Cyber security April 2018

This posting is here to collect security alert news in April 2018.

I post links to security vulnerability news to comments of this article.

 

252 Comments

  1. Tomi Engdahl says:

    Mobile Phishing Attacks Up 85 Percent Annually
    https://www.securityweek.com/mobile-phishing-attacks-85-percent-annually

    The rate at which users are receiving and clicking on phishing URLs on their mobile devices has increased at an average rate of 85% per year since 2011, mobile security firm Lookout reports.

    What’s more worrisome is the fact that 56% of users received and clicked on a phishing URL that bypasses existing layers of defense, the security firm says. On average, a user clicked on a mobile phishing URL six times per year.

    In a new report (PDF) analyzing the present state of mobile phishing, the security company explains that attackers are successfully circumventing existing phishing protections to target the mobile devices. Thus, they manage to expose sensitive data and personal information at an alarming rate, the company claims.

    With over 66% of emails first opened on a mobile device and email arguably the first point of attack for a phishing actor, unprotected emails on a mobile device can easily turn into a new avenue for attack.

    https://info.lookout.com/rs/051-ESQ-475/images/Lookout-Phishing-wp-us.pdf

    Reply
  2. Tomi Engdahl says:

    Home security: Contracts out, smartphones in
    http://www.broadbandtechreport.com/articles/2018/04/home-security-contracts-out-smartphones-in.html?cmpid=enl_btr_weekly_2018-04-12&pwhid=6b9badc08db25d04d04ee00b499089ffc280910702f8ef99951bdbdad3175f54dcae8b7ad9fa2c1f5697ffa19d05535df56b8dc1e6f75b7b6f6f8c7461ce0b24

    ccording to Parks Associates, remote monitoring with no long-term commitment are key factors to attract new home security customers. The study of 10,000 U.S. broadband households indicates that among the 73% of broadband households without a home security system, 19% are very likely to buy a home security system if it can be monitored and controlled via a smartphone, and 19% are very likely to buy a home security system if it does not require a long-term contract.

    The firm says new entrants like Nest, technology enhancements like voice control from Amazon, and creative business models contribute to shifting consumer expectations and put pressure on the traditional security industry to innovate in both technology and business strategies.

    “Smart home adjacencies have helped revitalize the traditional security industry, but also create new competition,”

    Traditional security companies account for 72% of all professionally monitored subscribers, but this share is declining.

    16% of U.S. broadband households are highly likely to acquire a security system within one year of the survey; half plan to acquire a system that they can install themselves.

    Reply
  3. Tomi Engdahl says:

    Multi-Purpose Proxy Botnet Ensnares 65,000 Routers
    https://www.securityweek.com/multi-purpose-proxy-botnet-ensnares-65000-routers

    More than 65,000 routers exposed to the Internet via the Universal Plug and Play (UPnP) protocol are being abused by cybercriminals as part of a large, multi-purpose proxy botnet, Akamai has discovered.

    The vulnerable devices were found to have NAT injections that allow malicious actors to abuse them for various purposes, such as bypassing censorship, spamming and phishing, click fraud, account takeover and credit card fraud, distributed denial of service (DDoS) attacks, malware distribution, and more.

    The 65,000 injected devices, Akamai reveals, are part of a larger set of over 4.8 million devices that were found to be vulnerable to simple UDP SSDP (the UDP portion of UPnP) inquiries. Around 765,000 of the devices were also found to expose their vulnerable TCP implementations, the security firm says.

    Reply
  4. Tomi Engdahl says:

    LimeSurvey Flaws Expose Web Servers to Attacks
    https://www.securityweek.com/limesurvey-flaws-expose-web-servers-attacks

    A couple of vulnerabilities affecting the popular online survey tool LimeSurvey can be exploited by remote attackers to execute malicious code and take control of web servers with little or no user interaction, researchers warn.

    LimeSurvey is a free and open source tool that allows users to create online surveys. The software is downloaded roughly 10,000 times every month and is used by individuals and organizations worldwide.

    Researchers at RIPS Technologies discovered two potentially serious flaws in LimeSurvey version 2.72.3.

    One of the security holes is a persistent cross-site scripting (XSS) issue that affects the “resume later” feature, which allows users to save partially completed surveys and reload them by providing an email address and password.

    Reply
  5. Tomi Engdahl says:

    Not hacking, but operational error:

    Samsung Securities’ $105 Billion Fat-Finger Share Error Triggers Urgent Regulator Inquiry
    https://spectrum.ieee.org/riskfactor/computing/it/samsung-securities-105-billion-fatfinger-share-error-triggers-urgent-regulator-inquiry

    Last week, an employee of Samsung Securities Co., Samsung Group’s stock-trading entity and one of the largest trading companies in South Korea, accidentally issued shares worth some $105 billion to 2,018 of its employees who are members of its stock-owner program. The employees in the program were supposed to receive a dividend totaling 2 billion won (or about $0.93 per share they owned), but were mistakenly issued 2 billion shares instead. The amount issued was more than 30 times the total number of outstanding Samsung Securities’ shares.

    Embarrassingly, Samsung Securities admitted that it took 37 minutes to fix what had occurred after it became aware of the problem. Even more humiliating, sixteen Samsung Security employees were able to still sell off some 5 million shares of their payout, despite repeatedly being warned not to do so by their managers.

    Perhaps the warnings were ignored because they were able to make about 10 billion won ($9.3 million) each.

    The combined action of the mistake along with the rogue employee share sell-offs helped depress Samsung Securities’ stock price by nearly 12 percent.

    seen its market value drop about $300 million.

    After news of the error became public, South Korea’s Financial Supervisory Service (FSS) announced that it was going to initiate an urgent “special” inquiry into what it called a “big financial incident that significantly undermines the safety of and trust in [Korea’s] capital markets.” Its inquiry will be concerned with: how 2 billion Samsung Securities shares―which did not exist― managed to get allocated; how those “ghost shares” could even be legally sold by Samsung Securities’ employees; why some employees continued to sell the shares after being instructed not to; and how the employees could sell the shares without the activity being reported to the brokerage.

