tomi Engdahl says:

    Josh Constine / TechCrunch:
    Facebook debuts new feature in settings that makes it easy for users to bulk remove third-party apps and an option to delete posts from those apps

    Facebook launches bulk app removal tool amidst privacy scandal
    https://techcrunch.com/2018/04/03/facebook-app-bulk-removal/

    Following the Cambridge Analytica scandal, users have flocked to their Facebook privacy settings to sever their connection to third-party apps that they no longer wanted to have access to their data. But deleting them all took forever because you had to remove them one by one. Now Facebook has released a new way to select as many apps as you want, then remove them in bulk. The feature has rolled out on mobile and desktop, and Facebook also offers the option to delete any posts those apps have made to your profile.

    Facebook confirmed the launch to TechCrunch, pointing to its Newsroom and Developer News blog posts from the last few weeks that explained that “We already show people what apps their accounts are connected to and control what data they’ve permitted those apps to use. In the coming month, we’re going to make these choices more prominent and easier to manage.”

    Cracking Down on Platform Abuse
    https://newsroom.fb.com/news/2018/03/cracking-down-on-platform-abuse/

  12. Tomi Engdahl says:

    1Password Business launches with compliance controls, auto-provisioning, free Family accounts
    https://9to5mac.com/2018/04/03/1password-business-rich-features/

    Popular password and data manager 1Password is out today with an all new offering, 1Password Business. Launching today, developer AgileBits has taken what it has learned from its 1Password Teams product and created a robust business password manager.

  13. Tomi Engdahl says:

    Hacked Magento Sites Steal Card Data, Spread Malware
    https://www.securityweek.com/hacked-magento-sites-steal-card-data-spread-malware

    Cybercriminals are targeting websites running the Magento platform to inject them with code that can steal credit card data and infect visitors with malware, Flashpoint reports.

    The open-source platform written in PHP has long stirred threat actors’ interest due to its popularity among online e-commerce sites. According to Flashpoint, members of entry-level and top-tier Deep & Dark Web forums have shown continued interest in the platform since 2016, and also targeted content management systems such as Powerfront CMS and OpenCart.

    As part of the newly observed attacks, hackers are attempting to brute-force Magento administration panels. Once they gain access, malware capable of scraping credit card numbers is installed, along with crypto-currency miners.

  14. Tomi Engdahl says:

    Several U.S. Gas Pipeline Firms Affected by Cyberattack
    https://www.securityweek.com/several-us-gas-pipeline-firms-affected-cyberattack

    Several natural gas pipeline operators in the United States have been affected by a cyberattack that hit a third-party communications system, but the incident does not appear to have impacted operational technology.

    Energy Transfer Partners was the first pipeline company to report problems with its Electronic Data Interchange (EDI) system due to a cyberattack that targeted Energy Services Group, specifically the company’s Latitude Technologies unit.

    EDI is a platform used by businesses to exchange documents such as purchase orders and invoices. In the case of energy firms, the system is used to encrypt, decrypt, translate, and track key energy transactions. Latitude says it provides EDI and other technology services to more than 100 natural gas pipelines, storage facilities, utilities, law firms, and energy marketers across the U.S.

    “This looks like a financially-motivated cyberattack, likely by cybercriminals, but we’ve seen in the past that cybercriminals often collaborate with nation-states and share hacking tools with each other,” said Phil Neray, VP of Industrial Cybersecurity at CyberX, a critical infrastructure and industrial cybersecurity firm based in Boston. “It’s easy to imagine a ransomware attack that uses nation-state tools to hijack ICS/SCADA systems and hold the pipeline hostage for millions of dollars per day.”

  15. Tomi Engdahl says:

    New KevDroid Android Backdoor Discovered
    https://www.securityweek.com/new-kevdroid-android-backdoor-discovered

    Security researchers have discovered a new Android Remote Access Trojan (RAT) that can steal a great deal of information from infected devices.

    Dubbed KevDroid, the mobile threat can steal contacts, messages, and phone history, while also able to record phone calls, Talos reports. Two variants of the malware have been identified so far.

    One of the variants exploits CVE-2015-3636 to gain root access, but both implement the same call recording capabilities, taken from an open-source project on GitHub.

    https://github.com/aykuttasil/CallRecorder

  16. Tomi Engdahl says:

    Google Bans Crypto-Mining Chrome Extensions
    https://www.securityweek.com/google-bans-crypto-mining-chrome-extensions

    Google on Monday announced that Chrome extensions designed to mine for crypto-currencies are no longer accepted in the Chrome Web Store.

    While still focused on allowing the Chrome extensions ecosystem to evolve, Google also wants to keep users as safe as possible. Thus, a rise in the number of malicious Chrome extensions that mine for virtual coins without informing the users has sparked the Internet giant to ban all such extensions.

    The scripts designed for mining purposes often require significant CPU power to perform their activity, and could result in severely diminished system performance or in increased power consumption. Called in-browser cryptojacking, such mining behavior is employed by many websites as well, often with heavy impact on user experience.

    Extensions with blockchain-related purposes that do not attempt to mine for virtual coins will continue to be distributed through the Web Store.

  17. Tomi Engdahl says:

    New Monero-Mining Android Malware Discovered
    https://www.securityweek.com/new-monero-mining-android-malware-discovered

    A newly discovered malware family attempts to leverage the (limited) computing power of Android devices to mine for Monero crypto-currency, Trend Micro warns.

    Dubbed HiddenMiner, the malware was developed with self-protection and persistence mechanisms that allow it to hide itself from the unwitting user and to abuse the Device Administrator feature to perform its nefarious activities.

    The main issue with this threat, however, is the fact that it has no switch, controller, or optimizer in its code, meaning that it essentially continuously mines for Monero until all of the device’s resources are depleted. Because of that, the malware can cause the infected devices to overheat and potentially fail, Trend Micro’s researchers point out.

  18. Tomi Engdahl says:

    BBC:
    Eurocontrol says a failure of its air traffic management software, the second in 20 years, is now fixed, but could delay ~15,000 flights in Europe — The organisation responsible for co-ordinating European air traffic says it has fixed an earlier fault which led to widespread flight delays.

    Half of European flights delayed due to system failure
    http://www.bbc.com/news/world-europe-43633094

    The organisation responsible for co-ordinating European air traffic says it has fixed an earlier fault which led to widespread flight delays.

    Eurocontrol earlier said that delays could affect up to half of all flights in Europe – about 15,000 trips.

    It said the faulty system was restarted at 19:00 GMT, and normal operations had resumed.

    Tuesday’s fault was only the second failure in 20 years, Eurocontrol said – the last happened in 2001.

  19. Tomi Engdahl says:

    Revealed: Facebook hate speech exploded in Myanmar during Rohingya crisis
    https://www.theguardian.com/world/2018/apr/03/revealed-facebook-hate-speech-exploded-in-myanmar-during-rohingya-crisis#img-2

    Analyst says: ‘I really don’t know how Zuckerberg and co sleep at night’ after evidence emerges of a spike in posts inciting violence

    Hate speech exploded on Facebook at the start of the Rohingya crisis in Myanmar last year, analysis has revealed, with experts blaming the social network for creating “chaos” in the country.

    Evidence of the spike emerged after the platform was accused of playing a key role in the spread of hate speech in Myanmar at a time when 650,000 Rohingya refugees were forced to flee to Bangladesh following persecution.

    Digital researcher and analyst Raymond Serrato examined about 15,000 Facebook posts from supporters of the hardline nationalist Ma Ba Tha group. The earliest posts dated from June 2016 and spiked on 24 and 25 August 2017, when ARSA Rohingya militants attacked government forces, prompting the security forces to launch the “clearance operation” that sent hundreds of thousands of Rohingya pouring over the border.

    “Facebook definitely helped certain elements of society to determine the narrative of the conflict in Myanmar,” Serrato told the Guardian. “Although Facebook had been used in the past to spread hate speech and misinformation, it took on greater potency after the attacks.”

    Alan Davis, an analyst from the Institute for War and Peace Reporting who led a two-year study of hate speech in Myanmar, said that in the months before August he noticed posts on Facebook becoming “more organised and odious, and more militarised”.

    His research team encountered fabricated stories stating that “mosques in Yangon are stockpiling weapons in an attempt to blow up various Buddhist pagodas and Shwedagon pagoda”, the most sacred Buddhist site in Yangon in a smear campaign against Muslims. These pages also featured posts calling Rohingya the derogatory term “kalars” and “Bengali terrorists”. Signs denoting “Muslim-free” areas were shared more than 11,000 times.

    Facebook the only source of information

    Among Myanmar’s 53 million residents, less than 1% had internet access in 2014. But by 2016, the country appeared to have more Facebook users than any other south Asian country. Today, more than 14 million of its citizens use Facebook. A 2016 report by GSMA, the global body representing mobile operators, found that in Myanmar many people considered Facebook the only internet entry point for information, and that many regarded postings as news.

    One cyber security analyst in Yangon, who asked to remain anonymous for fear of online attacks, said: “Facebook is arguably the only source of information online for the majority in Myanmar.”

    In early March, UN Myanmar investigator Yanghee Lee warned that “Facebook has become a beast.” “It was used to convey public messages but we know that the ultra-nationalist Buddhists have their own Facebooks and are really inciting a lot of violence and a lot of hatred against the Rohingya or other ethnic minorities,” she said.

  20. Tomi Engdahl says:

    Exclusive: Facebook CEO stops short of extending European privacy globally
    https://www.reuters.com/article/us-facebook-ceo-privacy-exclsuive/exclusive-facebook-ceo-says-not-planning-to-extend-european-privacy-law-globally-idUSKCN1HA2M1?feedType=RSS&feedName=topNews&utm_medium=Social&utm_source=twitter

    Facebook Inc (FB.O) Chief Executive Mark Zuckerberg said on Tuesday that he agreed “in spirit” with a strict new European Union law on data privacy but stopped short of committing to it as the standard for the social network across the world.

    As Facebook reels from a scandal over the mishandling of personal information belonging to millions of users, the company is facing demands to improve privacy and learn lessons from the landmark EU law scheduled to take effect next month.

  21. Tomi Engdahl says:

    Outgoing White House Emails Not Protected by Verification System
    https://yro.slashdot.org/story/18/04/04/1356248/outgoing-white-house-emails-not-protected-by-verification-system?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    The security advocacy group Global Cyber Alliance tested the 26 email domains managed by the Executive Office of the President (EOP) and found that only one fully implements a security protocol that verifies the emails as genuinely from the White House

    Outgoing White House emails not protected by verification system
    https://www.axios.com/outgoing-white-house-emails-not-protected-by-verification-system-deafc584-759b-4c8f-969a-3ced8a8059f8.html

    The security advocacy group Global Cyber Alliance tested the 26 email domains managed by the Executive Office of the President (EOP) and found that only one fully implements a security protocol that verifies the emails as genuinely from the White House. Of the 26 domains, 18 are not in compliance with a Department of Homeland Security directive to implement that protocol.

    Why it matters: Imagine the havoc someone could cause sending misinformation from a presidential aide’s account: Such fraudulent messages could be used in phishing campaigns, to spread misinformation to careless reporters, or to embarrass White House employees by sending fake tirades under their names.

  22. Tomi Engdahl says:

    It’s begun: ‘First’ IPv6 denial-of-service attack puts IT bods on notice
    Internet engineers warn this is only the beginning
    https://www.theregister.co.uk/2018/03/03/ipv6_ddos/

    Analysis What’s claimed to be the first IPv6-based distributed denial-of-service attack has been spotted by internet engineers who warn it is only the beginning of what could become the next wave of online disruption.

    Network guru Wesley George noticed the strange traffic earlier this week as part of a larger attack on a DNS server in an effort to overwhelm it. He was taking packet captures of the malicious traffic as part of his job at Neustar’s SiteProtect DDoS protection service when he realized there were “packets coming from IPv6 addresses to an IPv6 host.”

    Computers behind 1,900 IPv6 addresses were attacking the DNS server as part of a larger army of commandeered systems, mostly using IPv4 addresses on the public internet. Anyone running an IPv6 network needs to, therefore, ensure they have the same level of network security and mitigation tools in place as their IPv4 networks – and fast.

  23. Tomi Engdahl says:

    Facebook admits Cambridge Analytica hijacked data on up to 87M users
    https://techcrunch.com/2018/04/04/cambridge-analytica-87-million/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Facebook will warn 87 million users, mostly in the U.S., that their data “may have been improperly shared with Cambridge Analytica by apps that they or their friends used”, the company just announced. Facebook CTO Mike Schroepfer tells TechCrunch that Facebook will warn these users with a notice atop the News Feed with information about what data of theirs might have been attained, and what they should do now.

    https://newsroom.fb.com/news/2018/04/restricting-data-access/

  24. Tomi Engdahl says:

    Facebook drops a bombshell and says most of its 2 billion users may have had their personal data scraped
    https://amp.businessinsider.com/facebook-87-million-cambridge-analytica-data-2018-4?__twitter_impression=true

    Facebook revealed Wednesday that “malicious actors” had scraped the personal data of most of its users by using a search feature to find their profile pages.
    The company also revealed that the Cambridge Analytica data leak was potentially much bigger than first estimated; the data firm may have gotten access to the data on up to 87 million users.
    The revelations come as the company is still reeling from and responding to the Cambridge Analytica scandal.

    “Most” of Facebook’s 2 billion users may have had their personal data skimmed from the site by “malicious actors,” the company said in a blog post by Chief Technology Officer Mike Schroepfer. Facebook said it has disabled the feature in its site’s search function that enabled the data scraping.

    https://newsroom.fb.com/news/2018/04/restricting-data-access/

    Reply
  25. Tomi Engdahl says:

    Critical Vulnerability Patched in Microsoft Malware Protection Engine
    https://www.securityweek.com/critical-vulnerability-patched-microsoft-malware-protection-engine

    An update released this week by Microsoft for its Malware Protection Engine patches a vulnerability that can be exploited to take control of a system by placing a malicious file in a location where it would be scanned.

    The Microsoft Malware Protection Engine provides scanning, detection and cleaning capabilities for security software made by the company. The engine is affected by a flaw that can be exploited for remote code execution when a specially crafted file is scanned.

    The vulnerability, tracked as CVE-2018-0986 and rated “critical,” affects several Microsoft products that use the Malware Protection Engine, including Exchange Server, Forefront Endpoint Protection 2010, Security Essentials, Windows Defender, and Windows Intune Endpoint Protection.

    While the flaw is dangerous and easy to exploit, Microsoft believes exploitation is “less likely.” The company pointed out that the patch for this vulnerability will be automatically delivered to customers within 48 hours of release – users and administrators do not have to take any action.

    Reply
  26. Tomi Engdahl says:

    Facebook to Offer ‘Clearer’ Terms on Privacy, Data Use
    https://www.securityweek.com/facebook-offer-clearer-terms-privacy-data-use

    Facebook said Wednesday it is updating its terms on privacy and data sharing to give users a clearer picture of how the social network handles personal information.

    Reply
  27. Tomi Engdahl says:

    North Korean Hackers Behind Online Casino Attack: Report
    https://www.securityweek.com/north-korean-hackers-behind-online-casino-attack-report

    The infamous North Korean hacking group known as Lazarus is responsible for attacking an online casino in Central America, along with various other targets, ESET says.

    The Lazarus Group has been active since at least 2009 and is said to be associated with a large number of major cyber-attacks, including the $81 million cyber heist from Bangladesh’s account at the New York Federal Reserve Bank.

    Said to be the most serious threat against banks, the group has shown increased interest in crypto-currencies and has recently updated its arsenal of tools.

    ESET now reports that an attack on an online casino in Central America and assaults on various other targets last year are the doings of this group. The attackers used a similar toolset in all incidents, including the KillDisk wiping tool.

    Reply
  28. Tomi Engdahl says:

    Google Patches 9 Critical Android Vulnerabilities in April 2018 Update
    https://www.securityweek.com/google-patches-9-critical-android-vulnerabilities-april-2018-update

    Google this week has released its April 2018 set of Android security patches which address more than two dozen Critical and High severity vulnerabilities.

    19 vulnerabilities were found to affect components such as Android runtime, Framework, Media framework, and System. These include 7 issues rated Critical and 12 considered High risk. All of the flaws were patched as part of the 2018-04-01 security patch level.

    Reply
  29. Tomi Engdahl says:

    US Department of Defense now fully armed with Windows 10
    https://mspoweruser.com/us-department-of-defense-now-fully-armed-with-windows-10/

    After missing their January deadline, the US Defense Department has announced that they have completed their transition to Windows 10 by the end of their second deadline, March 31st.

    The move was driven by the need to harden the US military against cyber attacks and also to enable future missions. Windows 10’s security features would allow software patches to install faster, making it less obtrusive while making networks safer.

    “Windows 10 obviously postures us on a security operating environment and that’s what we want,” noted Miller.

    Reply
  30. Tomi Engdahl says:

    Michelle Broder Van Dyke / BuzzFeed:
    YouTube shooter Nasim Aghdam had denounced the platform for age-restricting and demonetizing her videos; her father warned police she might visit YouTube HQ

    This Is What We Know About YouTube Shooter Nasim Aghdam
    https://www.buzzfeed.com/mbvd/this-is-what-we-know-about-youtube-shooting-suspect-nasim

    The woman, who posted frequently on YouTube about animal rights and veganism, said she believed the video-sharing platform had discriminated against her.

    Reply
  31. Tomi Engdahl says:

    Dot-cm Typosquatting Sites Visited 12M Times So Far in 2018
    https://krebsonsecurity.com/2018/04/dot-cm-typosquatting-sites-visited-12m-times-so-far-in-2018/

    A story published here last week warned readers about a vast network of potentially malicious Web sites ending in “.cm” that mimic some of the world’s most popular Internet destinations (e.g. espn[dot]cm, aol[dot]cm and itunes[dot].cm) in a bid to bombard visitors with fake security alerts that can lock up one’s computer. If that piece lacked one key detail it was insight into just how many people were mistyping .com and ending up at one of these so-called “typosquatting” domains.

    On March 30, an eagle-eyed reader noted that four years of access logs for the entire network of more than 1,000 dot-cm typosquatting domains were available for download directly from the typosquatting network’s own hosting provider. The logs — which include detailed records of how many people visited the sites over the past three years and from where — were deleted shortly after that comment was posted here, but not before KrebsOnSecurity managed to grab a copy of the entire archive for analysis.

    Reply
  32. Tomi Engdahl says:

    1.5 Billion Sensitive Documents on Open Internet: Researchers
    https://www.securityweek.com/15-billion-sensitive-documents-open-internet-researchers

    Some 1.5 billion sensitive online files, from pay stubs to medical scans to patent applications, are visible on the open internet, security researchers said Thursday.

    Researchers from the cybersecurity firm Digital Shadows said a scanning tool used in the first three months of 2018 found mountains of private data online from people and companies across the world.

    The unprotected data amounted to some 12 petabytes, or four thousand times larger than the “Panama Papers” document trove which exposed potential corruption in dozens of countries.

    “These are files that are freely available” to anyone with minimal technical knowledge, said Rick Holland, a vice president at Digital Shadows.

    Holland told AFP his team scanned the web and found unsecured files, adding “we didn’t authenticate to anything.”

    The availability of open data makes it easier for hackers, nation-states or rival companies to steal sensitive information, Holland said.

    A significant amount of the data left open was from payroll and tax return files, which accounted for 700,000 and 60,000 files respectively, Digital Shadows said.

    It noted medical files and lists were also weakly protected, with some 2.2 million body scans open to inspection.

    Many corporate secrets were also out in the open including designs, patent summaries and details of yet-to-be-released products.

    “While organizations may consider insiders, network intrusions and phishing campaigns as sources of corporate espionage, these findings demonstrate that there is already a large amount of sensitive data publicly available,” the report said.

    The researchers said about 36 percent of the files were located in the European Union. The United States had the largest amount for a single country at 16 percent, but exposed files were also seen around the world including in Asia and the Middle East.

    Reply
  33. Tomi Engdahl says:

    Shooter hated YouTube: Iranian animal rights protester, 39, who shot three staff at video giant’s HQ before killing herself, had a vendetta against ‘dictatorial’ site for censoring her videos and not paying her
    http://www.dailymail.co.uk/news/article-5575105/Active-shooter-reported-YouTube-HQ-California.html

    Aghdam, who was a self-described animal rights activist and ‘vegan bodybuilder’, had a significant online presence with multiple YouTube channels and social media pages.

    In a video that Aghdam posted back in January 2017, she vented about her content being censored. She also said that her YouTube channel, which had more than 5,000 subscribers, used to get many views but claimed she started getting less when the company ‘filtered’ her videos.

    Reply
  34. Tomi Engdahl says:

    Facebook retracted Zuckerberg’s messages from recipients’ inboxes
    https://techcrunch.com/2018/04/05/zuckerberg-deleted-messages/

    Facebook says it was for security, but is it a breach of user trust?

    You can’t remove Facebook messages from the inboxes of people you sent them to, but Facebook did that for Mark Zuckerberg and other executives. Three sources confirm to TechCrunch that old Facebook messages they received from Zuckerberg have disappeared from their Facebook inboxes, while their own replies to him conspicuously remain.

    When asked by TechCrunch about the situation, Facebook claimed it was done for corporate security

    However, Facebook never publicly disclosed the removal of messages from users’ inboxes, nor privately informed the recipients. That raises the question of whether this was a breach of user trust.

    A Facebook spokesperson confirmed to TechCrunch that users can only delete messages from their own inboxes, and that they would still show up in the recipient’s thread.

    None of Facebook’s terms of service appear to give it the right to remove content from users’ accounts unless it violates the company’s community standards. While it’s somewhat standard for corporations to have data retention policies that see them delete emails or other messages from their own accounts that were sent by employees, they typically can’t remove the messages from the accounts of recipients outside the company. It’s rare that these companies own the communication channel itself and therefore host both sides of messages as Facebook does in this case, which potentially warrants a different course of action with more transparency than quietly retracting the messages.

    Reply
  35. Tomi Engdahl says:

    Intel Discontinues Keyboard App Affected by Critical Flaws
    https://www.securityweek.com/intel-discontinues-keyboard-app-affected-critical-flaws

    Serious vulnerabilities have been found in Intel’s Remote Keyboard application, but the company will not release any patches and instead advised users to uninstall the app.

    Introduced in June 2015, the Intel Remote Keyboard apps for Android and iOS allow users to wirelessly control their Intel NUC and Compute Stick devices from a smartphone or tablet. The Android application has been installed more than 500,000 times.

    Researchers discovered recently that all versions of Intel Remote Keyboard are affected by three severe privilege escalation flaws.

    The most serious of them, rated “critical” and identified as CVE-2018-3641, allows a network attacker to inject keystrokes as a local user. The vulnerability was reported to Intel by a UK-based researcher who uses the online moniker trotmaster.

    Reply
  36. Tomi Engdahl says:

    Best Buy Hit by [24]7.ai Payment Card Breach
    https://www.securityweek.com/best-buy-hit-247ai-payment-card-breach

    After Delta Air Lines and Sears Holdings, Best Buy has also come forward to warn customers that their payment card information may have been compromised as a result of a breach suffered by online services provider [24]7.ai.

    Similar to Delta and Sears, Best Buy contracted [24]7.ai for online chat/support services. The retailer says it will contact impacted customers and provide free credit monitoring if needed.

    Best Buy has not specified exactly how many of its customers are impacted, but noted that “only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.”

    Reply
  37. Tomi Engdahl says:

    Financial Services DDoS Attacks Tied to Reaper Botnet
    https://www.securityweek.com/financial-services-ddos-attacks-tied-reaper-botnet

    Recorded Future’s “Insikt” threat intelligence research group has linked the Mirai variant IoTroop (aka Reaper) botnet with attacks on the Netherlands financial sector in January 2018.

    The existence of IoTroop was first noted by Check Point in October 2017. At that point the botnet had not been used to deliver any known DDoS attacks, and its size was disputed. What was clear, however, was its potential for growth.

    In January 2018, the financial services sector in the Netherlands was hit by a number of DDoS attacks. Targets included ABN Amro, Rabobank and ING; but at that time the source of the attack was unknown.

    The attack itself was not excessively high by modern standards. “The initial attack was a DNS amplification attack with traffic volumes peaking at 30Gb/s,” reports Insikt — far short of the 1.7Tb/s attack that occurred in February.

    Reply
  38. Tomi Engdahl says:

    Microsoft Adds New Security Features to Office 365
    https://www.securityweek.com/microsoft-adds-new-security-features-office-365

    Microsoft today announced new protections for Office 365 Home and Office 365 Personal subscribers, aimed at helping them recover files, protect data, and defend against malware.

    Courtesy of the newly announced protections, Office 365 Home and Office 365 Personal users can now recover their files after a malicious attack like ransomware, Kirk Koenigsbauer, Corporate Vice President for Office at Microsoft, says.

    The new functionality is available through a Files Restore option that has been long available for OneDrive for Business customers. The feature is now available for personal OneDrive accounts and is enabled for both work and personal files.

    Reply
  39. Tomi Engdahl says:

    Unprotected Switches Expose Critical Infrastructure to Attacks: Cisco
    https://www.securityweek.com/unprotected-switches-expose-critical-infrastructure-attacks-cisco

    Cisco has advised organizations to ensure that their switches cannot be hacked via the Smart Install protocol. The networking giant has identified hundreds of thousands of exposed devices and warned that critical infrastructure could be at risk.

    The Cisco Smart Install Client is a legacy utility that allows no-touch installation of new Cisco switches. Roughly one year ago, the company warned customers about misuse of the Smart Install protocol following a spike in Internet scans attempting to detect unprotected devices that had this feature enabled. It also made available an open source tool for identifying devices that use the protocol.

    Attackers can abuse the Smart Install protocol to modify the configuration file on switches running IOS and IOS XE software, force the device to reload, load a new IOS image, and execute high-privilege commands. These attacks rely on the fact that many organizations fail to securely configure their switches, rather than an actual vulnerability.

    Reply
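    A minimal check-and-harden sequence for the Smart Install exposure described above, written in Cisco IOS CLI syntax. This is an added example, not text from the article or from Cisco's advisory; the ACL name BLOCK-SMI is a placeholder, the ACL is defence in depth rather than a substitute for disabling the client, and the exact commands available vary by IOS release.

```cisco
! Step 1: find out whether the Smart Install client feature is active on this switch.
! On many switches it is enabled by default even when Smart Install is never used.
show vstack config
! Step 2: confirm whether the device is listening on the Smart Install port (TCP 4786).
show tcp brief all
! Step 3: disable the Smart Install client in global configuration mode.
configure terminal
no vstack
end
! Persist the change, then reload and re-run "show vstack config" to confirm it stuck:
! on some older releases the setting does not survive a reload.
write memory
! Step 4 (defence in depth): if the client must stay enabled during a migration,
! drop inbound TCP 4786 from untrusted networks on the interfaces facing them.
! BLOCK-SMI is a placeholder name chosen for this example.
configure terminal
ip access-list extended BLOCK-SMI
 deny tcp any any eq 4786
 permit ip any any
end
```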
  40. Tomi Engdahl says:

    You can use malware to frame evidence to send an innocent person to jail:

    A little-known danger: child pornography can be used to frame an innocent person into prison
    https://www.is.fi/digitoday/tietoturva/art-2000001880913.html
    https://github.com/hackedteam/rcs-common/blob/master/lib/rcs-common/evidence/file.rb#L17

    Reply
  41. Tomi Engdahl says:

    Multiple vulnerabilities were found on the 4G networks

    Researchers from Purdue and Iowa have found several vulnerabilities in fourth-generation LTE networks. For example, they can force a terminal to indicate a certain location on the network and to create messages.

    The researchers describe in their article a total of ten new and nine previously found LTE vulnerabilities. One of them, for example, allows an attacker to join the backbone network without the required passwords. This will allow an attacker to run online for a second and, for example, forfeit the location of this terminal on the network.

    According to researchers, vulnerabilities relate to three key LTE protocols, namely: attach, detach, and paging.

    American researchers used a tool called LTEInspector to detect vulnerabilities.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=7810&via=n&datum=2018-04-05_14:46:43&mottagare=31202

    Reply
  42. Tomi Engdahl says:

    Rhett Jones / Gizmodo:
    Facebook disables email and phone number search after malicious actors abused the features to scrape public profile data; company says most accounts affected — Since the Cambridge Analytica privacy scandal first broke last month, Facebook has tried out a number of PR strategies to address the growing outcry.

    Facebook Just Made a Shocking Admission, and We’re All Too Exhausted to Notice
    https://gizmodo.com/facebook-just-made-a-shocking-admission-and-were-all-t-1825009566

    Since the Cambridge Analytica privacy scandal first broke last month, Facebook has tried out a number of PR strategies to address the growing outcry. At this point, the social media company is just going for broke, telling the public it should just assume that “most” of the 2.2 billion Facebook users have probably had their public data scraped by “malicious actors.” That’s huge news. But it doesn’t feel huge—if you managed to pick up that detail at all.

    Reply
  43. Tomi Engdahl says:

    Paul Mozur / New York Times:
    Myanmar civil society groups say Zuckerberg mischaracterized efficacy of Facebook systems to detect hate speech on Messenger in their country in Vox interview

    Groups in Myanmar Fire Back at Zuckerberg
    https://www.nytimes.com/2018/04/05/technology/zuckerberg-facebook-myanmar.html

    Civil society groups in Myanmar on Thursday criticized Facebook’s chief executive, Mark Zuckerberg, arguing that he mischaracterized his company’s effectiveness at detecting and quashing messages encouraging violence in the country.

    Taking aim at comments Mr. Zuckerberg made in a recent interview, the groups said that Facebook had no consistent methods for dealing with hate speech in Myanmar. The same problems keep recurring, they said, with the company routinely failing to follow up on their comments and suggestions.

    “So that’s the kind of thing where I think it is clear that people were trying to use our tools in order to incite real harm,” Mr. Zuckerberg said. “Now, in that case, our systems detect that that’s going on. We stop those messages from going through.”

    Reply
  44. Tomi Engdahl says:

    Julia Angwin / The Atlantic:
    Facebook reforms being discussed in Washington: fines for data breaches, political ad policing, liability for objectionable content, and ethics review boards

    How the Government Could Fix Facebook
    https://www.theatlantic.com/technology/archive/2018/04/four-ways-to-fix-facebook/557255/

    After years of allowing the world’s largest social network to police itself, Congress and federal regulators are discussing some promising reforms.

    Reply
  45. Tomi Engdahl says:

    Mary Jo Foley / ZDNet:
    Microsoft brings Files Restore to all OneDrive customers, letting users restore their entire OneDrive to a point in last 30 days, and adds ransomware detection — Microsoft is bringing more of the OneDrive and Outlook security protection tools it offers its Office 365 business customers to consumers.

    Microsoft to add ransomware protection tools, advanced Outlook.com encryption for consumers
    https://www.zdnet.com/article/microsoft-to-add-ransomware-protection-tools-advanced-outlook-com-encryption-for-consumers/

    Microsoft is bringing more of the OneDrive and Outlook security protection tools it offers its Office 365 business customers to consumers.

    Reply
  46. Tomi Engdahl says:

    The Billion-Dollar Hacking Group Behind a String of Big Breaches
    https://www.wired.com/story/fin7-carbanak-hacking-group-behind-a-string-of-big-breaches

    This week, Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor department stores—all owned by The Hudson’s Bay Company—acknowledged a data breach impacting more than five million credit and debit card numbers. The culprits? The same group that’s spent the last few years pulling off data heists from Omni Hotels & Resorts, Trump Hotels, Jason’s Deli, Whole Foods, Chipotle: A mysterious group known as Fin7.

    Data breaches dog consumers every day, whether they’re ordering food from Panera, or tracking their nutrition with an Under Armour app. But if you’ve particularly had your credit card number stolen from a restaurant, hotel, or retail store in the past few years, you may have experienced Fin7 up close.

    While lots of criminal hacking gangs are simply out to make money, researchers regard Fin7 as a particularly professional and disciplined organization. The group—which often appears to be Russian-speaking, but hasn’t been tied to a home country—generally works on a normal business schedule, with nights and weekends off. It has developed its own malware tools and attack styles, and seems to have a well-funded research and testing division that helps it evade detection by antivirus scanners and authorities more broadly.

    ‘Given that they’ve been in business for many years, they probably have at least a billion dollars on hand.’

    Reply
  47. Tomi Engdahl says:

    1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak
    Borked FTP, SMB, rsync, and S3 buckets fingered
    https://www.theregister.co.uk/2018/04/05/billions_files_exposed_aws_ftp_wide_open/

    Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe’s General Data Protection Regulation comes into force.

    Reply
