Cyber security April 2018

This posting is here to collect security alert news in April 2018.

I post links to security vulnerability news to comments of this article.


252 Comments

  1. Tomi Engdahl says:

    UK’s National Cyber Security Centre warns use of ZTE equipment poses national security risk
    http://www.lightwaveonline.com/articles/2018/04/uk-s-national-cyber-security-centre-warns-use-of-zte-equipment-poses-national-security-risk.html?cmpid=enl_lightwave_lightwave_friday_5_2018-04-20&pwhid=6b9badc08db25d04d04ee00b499089ffc280910702f8ef99951bdbdad3175f54dcae8b7ad9fa2c1f5697ffa19d05535df56b8dc1e6f75b7b6f6f8c7461ce0b24&eid=289644432&bid=2076102

    As if ZTE wasn’t already having a bad week after the U.S. Department of Commerce imposed a seven-year ban on access to U.S. communications components (see “U.S. Commerce Dept. finds ZTE violated export disciplinary agreement, bans U.S. component supply”), the company’s reputation has been called into question by a UK cyber-security agency. A statement posted April 16, 2018, on the website of the National Cyber Security Centre (NCSC) advised against the use of ZTE equipment in UK telecommunications networks. The post is being backed by a letter addressed to the UK telecommunications community.

    The NCSC is part of the UK Government Communications Headquarters (GCHQ), a group that provides signal intelligence and related services to the UK government and military. NCSC aims to prevent cyber attacks, manage such incidents, and improve UK network security. And it doesn’t like the looks of ZTE.

    The NCSC concerns mirror those expressed on multiple occasions within U.S. political circles regarding Chinese telecommunications suppliers such as ZTE and Huawei, most recently by FCC Chairman Ajit Pai

    Reply
  2. Tomi Engdahl says:

    Nour Al Ali / Bloomberg:
    Middle Eastern ride-hailing app Careem says 14M users’ names, email addresses, phone numbers, and trip data was stolen in cyberattack; it became aware on Jan 14 — Customers’ names, email, phone number and trip data stolen — The platform has over 20 million users, according to website

    Middle East Ride-Hailing App Careem Reveals Major Cyber Attack
    https://www.bloomberg.com/news/articles/2018-04-23/middle-east-ride-hailing-app-careem-reveals-major-cyber-attack

    Customers’ names, email, phone number and trip data stolen
    The platform has over 20 million users, according to website

    Dubai-based ride-hailing app Careem Networks FZ has revealed a cyber incident in January where hackers gained access to systems that hold customer and driver account data.

    Passengers’ names, email address, phone number and trip data was stolen, the company said in a statement Monday. Careem is Uber Technologies Inc.’s largest rival in the Middle East.

    Reply
  3. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Avast outlines how hackers hid a backdoor in its PC cleanup tool CCleaner, which tainted ~2.27M downloads in 2017, as part of a targeted attack on tech firms — In September, security researchers at Cisco Talos and Morphisec made a worst nightmare-type disclosure: the ubiquitous computer …
    https://www.wired.com/story/inside-the-unnerving-supply-chain-attack-that-corrupted-ccleaner

    Reply
  4. Tomi Engdahl says:

    Ingrid Lunden / TechCrunch:
    Google confirms some of its services, including Google Search, Gmail, and Android push notifications, continue to suffer outages in Russia amid Telegram ban
    https://techcrunch.com/2018/04/22/google-confirms-some-of-its-own-services-are-now-getting-blocked-in-russia-over-the-telegram-ban/

    Reply
  5. Tomi Engdahl says:

    Gmail accounts appear to send out spam, and their owners are baffled
    https://mashable.com/2018/04/22/google-gmail-spam-telus/?utm_cid=hp-h-2#buYmbomC1kq6

    Something is not right in the land of Gmail.

    Numerous account holders woke up Sunday morning to discover a raft of spam emails sitting in their sent folders, and that even after changing their passwords the emails kept going out. At least some of these people, including a Mashable editor, had two-factor authentication enabled on their accounts.

    “My email account has sent out 3 spam emails in the past hour to a list of about 10 addresses that I don’t recognize,” read an April 21 post to a Google Help Forum.

    As to the email going out? It’s very much the definition of spam.

    Many people replied to the post saying the same thing was happening to them.

    So what’s going on here? A Google spokesperson admitted that the issue relates to a “spam campaign impacting a small subset of Gmail users” in a statement given to Mashable. You can read the full statement right here:

    We are aware of a spam campaign impacting a small subset of Gmail users and have actively taken measures to protect against it. This attempt involved forged email headers that made it appear as if users were receiving emails from themselves, which also led to those messages erroneously appearing in the Sent folder. We have identified and are reclassifying all offending emails as spam, and have no reason to believe any accounts were compromised as part of this incident.

    One thing the sent spam emails seem to have in common, other than the fact that they’re all garbage, is that many appear to be sent “via telus.com.” TELUS is a Canadian telecommunications company, and it’s not clear what role it plays in this mess.

    Reply
  6. Tomi Engdahl says:

    Drupal to Release Second Drupalgeddon2 Patch as Attacks Continue
    https://www.securityweek.com/drupal-release-second-drupalgeddon2-patch-attacks-continue

    Drupal developers announced on Monday that versions 7.x, 8.4.x and 8.5.x of the content management system (CMS) will receive a new security update later this week.

    The Drupal core updates, scheduled for April 25 between 16:00 and 18:00 UTC, will deliver a follow-up patch for the highly critical vulnerability tracked as CVE-2018-7600 and dubbed “Drupalgeddon2.”

    While Drupal developers have described the upcoming security releases as a follow-up to the updates that fixed Drupalgeddon2, a separate CVE identifier, namely CVE-2018-7602, has been assigned to the new vulnerability.

    Reply
  7. Tomi Engdahl says:

    Internet Society Calls on IXPs to Help Solve Internet Routing Problems
    https://www.securityweek.com/internet-society-calls-ixps-help-solve-internet-routing-problems

    The Internet Society is expanding its Mutually Agreed Norms for Routing Security (MANRS) initiative from just autonomous systems (AS) networks to include internet exchange points (IXPs).

    With its purpose to bring basic security to internet routing, MANRS was launched in 2014 with 9 founding members. Since its launch it has grown to 56 members, out of a total of around 60,000 ASs on the internet. Andrei Robachevsky, the Internet Society’s technology program manager, told SecurityWeek that the immediate target is between 700 and 800 actively conforming members. Since about 80% of all networks are stub networks with no knowledge of other networks, Robachevsky believes that 700 or 800 of the remaining networks will be enough to provide the tipping point necessary to seriously improve internet routing security.

    This basic lack of routing verification between different ASs is the root cause of both accidental and malicious internet routing problems. There are three primary issues: route hijacking, IP Address spoofing, and route leaks — and it is worth noting that there were 14,000 internet routing issues in 2017 alone.

    The classic example of route hijacking occurred in 2008, when YouTube became unavailable for around 2 hours.

    In April 2017, Robachevsky wrote in an Internet Society blog, “Large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services companies were briefly routed through a Russian telecom. For several minutes, Rostelecom was originating 50 prefixes for numerous other Autonomous Systems, hijacking their traffic.”

    IP address spoofing can be used for different malicious purposes. One of the most dramatic is a reflection/amplification DDoS attack.

    This year, memcached has been used to amplify DDoS attacks sufficient to set new records — first at 1.3Tbps and then within days at 1.7Tbps.

    Reply
  8. Tomi Engdahl says:

    Researchers Analyze Servers Compromised by Russian Hackers
    https://www.securityweek.com/researchers-analyze-servers-compromised-russian-hackers

    Researchers from Kaspersky Lab ICS CERT have analyzed servers compromised by the infamous threat actor known as Energetic Bear in recent years.

    Active since at least 2010, the group is also referred to as Dragonfly and Crouching Yeti, and has been mainly focused on companies in the energy and industrial sectors. Following an alert in October 2017 on ongoing attacks from the group, a March 2018 advisory from the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) linked the group to the Russian government.

    In a separate report last month, endpoint security firm Cylance revealed that the hackers compromised a Cisco router and abused it to steal credentials that allowed them to set up attacks targeting energy companies in the United Kingdom.

    The servers Kaspersky researchers analyzed are distributed worldwide: Russia, Ukraine, UK, Germany, Turkey, Greece, and the United States. Most of the compromised servers were used to launch waterhole attacks, while the remaining ones were employed for collecting user data in the waterhole attack, and some also for tool hosting.

    Reply
  9. Tomi Engdahl says:

    Former SunTrust Employee Steals Details on 1.5 Million Customers
    https://www.securityweek.com/former-suntrust-employee-steals-details-15-million-customers

    A former employee stole data on 1.5 million customers, Atlanta-based SunTrust Banks announced on Friday.

    The employee appears to have stolen data from some of the company’s contact lists, the company says. SunTrust is already informing impacted clients and is working with outside experts and coordinating with law enforcement on investigations.

    The stolen information includes names, addresses, and phone numbers, along with certain account balances, as this was the data included in the contact lists, the company confirmed.

    Personally identifying information such as social security numbers, account numbers, PINs, User IDs, passwords, or driver’s license information wasn’t included in the lists.

    Reply
  10. Tomi Engdahl says:

    Oath Pays $400,000 in Bug Bounties in One Day
    https://www.securityweek.com/oath-pays-400000-bug-bounties-one-day

    Internet media company Oath paid more than $400,000 in bounties during the H1-415 one-day HackerOne event in San Francisco, where 41 hackers from 11 countries were present.

    Reply
  11. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Attackers successfully rerouted DNS requests for myetherwallet.com, showing visitors an unsigned SSL cert and apparently taking $13K+ in Ethereum in two hours

    Hackers emptied Ethereum wallets by breaking the basic infrastructure of the internet
    https://www.theverge.com/2018/4/24/17275982/myetherwallet-hack-bgp-dns-hijacking-stolen-ethereum

    At midnight ET last night, MyEtherWallet users started noticing something odd. Connecting to the service, users were faced with an unsigned SSL certificate, a broken link in the site’s verification. It was unusual, but it’s the kind of thing web users routinely click through without thinking.

    But anyone who clicked through this certificate warning was redirected to a server in Russia, which proceeded to empty the user’s wallet. Judging by wallet activity, the attackers appear to have taken at least $13,000 in Ethereum during two hours before the attack was shut down. The attackers’ wallet already contains more than $17 million in Ethereum.

    MyEtherWallet confirmed the attack in a statement on Reddit. “We are currently in the process of verifying which servers were targeted to help resolve this issue as soon possible,” the company told users. “We advise users to run a local (offline) copy of the MyEtherWallet.”

    The attackers don’t seem to have compromised MyEtherWallet itself. Instead, they attacked the infrastructure of the internet, intercepting DNS requests for myetherwallet.com to make the Russian server seem like the rightful owner of the address. Most of the affected users were employing Google’s 8.8.8.8 DNS service. However, because Google’s service is recursive, the bad listing was likely obtained through Amazon’s “Route 53” system.

    To intercept those requests, the hackers used a technique known as BGP hijacking, which spreads bad routing information as a way of intercepting traffic in transit.

    Thus far, MyEtherWallet is the only confirmed service to have been attacked, although a number of other services were likely also affected by the redirect.

    BGP hijacking has long been known as a fundamental weakness in the internet
    DNS attacks are also common, and they were used by the Syrian Electronic Army for a string of website defacements in 2013.

    Still, it’s highly unusual for both BGP and DNS vulnerabilities to be used in concert, particularly in such a high-profile theft. “This is the largest scale attack I have seen which combines both,”

    Reply
  12. Tomi Engdahl says:

    Sarah Frier / Bloomberg:
    Facebook gives its definition of terrorism, says it took action on 1.9M pieces of ISIS and al-Qaeda content in Q1, ~2x the previous quarter, finding 99% itself

    Facebook Removes More ISIS Content by Actively Looking for It
    https://www.bloomberg.com/news/articles/2018-04-23/facebook-removes-more-isis-content-by-actively-looking-for-it

    Facebook Inc. said it was able to remove a larger amount of content from the Islamic State and al-Qaeda in the first quarter of 2018 by actively looking for it.

    The company has trained its review systems — both humans and computer algorithms — to seek out posts from terrorist groups. The social network took action on 1.9 million pieces of content from those groups in the first three months of the year, about twice as many as in the previous quarter. And, 99 percent of that content wasn’t reported first by users, but was flagged by the company’s internal systems, Facebook said Monday.

    Facebook, like Twitter Inc. and Google’s YouTube, has historically put the onus on its users to flag content that its moderators need to look at. After pressure from governments to recognize its immense power over the spread of terrorist propaganda, Facebook started about a year ago to take more direct responsibility.

    Reply
  13. Tomi Engdahl says:

    Kif Leswing / Business Insider:
    SEC says Altaba, the holding company that owns the remains of Yahoo, must pay a $35M fine to settle charges that it misled investors over 2014 hack by Russians — In 2014, Yahoo was hacked by a state-sponsored actor identified as Russia. — Investors didn’t learn about the incident until 2016.

    The remains of Yahoo just got hit with a $35 million fine because it didn’t tell investors about Russian hacking
    http://www.businessinsider.com/yahoo-hack-35-million-sec-fine-for-not-telling-investors-about-russian-hack-2018-4?op=1&r=US&IR=T&IR=T

    In 2014, Yahoo was hacked by a state-sponsored actor identified as Russia.
    Investors didn’t learn about the incident until 2016.
    The US Securities and Exchange Commission fined Altaba, the holding company that owns the remains of Yahoo, to settle accusations the company did not properly consider whether to inform investors at the time.

    Reply
  14. Tomi Engdahl says:

    Kyle Orland / Ars Technica:
    Researchers reveal seemingly unpatchable vulnerability in Nvidia Tegra chips that make all currently available Nintendo Switch consoles hackable — Newly published Tegra bootROM exploit could be a big headache for Nintendo and others. — A newly published “exploit chain” …

    The “unpatchable” exploit that makes every current Nintendo Switch hackable [Updated]
    https://arstechnica.com/gaming/2018/04/the-unpatchable-exploit-that-makes-every-current-nintendo-switch-hackable/

    Newly published Tegra bootROM exploit could be a big headache for Nintendo and others.

    A newly published “exploit chain” for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they’re calling the Fusée Gelée coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch.

    “Fusée Gelée isn’t a perfect, ‘holy grail’ exploit—though in some cases it can be pretty damned close,” Temkin writes in an accompanying FAQ.

    The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1’s USB recovery mode, circumventing the lock-out operations that would usually protect the chip’s crucial bootROM. By sending a bad “length” argument to an improperly coded USB control procedure at the right point, the user can force the system to “request up to 65,535 bytes per control request.” That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.

    On the Switch, the hardest part of the exploit seems to be forcing the system into USB recovery mode. To do this without opening the system requires shorting out a certain pin on the right Joy-Con connector

    Unpatchable?

    What makes this exploit particularly worrisome for Nintendo and other Tegra vendors is that it apparently can’t be fixed via a simple downloadable patch; the flawed bootROM in question can’t be modified once the Tegra chip leaves the factory.

    Nintendo, which has already shipped more than 14.8 million apparently vulnerable Switch systems to the public. Previous software-level exploits of Nintendo systems (including one for the Switch) could be mitigated via downloadable system updates.

    But Nintendo isn’t completely powerless in this situation. Even if and when the exploit is spread widely, Nintendo may still be able to detect “hacked” systems when they sign on to Nintendo’s servers. The company could then ban those systems from using the Switch’s online functions.

    While the potential to aid software pirates is likely of primary concern to Nintendo, there are plenty of legal and handy reasons to make use of an exploit like this.

    Why now?

    Right now, the general public’s use of this exploit is limited to a “proof of concept” python program and payload that can be used to display usually protected information from the Switch’s boot instruction ROM

    In the FAQ, Temkin says she has previously notified Nvidia and vendors like Nintendo about the existence of this exploit, providing what she considers an “adequate window [for Nvidia] to communicate with [its] downstream customers and to accomplish as much remediation as is possible for an unpatchable bootROM bug.”

    That said, Temkin writes that she’s publicizing the exploit now in part because of “the potential for a lot of bad to be done by any parties who independently discover these vulnerabilities.” There are also hints that other groups were threatening to publish a similar exploit ahead of Team ReSwitched’s planned summer rollout, forcing today’s “early” disclosure.

    Shortly after this piece went live, Fail0verflow alleged that it had been holding to “a 90-day responsible disclosure window for ShofEL2 ending on April 25.”

    https://twitter.com/fail0verflow/status/988521626319798272

    Reply
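    The bug class in the Tegra write-up above is a host-supplied transfer length that is never compared with the device buffer that receives it. The following is an added illustration, not code from the article, Nvidia or ReSwitched: the packet layout is the standard 8-byte USB setup packet, while the buffer size and the two handler shapes are hypothetical.

```python
"""Length validation for a USB control request, the check whose absence the
article describes for the Tegra X1 recovery-mode handler.

Added illustration: the packet layout is the standard USB setup packet; the
DMA buffer size and the handler functions are hypothetical, not bootROM code.
"""
import struct
from typing import Dict

# Standard 8-byte USB setup packet, little-endian:
# bmRequestType, bRequest, wValue, wIndex, wLength
SETUP_PACKET = struct.Struct("<BBHHH")
USB_DIR_OUT = 0x00    # host-to-device: data phase writes into the device buffer
USB_TYPE_VENDOR = 0x40

# Hypothetical size of the device-side buffer that receives request data.
DMA_BUFFER_SIZE = 4096


def parse_setup_packet(raw: bytes) -> Dict[str, int]:
    """Decode the fixed-layout setup packet into its named fields."""
    if len(raw) != SETUP_PACKET.size:
        raise ValueError(f"setup packet must be {SETUP_PACKET.size} bytes")
    bm_request_type, b_request, w_value, w_index, w_length = SETUP_PACKET.unpack(raw)
    return {
        "bmRequestType": bm_request_type,
        "bRequest": b_request,
        "wValue": w_value,
        "wIndex": w_index,
        "wLength": w_length,
    }


def unchecked_transfer_length(raw: bytes) -> int:
    """The flawed shape: trust wLength and hand it straight to the transfer
    engine. The field is 16 bits wide, so the host may ask for 65,535 bytes,
    far more than a few-kilobyte buffer holds."""
    return parse_setup_packet(raw)["wLength"]


def checked_transfer_length(raw: bytes, buffer_size: int = DMA_BUFFER_SIZE) -> int:
    """The hardened shape: bound the host-supplied length by the buffer that
    will receive it and refuse the request (the device would STALL) rather
    than silently accept or truncate it."""
    pkt = parse_setup_packet(raw)
    if pkt["wLength"] > buffer_size:
        raise ValueError(
            f"wLength {pkt['wLength']} exceeds DMA buffer of {buffer_size} bytes"
        )
    return pkt["wLength"]


def would_overflow(raw: bytes, buffer_size: int = DMA_BUFFER_SIZE) -> bool:
    """True when an unchecked copy of this request would run past the buffer:
    the condition a code review or fuzz harness should flag."""
    return unchecked_transfer_length(raw) > buffer_size


# Constructed packets: a normal vendor OUT request of 512 bytes, and one with
# wLength pinned to the field's maximum value.
NORMAL_REQUEST = SETUP_PACKET.pack(USB_DIR_OUT | USB_TYPE_VENDOR, 0x01, 0, 0, 512)
OVERSIZED_REQUEST = SETUP_PACKET.pack(USB_DIR_OUT | USB_TYPE_VENDOR, 0x01, 0, 0, 0xFFFF)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        try:
            print(name, "accepted", checked_transfer_length(pkt), "bytes")
        except ValueError as err:
            print(name, "rejected:", err)
```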
  15. Tomi Engdahl says:

    Jenna McLaughlin / CNN:
    CIA says foreign spies in about 30 countries use digital surveillance to monitor agents and that it is pursuing ~140 AI projects to help agents evade cameras

    CIA agents in ‘about 30 countries’ being tracked by technology, top official says
    https://edition.cnn.com/2018/04/22/politics/cia-technology-tracking/

    But the CIA is spying back, she said. As of six months ago, the agency has been pursuing nearly 140 artificial intelligence projects.

    When fitness company Strava published data from users wearing fitness trackers, including near potentially classified sites and war zones, military and intelligence agencies expressed concern about the digital footprints left by their employees.

    “Even if you turn your phone off 10 minutes before you get to your place of employment, do you think anyone’s fooled by where you’re going?” Meyerriecks asked, not referring specifically to the Strava incident.

    That is forcing CIA officials to “live their cover” even more than before, she said — and take steps to trick the digital trackers. Meyerriecks didn’t elaborate on how they might fool the technology, but officials could potentially fake their location digitally, or “spoof” it, a growing area of research. They could also possibly leave devices in other locations intentionally.

    Reply
  16. Tomi Engdahl says:

    Thomas Fox-Brewster / Forbes:
    Symantec: hacker group called Orangeworm is targeting equipment in US healthcare, like X-Ray and MRI machines, as well as manufacturing, agriculture, IT devices

    Advanced Hackers Infect X-Ray Machines In Healthcare Espionage
    https://www.forbes.com/sites/thomasbrewster/2018/04/23/x-ray-machines-taken-over-by-healthcare-hackers/#3cb360e644c8

    Yet another hacker crew has been battering the healthcare industry in recent months. But rather than just aim for the PCs, it’s also gotten footholds on the computers controlling X-Ray, MRI and other medical machines, according to a report from Symantec on Thursday.

    The hacker group, dubbed Orangeworm, is mainly targeting American healthcare organizations, though there are a number of victims worldwide, including in Asia and Europe. But rather than do anything destructive, Orangeworm is likely using leverage on those medical devices – designed to process and view images from X-Ray and MRI machines – to learn more about them as part of an ongoing corporate espionage operation, Symantec said.

    “Due to the fact that the attacks attempted to keep infections active for long periods of time on these devices, it’s more likely the group are interested in learning how these devices operate. We have not collected any evidence to suggest the attackers have planned to perform any sabotage type activities at this time,” said Alan Neville, Symantec researcher.

    That’s not to say the attackers couldn’t carry out more aggressive attacks.

    But Orangeworm hasn’t just targeted healthcare. Secondary targets included manufacturing, information technology, agriculture and logistics. Many had links to the healthcare industry, Symantec added.

    The researchers haven’t been able to track down Orangeworm’s nationality.

    This isn’t the first time hackers have found their way onto medical devices. Back when the WannaCry ransomware hit hospitals across the world, it found its way onto Bayer Medrad radiology equipment.
    And cybersecurity researchers have long warned about the vulnerability of medical machines, with even pacemakers and insulin pumps easily prized open by researchers.

    Reply
  17. Tomi Engdahl says:

    Safe Browsing Now On by Default on Android
    https://www.securityweek.com/safe-browsing-now-default-android

    Google is taking another step to protect Android users when browsing the Internet by making Safe Browsing in WebView set by default.

    Launched in 2007, Google Safe Browsing was designed as an extra layer of protection against phishing and malware attacks, and is available for all users across the web. According to Google, the technology delivers protection to more than three billion devices.

    Over the past several years, the search giant has made various improvements to Safe Browsing, and also made the technology available to Android and macOS. Safe Browsing also includes protections from unwanted software across both desktop and mobile platforms.

    Reply
  18. Tomi Engdahl says:

    New Tool Detects Evil Maid Attacks on Mac Laptops
    https://www.securityweek.com/new-tool-detects-evil-maid-attacks-mac-laptops

    A security researcher has developed a simple tool that helps Mac laptop owners detect unauthorized physical access to their device, also known as an evil maid attack, by monitoring its lid.

    The free tool, named DoNotDisturb (DND), was created by Patrick Wardle, co-founder and chief research officer at enterprise macOS security company Digita Security.

    Leaving a laptop unattended – for example, leaving it in the hotel room while traveling – puts the device at risk of evil maid attacks. An attacker who has physical access to the targeted device may steal data from it or install malicious software without leaving any obvious evidence behind.

    The DND tool attempts to address this issue on Mac laptops by monitoring lid events. A majority of evil maid attacks require the attacker to open the device’s lid. However, there are some types of physical attacks that do not require opening the device’s lid, and the tool works based on the premise that the user closes the device’s lid when leaving it unattended.

    Reply
  19. Tomi Engdahl says:

    $35 Million Penalty for Not Telling Investors of Yahoo Hack
    https://www.securityweek.com/35-million-penalty-not-telling-investors-yahoo-hack

    US securities regulators on Tuesday announced that Altaba will pay a $35 million penalty for not telling them hackers had stolen Yahoo’s “crown jewels.”

    The 2014 breach blamed on Russian hackers affected hundreds of millions of Yahoo accounts, with stolen ‘crown jewel’ data including usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions, according to the Securities and Exchange Commission.

    While Yahoo discovered the data breach quickly, it remained mum about it until more than two years later when it was being acquired by telecom giant Verizon Communications, the SEC case maintained.

    “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach,” SEC San Francisco regional office director Jina Choi said in a release.

    Reply
  20. Tomi Engdahl says:

    Closing the Gaps that Result in Compromised Credentials
    https://www.securityweek.com/closing-gaps-result-compromised-credentials

    Closing Gaps in Credential Security Requires Awareness of What Gaps Exist and How to Mitigate Them

    On March 23rd, 2018, the United States brought charges against nine Iranians for their alleged state-sponsored attacks against 100,000 university professors worldwide, and in the US. The attackers’ target was “valuable intellectual property and data”, but their tactic was the compromising of email accounts using spear phishing attacks.

    Separately, in January 2018, VeriClouds released the results of research that indicated that 2.7 million credentials of Fortune 500 employees were compromised and available for sale at an average of 2.3 data sources on the dark web. That constitutes 10% of all employed by the Fortune 500.

    The Fortune 500 were just the tip of the iceberg, though. On December 5th 2017, 4iQ shared that a database of 1.4 billion credentials were found on the dark web. Going further back to last April, the 2017 Verizon Data Breach Investigation Report found that 81% of breaches in the previous year leveraged either stolen and/or weak passwords.

    Notice a theme?

    All this leads to the question – what can we do to close the gaps in credential security?

    Reply
  21. Tomi Engdahl says:

    Vlad Savov / The Verge:
    Google rolls out a visual and security revamp of Gmail with confidential mode, email snoozing, nudging for time-sensitive emails, 2FA per message, IRM, more — Snoozing, nudging, hover actions, and a new sidebar — it’s a mobile app on the web! — The world’s most popular email service is getting a big overhaul today.

    Gmail’s biggest redesign is now live
    https://www.theverge.com/2018/4/25/17277360/gmail-redesign-live-features-google-update

    Snoozing, nudging, hover actions, and a new sidebar — it’s a mobile app on the web!

    Reply
  22. Tomi Engdahl says:

    Hackers emptied Ethereum wallets by breaking the basic infrastructure of the internet
    https://www.theverge.com/2018/4/24/17275982/myetherwallet-hack-bgp-dns-hijacking-stolen-ethereum

    Reply
  23. Tomi Engdahl says:

    Hijack of Amazon’s internet domain service used to reroute web traffic for two hours unnoticed
    https://doublepulsar.com/hijack-of-amazons-internet-domain-service-used-to-reroute-web-traffic-for-two-hours-unnoticed-3a6f0dda6a6f

    Between 11am until 1pm UTC today, DNS traffic — the phone book of the internet, routing you to your favourite websites — was hijacked by an unknown actor.

    The attackers used BGP — a key protocol used for routing internet traffic around the world — to reroute traffic to Amazon’s Route 53 service, the largest commercial cloud provider, which counts major websites such as Twitter.com as customers.

    They re-routed DNS traffic using a man in the middle attack using a server at Equinix in Chicago.

    Reply
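    Both the MANRS piece (comment 7) and the MyEtherWallet/Route 53 reports (comments 11 and 23) come down to networks accepting route announcements with no check on who is allowed to originate a prefix. Below is an added example, not code from the Internet Society or any of the articles, of Route Origin Validation in the style of RFC 6811 run over a batch of announcements; every prefix, ASN and ROA in it is constructed from documentation and private-use ranges, since the articles give none.

```python
"""Route Origin Validation (ROV) over received BGP announcements.

Added illustration: the ROAs, prefixes and ASNs are constructed from
documentation (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32) and private-use
ASN ranges; they are not the real Route 53 or hijacker numbers."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_asn may originate `prefix` and any
    more-specific of it down to `max_length` bits."""
    prefix: str
    max_length: int
    origin_asn: int

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


def validate_route(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Classify one announced route as 'Valid', 'Invalid' or 'NotFound'.

    NotFound: no ROA covers the prefix, so ROV has nothing to say.
    Valid:    a covering ROA names this origin and the announced prefix is no
              more specific than that ROA's max_length.
    Invalid:  ROAs cover the prefix but none matches, either a wrong origin or
              a more-specific the holder never authorised. A more-specific is
              the classic hijack shape: a /25 wins best-path selection over the
              legitimate /24, so traffic for the whole block follows it."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [
        roa for roa in roas
        if roa.network().version == net.version and net.subnet_of(roa.network())
    ]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def audit_announcements(
    announcements: Iterable[Tuple[str, int]], roas: Iterable[ROA]
) -> List[Tuple[str, int, str]]:
    """Run ROV over (prefix, origin_asn) pairs and return those that are not
    Valid: the rows a route-monitoring alert would carry. NotFound rows are
    kept too, because an unregistered prefix cannot be defended by ROV."""
    roas = list(roas)
    findings = []
    for prefix, asn in announcements:
        state = validate_route(prefix, asn, roas)
        if state != "Valid":
            findings.append((prefix, asn, state))
    return findings


# Constructed ROAs: AS64500 holds 203.0.113.0/24 and may announce nothing more
# specific than the /24; AS64501 holds 2001:db8::/32 down to /48.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64501),
]

# Constructed announcements, as a route collector might see them mid-incident.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),    # legitimate holder, exact prefix
    ("203.0.113.0/25", 64666),    # more-specific from a foreign AS: hijack shape
    ("203.0.113.0/25", 64500),    # right origin, but longer than authorised
    ("2001:db8:1::/48", 64501),   # within max_length: fine
    ("198.51.100.0/24", 64502),   # no ROA at all
]

if __name__ == "__main__":
    for prefix, asn, state in audit_announcements(ANNOUNCEMENTS, ROAS):
        print(f"{state:8s} {prefix} originated by AS{asn}")
```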
  24. Tomi Engdahl says:

    Justin Baragona / Contemptor:
    Infosec expert for Joy Reid says significant evidence exists that her old blog was compromised and some recently circulated posts were not on site at any time — Earlier this week, Mediaite published a bombshell report on the discovery of a large number of homophobic posts that had been discovered …

    Joy Reid’s Cyber-Security Expert: ‘Significant Evidence’ Her Old Blog Was ‘Compromised’
    http://contemptor.com/2018/04/24/joy-reids-cyber-security-expert-significant-evidence-her-old-blog-was-compromised/

    Reid’s expert has responded to allegations the MSNBC host wrote a number of homophobic posts on her defunct blog.

    Earlier this week, Mediaite published a bombshell report on the discovery of a large number of homophobic posts that had been discovered on MSNBC host Joy Reid’s now-defunct blog, The Reid Report. The blog posts were different than the ones on former Florida Governor Charlie Crist that surfaced this past December, posts that Reid had already apologized for.

    Reid provided a statement to Mediaite in which she said the posts had been “fabricated” and the “manipulated material seems to be part of an effort to taint my character with false information by distorting a blog that ended a decade ago.” She also noted she was working with a cyber-security expert.

    On Tuesday, the Internet Archive published a blog post stating that they saw no evidence that supported Reid’s claims that her blog was hacked.

    We discovered that login information used to access the blog was available on the Dark Web and that fraudulent entries – featuring offensive statements – were entered with suspicious formatting and time stamps. The posts included hate speech targeting marginalized communities and Ms. Reid has been explicit in condemning them.

    However, we have significant evidence indicating that not only was Ms. Reid’s old blog compromised, some of the recently circulated posts were not even on the site at any time, suggesting that these instances may be the result of screenshot manipulation with the intent to tarnish Ms. Reid’s character.

    Reply
  25. Tomi Engdahl says:

    Microsoft Releases More Microcode Patches for Spectre Flaw
    https://www.securityweek.com/microsoft-releases-more-microcode-patches-spectre-flaw

    Microsoft this week released another round of software and microcode updates designed to address the CPU vulnerability known as Spectre Variant 2.

    Microsoft has been releasing software mitigations for the Spectre and Meltdown vulnerabilities since January, shortly after researchers disclosed the flaws.

    A new standalone security update (4078407) enables by default the mitigations against Spectre Variant 2 in all supported versions of Windows 10 and Windows Server 2016. Alternatively, advanced users can manually enable these mitigations through registry settings.

    Reply
  26. Tomi Engdahl says:

    Drupal Patches New Flaw Related to Drupalgeddon2
    https://www.securityweek.com/drupal-patches-new-flaw-related-drupalgeddon2

    Drupal developers have released updates for versions 7 and 8 of the content management system (CMS) to address a new vulnerability related to the recently patched flaw known as Drupalgeddon2.

    The new vulnerability, tracked as CVE-2018-7602, has been described as a highly critical issue that can be exploited for remote code execution. The flaw has been patched with the release of versions 7.59, 8.4.8 and 8.5.3.

    Reply
  27. Tomi Engdahl says:

    Internet Exposure, Flaws Put Industrial Safety Controllers at Risk of Attacks
    https://www.securityweek.com/internet-exposure-flaws-put-industrial-safety-controllers-risk-attacks

    SINGAPORE — SECURITYWEEK 2018 ICS CYBER SECURITY CONFERENCE | SINGAPORE — Researchers have discovered a potentially serious vulnerability in industrial safety controllers and a significant number of the impacted devices are directly exposed to the Internet, making it easy for malicious actors to launch attacks and possibly cause damage.

    Safety systems are designed to prevent incidents in industrial environments by restoring processes to a safe state or shutting them down if parameters indicate a potentially hazardous situation. While these devices play an important role in ensuring physical safety, they can and have been targeted by malicious hackers. The best example is the Triton/Trisis/Hatman attack, which leveraged a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers.

    Researchers at industrial cybersecurity firm Applied Risk have analyzed safety controllers from several major vendors, including Siemens, ABB, Rockwell Automation’s Allen Bradley, Pilz, and Phoenix Contact.

    The research is ongoing, but they have identified a denial-of-service (DoS) flaw that may affect several products.

    Reply
  28. Tomi Engdahl says:

    Authorities Take Down Largest DDoS Services Marketplace
    https://www.securityweek.com/authorities-take-down-largest-ddos-services-marketplace

    The world’s largest marketplace for selling Distributed Denial of Service (DDoS) attacks, was taken down this week following a complex joint operation, authorities announced.

    The site, Webstresser.org, offered DDoS for hire services for as little as $14.99 per month, and had over 136,000 registered users and 4 million attacks measured as of April 2018. The service was available to any wannabe criminal, and didn’t require technical knowledge to launch crippling DDoS attacks across the world.

    Reply
  29. Tomi Engdahl says:

    Casino’s Aquarium Leaks High Rollers’ Personal Data
    Posted by Robert Vamosi on April 17, 2018
    https://blogs.synopsys.com/from-silicon-to-software/2018/04/17/casinos-aquarium-leaks-high-rollers-personal-data/

    It might have been a deleted scene from one of the Ocean’s Eleven movies. Data thieves hack into a major casino. They attack not through the main but a secondary network and, once inside, bootstrap their way into other parts of the casino network until they get lucky and find a cache of sensitive data that they proceed to steal.

    Unfortunately, the above scenario has happened in the real world.

    Speaking at the Wall Street Journal CEO Council in London last Thursday Nicole Eagan, the CEO of cybersecurity company Darktrace, retold the story of how an aquarium thermometer in an unnamed North American casino’s lobby contained an exploitable vulnerability that allowed remote attackers to get onto the casino’s corporate network. “They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud,” she said during the panel discussion.

    The story about the casino was widely reported last summer. “Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,”

    “There’s a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices,” Eagan said on Thursday. “There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.”

    In general, internet connected devices are very basic by design. Beyond using basic Wi-Fi protocols, which encrypt data in transit, IoT devices do not have very sophisticated security. Nor do many of them allow for updates and upgrades of their firmware or software. This creates a challenge: If a vulnerability were found, how would the vendor push out a fix? And, sadly, how many IoT vendors even bother to continue their software development lifecycle beyond release?

    Reply
  30. Tomi Engdahl says:

    Microsoft sends e-waste recycler to PRISON for a YEAR!
    https://www.youtube.com/watch?v=FaoJErxYLtM

    Reply
  31. Tomi Engdahl says:

    Game Decides if Students Are Fit for Cybersecurity-Related Jobs
    https://www.eeweb.com/profile/nicole-digiose/articles/game-decides-if-students-are-fit-for-cybersecurity-related-jobs

    Due to the lack of youth taking an interest in IT and computer security, either as a hobby or a potential career path, the U.S. is facing a shortage of skilled cybersecurity professionals. As an attempt to overcome this challenge, SANS Institute, a cyber security training provider, has created CyberStart, a project that offers a suite of challenges, tools, and games aimed at introducing young people to the field of cybersecurity.

    Introducing students to Linux, programming, web attacks, binary attacks, cryptography, and forensics via gamification and game-design techniques, CyberStart is accessible to those without any previous cybersecurity knowledge. What’s more, it spans various skill levels and players can log in from home, school, or wherever they have internet access to play.

    So how does it work? By accessing over 300 hours of content, players drive and measure their progress as they work through challenges by themselves.

    https://www.youtube.com/watch?v=Ivjj3DGyGQY

    Reply
  32. Tomi Engdahl says:

    Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-004
    https://www.drupal.org/sa-core-2018-004

    A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

    Reply
  33. Tomi Engdahl says:

    LEAK: British EU Commissioner: ID check & prior approval for online posts
    By Joe McNamee
    https://edri.org/leak-british-eu-commissioner-id-check-prior-approval-online-posts/

    In a letter to Commissioner Mariya Gabriel obtained by EDRi, the British European Commissioner, Sir Julian King, makes it clear that, not alone does he no longer find it acceptable that people should be able to communicate online without prior approval, he also objects to people communicating without being identified. Commissioner King is pushing the European Union towards an internet where freedom of expression is strangled by filtering and ID checks.

    Reply
  34. Tomi Engdahl says:

    If You Use Your Web Browser’s Incognito Mode We’ve Got Bad News
    http://www.iflscience.com/technology/if-you-use-your-web-browsers-incognito-mode-weve-got-bad-news-/

    We’ve got bad news for all those who use their web browser’s private browsing mode – such as Chrome’s Incognito Mode – in order to covertly Google their poop-related medical questions, search for other jobs while at work, or, as is most likely the case – look at porn.

    Firstly, none of the private modes offered by the major browsers can protect your online history from being viewed by Internet service providers or government agencies, block third-party groups from tracking your activity or determining your geographical location, nor prevent viruses and malware from infecting your computer. Instead, the modes are designed to simply stop cookies and autofill details from being saved on the user’s local device.

    And secondly, while these limitations are not actually newsworthy in and of themselves

    Reply
  35. Tomi Engdahl says:

    IS web media targeted in EU-led attack
    http://www.bbc.com/news/world-europe-43921120?SThisFB

    The EU police agency Europol says an international operation has struck a major blow against the internet propaganda of the Islamic State group.

    Cyber specialists in various European countries, Canada and the US targeted online sites including the Amaq News Agency, seen as the main IS mouthpiece.

    Europol co-ordinated a “simultaneous multinational takedown” of IS media, seizing digital evidence and servers. IS jihadists may now be identified.

    IS broadcasts in several languages.

    International operations have targeted Amaq web systems previously.

    Europol’s head, Rob Wainwright, said the latest operation had “punched a big hole” in IS’s capability to spread propaganda and radicalise young people.

    Reply
  36. Tomi Engdahl says:

    Dutch Police Shut Notorious ‘Revenge Porn’ Site, Three Arrested
    https://www.securityweek.com/dutch-police-shut-notorious-revenge-porn-site-three-arrested

    Dutch police said Thursday they have arrested three men for stealing explicit pictures of girls and young women from their cloud data, and shut down a globally notorious “revenge porn” site.

    After a year-long complex cyber-crime investigation following a complaint by a woman in March 2017, the police and prosecution service said they had found “enormous amounts of women’s personal data and images” on the three men’s phones and computers.

    “With the confiscation of a server, the police have taken a hackers forum offline,” they said in a statement identifying the forum as Anon-IB.

    Reply
  37. Tomi Engdahl says:

    Amazon Alexa Can Be Used for Snooping, Researchers Say
    https://www.securityweek.com/amazon-alexa-can-be-used-snooping-researchers-say

    Amazon’s Alexa cloud-based virtual assistant for Amazon Echo can be abused to eavesdrop on users, Checkmarx security researchers have discovered.

    Present on more than 31 million devices around the world, Alexa enables user interaction after a wake-up word (specifically, “Alexa”) activates it. Next, the Intelligent Personal Assistant (IPA) launches the requested capability or application – called a skill, it either comes built-in or is installed from the Alexa Skills Store.

    Checkmarx researchers built a malicious skill application capable of recording user’s speech in the background and then exfiltrating the recording, all without alerting the user.

    Because of the required wake-up word, the recording would have to be performed after the activation. However, the listening session would normally end after a response is delivered to the user, to protect privacy, yet the researchers found a way to keep the session alive and to hide that from the user.

    A shouldEndSession flag allows a session to stay alive for another cycle, after reading back the service’s text as a response. However, reading back the text would reveal to the user that the device is still listening.

    Reply
  38. Tomi Engdahl says:

    Mozilla Adding New CSRF Protection to Firefox
    https://www.securityweek.com/mozilla-adding-new-csrf-protection-firefox

    Mozilla announced this week that the upcoming Firefox 60 will introduce support for the same-site cookie attribute in an effort to protect users against cross-site request forgery (CSRF) attacks.

    CSRF attacks allow malicious actors to perform unauthorized activities on a website on behalf of authenticated users by getting them to visit a specially crafted webpage. These types of attacks leverage the fact that every request to a website includes cookies and many sites rely on these cookies for authentication purposes.

    Mozilla has pointed out that the current web architecture does not allow websites to reliably determine if a request has been initiated legitimately by the user or if it comes from a third-party script.

    “To compensate, the same-site cookie attribute allows a web application to advise the browser that cookies should only be sent if the request originates from the website the cookie came from,”

    Reply
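    The SameSite decision described above, as an added example that is not part of the original post or of Mozilla’s code: a small model of the browser-side check that decides whether a cookie is attached to a request, run against a constructed CSRF scenario (a third-party page auto-submitting a POST to a site the user is logged in to). Host names, the toy eTLD+1 rule, and the request shapes are assumptions.

```javascript
// Added example, not from the article or Firefox: models how a browser
// applies the SameSite cookie attribute (Strict / Lax / None) to a request.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Toy "site" reduction: assumes single-label public suffixes (.example, .com).
// A real browser consults the Public Suffix List instead.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Same-site when initiator and target share a registrable domain.
function isSameSite(initiatorHost, targetHost) {
  return registrableDomain(initiatorHost) === registrableDomain(targetHost);
}

/**
 * cookie.sameSite: "Strict" | "Lax" | "None"; undefined is treated as "None",
 *   i.e. the pre-SameSite behaviour where every request carries the cookie.
 * request.initiator: host of the page that caused the request
 * request.target:    host the request goes to
 * request.method:    HTTP method
 * request.topLevelNavigation: true for link clicks / form submissions that
 *   change the top-level page; false for fetch/XHR, images, framed content.
 */
function shouldSendCookie(cookie, request) {
  const mode = cookie.sameSite || "None";
  if (mode === "None") return true;                          // legacy: always sent
  if (isSameSite(request.initiator, request.target)) return true;
  if (mode === "Strict") return false;                       // never cross-site
  // Lax: cross-site only on top-level navigations with a safe method.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method);
}

// Constructed scenario: user is logged in to bank.example; a page on
// thirdparty.example auto-submits a POST form to bank.example (CSRF).
const sessionLegacy = { name: "session", sameSite: undefined };
const sessionLax    = { name: "session", sameSite: "Lax" };
const sessionStrict = { name: "session", sameSite: "Strict" };

const csrfPost = { initiator: "thirdparty.example", target: "bank.example",
                   method: "POST", topLevelNavigation: true };
const linkClick = { initiator: "news.example", target: "bank.example",
                    method: "GET", topLevelNavigation: true };
const sameSiteXhr = { initiator: "app.bank.example", target: "bank.example",
                      method: "POST", topLevelNavigation: false };

// Returns the outcome for each cookie mode so the effect of SameSite is visible.
function demo() {
  return {
    legacyCsrf:  shouldSendCookie(sessionLegacy, csrfPost),   // true: forged POST authenticated
    laxCsrf:     shouldSendCookie(sessionLax, csrfPost),      // false: CSRF blocked
    laxLink:     shouldSendCookie(sessionLax, linkClick),     // true: links still log you in
    strictLink:  shouldSendCookie(sessionStrict, linkClick),  // false: even links arrive logged out
    sameSiteXhr: shouldSendCookie(sessionStrict, sameSiteXhr) // true: same site, unaffected
  };
}
```

Lax keeps the login working for ordinary links while refusing the cookie on cross-site POSTs, which is why it is the usual choice for session cookies.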
  39. Tomi Engdahl says:

    Researchers Dissect Tool Used by Infamous Russian Hacker Group
    https://www.securityweek.com/researchers-dissect-tool-used-infamous-russian-hacker-group

    ESET security researchers have taken a deep dive into one of the tools heavily used by the Russian threat actor Sofacy over the past couple of years.

    Dubbed Zebrocy, the tool serves as a first-stage malware in attacks and is comprised of a Delphi downloader, an AutoIt downloader and a Delphi backdoor. Used in multiple attacks, the malicious program often acts as a downloader for the actor’s main backdoor, Xagent.

    Also referred to as APT28, Fancy Bear, Pawn Storm, Sednit, and Strontium, and active since around 2007, the group is focused on cyber espionage and has hit government, military, and defense organizations worldwide.

    Supposedly the actor behind attacks targeting the 2016 presidential election in the United States, Sofacy has been known to target Ukraine and NATO countries, and has recently switched focus to targets in Asia.

    Coexisting with another Sofacy first-stage tool, Seduploader, the Zebrocy malware has been used in attacks against victims in Azerbaijan, Bosnia and Herzegovina, Egypt, Georgia, Iran, Kazakhstan, Korea, Kyrgyzstan, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay and Zimbabwe, ESET reveals.

    Zebrocy is usually delivered via emails carrying malicious attachments and users are lured into opening them. These are either Microsoft Office documents that deliver the payload via VBA macros, exploits, or Dynamic Data Exchange (DDE), or archives containing executables with an icon and a document-like filename.

    Sednit update: Analysis of Zebrocy
    Zebrocy heavily used by the Sednit group over last two years
    https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/

    Reply
  40. Tomi Engdahl says:

    Western Digital Cloud Storage Device Exposes Files to All LAN Users
    https://www.securityweek.com/western-digital-cloud-storage-device-exposes-files-all-lan-users

    The default configuration on the new Western Digital My Cloud EX2 storage device allows any user on the network to retrieve files via HTTP requests, Trustwave has discovered.

    WD’s My Cloud represents a highly popular storage/backup device option, allowing users to easily backup important data (including documents, photos, and media files) and store it on removable media.

    The new drive, however, exposes data to any unauthenticated local network user, because of a Universal Plug and Play (UPnP) media server that the device automatically starts when powered on.

    By default, it allows any user capable of sending HTTP requests to the drive to grab any files from the device. Thus, any permissions or restrictions set by the owner or administrator are completely bypassed, Trustwave’s security researchers warn.

    Reply
  41. Tomi Engdahl says:

    France seizes France.com from man who’s had it since ‘94, so he sues
    Jean-Noël Frydman: “If it happened to me, it can happen to anyone.”
    https://arstechnica.com/tech-policy/2018/04/france-seizes-france-com-from-man-whos-had-it-since-94-so-he-sues/?comments=1

    A French-born American has now sued his home country because, he claims, the Ministry of Foreign Affairs has illegally seized a domain that he’s owned since 1994: France.com.

    In the mid-1990s, Jean-Noël Frydman bought France.com from Web.com and set up a website to serve as a “digital kiosk” for Francophiles and Francophones in the United States.

    For over 20 years, Frydman built up a business (also known as France.com), often collaborating with numerous official French agencies, including the Consulate General in Los Angeles and the Ministry of Foreign Affairs.

    However, sometime around 2015, that very same ministry initiated a lawsuit in France in an attempt to wrest control of the France.com domain away from Frydman.

    By September 2017, the Paris Court of Appeals ruled that France.com was violating French trademark law. Armed with this ruling, lawyers representing the French state wrote to Web.com demanding that the domain be handed over.

    Finally, on March 12, 2018, Web.com abruptly transferred ownership of the domain to the French Ministry of Foreign Affairs. The company did so without any formal notification to Frydman and no compensation.

    On April 19, Frydman filed a federal lawsuit in Virginia in an attempt to get his domain name back. The suit names the French Republic, Atout France (a government tourism agency), the Ministry of Foreign Affairs, the minister himself (Jean-Yves Le Drian), and VeriSign as defendants.

    Web.com, the original registrar, is not a party to the lawsuit.

    The lawsuit accuses France of cybersquatting France.com and “reverse domain-name hijacking,” among other allegations.

    Reply
  42. Tomi Engdahl says:

    Chinese government admits collection of deleted WeChat messages
    https://techcrunch.com/2018/04/30/chinese-government-admits-collection-of-deleted-wechat-messages/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    Chinese authorities revealed over the weekend that they have the capability of retrieving deleted messages from the almost universally used WeChat app. The admission doesn’t come as a surprise to many, but it’s rare for this type of questionable data collection tactic to be acknowledged publicly.

    As noted by the South China Morning Post, an anti-corruption commission in Hefei province posted Saturday to social media that it has “retrieved a series of deleted WeChat conversations from a subject” as part of an investigation.

    Reply
  43. Tomi Engdahl says:

    IRS Warned Congress of “Catastrophic System Failure” Six Months Before Tax Day Outage
    https://spectrum.ieee.org/riskfactor/computing/it/irs-predicted-tax-filing-failure

    On 17 April 2018, the final day for U.S. citizens to file 2017 tax returns, the U.S. Internal Revenue Service (IRS) suffered a major system failure related to the hardware supporting its 58-year old, 20-million line Cobol-based Individual Master File system (pdf) which is still being used today to process the vast majority of individual tax returns. As a result of the failure, the IRS extended by a day the filing due date.

    Reply
  44. Tomi Engdahl says:

    The Pentagon is working on a radio wave weapon that stops a speeding car in its tracks
    https://techcrunch.com/2018/04/30/pentagon-radio-frequency-vehicle-stopper/?utm_source=tcfbpage&sr_share=facebook

    Vehicular terrorism is on the rise, but technology under development by the U.S. Department of Defense could save lives by disabling a weaponized car before it ever reaches its target. The Pentagon’s Joint Non-Lethal Weapons Program (JNLWD) is working on a device called a Radio Frequency Vehicle Stopper to address the prevalence of vehicle-based attacks targeting civilians, Defense One reports.

    Reply