    Reply
  6. Tomi Engdahl says:

    China forces spyware onto Muslim’s Android phones, complete with security holes
    https://hotforsecurity.bitdefender.com/blog/china-forces-spyware-onto-muslims-android-phones-complete-with-security-holes-19760.html?utm_source=SMGlobal&utm_medium=Twitter&utm_campaign=H4S

    Whereas many of us are concerned that law enforcement agencies might seek to weaken or open backdoors in secure messaging products running on our smartphones, the Chinese have gone one step further demanding that some eight million Uyghurs, a Turkic ethnic group, install a spyware app known as JingWang Weishi their Android smartphones.

    JingWang (“clean internet” in Chinese) doesn’t just block access to specific websites. It also searches your Android phone for “illegal” images, audio recordings, and videos, and can upload them to an external server – alongside identifying details of your phone such as its IMEI number, model, phone number, and manufacturer.

    And if you think you can simply avoid installing the app, think again. If police find in a spot-check that you don’t have JingWang installed, you could face up to ten days in detention.

    It’s frightening to think how easily the Chinese authorities could roll out such mass surveillance across its entire population

    And sure enough, the Open Technology Fund (OTF) has just published a report that claims JingWang is itself a security risk, because it fails to encrypt the collected data which it transfers to a server based in China.

    “Nothing is transmitted from the individuals device to the receiving server over HTTPS — all in plaintext via HTTP — and updates are unsigned.”

    https://www.opentech.fund/article/app-targeting-uyghur-population-censors-content-lacks-basic-security

    Reply
  7. Tomi Engdahl says:

    Telegram hit with block in Russia over encryption
    https://techcrunch.com/2018/04/13/telegram-blocked-in-russia/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    A Russian court has ordered a block on access to the Telegram messaging app — with the block coming into force immediately, according to the BBC.

    The messaging platform has been under pressure to hand over encryption keys to Russian authorities so they can access user data — which they claim is needed for counterterrorism purposes — but has so far refused.

    Reply
  8. Tomi Engdahl says:

    Manish Singh / The Outline:
    Sources: secure messaging app Telegram is being used to distribute pirated movies, TV, music, apps, and even stolen credentials for online services like Netflix

    Telegram is the hot new source for pirated content
    Law-abiding citizens: Please do NOT download. Thank you.
    https://theoutline.com/post/4143/telegram-is-the-hot-new-source-for-illegal-downloads?zd=1&zi=4zuowbpy

    Reply
  9. Tomi Engdahl says:

    The Guardian:
    UK court on right to be forgotten: Google has to remove links about one man who “showed remorse” for past conviction, can keep links for another, who didn’t

    Google loses landmark ‘right to be forgotten’ case
    https://www.theguardian.com/technology/2018/apr/13/google-loses-right-to-be-forgotten-case

    Businessman wins legal action to force removal of search results about past conviction

    Reply
  10. Tomi Engdahl says:

    Wall Street Journal:
    A breakdown of all the data tech companies can collect during a low-key pizza and movie night with a friend, according to their privacy policies — The smartphones, Facebook accounts and other technology products deeply embedded in modern life help people get more things done every day.

    How Pizza Night Can Cost More in Data Than Dollars
    http://www.wsj.com/graphics/how-pizza-night-can-cost-more-in-data-than-dollars/

    Even a low-key evening at home can mean handing over a trove of personal information to high-tech companies

    Reply
  11. Tomi Engdahl says:

    John Herrman / New York Times:
    People quickly trusted tech companies with personal info amid a data boom, despite risks, spawning resentment and distrust after the Cambridge Analytica scandal — The queasy truth at the heart of Facebook’s Cambridge Analytica scandal, which is so far the company’s defining disgrace of 2018 …

    Cambridge Analytica and the Coming Data Bust
    https://www.nytimes.com/2018/04/10/magazine/cambridge-analytica-and-the-coming-data-bust.html

    Reply
  12. Tomi Engdahl says:

    Benjamin Herold / Education Week:
    Study finds ~3,337 free apps in Google Play’s Designed for Families program that may violate COPPA, a federal law aimed to protect children from online tracking — Thousands of free apps available in the Google Play store are potentially violating a major federal data-privacy law intended …

    Thousands of Android Mobile Apps Improperly Track Children, Study Says
    http://blogs.edweek.org/edweek/DigitalEducation/2018/04/android_mobile_apps_track_children_study.html

    Thousands of free apps available in the Google Play store are potentially violating a major federal data-privacy law intended to protect children from online tracking, according to a new study published by researchers affiliated with the International Computer Science Institute.

    “These problems are rampant, and it’s resulting in kids being exposed to targeted advertising and automatic profiling that could be illegal,” said Serge Egelman, who co-authored the report and works as the director of usable security and privacy research at ICSI, which is connected witih the University of California, Berkeley.

    Reply
  13. Tomi Engdahl says:

    Tom Warren / The Verge:
    Gmail redesign may include Confidential Mode letting users restrict forwarding, downloading, and printing of emails as well as set expiration date on sent items

    Gmail’s new design will include a ‘Confidential Mode’
    New feature gives you control over how emails are used
    https://www.theverge.com/2018/4/13/17233504/gmail-design-confidential-mode-feature

    Reply
  14. Tomi Engdahl says:

    The U.S. doesn’t have a national cybersecurity doctrine, more than a year after President Donald Trump took office. Tom Kellermann, chief cybersecurity officer of Carbon Black, is concerned that Russia will retaliate with cyberattacks in response to the Trump administration’s most recent sanctions.

    The U.S. still doesn’t have a cybersecurity doctrine
    https://www.axios.com/us-still-doesnt-have-cybersecurity-doctrine-6c5b4a1b-068e-49b6-a257-fe7e4f214d83.html

    The U.S. still doesn’t have a national cybersecurity doctrine that outlines what would happen to adversaries when they launch cyberattacks against the U.S.

    Why it matters: The country’s ability to fight back is limited without the overarching doctrine and authority laid out for government agencies. That’s a problem given that the midterm elections are coming up, and intelligence leaders have said Russia is showing no signs of letting up on its hacking attempts.

