Cyber security April 2018

This posting is here to collect security alert news in April 2018.

I post links to security vulnerability news to comments of this article.


252 Comments

  1. Tomi Engdahl says:

    Virtual Instagram celebrity ‘Lil Miquela’ has had her account hacked
    https://techcrunch.com/2018/04/17/virtual-instagram-celebrity-lil-miquela-has-had-her-account-hacked/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    The Instagram account for the virtual celebrity known as Lil Miquela has been hacked

    The multi-racial fashionista and advocate for multiculturalism, whose account is followed by nearly 1 million people, has had “her” account taken over by another animated Instagram account holder named “Bermuda.”

    Welcome to the spring of 2018.

    Reply
  2. Tomi Engdahl says:

    I Was a Russian Facebook Troll Named Martha
    https://spectrum.ieee.org/view-from-the-valley/telecom/internet/i-was-a-russian-facebook-troll-named-martha

    Then last week, the notification emails started referring to me as Martha. Huh? And alerted me that I had changed my profile picture. And then came more, noting that I’d added two friends—one in the Ukraine, one in Tanzania—and suggesting a long list of possible friends, most of whom were tagged in Cyrillic. It looked like my dusty little Facebook account was turning into a Russian troll. (Ironically, my actual first name is of Russian origin—but I guess you can’t have a Russian troll with a Russian name.)

    I dug through all of Facebook’s reporting mechanisms—there wasn’t any option for “I’m a troll.” I couldn’t report my own profile for abuse, only report someone else’s profile, or posts someone else had made. The online menus sent me through circle after circle.

    Finally, I deactivated my account, giving “privacy concerns” as a reason. But I wonder how many other people who have dusty accounts

    Reply
  3. Tomi Engdahl says:

    How Netflix does failovers in 7 minutes flat
    https://opensource.com/article/18/4/how-netflix-does-failovers-7-minutes-flat?sc_cid=7016000000127ECAAY

    Netflix decreased the time it takes to respond to an outage from 45 minutes to seven with no additional cost.

    During winter 2012, Netflix suffered an extended outage that lasted for seven hours due to problems in the AWS Elastic Load Balancer service in the US-East region. (Netflix runs on Amazon Web Services [AWS]—we don’t have any data centers of our own.)

    During the outage, none of the traffic going into US-East was reaching our services.

    To prevent this from happening again, we decided to build a system of regional failovers that is resilient to failures of our underlying service providers. Failover is a method of protecting computer systems from failure in which standby equipment automatically takes over when the main system fails.

    Reply
  4. Tomi Engdahl says:

    Experts Call for Global Data Sharing to Defend Against Cyberattacks
    https://spectrum.ieee.org/tech-talk/telecom/security/report-nextlevel-cyberattacks-demand-data-clearinghouse

    If they haven’t done so already, cyber attackers may soon be arming themselves with artificial intelligence and machine learning (ML) strategies and algorithms. Before long, it may not be a fair fight if defenders remain naive to what AI and ML can do on both sides of the battle. So suggests a new report by IEEE and the Canadian tech consulting firm Syntegrity.

    Specifically, it notes, both copyright and export control standards need to be modified to allow security researchers to investigate cutting-edge cybersecurity questions without worrying about running afoul of outdated laws and regulations.

    https://www.ieee.org/about/industry/confluence/feedback.html

    Reply
  5. Tomi Engdahl says:

    Man Arrested In Crowd Of 50,000 People Using Creepy, But Cutting Edge, Technology
    http://www.iflscience.com/technology/man-arrested-in-crowd-of-50000-people-using-creepy-but-cutting-edge-technology/

    A man wanted for “economic crimes” has been arrested after being picked out by police in a crowd of 50,000 people.

    The man, identified as “Ao”, was caught by the police during a Jacky Cheung gig in Nanchang in the Jiangxi province of China, the South China Morning Post reports. He told authorities he thought he was “safe” to attend the concert with his wife, due to the sheer numbers of other concert-goers making him near-impossible to spot.

    However, the 31-year-old was spotted using cutting-edge facial recognition technology that managed to single him out from the crowd. He was arrested shortly after being spotted.

    Reply
  6. Tomi Engdahl says:

    Josh Constine / TechCrunch:
    Researchers: 3rd-party JavaScript trackers embedded on sites using Login With Facebook can grab Facebook user data; abusive scripts found on 434 of top 1M sites — Facebook confirms to TechCrunch that it’s investigating a security research report that shows Facebook user data can be grabbed …

    Login With Facebook data hijacked by JavaScript trackers
    https://techcrunch.com/2018/04/18/login-with-facebook-data-hijacked-by-javascript-trackers/

    Facebook confirms to TechCrunch that it’s investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user’s data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It’s unclear what these trackers do with the data, but many of their parent companies including Tealium, AudienceStream, Lytics, and ProPS sell publisher monetization services based on collected user data.

    Reply
  7. Tomi Engdahl says:

    Security Pros at Energy Firms Concerned About ‘Catastrophic’ Attacks
    https://www.securityweek.com/security-pros-energy-firms-concerned-about-catastrophic-attacks

    Many cybersecurity professionals working in the energy sector are concerned that an attack on their organization’s industrial control systems (ICS) could have “catastrophic” consequences, according to a study conducted recently by Dimensional Research on behalf of security and compliance solutions provider Tripwire.

    Of the more than 150 respondents, including IT and OT security professionals in energy and oil and gas companies, 91% say they are worried about the risk of attacks on ICS. Nearly all respondents are very concerned or somewhat concerned about an attack leading to operational shutdowns or downtime that impacts customers.

    Reply
  8. Tomi Engdahl says:

    iPhones, iPads Can Be Hacked via ‘Trustjacking’ Attack
    https://www.securityweek.com/iphones-ipads-can-be-hacked-trustjacking-attack

    A feature that allows users to wirelessly sync their iPhones and iPads with iTunes can be abused by hackers to take control of iOS devices in what researchers call a “Trustjacking” attack.

    This feature can be enabled by physically connecting an iOS device to a computer with iTunes and enabling the option to sync over Wi-Fi. The user is prompted to confirm that the computer is trusted when the mobile device is first connected to it, but no other approval is required to enable the syncing feature or to access the device over Wi-Fi at a later time.

    Researchers at Symantec have found a way to abuse the iTunes Wi-Fi sync feature. They discovered that if an attacker can convince the targeted user to connect their iPhone/iPad via a cable to a malicious or compromised device, the hacker gains persistent control over the phone/tablet as long as they are on the same wireless network as the victim.

    In one attack scenario described by the experts, the Trustjacking attack involves a malicious charger at an airport.

    While the easiest way to conduct a Trustjacking attack involves being on the same Wi-Fi network as the victim, Symantec researchers believe this requirement can be bypassed via what is known as a malicious profile attack.

    This method has been known since 2013 and it involves convincing the victim to install a malicious configuration file, or iOS profile, on their iPhone or iPad.

    Reply
  9. Tomi Engdahl says:

    Popular Android Apps Leak User Data via Third-Party SDKs
    https://www.securityweek.com/popular-android-apps-leak-user-data-third-party-sdks

    Popular mobile applications that use third-party, ready-to-go advertising Software Development Kits (SDKs) expose user data by transmitting it over the insecure HTTP protocol, Kaspersky Lab warns.

    While analyzing popular dating apps, the security firm discovered that user data is often transmitted unencrypted when SDKs from popular advertising networks are used. With some of the apps having several billion installations worldwide, security flaws put a gigantic amount of private data at risk.

    Consisting of development tools and often provided free of charge, SDKs allow app developers to immediately include some capabilities into their apps and save time while focusing on other, more important elements. However, it also means that developers don’t know that the used code may contain security issues.

    The advertising SDKs were designed to collect user data to show relevant ads and help developers monetize their product.

    Reply
  10. Tomi Engdahl says:

    Russia Says to Probe Facebook After Telegram Crackdown
    https://www.securityweek.com/russia-says-probe-facebook-after-telegram-crackdown

    Russia’s telecoms watchdog plans to probe Facebook before the end of the year after blocking access in the country to the popular messaging app Telegram, its head said on Wednesday.

    “We will conduct a probe of the company before the end of 2018,” the head of state regulator Roskomnadzor, Alexander Zharov, told pro-Kremlin newspaper Izvestia.

    Russia’s telecoms regulator has repeatedly warned Facebook it could be banned this year unless it complies with a law on the personal data of Russian nationals.

    Reply
  11. Tomi Engdahl says:

    Honeypot Shows the Power of Automation in the Hands of Hackers
    https://www.securityweek.com/honeypot-shows-power-automation-hands-hackers

    Honeypot Experiment Shows the Commoditization of Using Bots to Perform Low-level Hacking Tasks

    Next-gen endpoint detection and response firm Cybereason wanted to test two hypotheses: first, that hackers are ignoring free information in the underground forums; and second, that bots have become more sophisticated and dangerous than is often believed.

    To do this, it set up a sophisticated honeypot system that masqueraded as a financial services company. For the first hypothesis, it dropped remote desktop protocol (RDP) access credentials for three servers on dark markets and paste sites. The passwords were complex, but everything needed to break in was dropped in plaintext, with the cover story of a lucky skiddie who found the information but didn’t know what to do with it. He was giving away the information to build trust and foster goodwill.

    The first hypothesis was proven. Nobody touched or attempted to use the credentials.

    This part of the project had two phases. The first was to set up additional RDP services with weak passwords, and, writes Rustici in an associated blog, “we opened up several other services to see which ports were scanned the most and if there was a large difference in functionality once they broke in.”

    Attackers use botnets to break into networks faster
    https://www.cybereason.com/blog/botnets-honeypot-automation-cybersecurity

    Reply
  12. Tomi Engdahl says:

    Chrome 66 Distrusts Older Symantec Certificates
    https://www.securityweek.com/chrome-66-distrusts-older-symantec-certificates

    Released in the stable channel on Tuesday, Chrome 66 removes trust in website certificates that Symantec issued before June 1, 2016, while also bringing a trial of Site Isolation, and patching 62 vulnerabilities.

    Symantec last year sold its Certificate Authority business to DigiCert, which revealed last month that over 99% of the top 1 million websites already replaced the Symantec certificates. DigiCert has been issuing trusted certificates for the Symantec, Thawte, GeoTrust and RapidSSL brands since Dec. 1, 2017.

    “Chrome 66 will not trust website certificates issued by Symantec’s legacy PKI before June 1st 2016, continuing the phased distrust outlined in our previous announcements,” Google now says.

    Reply
  13. Tomi Engdahl says:

    Few RSA Conference Exhibitors Implemented DMARC
    https://www.securityweek.com/few-rsa-conference-exhibitors-implemented-dmarc

    A vast majority of the companies present this week at the 2018 RSA Conference in San Francisco have not implemented the DMARC email authentication system on their domains, opening the door to fraudulent and fake emails.

    Valimail, a San Francisco-based company that provides email authentication solutions, has analyzed the primary domains of 553 RSA Conference exhibitors and discovered that only 5.1 percent (28 firms) have properly implemented DMARC (Domain-based Message Authentication, Reporting and Conformance).

    Valimail’s Domain Checker tool shows that the list of organizations whose domains are protected by DMARC includes Microsoft, F5 Networks, Splunk, Lookout, Malwarebytes, CrowdStrike, AlienVault, AWS and the U.S. Department of Justice.

    The fact that the Justice Department is on this list is not surprising considering that the DHS issued a Binding Operational Directive (BOD) last year instructing all federal agencies to start using web and email security technologies such as HTTPS, STARTTLS and DMARC.

    Reply
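    The Valimail survey above classifies a domain as having "properly implemented" DMARC. As an added illustration (not code from the article or from Valimail), the following Python assesses a `_dmarc` TXT record against the usual bar: a valid `v=DMARC1` record with an enforcing policy (`p=quarantine` or `p=reject`) applied to 100% of failing mail. The domain names and records are constructed samples; a real check would fetch the TXT record for `_dmarc.<domain>` over DNS.

    ```python
    from __future__ import annotations

    from dataclasses import dataclass, field

    # Constructed sample _dmarc TXT records keyed by hypothetical domain.
    # None stands for "no _dmarc TXT record published at all".
    SAMPLE_RECORDS: dict[str, str | None] = {
        "enforcing.example":    "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
        "quarantine50.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
        "monitor.example":      "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
        "broken.example":       "v=DMARC1 p=reject",   # missing ';' separator
        "nodmarc.example":      None,
    }


    @dataclass
    class Verdict:
        domain: str
        status: str                # missing | invalid | monitoring | partial | enforcing
        policy: str | None = None
        pct: int = 100
        notes: list[str] = field(default_factory=list)


    def parse_dmarc(record: str) -> dict[str, str] | None:
        """Split a DMARC record into lower-cased tag -> value pairs.

        Returns None when a ';'-separated element has no '=' (malformed record).
        """
        tags: dict[str, str] = {}
        for element in record.split(";"):
            element = element.strip()
            if not element:
                continue
            if "=" not in element:
                return None
            key, value = element.split("=", 1)
            tags[key.strip().lower()] = value.strip()
        return tags


    def assess(domain: str, record: str | None) -> Verdict:
        """Classify one domain's DMARC posture from its TXT record."""
        if record is None:
            return Verdict(domain, "missing", notes=["no _dmarc TXT record"])
        tags = parse_dmarc(record)
        if tags is None or tags.get("v") != "DMARC1" or "p" not in tags:
            return Verdict(domain, "invalid",
                           notes=["malformed record, missing v=DMARC1, or missing p= tag"])
        policy = tags["p"].lower()
        try:
            pct = int(tags.get("pct", "100"))   # RFC 7489 default is 100
        except ValueError:
            return Verdict(domain, "invalid", policy, notes=["pct is not an integer"])
        notes: list[str] = []
        if "rua" not in tags:
            notes.append("no aggregate reporting address (rua)")
        if policy == "none":
            # p=none only monitors; spoofed mail is still delivered.
            return Verdict(domain, "monitoring", policy, pct, notes)
        if policy not in ("quarantine", "reject"):
            return Verdict(domain, "invalid", policy, pct, ["unknown policy value"])
        if tags.get("sp", "").lower() == "none":
            notes.append("subdomains left unprotected (sp=none)")
        if pct < 100:
            notes.append(f"policy applied to only {pct}% of failing mail")
            return Verdict(domain, "partial", policy, pct, notes)
        return Verdict(domain, "enforcing", policy, pct, notes)


    def summarize(records: dict[str, str | None]) -> dict[str, int]:
        """Count domains per status, the way an adoption survey would report them."""
        counts: dict[str, int] = {}
        for domain, record in records.items():
            status = assess(domain, record).status
            counts[status] = counts.get(status, 0) + 1
        return counts


    if __name__ == "__main__":
        for name, rec in SAMPLE_RECORDS.items():
            v = assess(name, rec)
            print(f"{name:24} {v.status:10} {'; '.join(v.notes)}")
        print(summarize(SAMPLE_RECORDS))
    ```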
  14. Tomi Engdahl says:

    Oracle Patches 254 Flaws With April 2018 Update
    https://www.securityweek.com/oracle-patches-254-flaws-april-2018-update

    Oracle’s Critical Patch Update (CPU) for April 2018 contains 254 new security fixes, 153 of which address vulnerabilities in business-critical applications.

    Reply
  15. Tomi Engdahl says:

    Security Outlook Darkens at RSA
    Thirty-four companies sign a cyber accord
    https://www.eetimes.com/document.asp?doc_id=1333195

    Hardware design needs to focus more on security and less on performance, according to some experts at the annual RSA Conference here. All sides agreed that the number and sophistication of threats are growing in a landscape where tech companies and governments can be both adversaries and partners.

    The past year revealed the dark side of social networks and brought the largest government-sponsored attacks to date. It also has shown that blockchain and quantum computing are neither immediate threats nor panaceas for security, said experts.

    “The threat picture is getting darker,” said Kirstjen Nielsen, Secretary of the U.S. Department of Homeland Security (DHS), in a keynote at the event that attracted nearly 50,000 registrants. “In each morning briefing, I see digital threats multiplying faster than we can keep up.”

    Reply
  16. Tomi Engdahl says:

    Taiwan Has ‘Big-Data-Free’ Social Platform
    Can Taiwan answer France’s call for secure IM?
    https://www.eetimes.com/document.asp?doc_id=1333193

    Facebook CEO Mark Zuckerberg’s appearance at Congressional hearings in Washington last week has surfaced long-overdue questions about the ownership and privacy of data. This scrutiny now impinges on social media networks and messaging apps such as WhatsApp, owned by Facebook.

    The questions that linger are: Who owns the data, where is it stored, who gets to read it, and how is the system set up — or not set up — to protect user privacy?

    Reply
  17. Tomi Engdahl says:

    Login With Facebook data hijacked by JavaScript trackers
    https://techcrunch.com/2018/04/18/login-with-facebook-data-hijacked-by-javascript-trackers/

    Facebook could have identified these trackers and prevented these exploits with sufficient API auditing. It’s currently ramping up API auditing as it hunts down other developers that might have improperly shared, sold, or used data.

    Revelations like this are likely to beckon a bigger data backlash. Over the years, the public had become complacent about the ways their data was exploited without consent around the web. While it’s Facebook in the hot seat, other tech giants like Google rely on user data and operate developer platforms that can be tough to police. And news publishers, desperate to earn enough from ads to survive, often fall in with sketchy ad networks and trackers.

    Zuckerberg makes an easy target because the Facebook founder is still the CEO, allowing critics and regulators to blame him for the social network’s failings. But any company playing fast and loose with user data should be sweating.

    Reply
  18. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Google’s App Engine can no longer be used for domain-fronting, which let services use its network to avoid state-level internet blocks — Domain-fronting is now a thing of the past — App developers won’t be able to use Google to get around internet censorship anymore.

    A Google update just created a big problem for anti-censorship tools
    Domain-fronting is now a thing of the past
    https://www.theverge.com/2018/4/18/17253784/google-domain-fronting-discontinued-signal-tor-vpn

    App developers won’t be able to use Google to get around internet censorship anymore. The Google App Engine is discontinuing a practice called domain-fronting, which let services use Google’s network to get around state-level internet blocks.

    A recent change in Google’s network architecture means the trick no longer works. First spotted by Tor developers on April 13th, the change has been rolling out across Google services and threatens to disrupt services for a number of anti-censorship tools, including Signal, GreatFire.org and Psiphon’s VPN services.

    Reached by The Verge, Google said the changes were the result of a long-planned network update. “Domain fronting has never been a supported feature at Google,” a company representative said, “but until recently it worked because of a quirk of our software stack. We’re constantly evolving our network, and as part of a planned software update, domain fronting no longer works. We don’t have any plans to offer it as a feature.”

    Reply
  19. Tomi Engdahl says:

    Advice from the Triton cybersecurity incident
    https://www.controleng.com/single-article/advice-from-the-triton-cybersecurity-incident/ff45641b315e192fc76714047a4d488f.html?OCVALIDATE&[email protected]&ocid=101781

    Cybersecurity incident: Human errors enabled it, but the Triconex safety controller shut down the plant as designed, say experts with Schneider Electric and ARC Advisory Group. But it’s still a call to action for industry. Have you implemented changes since then?

    Breach of an industrial, triple-redundant safety controller should dispel any thought hackers might not care about industrial facilities or that process controls are low-risk cybersecurity targets. All facilities, even if already heeding advice from Schneider Electric and ARC Advisory Group, need to have a response plan in place. The Aug. 4, 2017, cyberattack on a Triconex safety system that included the first instance of process safety system-specific malware, dubbed TRITON, was described in a media and analyst lunch on Feb. 13. That triple-redundant safety controller brand is part of the Schneider Electric EcoStruxure Triconex safety instrumented system (SIS). A summary of advice from each expert follows.

    Collaborative cybersecurity effort

    Peter G. Martin, vice president, innovation, Schneider Electric, said industry is facing a new geo-political climate where malicious actors have unlimited resources to carry out cyber-attacks; it’s time for end users, standards bodies, vendors, and government agencies to collaborate to combat the threat. Courtesy: Mark T. Hoske, Control Engineering, CFE Media

    The industry has a problem; hackers can reach instrumentation. Peter G. Martin, vice president, innovation, Schneider Electric, said a cybersecurity incident that resulted in attackers injecting malware into a safety controller is a call to action for the industry because it heralds a new geopolitical climate where malicious actors have specialized knowledge, as well as unlimited resources, to carry out their cyberattacks. These attacks can reach the instruments in a control system, especially if organizations are not compliant with industry standards, best practices and cybersecurity procedures. That means industry end users, standards bodies, vendors, and government agencies need to come together to combat the threat. The industry shouldn’t think there’s no problem because the equipment performed as it was supposed to by safely shutting down the targeted plant.

    Cybersecurity wake-up call

    Gary Williams, senior director, technology, cybersecurity and communications, Schneider Electric, explained that because of how the Triton cyberattack was executed – the attack vector – it is a call to action for everyone associated with this industry. Courtesy: Mark T. Hoske, Control Engineering, CFE Media

    Multiple cybersecurity lapses allowed a safety controller breach. Gary Williams, senior director, technology, cybersecurity and communications, Schneider Electric, said this is an industry call to action. A Triconex controller model 3008, brought to market in 2001 and installed as part of a large automation project in 2007, was affected by a security breach. When the controller picked up an anomaly in the malware the attackers injected into its code, the controller reacted as it was intended: It safely brought the plant to a safe state via a shutdown on Aug. 4, 2017.

    Upon being notified of the shutdown, Schneider Electric worked closely with the end user, independent cybersecurity organizations and the U.S. Department of Homeland Security/ICS-CERT and others to investigate the incident. The evidence they gathered indicates multiple security lapses allowed the breach to occur.

    Don’t panic; assess risks

    Larry O’Brien, vice president research for process automation, ARC Advisory Group, said there are ways to execute a response to and defend against a systemic, multiphase cybersecurity attack. Courtesy: Mark T. Hoske, Control Engineering, CFE Media

    Reconsider cybersecurity processes, procedures, and training. Larry O’Brien, vice president research for process automation, ARC Advisory Group, said the industry shouldn’t panic, but it should reconsider best practices regarding processes, procedures, and people. There are ways to execute a response to and defend against a systemic, multiphase attack.

    In this same incident, the attack(s) breached another vendor’s distributed control system (DCS); so while the shutdown was initiated as designed, it’s better not to suffer a breach and shut down a process.

    Other human errors on site, including leaving the controller’s keyswitch in program mode while it was in operation and leaving the controller cabinets unlocked, added significant risk for a cybersecurity attack. To lower the risks of such incidents, customers should continue to apply cybersecurity best practices across their operations.

    Program mode, cybersecurity standards

    Eric Cosman, contributing consultant, ARC Advisory Group and co-chair of ISA99 Industrial Automation and Control Systems Security committee, said leaving a controller key in program position is inexcusable. Courtesy: Mark T. Hoske, Control Engineering, CFE Media

    Have any of your controllers been left in program mode?

    Eric Cosman, contributing consultant, ARC Advisory Group and co-chair of ISA99 Industrial Automation and Control Systems Security committee, said the Triton attack was not unprecedented. He advised we shouldn’t underestimate the hazards posed by human denial.

    Three best practices follow.

    Gary Freburger, president, process automation, Schneider Electric, said attacks on industrial systems are an international threat to public safety that can only be addressed and resolved through transparency and collaboration that go beyond borders and competitive interests. Courtesy: Mark T. Hoske, Control Engineering, CFE Media

    1. Commit to educate and address people, processes, and technologies with a relentless drive to publish and standardize best practices and share information.

    2. Use common standards across all equipment and across multiple providers, with feedback and guidance from those involved.

    3. Ensure collaboration through transparency. Don’t say or believe anything is secure. A lot of people are trying to get into these systems. Everyone needs to respond correctly knowing what was done before, to know how to correct it.

    Reply
  20. Tomi Engdahl says:

    Threat intelligence is a critical organizational need
    https://www.controleng.com/single-article/threat-intelligence-is-a-critical-organizational-need/0d47784cf1e2ab0a4429dc6e0cee1ffa.html

    Cover story: Continuous threat intelligence collection, analysis, and optimization can help organizations improve cybersecurity measures.

    Cybersecurity managers face many challenges, with corporate boards demanding awareness of cyber risks, faster processing of complex data, and efficiently managed services for an increasing number of intelligent devices. Security teams are in a better position to defend their organizations against threats if they take the proper preventive measures. Tools and staff need to be augmented with threat intelligence.

    Threat intelligence is no longer just for large, well-funded organizations. It is now required to be an overall component of mitigation strategies for all businesses that operate within this evolving technological environment. Small businesses are able to access credible threat intelligence sources that can be based on an organization’s profile and supply chain. Critical data that used to be in a secured data center now moves across an increasingly complex ecosystem of networked environments including the Industrial Internet of Things (IIoT), Internet of Things (IoT), cloud servers, virtualized environments, and mobile devices.

    Reply
  21. Tomi Engdahl says:

    Data Aggregator LocalBlox Exposes 48 Million Records
    https://www.securityweek.com/data-aggregator-localblox-exposes-48-million-records

    48 million records containing detailed personal information of tens of millions of people were exposed to the Internet after data-gathering company LocalBlox left a cloud storage repository publicly available.

    The personal and business data search service gathered and scraped the exposed data from multiple sources, UpGuard security researchers discovered. The exposed information includes individuals’ names, physical addresses, and dates of birth, along with data scraped from LinkedIn, Facebook, Twitter, and more.

    LocalBlox co-founder Ashfaq Rahman has already confirmed that the exposed information indeed belongs to the company.

    Because the exposed information combines personal data with details on the people’s Internet usage, it builds “a three-dimensional picture of every individual affected,” UpGuard says.

    http://localblox.com/

    Reply
  22. Tomi Engdahl says:

    Microsoft Launches Windows Defender Extension for Chrome
    https://www.securityweek.com/microsoft-launches-windows-defender-extension-chrome

    Microsoft has rolled out a new Windows Defender Browser Protection extension to help Chrome users stay safe from malware and phishing websites.

    Aimed at delivering real-time protection, the browser extension can prevent online threats such as links in phishing emails, as well as websites that trick users into downloading and installing malicious software.

    The manner in which Windows Defender Browser Protection works is pretty straightforward: it checks the accessed websites against a list of malicious URLs, to ensure that users stay secure when navigating the Internet using Chrome.

    Reply
  23. Tomi Engdahl says:

    Cybersecurity Tech Accord: Marketing Move or Serious Security?
    https://www.securityweek.com/cybersecurity-tech-accord-marketing-move-or-serious-security

    Cybersecurity Tech Accord Comprises Fine Words With No Defined Deliverables and Perhaps Impossible Intentions

    Thirty-four major tech and security companies have aligned themselves and signed the Cybersecurity Tech Accord, what they claim is a “watershed agreement among the largest-ever group of companies agreeing to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states.”

    “The devastating attacks from the past year demonstrate that cybersecurity is not just about what any single company can do but also about what we can all do together,” said Microsoft President Brad Smith. “This tech sector Accord will help us take a principled path towards more effective steps to work together and defend customers around the world.”

    The Accord makes commitments in four specific areas.

    https://cybertechaccord.org/

    Reply
  24. Tomi Engdahl says:

    AlienVault Launches Free Endpoint Scanning Service
    https://www.securityweek.com/alienvault-launches-free-endpoint-scanning-service

    Unified security management and threat intelligence provider AlienVault this week announced the launch of a free scanning service that allows organizations to identify threats and risks in their environments.

    The new OTX Endpoint Threat Hunter service is part of the AlienVault Open Threat Exchange (OTX) platform, which allows private firms, security researchers, and government agencies to openly collaborate and share information on emerging threats, attack methods, and malicious actors.

    OTX can be accessed for free by anyone and provides more than 19 million threat indicators contributed by over 80,000 users. The new Endpoint Threat Hunter service is available to any registered OTX user.

    https://www.alienvault.com/blogs/security-essentials/new-free-threat-hunting-service-from-alienvault-otx-endpoint-threat-hunter

    Reply
  25. Tomi Engdahl says:

    Drupal 8 Updated to Patch Flaw in WYSIWYG Editor
    https://www.securityweek.com/drupal-8-updated-patch-flaw-wysiwyg-editor

    Updates released on Wednesday for Drupal 8 patch a moderately critical cross-site scripting (XSS) vulnerability affecting a third-party JavaScript library.

    The flaw impacts CKEditor, a WYSIWYG HTML editor included in the Drupal core. CKEditor exposes users to XSS attacks due to a flaw in the Enhanced Image (image2) plugin.

    Reply
  26. Tomi Engdahl says:

    Patrick Howell O’Neill / Cyberscoop:
    Twitter bans Kaspersky Lab from advertising on its network, pointing to DHS’ September notice of vendor’s ties to Russian intelligence services — Russian cybersecurity company Kaspersky Lab has been banned from advertising on Twitter due to its allegedly close and active ties between …
    https://www.cyberscoop.com/kaspersky-twitter-ban/

    Reply
  27. Tomi Engdahl says:

    Millions of Chrome Users Have Installed Malware Posing as Ad Blockers
    https://motherboard.vice.com/en_us/article/59jakq/chrome-ad-blockers-malware

    Andrey Meshkov, the cofounder of ad-blocker AdGuard, took a look at the script in some popular ad-blocking knockoffs and found some shady business.

    Reply
  28. Tomi Engdahl says:

    How to save your privacy from the Internet’s clutches
    https://techcrunch.com/2018/04/14/how-to-save-your-privacy-from-the-internets-clutches/?utm_source=tcfbpage&sr_share=facebook

    Practical tips to fight surveillance capitalism

    Reply
  29. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    A look at surveillance companies like Area SpA, IPS, and Terrogence, which covertly infiltrate and manipulate social media

    Beyond Cambridge Analytica — The Surveillance Companies Infiltrating And Manipulating Social Media
    https://www.forbes.com/sites/thomasbrewster/2018/04/18/cambridge-analytica-and-surveillance-companies-manipulate-facebook-and-social-media/#d2796d440535

    If it hasn’t already been made clear by Facebook’s moves to cut off AggregateIQ and Cambridge Analytica from the platform following the data privacy fiasco that exploded last month, there are multiple companies who don’t play by the social network’s rules and abuse its users’ privacy.

    But in recent years a batch of surveillance companies, operating in a far more clandestine manner to Cambridge Analytica and its partners, have been infiltrating all kinds of social media platforms. These spytech vendors are offering services not only to co-opt and influence social media groups with sockpuppet accounts, but will even deliver spyware via the fake profiles they create and hone across different platforms. And at least one of those businesses has been caught out shipping to a regime with a dubious human rights record.

    Privacy activists are calling for action. “The idea that former spooks are available to buy to infiltrate political groups online is alarming. Imagine how such powers can be used to infiltrate pro-democracy or human rights groups in authoritarian states,”

    Reply
  30. Tomi Engdahl says:

    Emilia Petrarca / The Cut:
    Two computer-generated Instagram influencers had an orchestrated feud where one “hacked” the other’s account and “revealed” she was not a real person

    Everything We Know About the Feud Between These Two Computer-Generated Instagram Influencers
    https://www.thecut.com/2018/04/lil-miquela-hack-instagram.html

    If you need any further proof that we’re living in The Matrix, here it is.

    On Tuesday, the Instagram account of Miquela Sousa — also known as @LilMiquela, a 19-year-old Brazilian-American model, singer, and Instagram personality with almost a million followers — appeared to have been hacked by a blonde, pro-Trump troll named Bermuda, or @BermudaIsBae. Over the course of about eight hours, Bermuda wiped Lil Miquela’s account clean, posting photos of herself instead with threatening captions like: “You can’t have your account back until you promise to tell people the truth.”

    But wait, it gets wilder: Neither Lil Miquela nor Bermuda are real people. They’re computer-generated avatars with anonymous creators.

    Drama is drama, though! And the best gossip is the kind that has zero consequences on real peoples’ lives. Except our lives, of course, which have been turned completely up-side down by the Orwellian antics that transpired on Tuesday. If you have a lot of questions, you are not alone. So do we.

    Reply
  31. Tomi Engdahl says:

    Christopher Mims / Wall Street Journal:
    A look at the many ways Google harvests user info via Gmail, apps on devices, its Analytics service, more; Google likely knows more about us than Facebook

    Who Has More of Your Personal Data Than Facebook? Try Google
    Google gathers more personal data than Facebook does, by almost every measure—so why aren’t we talking about it?
    https://www.wsj.com/articles/who-has-more-of-your-personal-data-than-facebook-try-google-1524398401

    Reply
  32. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    UK judge sentences Kane Gamble, a teen who hacked online accounts of the director of CIA and other prominent US government employees, to two years in prison

    Teen Who Hacked Ex-CIA Director John Brennan Gets Sentenced to 2 Years of Prison
    https://motherboard.vice.com/en_us/article/pax87v/kane-gamble-crackas-with-attitude-cwa-sentence-prison

    A judge in London sentenced a British teenager who was part of the hacking group Crackas With Attitude, which targeted prominent US government employees.

    Gamble was arrested in February of 2016 and he pleaded guilty to ten hacking charges in October of last year. Now 18 years old, he was finally sentenced on Friday afternoon local time in the Old Bailey, the central criminal court in London, after his first sentencing hearing in January was postponed.

    Reply
  33. Tomi Engdahl says:

    Researchers Rickrolled Emergency Alert Sirens in Proof-of-Concept Hack
    https://motherboard.vice.com/en_us/article/9kgn4v/hackers-take-over-san-franciscos-emergency-sirens

    Security researchers found that it was relatively easy to hijack the signal of the emergency alert siren system in San Francisco.

    “You could set off multiple siren networks repeatedly,” Balint Seeber, director of vulnerability research at Bastille and the one who found the vulnerability, told Motherboard in a phone call. “Say a military base or residential area near a nuclear power plant—you could set them off repeatedly and scare a large portion of the population.”

    Bastille made a video to show how a hacker would attack sirens taking advantage of this flaw. In the video, Seeber makes sirens play a test message, as well as Rick Astley’s Never Gonna Give You Up.

    ATI confirmed the existence of the flaw to Motherboard, but downplayed Bastille’s findings, saying that the flaw is “largely theoretical” and stressed that it’s not easy to exploit it in the wild.

    “A very sophisticated observer may be able to deduce much of the packet format, but it is not trivial to do so,” a company representative said in an email to Motherboard. “We are adding additional encryption to make the commands as secure as possible.”

    Reply
  34. Tomi Engdahl says:

    New Ransomware Locks Your Files Unless You Play ‘PUBG’
    ‘I don’t want money! Just play PUBG 7 hours!’ the ransomware says.
    https://motherboard.vice.com/en_us/article/7xdene/pubg-ransomware

    Everyone loves PlayerUnknown’s Battlegrounds, and one piece of ransomware seems to love it so much it’s willing to lock down your computer’s files until you spend quality time with the game. First spotted by MalwareHunterTeam and first reported by BleepingComputer, PUBG Ransomware is a bizarre program that encrypts a user’s desktop files—including all subdirectories—with a .PUBG extension.

    “Your files is encrypted by PUBG Ransomware! but don’t worry! It is not hard to unlock it,” the splash screen for the program says. “I don’t want money! Just play PUBG 1 hours!” The program also offers up a code that allows users to unlock their files without slogging through hours of the battle royale shooter.

    According to BleepingComputer, the program monitors the computer to see if the TsLGame executable ever runs. Seven hours of gameplay aren’t required, and once the program starts up the files start to unlock. It’s not a very sophisticated piece of software as any old .exe renamed to TslGame will work.

    Reply
  35. Tomi Engdahl says:

    Google confirms some of its own services are now getting blocked in Russia over the Telegram ban
    https://techcrunch.com/2018/04/22/google-confirms-some-of-its-own-services-are-now-getting-blocked-in-russia-over-the-telegram-ban/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Ingrid Lunden
    A shower of paper airplanes darted through the skies of Moscow and other towns in Russia today, as users answered the call of entrepreneur Pavel Durov to send the blank missives out of their windows at a pre-appointed time in support of Telegram, a messaging app he founded, which uses a paper airplane icon and was blocked last week by Russian regulator Roskomnadzor (RKN). RKN believes the service is violating national laws by failing to provide it with encryption keys to access messages on the service (Telegram has refused to comply).

    The paper plane send-off was a small flashmob turn in a “Digital Resistance” — Durov’s preferred term — that has otherwise largely been played out online: currently, nearly 18 million IP addresses are knocked out from being accessed in Russia, all in the name of blocking Telegram.

    And in the latest development, Google has now confirmed to us that its own services are now also being impacted. From what we understand, Google Search, Gmail and push notifications for Android apps are among the products being affected.

    “We are aware of reports that some users in Russia are unable to access some Google products, and are investigating those reports,”

    Reply
  36. Tomi Engdahl says:

    City of Atlanta Ransomware Attack Proves Disastrously Expensive
    https://www.securityweek.com/city-atlanta-ransomware-attack-proves-disastrously-expensive

    City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not

    Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million dollars in contracts to help its recovery from a ransomware attack on March 22, 2018 — which (at the time of writing) is still without resolution.

    Precise details on the Atlanta contracts are confused and confusing — but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The total for all the contracts appears to total roughly $2.7 million. The eventual cost will likely be more, since it doesn’t include lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.

    The ransomware used in the attack was SamSam.

    SecureWorks makes two specific points about Gold Lowell that might be pertinent to the Atlanta incident. Firstly, “In some cases where the victim paid the initial ransom, GOLD LOWELL revised the demand, significantly increasing the cost to decrypt the organization’s files in an apparent attempt to capitalize on a victim’s willingness to pay a ransom.” Atlanta officials have always declined to comment on whether they paid, or attempted to pay, the ransom

    Secondly, “GOLD LOWELL is motivated by financial gain, and there is no evidence of the threat actors using network access for espionage or data theft.” Atlanta officials were quick to claim that no personal data was lost in the attack.

    Also worth considering is the SamSam attack on Hancock Health reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers — which sound like the Gold Lowell group — had previously compromised them.

    The extended dwell time by the Gold Lowell group prior to encrypting files and making a ransom demand would explain the extreme difficulty that Atlanta is experiencing in trying to recover from the attack. The Hancock incident suggests that rapid payment might have resulted in file recovery, but SecureWorks also suggests it might have led to a further demand.

    However, the few facts that are known raise a very complex ethical issue. Atlanta seems to have chosen to pay nearly $3 million of taxpayer money rather than just $51,000, possibly on a point of principle. That principle is supported by law enforcement agencies around the world who advise that ransoms should not be paid. In this case, the sheer disparity between the cost of the ransom and the ransomware restitution (more than 50-to-1 and growing), all of which must be paid with someone else’s money, makes it reasonable to question the decision.

    There is no simple answer.

    “By bringing in emergency support,” he continued, “they probably now have a much better picture of their security posture, most likely have cleaned up a number of issues, and are now on track to pay more attention to this business risk.” His only criticism is that the money should have been spent to prevent ransomware rather than to recover from it. “The real lesson,” he said, “is for probably 10-20% of the cost of the emergency support they could have brought in the same people to help with the same issues prior to the incident. Would that guarantee it would not happen? No — but it would improve the odds greatly, would limit the damage done, and improve recovery efforts if it happened.”

    Reply
  37. Tomi Engdahl says:

    Google Discloses Windows Lockdown Policy Zero-Day
    https://www.securityweek.com/google-discloses-windows-lockdown-policy-zero-day

    Google Discloses Unpatched Windows Lockdown Policy Bypass

    A Windows 10 vulnerability that could bypass Windows Lockdown Policy and result in arbitrary code execution remains unpatched 90 days after Microsoft was informed of the bug’s existence.

    On systems with User Mode Code Integrity (UMCI) enabled, a .NET bug can be exploited to bypass the Windows Lockdown Policy check for COM Class instantiation, according to security researcher James Forshaw of Google’s Project Zero team.

    The issue was reproduced on Windows 10S, but is said to impact all Windows 10 versions with UMCI enabled.

    The vulnerability, the security researcher explains, resides in the manner in which the WLDP COM Class lockdown policy behaves when a .NET COM object is instantiated.

    The policy contains a hardcoded list of 8 to 50 COM objects which enlightened scripting engines can instantiate. Thus, even if one were able to register an existing DLL under one of the allowed COM CLSIDs, a good implementation should check the CLSID passed to DllGetObject against said internal list, and prevent attacks.

    Because of that, an attacker can add registry keys, including to HKCU, to load an arbitrary COM visible class under one of the allowed CLSIDs.

    For a successful exploitation, an attacker could use tools such as Forshaw’s DotNetToJScript, a free tool that allows users to generate a JScript which bootstraps an arbitrary .NET Assembly and class.

    The flaw was reported to Microsoft on January 19, when the company acknowledged the flaw. As per Project Zero’s policy, vendors are given 90 days to patch flaws before they are made public, and Microsoft didn’t meet the deadline for this issue.

    Considering that there are known Device Guard bypasses in the .NET framework that haven’t been fixed and continue to be usable, the security vulnerability is less serious than it would have been if all known avenues for bypass were fixed, Forshaw concludes.

    Reply
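The bypass described in the comment above turns on a per-user registry key (HKCU) redirecting an allow-listed CLSID to an arbitrary DLL. Hunting for that pattern is something a defender can do today, independent of the patch. The block below is an added example of my own, not code from SecurityWeek or Project Zero: it parses a constructed `reg export`-style dump and flags HKCU `InprocServer32` registrations that shadow an HKLM server or hit an allow-list. The GUIDs, DLL paths and the allow-list are all made up for the example; the real WLDP list is not reproduced on the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in `reg export` format (not data from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\legit.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\evil.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\vendor\\addin.dll"
"""

# Hypothetical allow-list standing in for the hardcoded WLDP list (assumption).
ALLOWLISTED_CLSIDS = ["{11111111-0000-0000-0000-000000000001}"]

KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\]$")
INPROC_RE = re.compile(
    r"^software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$", re.I
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')


def parse_inproc_servers(reg_text: str) -> Dict[str, Dict[str, str]]:
    """Map CLSID -> {hive: dll path} for every InprocServer32 default value."""
    servers: Dict[str, Dict[str, str]] = {}
    current = None  # (hive, clsid) while inside an InprocServer32 key
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            hive, path = key.group(1), key.group(2)
            m = INPROC_RE.match(path)
            current = (hive, m.group(1).upper()) if m else None
            continue
        val = DEFAULT_VALUE_RE.match(line)
        if val and current:
            hive, clsid = current
            dll = val.group(1).replace("\\\\", "\\")  # undo .reg escaping
            servers.setdefault(clsid, {})[hive] = dll
    return servers


def find_hkcu_com_overrides(
    servers: Dict[str, Dict[str, str]], allowlisted: List[str]
) -> List[Tuple[str, str, List[str]]]:
    """Return (clsid, hkcu dll, reasons) for every per-user COM registration.

    HKCU\\Software\\Classes takes precedence over HKLM for the current user,
    so an HKCU entry for a CLSID that is also in HKLM redirects that class.
    """
    allow = {c.upper() for c in allowlisted}
    findings = []
    for clsid, by_hive in sorted(servers.items()):
        if "HKEY_CURRENT_USER" not in by_hive:
            continue
        reasons = []
        if "HKEY_LOCAL_MACHINE" in by_hive:
            reasons.append(
                "HKCU entry shadows HKLM server " + by_hive["HKEY_LOCAL_MACHINE"]
            )
        else:
            reasons.append("HKCU-only registration")
        if clsid in allow:
            reasons.append("CLSID is on the lockdown allow-list")
        findings.append((clsid, by_hive["HKEY_CURRENT_USER"], reasons))
    return findings


if __name__ == "__main__":
    for clsid, dll, reasons in find_hkcu_com_overrides(
        parse_inproc_servers(SAMPLE_REG), ALLOWLISTED_CLSIDS
    ):
        print(clsid, dll, "; ".join(reasons))
```

On a real host, feed it the output of `reg export HKCU\Software\Classes\CLSID` and `reg export HKLM\SOFTWARE\Classes\CLSID`. Legitimate per-user COM registrations (per-user installs, Office add-ins) are common, so treat the output as triage input, with the HKLM-shadowing and allow-listed cases at the top of the pile.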
  38. Tomi Engdahl says:

    Surge in Anonymous Asia Twitter Accounts Sparks Bot Fears
    https://www.securityweek.com/surge-anonymous-asia-twitter-accounts-sparks-bot-fears

    Hong Kong – It has been jokingly referred to as “Botmageddon”. But a surge in new, anonymous Twitter accounts across swathes of Southeast and East Asia has deepened fears the region is in the throes of US-style mass social media manipulation.

    Maya Gilliss-Chapman, a Cambodian tech entrepreneur currently working in Silicon Valley, noticed something odd was happening in early April.

    Her Twitter account @MayaGC was being swamped by a daily deluge of follows from new users.

    “I acquired well over 1,000 new followers since the beginning of March. So, that’s approximately a 227 percent increase in just a month,” she told AFP.

    While many might delight in such a popularity spike, Gilliss-Chapman, who has previously worked for tech companies to root out spam, was immediately suspicious.

    The vast majority of these new accounts contained no identifying photograph and had barely tweeted since their creation.

    But they all seemed to be following prominent Twitter users in Cambodia including journalists, business figures, academics and celebrities.

    Reply
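The signals the article lists (accounts created recently, no profile photo, almost no tweets, all following the same set of prominent local users) are easy to turn into a scoring rule. The block below is an added example, not from the article or AFP: it scores constructed follower records on those four signals and also looks for same-day creation bursts, which is what a bulk registration tends to leave behind. The handles, dates and the "prominent accounts" set are made up.

```python
from datetime import date
from typing import Dict, Iterable, List, Set

# Constructed follower records (not real Twitter data). Each record carries the
# fields the article's signals need.
SAMPLE_FOLLOWERS = [
    {"handle": "kh_user_8841", "created": date(2018, 4, 2), "has_photo": False,
     "tweets": 0, "follows": {"journalist_a", "academic_b", "celeb_c", "biz_d"}},
    {"handle": "kh_user_8842", "created": date(2018, 4, 2), "has_photo": False,
     "tweets": 1, "follows": {"journalist_a", "academic_b", "celeb_c"}},
    {"handle": "kh_user_8843", "created": date(2018, 4, 3), "has_photo": False,
     "tweets": 0, "follows": {"journalist_a", "celeb_c", "biz_d"}},
    {"handle": "sokha_dev", "created": date(2016, 7, 19), "has_photo": True,
     "tweets": 2400, "follows": {"journalist_a", "python_dev", "biz_d"}},
    {"handle": "phnom_penh_eats", "created": date(2018, 3, 30), "has_photo": True,
     "tweets": 45, "follows": {"celeb_c", "food_blog"}},
]
# Hypothetical set of prominent accounts in the targeted community.
PROMINENT: Set[str] = {"journalist_a", "academic_b", "celeb_c", "biz_d"}
OBSERVED_ON = date(2018, 4, 10)


def suspicion_score(acct: Dict, observed_on: date = OBSERVED_ON,
                    prominent: Set[str] = PROMINENT) -> int:
    """One point per signal from the article; 0..4."""
    score = 0
    if (observed_on - acct["created"]).days <= 30:   # freshly created
        score += 1
    if not acct["has_photo"]:                        # no identifying photo
        score += 1
    if acct["tweets"] <= 2:                          # has barely tweeted
        score += 1
    if len(acct["follows"] & prominent) >= 3:        # follows the same VIPs
        score += 1
    return score


def flag_bot_like(accounts: Iterable[Dict], threshold: int = 3,
                  observed_on: date = OBSERVED_ON,
                  prominent: Set[str] = PROMINENT) -> List[str]:
    """Handles whose score reaches the threshold, sorted for stable output."""
    return sorted(
        a["handle"] for a in accounts
        if suspicion_score(a, observed_on, prominent) >= threshold
    )


def creation_bursts(accounts: Iterable[Dict], min_per_day: int = 2) -> Dict[date, int]:
    """Creation dates on which at least min_per_day of the followers appeared."""
    counts: Dict[date, int] = {}
    for a in accounts:
        counts[a["created"]] = counts.get(a["created"], 0) + 1
    return {d: n for d, n in counts.items() if n >= min_per_day}


if __name__ == "__main__":
    print("flagged:", flag_bot_like(SAMPLE_FOLLOWERS))
    print("bursts:", creation_bursts(SAMPLE_FOLLOWERS))
```

Any one signal on its own is weak (plenty of real people never upload a photo), which is why the score requires three of four; the burst check is the group-level signal that a single-account view misses.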
  39. Tomi Engdahl says:

    Microsoft Announces New Windows Platform Security Technology
    https://www.securityweek.com/microsoft-announces-new-windows-platform-security-technology

    Microsoft on Thursday announced Windows Defender System Guard runtime attestation, a new Windows platform security technology set to roll out to all editions of Windows.

    Meant to mitigate attacks in software, the runtime attestation takes advantage of the same hardware-rooted security technologies in virtualization-based security (VBS) as Credential Guard, Microsoft says.

    The new security technology can provide supplementary signals for endpoint detection and response (EDR) and antivirus vendors, and can detect artifacts of kernel tampering, rootkits, and exploits. Moreover, it can be used for preventing cheating in games, protecting sensitive transactions (banking apps, trading platforms), and providing conditional access (enabling device security-based access policies).

    The first phase of Windows Defender System Guard runtime attestation will arrive with the next Windows 10 update to lay the groundwork for future innovation, Microsoft says. It will allow for the building of new operating system features to detect and communicate violations of security promises in the event of a full system compromise, such as through a kernel-level exploit.

    Reply
  40. Tomi Engdahl says:

    FDA Reveals New Plans for Medical Device Security
    https://www.securityweek.com/fda-reveals-new-plans-medical-device-security

    The U.S. Food and Drug Administration (FDA) this week announced its medical device safety action plan, which includes seeking additional funding and authorities that would help it improve cybersecurity in the healthcare industry.

    The FDA’s plan focuses on five key areas and medical device cybersecurity is one of them. As part of its efforts to keep up with emerging threats and vulnerabilities, the agency wants the authority to require medical device manufacturers to include updating and patching capabilities into the design of their products.

    The organization also wants vendors to create a “Software Bill of Materials,” which should help medical device customers and users determine which systems may be impacted by vulnerabilities.

    “The additional authorities we seek are to further strengthen medical device security by directly addressing challenges healthcare delivery organizations and providers have encountered as a result of cyber campaigns and attacks such as WannaCry,” an FDA spokesperson told SecurityWeek.

    The agency would require that “new devices entering the market have a demonstrated capability of patchability and updatability built into the design architecture of the device, and that a patch management process and plan is provided by the manufacturer for premarket review,” the spokesperson said.

    As for the Software Bill of Materials, the measure is inspired by one of the recommendations made recently by the Health Care Industry Cybersecurity Task Force.

    https://www.fda.gov/downloads/AboutFDA/CentersOffices/OfficeofMedicalProductsandTobacco/CDRH/CDRHReports/UCM604690.pdf

    Reply
  41. Tomi Engdahl says:

    Unpatched Flaw Exposes LG NAS Devices to Remote Attacks
    https://www.securityweek.com/unpatched-flaw-exposes-lg-nas-devices-remote-attacks

    Researchers claim hackers can remotely exploit an unpatched command injection vulnerability to take control of network-attached storage (NAS) devices from LG.

    VPN specialists at vpnMentor discovered that many LG NAS models are impacted by a flaw that can be exploited without authentication.

    According to researchers, the password parameter in the login page is vulnerable to command injection. An attacker can abuse this parameter to execute arbitrary commands, including for adding a new user account and dumping the database containing existing usernames and passwords.

    Reply
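The LG NAS bug above is the textbook shape of command injection: a request parameter spliced into a shell command line. The article does not show the device's code, so the block below is an added toy of my own, not LG's or vpnMentor's: a login handler that records the attempt through the shell, beside the same handler with the shell removed and the input allow-listed. It uses the username rather than the password on purpose, because a secret should never reach a command line at all (argv is visible in process listings).

```python
import re
import subprocess

# Allow-list for the one field we pass on; anything else is rejected outright.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")


def log_login_vulnerable(username: str) -> str:
    """The bug class: untrusted text becomes part of a shell command string."""
    cmd = f"echo 'login attempt for {username}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def log_login_argv_only(username: str) -> str:
    """No shell: the input is one argv element, so metacharacters are inert."""
    return subprocess.run(
        ["echo", f"login attempt for {username}"], capture_output=True, text=True
    ).stdout


def log_login_hardened(username: str) -> str:
    """Allow-list the input first, then avoid the shell entirely."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("rejected username")
    return log_login_argv_only(username)


# Constructed payload: closes the quoted string and appends a second command.
PAYLOAD = "x'; echo INJECTED; echo '"

if __name__ == "__main__":
    print(log_login_vulnerable(PAYLOAD), end="")   # INJECTED shows up on its own line
    print(log_login_argv_only(PAYLOAD), end="")    # payload echoed back literally
    try:
        log_login_hardened(PAYLOAD)
    except ValueError as e:
        print("hardened:", e)
```

The order matters: validation alone is brittle (the next field someone adds will not have a regex), and argv-only alone still lets garbage reach the command; doing both is what turns a remote shell into a rejected request.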
  42. Tomi Engdahl says:

    Nordic, Baltic stock exchange openings delayed by knockout of Nasdaq data centre
    https://yle.fi/uutiset/osasto/news/nordic_baltic_stock_exchange_openings_delayed_by_knockout_of_nasdaq_data_centre/10165591

    The head of Nasdaq Helsinki said that no one in the Nordics on Nasdaq exchanges has been able to buy or sell shares during Wednesday’s outage.

    Trading at the Helsinki Stock Exchange and Nasdaq exchanges across the Nordic and Baltic equity and fixed-income markets did not open on Wednesday morning on time due to a fire alarm system knocking out the exchange’s data centre in Väsby, north of Stockholm, Sweden. As of publication time at 2:46 pm Wednesday Helsinki’s Nasdaq exchange remained closed.

    Update: Trading was resumed on the Helsinki Stock Exchange a little before 4 pm on Wednesday.

    Regulators to probe incident

    Maria Rekola of Finland’s Financial Supervisory Authority told Bloomberg that there is a backup system but that it appears to be taking a long time to get it operational, saying the authority plans to investigate the delay.

    The outage affected trades in Copenhagen, Helsinki, Reykjavik, Riga, Stockholm, Tallinn and Vilnius.

    Nasdaq Reviews Nordic Shutdown as Regulators Question Backups
    https://www.bloomberg.com/news/articles/2018-04-18/nasdaq-postpones-opening-of-nordic-bourses-after-fire-alarm

    The long delay in getting trading back up sparked concerns at financial regulators. Finland’s Financial Supervisory Authority will investigate why it took so long for Nasdaq to start up its backup system, according to Maria Rekola, market supervisor at the regulator in Helsinki.

    “The stock exchange is at all times obligated to ensure its systems operate and that there is a working backup system,” she said by phone. “In our investigation we’ll be looking into whether preparations were as good as possible.”

    After the issues have been resolved, Nasdaq needs to be transparent about what happened to regain investors’ trust, Heikkinen said. Arne Bergvik, chief analyst at Swedish utility Jamtkraft AB, said a repeat of today’s outage, which also halted power trading, would be “serious” and called on the exchange to take action to ensure it doesn’t happen again.

    Finland’s FSA said penalties may be considered if Nasdaq wasn’t adequately prepared for the events.

    Reply
  43. Tomi Engdahl says:

    Fire suppression failure at DigiPlex brings down Nordic Nasdaq
    http://www.datacenterdynamics.com/content-tracks/security-risk/fire-suppression-failure-at-digiplex-brings-down-nordic-nasdaq/100048.fullarticle

    Update: the facility’s fire suppression system was triggered, taking one data hall offline; backup systems were slow to respond

    Helsinki’s Nasdaq Nordic stock exchange was closed until 4pm on Wednesday due to a problem in a DigiPlex data center.

    As a result, trades were halted in Copenhagen, Helsinki, Reykjavik, Riga, Stockholm, Tallinn and Vilnius. Oslo’s exchange was spared, however, as it operates independently from Nasdaq.

    A gas-based fire suppression system was triggered at the DigiPlex data center in Väsby, 30km (18.6 miles) north of Stockholm, taking a data hall occupied by the Nasdaq Nordic stock exchange offline. DigiPlex has contacted DCD to tell us no other customers were affected – and there was no actual fire.

    A company spokesperson told Bloomberg that the incident was caused by an “errant fire extinguisher system,” which engendered “connectivity issues” at the facility.

    The data center’s backup system should have kicked in immediately, but according to Maria Rekola of Finland’s Financial Supervisory Authority, it took some time for this to happen.

    Of technical problems on April 18
    https://www.nasdaqcsd.com/the-news/about-technical-problems-on-april-18/

    April 20, 2018 – On Wednesday, April 18, an errant fire extinguisher system in a third-party data center caused connectivity issues that led us to halt the opening of all Nasdaq Nordic and Baltic Equity and Fixed Income markets as well as Nasdaq Commodities. Since yesterday, all markets are back in operation from our backup facility at Nasdaq PORT and will continue to operate from that facility.

    Nasdaq CSD has accomplished failover of the core CSD system to our backup data center and is providing all the core CSD services to its clients. Work to restore some surrounding systems of the Nasdaq CSD is still ongoing.

    Reply
  44. Tomi Engdahl says:

    Can a Loud Noise Really Bring Down a Data Center?
    https://gizmodo.com/can-a-loud-noise-really-bring-down-a-data-center-1825419462

    This week, a Nasdaq Nordic stock exchange data center in Finland was taken down by its fire suppression system. But these systems don’t use water to quench the flames, so how can they knock out a bunch of hard drives?

    The answer, most likely, is loud noise.

    It wouldn’t be the first time this happened. Similar incidents occurred last year at a Microsoft Azure data center in Europe and at an ING Bank center in Romania in 2016. “When those systems go off there’s a shockwave that can disrupt the technology,” Greg Schulz, founder of technology advisory and consulting firm StorageIO, told Gizmodo.

    When a fire starts in a data center, it wouldn’t make sense to dump water on all of the machinery. So these centers rely instead on a special kind of gas, usually consisting of carbon bonded to halogen elements like chlorine or fluorine. The gas usually serves to prevent oxygen from fueling the fire.

    But, explained Schulz, the release of the gas can come with a shockwave. Sound is ultimately just vibrations in the air

    A recent study by Siemens found that vibrations from sound as loud as 110 decibels could damage a hard drive. The fire extinguisher nozzles could be as loud as 130 decibels.

    Decibels, the rather obtuse unit of sound intensity, don’t work quite the way inches or degrees do. I

    So yes, sound really can disrupt a hard drive (or an entire data center). So don’t fly your jet planes near your hard disks.

    Reply