    What they’re saying:

    “When you lack a strategy or a doctrine, you don’t have the advantage of deterrence,” Republican Rep. Will Hurd, who serves on the House Homeland Security Committee, told Axios.
    The concern, as independent Sen. Angus King put it during a recent hearing on election security, is that “the Russians sent in this whole operation in to our election system…and paid no price.”
    “No one is saying ‘the buck stops here,’” said Democratic Sen. Martin Heinrich.

    Reply
  15. Tomi Engdahl says:

    Hackers Can Stealthily Exfiltrate Data via Power Lines
    https://www.securityweek.com/hackers-can-stealthily-exfiltrate-data-power-lines

    Researchers have created proof-of-concept (PoC) malware that can stealthily exfiltrate data from air-gapped computers using power lines.

    The malware, dubbed PowerHammer, is the work of researchers at the Ben-Gurion University of the Negev in Israel. The university has previously published research on jumping air gaps via magnetic fields, infrared cameras, router LEDs, scanners, HDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.

    PowerHammer exfiltrates data from a compromised machine by regulating its power consumption, which can be controlled through the workload of the device’s CPU. Sensitive pieces of information, such as passwords and encryption keys, can be stolen one bit at a time by modulating changes in the current flow.

    Researchers have devised two versions of the PowerHammer attack: line level power-hammering and phase level power-hammering.

    In the line level variant, the attacker intercepts the bits of data exfiltrated by the malware by tapping the compromised computer’s power cable. In the phase level attack, the attacker collects the data from the main electrical service panel. The data can be harvested using a non-invasive tap that measures the emissions on power cables, and converting them to a binary form via demodulation and decoding.

    A computer’s CPU is a significant power consumer and its workload has a direct impact on power consumption and implicitly the flow of current in the device’s power cable. By overloading the CPU with calculations and stopping and starting the workload, it’s possible to generate a signal over the power lines at a specified frequency.

    PowerHammer:
    Exfiltrating Data from Air-Gapped Computers through Power Lines
    https://arxiv.org/pdf/1804.04014.pdf

    Reply
  16. Tomi Engdahl says:

    U.K. Launched Major Cyberattack on Islamic State: Spy Chief
    https://www.securityweek.com/uk-launched-major-cyberattack-islamic-state-spy-chief

    The head of Britain’s Government Communications Headquarters (GCHQ) revealed this week that the U.K. has launched a major cyberattack on the Islamic State (IS) group, significantly disrupting its operations.

    The attack was launched by the GCHQ in collaboration with the U.K. Ministry of Defence. The operation was the “first time the UK has systematically and persistently degraded an adversary’s online efforts as part of a wider military campaign,” GCHQ director Jeremy Fleming told an audience at the Cyber UK conference in Manchester.

    “These operations have made a significant contribution to coalition efforts to suppress Daesh propaganda, hindered their ability to coordinate attacks, and protected coalition forces on the battlefield,” the spy chief said.

    Reply
  17. Tomi Engdahl says:

    Hackers Start Exploiting Drupalgeddon2 Vulnerability
    https://www.securityweek.com/hackers-start-exploiting-drupalgeddon2-vulnerability

    Attempts to exploit a recently patched vulnerability in the Drupal content management system (CMS) were spotted by researchers shortly after someone published a proof-of-concept (PoC) exploit.

    In late March, Drupal developers rolled out an update to address CVE-2018-7600, a highly critical remote code execution flaw that can be exploited to take full control of a site. The security hole affects Drupal 6, 7 and 8, and patches have been released for each of the impacted versions – Drupal 6 is no longer supported since February 2016, but a patch has still been created.

    https://www.securityweek.com/drupalgeddon-critical-flaw-exposes-million-drupal-websites-attacks

    Reply
  18. Tomi Engdahl says:

    ‘Spectrum’ Service Extends Cloudflare Protection Beyond Web Servers
    https://www.securityweek.com/spectrum-service-extends-cloudflare-protection-beyond-web-servers

    Cloudflare on Thursday announced the availability of a new service that extends the company’s protection capabilities to gaming, remote access, email, IoT and other types of systems.

    The new product, named Spectrum, allows enterprises to leverage Cloudflare not only to protect their websites, but also any other system that is exposed to the Internet through an open TCP port, including SSH, SFTP, SMTP and custom protocols.

    Spectrum includes protection against distributed denial-of-service (DDoS) attacks, which will likely attract the interest of gaming companies. Hypixel, which runs the largest Minecraft server and one of the first victims of the massive Mirai botnet attacks, has already started using Spectrum.Cloudflare launches Spectrum

    Banking services provider Montecito Bank & Trust has also started using Spectrum to protect its email and SSH servers.

    The new service also integrates with Cloudflare’s IP Firewall, allowing users to choose which connections can pass through to their servers and which should be blocked.

    Spectrum also allows organizations to terminate TLS at the edge of the Cloudflare infrastructure, which can speed up performance.

    Reply
  19. Tomi Engdahl says:

    Google Turns TLS on By Default on Android P
    https://www.securityweek.com/google-turns-tls-default-android-p

    Applications targeting the next version of Android (Android P) are required to use encrypted connections by default, Google said on Thursday.

    To keep user data and devices safe, the company is protecting all inbound and outbound data on Android devices with Transport Layer Security (TLS) in transit. Thus, applications on Android P are no longer allowed to use unencrypted connections by default.

    This is the latest step the Internet giant has taken to keep Android users better protected, after preventing accidental unencrypted connections on Android (6.0) Marshmallow.

    Reply
  20. Tomi Engdahl says:

    Android Vendors Regularly Omit Patches in Security Updates
    https://www.securityweek.com/android-vendors-regularly-omit-patches-security-updates

    There is a good chance that your Android phone doesn’t have all of the security patches that it should, as vendors regularly omit some vulnerability fixes, security researchers have discovered.

    Reply
  21. Tomi Engdahl says:

    Severe Flaws Expose Moxa Industrial Routers to Attacks
    https://www.securityweek.com/severe-flaws-expose-moxa-industrial-routers-attacks

    Cisco’s Talos intelligence and research group has reported identifying a total of 17 vulnerabilities in an industrial router from Moxa, including many high severity command injection and denial-of-service (DoS) flaws.

    The security holes have been identified in Moxa EDR-810, an integrated industrial multiport secure router that provides firewall, NAT, VPN and managed Layer 2 switch capabilities. According to the vendor, the device is designed for controlling, monitoring and protecting critical assets, such as pumping and treatment systems in water stations, PLC and SCADA systems in factory automation applications, and DCS in oil and gas organizations.Moxa industrial router vulnerabilities

    Several of the problems found by Cisco have been described as high severity command injection vulnerabilities affecting the web server functionality of this Moxa router. The flaws allow an attacker to escalate privileges and obtain a root shell on the system by sending specially crafted HTTP POST requests to the targeted device.

    Reply
  22. Tomi Engdahl says:

    Illumio, Qualys Partner on Vulnerability-based Micro-Segmentation
    https://www.securityweek.com/illumio-qualys-partner-vulnerability-based-micro-segmentation

    Vulnerability management has two major components: discovering vulnerabilities, and mitigating those vulnerabilities. The first component is pointless without the second component. So, for example, Equifax, WannaCry, NotPetya, and many other breaches — if not most breaches — are down to a failure to patch, which is really a failure in vulnerability management.

    In these examples the vulnerabilities were known, but not mitigated. Patches were available, but not implemented. It’s a hugely complicated problem, because although there are vulnerability management platforms, immediate patching is not always possible (for fear of breaking essential applications); and the ramifications of not patching are not easily understood.

    “Everyone does vulnerability management,” says Illumio’s VP of product management, Matthew Glenn. “It’s like motherhood and apple pie — it’s just something you have to do.” So, companies have a vulnerability team that scans for and locates vulnerabilities, and then that team tries to persuade the app team to patch the vulnerable application.

    Micro-segmentation firm Illumio is now seeking to provide that compensating control to this problem via a relationship with the Qualys vulnerability platform. Illumio already has a dependency mapping capability, called Illumination, as part of its Adaptive Security Platform. This shows dependencies and connections between different applications, even when spread across multiple data centers or in the cloud. It highlights whether connections are within policy, allowing companies to micro-segment the infrastructure to increase security.

    Reply
  23. Tomi Engdahl says:

    Multi-Purpose Proxy Botnet Ensnares 65,000 Routers
    https://www.securityweek.com/multi-purpose-proxy-botnet-ensnares-65000-routers

    More than 65,000 routers exposed to the Internet via the Universal Plug and Play (UPnP) protocol are being abused by cybercriminals as part of a large, multi-purpose proxy botnet, Akamai has discovered.

    The vulnerable devices were found to have NAT injections that allow malicious actors to abuse them for various purposes, such as bypassing censorship, spamming and phishing, click fraud, account takeover and credit card fraud, distributed denial of service (DDoS) attacks, malware distribution, and more.

    Reply
  24. Tomi Engdahl says:

    Researchers Sinkhole Deep-Rooted “EITest” Infection Chain
    https://www.securityweek.com/researchers-sinkhole-deep-rooted-eitest-infection-chain

    Proofpoint on Thursday said that it has managed to sinkhole what could be the oldest “infection chain” out there, which redirected users to exploit kits (EKs), social engineering schemes, and other malicious or fraudulent operations.

    Dubbed EITest and supposedly active since 2011, the infection chain has been associated with the distribution of ransomware, information stealers, and other malware. Performing around two million potential malicious redirects a day, the chain has been rendered ineffective after Proofpoint sinkholed it in collaboration with brillantit.com and abuse.ch.

    In 2011, the infection chain was redirecting to a private EK known as Glazunov, but switched to Angler in July 2014, after being silent for about half a year. The actor behind EITest started rework on infrastructure around November 2013, the creation dates of command and control (C&C) domains reveal.

    When the chain reappeared in July 2014, it was spreading multiple payloads

    Reply
  25. Tomi Engdahl says:

    US, Britain Warn of Russian Campaign to Hack Networks
    https://www.securityweek.com/us-britain-warn-russian-campaign-hack-networks

    Russian government-sponsored hackers are compromising the key hardware of government and business computer networks like routers and firewalls, giving them virtual control of data flows, Britain and the United States warned Monday.

    The operation was “to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” Washington and London said in a joint statement.

    “Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” they said.

    US, UK Detail Networking Protocols Abused by Russian Cyberspies
    https://www.securityweek.com/us-uk-detail-networking-protocols-abused-russian-cyberspies

    A joint technical alert issued on Monday by the United States and the United Kingdom details how cyberspies believed to be working for the Russian government have abused various networking protocols to breach organizations.

    According to the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre (NCSC), the hackers targeted routers, switches, firewalls, and network-based intrusion detection systems (NIDS). Their main targets have been government and private-sector organizations, critical infrastructure operators, and their Internet service providers (ISPs).

    Reply
  26. Tomi Engdahl says:

    McAfee Expands Cloud Security Program
    https://www.securityweek.com/mcafee-expands-cloud-security-program

    At RSA Conference 2018 in San Francisco, CA, McAfee announced two additions to its cloud security program, and published a new analysis of the corporate adoption of cloud services. The new services are centered on securing containers in the cloud, and adding consistent security to third-party cloud services. The analysis, Navigating a Cloudy Sky, surveyed 1,400 IT decision makers around the world, and interviewed several C-level executives.

    Reply
  27. Tomi Engdahl says:

    U.S. Energy Department Offers $25 Million for Cybersecurity Tech
    https://www.securityweek.com/us-energy-department-offers-25-million-cybersecurity-tech

    The United States Department of Energy (DOE) on Monday announced that it’s prepared to award up to $25 million for the research and development of technologies designed to protect the country’s energy infrastructure against cyber threats.

    The funding opportunity announcement (FOA) comes from the Office of Electricity Delivery and Energy Reliability’s Cybersecurity for Energy Delivery Systems (CEDS) program and it seeks applications for researching, developing and demonstrating novel approaches to improving cyber resilient energy delivery systems.Energy Department offers $25 million for cybersecurity

    “This FOA builds on DOE’s efforts with the private sector toward improving the security of the Nation’s critical energy infrastructure, and reducing the risk of a cyber incident that could disrupt energy delivery,” the DOE said. “It will expand the development and adoption of energy technologies that will help ensure a more secure, resilient, and reliable electricity system.”

    In September 2017, the Energy Department announced its intention to invest $50 million in the research and development of tools and technologies that would make the country’s energy infrastructure more resilient and secure, including more than $20 million in cybersecurity.

    Reply
  28. Tomi Engdahl says:

    Symantec Releases Targeted Attack Analytics Tool
    https://www.securityweek.com/symantec-releases-targeted-attack-analytics-tool

    Symantec is releasing its own targeted attack analytics (TAA) tool to existing Symantec Advanced Threat Protection (ATP) customers free of additional charge. It is the same tool that Symantec’s researchers use, and was used to uncover Dragonfly 2.0. Its primary purpose is to uncover stealthy and targeted attacks.

    Symantec’s data scientists developed TAA by applying artificial intelligence machine learning to the process, knowledge and capabilities of the firm’s own security experts and researchers. These researchers have a long and successful history of detecting and analyzing global cyber threats. The reasoning behind TAA was to automate the task of analyzing the vast pool of telemetry gathered from the Symantec global customer base with the expertise of its human researchers; that is, to automate those tasks previously performed by human analysts — finding more things, faster, with the help of advanced analytics.

    Reply
  29. Tomi Engdahl says:

    Why Mass Transit Could Be the Next Big Target for Cyber Attacks—and What to do About it
    https://www.securityweek.com/why-mass-transit-could-be-next-big-target-cyber-attacks%E2%80%94and-what-do-about-it

    The constantly evolving tools and methods of cyber attackers has resulted in specific industries becoming the unfortunate subjects of sudden upswings in incident volume and severity. In recent years, for example, we’ve seen waves of ransomware attacks in healthcare and large-scale customer data breaches in technology. So, this trend begs the question, who’s next?

    1. What Makes Mass Transit So Vulnerable?

    SCADA Systems

    Supervisory control and data acquisition (SCADA) systems control the physical automation that coordinates mass transit. Some of these systems have been in operation since the 1970s, and needless to say, they were not designed with modern cybersecurity in mind.

    Other Legacy Systems

    It was revealed by a Department of Homeland Security report, that there is elevated risk in transportation due to the aging infrastructure used across the industry. These legacy systems are not limited to SCADA. The industry as a whole has made the move towards network-enabled “intelligent public transport” (IPT) but has simultaneously been slow to phase out aging systems.

    2. Potential for Terrorist and Criminal Attacks

    Unlike most industries, where the potential consequences of poor cybersecurity are largely financial or privacy-driven, an attack on a public transit system has the potential to be lethal. Vulnerable SCADA systems could be hijacked by terrorists or cyber-criminals to cause derailing or collisions. While this nightmare scenario has not yet occurred, there have been numerous incidents involving mass transit and other SCADA-dependent industries that paint a clear picture of how it could happen

    3. How to Prepare

    The consequences of a significant cyber-attack against a mass transit system will go well beyond a few fines and bad publicity. Even when dealing with an attack that only succeeds in stealing data, the American Public Transportation Association (APTA) has warned that it could breach compliance violations under HIPAA, PCI DSS, the Patriot Act, and more. To prevent this, the recommendations provided by the Department of Homeland Security (DHS) and the APTA stress the importance of “defense-in-depth”, meaning multiple layers of security to protect against future attacks. Strong compliance and audit programs are complements to—and not substitutes for—this type of robust multi-layer defense. With the stakes so high, and the volume of incidents on the rise, what more can transit authorities do to minimize the damage?

    Identify Critical Assets
    Manage Patches and Vulnerabilities
    Prepare for the Inevitable

    Reply
  30. Tomi Engdahl says:

    Intel Unveils New Threat Detection Technology
    https://www.securityweek.com/intel-unveils-new-threat-detection-technology

    Intel late on Monday announced two new security-related technologies, including a threat detection system and a framework for building protection into processors, and a strategic collaboration with Purdue University whose goal is to address the shortage of cybersecurity talent.

    Following the discovery of the Meltdown and Spectre vulnerabilities, Intel has promised to take steps to avoid these types of situations through protections built into CPUs, a dedicated bug bounty program, and industry collaboration.

    Intel recently detailed the protection mechanisms it plans on adding to its chips, and the company has now unveiled its Threat Detection Technology. This system uses silicon-level telemetry and functionality to help security products detect sophisticated cyber threats.

    One component of the Threat Detection Technology is called Accelerated Memory Scanning, which Microsoft will integrate into Windows Defender Advanced Threat Protection (ATP) later this month.

    The Advanced Platform Telemetry capability will first be integrated into Cisco Tetration, a product that provides holistic workload protection for multicloud data centers.

    Intel has also unveiled Security Essentials, a framework that standardizes built-in security features in Intel chips, including Core, Xeon and Atom processors.

    “These capabilities are platform integrity technologies for secure boot, hardware protections (for data, keys and other digital assets), accelerated cryptography and trusted execution enclaves to protect applications at runtime,” explained Rick Echevarria, vice president and general manager of Intel Platforms Security Division.

    Reply
  31. Tomi Engdahl says:

    Considering The Complexities of Hack Back Laws
    https://www.securityweek.com/considering-complexities-hack-back-laws

    Back in October 2017, U.S. Congressman Tom Graves spearheaded a modification of the Active Cyber Defense Certainty (ACDC) Act (PDF), which allows companies to “hack back” against hackers in an effort to identify and stop cyberattacks. In theory, the concept makes sense – in sports for example, defense doesn’t win championships, offense does. Responding to your attackers, or ‘taking them out’ in some cases, could be an effective way to get ahead of potential threats. However, discussions around hacking back in Congress today rely on analogies that are too simple and use examples focused on physical self-defense that fail to capture the true nature of online interactions.

    Reply
  32. Tomi Engdahl says:

    Hacked Aquarium Controller Used In Casino Cyber Attack!
    https://reefbuilders.com/2017/08/07/aquarium-controller-used-to-hack-casino/

    An internet connected aquarium controller has just been confirmed as the gateway into the secure network of a casino, and it was used to steal up to 10 gigabytes of data! We knew this day would inevitably come, and it’s actually a surprise that it’s taken this long to happen.

    The internet of things (IOT) has been seeping into our daily lives as well as the aquarium hobby since the beginning, and it’s pretty common to hear about some of these devices used as bots to perform DDOS attacks. But a recent cyber-attack on a casino used an aquarium controller as a portal to funnel data out of a private network, the damage it caused has not been reported but it can’t be good.

    Darktrace co-founder Dave Palmer was quoted as saying:

    “We’ve seen insiders sneak data out of heavily-protected organizations by attacking digitally-connected fish tanks. Completely blew my mind. Who would plug their fish tank into the internet? Well it turns out lots of people do.”

    It turns out that our highly capable and internet connected fish tank controllers can be a gateway for much more surreptitious cyber activities.

    Apparently this is not even the first time a ‘smart fish tank’ has been used in cyber crimes! The report goes on to mention that the controller was equipped “with advanced sensors that automatically regulate temperature, salinity, and feeding schedules“. The device in question was not named but we do know the casino is in North America.

    The three main companies with internet connected aquarium controllers in the North American market are the Digital Aquatics ReefKeeper, GHL Profilux, and by far the most common in the U.S. is the Apex by Neptune Systems.

    Reply
  33. Tomi Engdahl says:

    Peter Bright / Ars Technica:
    Intel unveils two Threat Detection Technology features: allowing software to scan system memory for malware using integrated GPUs and advanced telemetry tools — The company is also using its processors’ performance monitoring to detect malicious code. — Since the news of the Metldown …

    Intel, Microsoft to use GPU to scan memory for malware
    https://arstechnica.com/gadgets/2018/04/intel-microsoft-to-use-gpu-to-scan-memory-for-malware/

    The company is also using its processors’ performance monitoring to detect malicious code.

    Since the news of the Metldown and Spectre attacks earlier this year, Intel has been working to reassure the computer industry that it takes security issues very seriously and that, in spite of the Meltdown issue, the Intel platform is a sound choice the security conscious.

    To that end, the company is announcing some new initiatives that use features specific to the Intel hardware platform to boost security. First up is Intel Threat Detection Technology (TDT), which uses features in silicon to better find malware.

    The company is announcing two specific TDT features. The first is “Advanced Memory Scanning.” In an effort to evade file-based anti-virus software, certain kinds of malware refrain from writing anything to disk. This has can have downsides for the malware—it can’t persistently infect a machine and, instead, has to reinfect the machine each time it is rebooted—but makes it harder to spot and analyze. To counter this, anti-malware software can scan system memory to look for anything untoward. This, however, comes at a performance cost, with Intel claiming it can cause processor loads of as much as 20 percent.

    This is where Advanced Memory Scanning comes into effect: instead of using the CPU to scan through memory for any telltale malware signatures, the task is offloaded to the GPU. In typical desktop applications, the GPU sits there only lightly loaded, with abundant unused processing capacity. Intel says that moving the memory scanning to the GPU cuts the processor load to about two percent.

    Intel is positioning Advanced Memory Scanning as a feature for third parties to use. Later this month, Microsoft Windows Defender Advanced Threat Protection (ATP) will add the GPU-based memory scanning, and in principle, other software could add it, too.

    Reply
  34. Tomi Engdahl says:

    Alfred Ng / CNET:
    TaskRabbit informs users that it is investigating a cybersecurity incident and that it has temporarily taken down its app and website —

    TaskRabbit investigates ‘cybersecurity incident,’ app taken down
    https://www.cnet.com/news/taskrabbit-investigates-cybersecurity-incident-app-taken-down/

    The handyman-for-hire app sends an email to users Monday recommending they change their password if they’ve used the same one for different websites.

    Reply
  35. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer.com:
    After Telegram moved some of its infrastructure to AWS and Google cloud, Russia banned 1.8M Amazon and Google IP addresses, impacting many other online services — Roskomnadzor, Russia’s telecommunications watchdog, banned today over 1.8 million IP addresses belonging to Amazon and Google’s cloud infrastructure.

    Russia Bans 1.8 Million Amazon and Google IPs in Attempt to Block Telegram
    https://www.bleepingcomputer.com/news/government/russia-bans-18-million-amazon-and-google-ips-in-attempt-to-block-telegram/

    Roskomnadzor, Russia’s telecommunications watchdog, banned today over 1.8 million IP addresses belonging to Amazon and Google’s cloud infrastructure.

    The move to ban these IP blocks is a response to Telegram moving some of its infrastructure to Amazon Web Services and Google Cloud servers over the weekend.

    Roskomnadzor banned the Telegram instant messaging client inside Russia’s border on Friday, April 13, after Telegram refused to hand over customers’ encryption keys to the FSB, Russia’s main intelligence service.

    By moving servers to Amazon and Google servers, Telegram was able to skirt the initial ban and provide service to Russian users over the weekend.

    Many users ridiculed Roskomnadzor’s decision on social media, and for good reasons, as the move to mass-ban so many IP addresses had secondary repercussions, as it also blocked many legitimate web services. Users reported many online games, mobile apps, and cryptocurrency services going dark over the course of the day.

    Reply
  36. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    GrayKey, the tool law enforcement’s been buying to unlock iPhones, appears to work by brute forcing passcodes, another reason to use a strong alphanumeric code — Now that police agents can allegedly crack iPhones protected with passcodes made of six numbers, it’s time to use longer, harder to guess and crack alphanumeric passphrases.

    Stop Using 6-Digit iPhone Passcodes
    https://motherboard.vice.com/en_us/article/59jq8a/how-to-make-a-secure-iphone-passcode-6-digits

    Now that police agents can allegedly crack iPhones protected with passcodes made of six numbers, it’s time to use longer, harder to guess and crack alphanumeric passphrases.

    Reply
  37. Tomi Engdahl says:

    Russia Bans 1.8 Million Amazon and Google IPs in Attempt to Block Telegram
    https://www.bleepingcomputer.com/news/government/russia-bans-18-million-amazon-and-google-ips-in-attempt-to-block-telegram/#.WtY90k29Ixs.twitter

    Roskomnadzor, Russia’s telecommunications watchdog, banned today over 1.8 million IP addresses belonging to Amazon and Google’s cloud infrastructure.

    The move to ban these IP blocks is a response to Telegram moving some of its infrastructure to Amazon Web Services and Google Cloud servers over the weekend.

    Roskomnadzor banned the Telegram instant messaging client inside Russia’s border on Friday, April 13, after Telegram refused to hand over customers’ encryption keys to the FSB, Russia’s main intelligence service.

    Many users ridiculed Roskomnadzor’s decision on social media, and for good reasons, as the move to mass-ban so many IP addresses had secondary repercussions, as it also blocked many legitimate web services.

    Reply
  38. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer.com:
    Kaspersky Lab report: attacks spotted in Japan that hijack DNS settings of routers to reroute traffic to domains that could then infect some Android smartphones — Malware authors have hijacked DNS settings on vulnerable routers to redirect users to sites hosting Android malware.

    Crooks Hijack Router DNS Settings to Redirect Users to Android Malware
    https://www.bleepingcomputer.com/news/security/crooks-hijack-router-dns-settings-to-redirect-users-to-android-malware/

    Malware authors have hijacked DNS settings on vulnerable routers to redirect users to sites hosting Android malware.

    According to Kaspersky Labs telemetry data, these were small-scale attacks, as crooks only hijacked traffic from just 150 unique IP addresses, redirecting users to malicious sites around 6,000 times between February 9 and April 9, 2018.

    But while researchers weren’t able to determine how crooks managed to gain access to home routers to change DNS settings, they were able to get their hands on a sample of the Android malware used in these attacks —an unique strain they named Roaming Mantis.

    Reply
  39. Tomi Engdahl says:

    Drupal Sites Targeted With Backdoors, Miners in Drupalgeddon2 Attacks
    https://www.securityweek.com/drupal-sites-targeted-backdoors-miners-drupalgeddon2-attacks

    The recently patched Drupal vulnerability tracked as CVE-2018-7600 and dubbed Drupalgeddon2 has been exploited in the wild to deliver backdoors, cryptocurrency miners and other types of malware.

    While much of the online activity targeting CVE-2018-7600 still appears to represent scanning (i.e. attempts to find vulnerable systems), attackers have also started exploiting the flaw to install malware.

    The SANS Internet Storm Center has spotted attempts to deliver a cryptocurrency miner, a simple PHP backdoor that allows attackers to upload more files to the targeted server, and an IRC bot written in Perl.

    Reply
  40. Tomi Engdahl says:

    US, Britain Warn of Russian Campaign to Hack Networks
    https://www.securityweek.com/us-britain-warn-russian-campaign-hack-networks

    Russian government-sponsored hackers are compromising the key hardware of government and business computer networks like routers and firewalls, giving them virtual control of data flows, Britain and the United States warned Monday.

    The operation was “to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” Washington and London said in a joint statement.

    “Russian state-sponsored actors are using compromised routers to conduct spoofing ‘man-in-the-middle’ attacks to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations,” they said.

    “Whoever controls the routing infrastructure of a network essentially controls the data flowing through the network.”

    Reply
  41. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Facebook deleted almost 120 cybercrime private discussion groups, with ~300K members, that ranged from spam to ID theft, hours after tip from Brian Krebs — Hours after being alerted by KrebsOnSecurity, Facebook last week deleted almost 120 private discussion groups totaling more than 300,000 members …

    Deleted Facebook Cybercrime Groups Had 300,000 Members
    https://krebsonsecurity.com/2018/04/deleted-facebook-cybercrime-groups-had-300000-members/

    Reply
  42. Tomi Engdahl says:

    Natalia Drozdiak / Wall Street Journal:
    European Commission proposes rule to let national law enforcement request access to suspects’ data, such as email or photos, stored on EU and US firms’ servers

    Europe to Follow U.S. Lead in Sharing Data to Fight Crime
    https://www.wsj.com/articles/europe-to-follow-u-s-lead-in-sharing-data-to-fight-crime-1523973304

    Under EU proposal, tech firms would have to respond to data requests within 10 days, or in urgent cases, six hours

    Reply
  43. Tomi Engdahl says:

    UK’s National Cyber Security Centre warns use of ZTE equipment poses national security risk
    http://www.lightwaveonline.com/articles/2018/04/uk-s-national-cyber-security-centre-warns-use-of-zte-equipment-poses-national-security-risk.html?cmpid=enl_lightwave_lightwave_datacom_2018-04-17&pwhid=6b9badc08db25d04d04ee00b499089ffc280910702f8ef99951bdbdad3175f54dcae8b7ad9fa2c1f5697ffa19d05535df56b8dc1e6f75b7b6f6f8c7461ce0b24&eid=289644432&bid=2071061

    As if ZTE wasn’t already having a bad week after the U.S. Department of Commerce imposed a seven-year ban on access to U.S. communications components (see “U.S. Commerce Dept. finds ZTE violated export disciplinary agreement, bans U.S. component supply”), the company’s reputation has been called into question by a UK cyber-security agency. A statement posted April 16, 2018, on the website of the National Cyber Security Centre (NCSC) advised against the use of ZTE equipment in UK telecommunications networks. The post is being backed by a letter addressed to the UK telecommunications community.

    The NCSC is part of the UK Government Communications Headquarters (GCHQ), a group that provides signal intelligence and related services to the UK government and military. NCSC aims to prevent cyber attacks, manage such incidents, and improve UK network security. And it doesn’t like the looks of ZTE.

    “It is entirely appropriate and part of NCSC’s duty to highlight potential risks to the UK’s national security and provide advice based on our technical expertise,”according to Dr. Ian Levy, technical director of the NCSC, via the website post. “NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated.”

    Reply
  44. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Researcher discovers public unlisted AWS storage bucket containing 48M individual records scraped from public profiles, belonging to data firm Localblox — Exclusive: Profile data was scraped without user consent or knowledge to “build a three-dimensional picture” on millions of people.

    Data firm leaks 48 million user profiles it scraped from Facebook, LinkedIn, others
    https://www.zdnet.com/article/data-firm-leaks-48-million-user-profiles-it-scraped-from-facebook-linkedin-others/

    Exclusive: Profile data was scraped without user consent or knowledge to “build a three-dimensional picture” on millions of people.

    A little-known data firm was able to build 48 million personal profiles, combining data from sites and social networks like Facebook, LinkedIn, Twitter, and Zillow, among others — without the users’ knowledge or consent.

    Localblox, a Bellevue, Wash.-based firm, says it “automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks.” Since its founding in 2010, the company has focused its collection on publicly accessible data sources, like social networks Facebook, Twitter, and LinkedIn, and real estate site Zillow to name a few, to produce profiles.

    But earlier this year, the company left a massive store of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents.

    The bucket, labeled “lbdumps,” contained a file that unpacked to a single file over 1.2 terabytes in size. The file listed 48 million individual records, scraped from public profiles, consolidated, then stitched together.

    The data was subsequently found by Chris Vickery, director of cyber risk research at security firm UpGuard.

    The discovery is the latest twist among recent scandals involving tech companies and their data collection practices.

    Just last month, Facebook was embroiled in a privacy row after London-based data firm Cambridge Analytica obtained data on as many as 87 million users, according to a “conservative estimate” by the social networking giant

    Reply
  45. Tomi Engdahl says:

    Dan Thorp-Lancaster / Windows Central:
    Microsoft adds support for FIDO2 passwordless authentication to Windows Hello, following last week’s announcement of Yubico’s FIDO2 USB Security Key

    Windows Hello adding support for FIDO2 Security Keys
    Microsoft is stepping Windows Hello up a notch with support for FIDO2 security keys.
    https://www.windowscentral.com/windows-hello-adding-support-fido2-security-keys

    If you’re looking to ditch your passwords for something a little more secure, it’s been a good week. After the debut of the new WebAuthn standard last week, Yubico followed things up with a new security key built to work with FIDO2 and WebAuthn API authentication standards. Now, Microsoft is taking things a step further by announcing Windows Hello will support FIDO2 security keys as well.

    Windows Hello’s support for FIDO2 keys will work specifically with Yubico’s USB FIDO2 Security Key, along with additional form factors from other partners. The feature is currently available as part of a limited preview via the Windows Technology Adoption Program, and it works with both Windows 10 and for Azure Active Directory users.

    Reply
  46. Tomi Engdahl says:

    Crooks Hijack Router DNS Settings to Redirect Users to Android Malware
    https://www.bleepingcomputer.com/news/security/crooks-hijack-router-dns-settings-to-redirect-users-to-android-malware/

    Malware authors have hijacked DNS settings on vulnerable routers to redirect users to sites hosting Android malware.

    According to Kaspersky Labs telemetry data, these were small-scale attacks, as crooks only hijacked traffic from just 150 unique IP addresses, redirecting users to malicious sites around 6,000 times between February 9 and April 9, 2018.

    But while researchers weren’t able to determine how crooks managed to gain access to home routers to change DNS settings, they were able to get their hands on a sample of the Android malware used in these attacks —an unique strain they named Roaming Mantis.

    Crooks hid malware in Chrome and Facebook clones

    For these attacks, crooks redirected users to pages peddling clones of Android apps like Google Chrome for Android (chrome.apk) and Facebook (facebook.apk).

    Both the websites hosting the fake apps and the apps themselves were available in five languages —Korean, Traditional Chinese, Simplified Chinese, Japanese, and English.

    Routers becoming more popular with malware authors

    But while its source code is nothing spectacular or out of the ordinary, its distribution method —of hijacking DNS settings on home routers— is something that has not seen before with Android malware.

    The use of compromised routers for malware distribution fits a recent trend where hacked routers have become the favorite playing ground of IoT botnets, proxy networks, and cyber-espionage groups.

    Reply
  47. Tomi Engdahl says:

    Fix Your Insecure Amazon Fire TV Stick
    https://hackaday.com/2018/04/18/fix-your-insecure-amazon-fire-tv-stick/

    I recently spent a largely sleepless night at a hotel, and out of equal parts curiosity and boredom, decided to kill some time scanning the guest network to see what my fellow travelers might be up to. As you’d probably expect, I saw a veritable sea of Samsung and Apple devices. But buried among the seemingly endless number of smartphones charging next to their sleeping owners, I found something rather interesting. I was as picking up a number of Amazon-made devices, all of which had port 5555 open.

    As a habitual Android tinkerer, this struck me as very odd. Port 5555 is used for Android Debug Bridge (ADB), a development tool used to control and perform various administrative tasks on an Android device over the network or (more commonly) locally over USB.

    Reply
  48. Tomi Engdahl says:

    Russia’s Telegram ban that knocked out 15M Google, Amazon IP addresses had a precedent in Zello
    https://techcrunch.com/2018/04/17/russias-telegram-ban-that-knocked-out-15m-google-amazon-ip-addresses-had-a-precedent-in-zello/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    AdChoices

    Russia’s Telegram ban that knocked out 15M Google, Amazon IP addresses had a precedent in Zello
    Ingrid Lunden
    @ingridlunden / 12 hours ago

    Russian network operators to block Zello walkie-talkie application
    Russia blocking access to Telegram after the messaging app refused to give it access to encrypted messages has picked up an unintended casualty: we’re now up to over 15 million IP addresses from Amazon and Google getting shut down by the regulators in the process, taking various other (non-Telegram) services down with it.

    Telegram’s CEO Pavel Durov earlier today said that its reach in the country has yet to see an impact from the ban 24 hours on, with VPNs, proxies and third-party cloud services

    Reply
  49. Tomi Engdahl says:

    This “Obama” Video Should Absolutely Terrify You
    http://www.iflscience.com/technology/this-fake-obama-video-highlights-the-growing-danger-of-deepfake-videos/

    A video produced by BuzzFeed has highlighted the growing problem of DeepFake videos, as it becomes easier than ever to make celebrities appear to say and do anything.

    “This is now going to be the new reality, surely by 2020, but potentially as early as this year.”

    And this Obama video highlights that, while the technology is still fairly complex, it is getting both easier and better. Remember that if something you watch seems unbelievable, well, it just might be.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*