Cyber security May 2018

This posting is here to collect security alert news in May 2018.

I post links to security vulnerability news to comments of this article.

 

Security And Privacy

269 Comments

  1. Tomi Engdahl says:

    Evan Hill / BuzzFeed:
    Tech firms and governments can’t be trusted to preserve digital history, which adds import to the role of new archives like the Egyptian 858 and Syrian Archive

    Silicon Valley Can’t Be Trusted With Our History
    https://www.buzzfeed.com/evanhill/silicon-valley-cant-be-trusted-with-our-history?utm_term=.cb0a1G9mX#.ib3zng6pB

    We create almost everything on the internet, but we control almost none of it.

    Reply
  2. Tomi Engdahl says:

    Facebook Is Investigating a Claim That an Employee Used His Position to Stalk Women
    https://motherboard.vice.com/en_us/article/kzxdny/facebook-investigating-employee-stalking-women-online

    On Monday, a member of the information security community said they passed Facebook details concerning a security engineer allegedly using their work position to stalk women.

    Reply
  3. Tomi Engdahl says:

    Flawed routers with hardcoded passwords were manufactured by firm that posed “national security risk” to UK
    https://hotforsecurity.bitdefender.com/blog/flawed-routers-with-hardcoded-passwords-were-manufactured-by-firm-that-posed-national-security-risk-to-uk-19821.html?utm_source=SMGlobal&utm_medium=Facebook&utm_campaign=H4S

    Earlier this month the UK’s National Cyber Security Centre (NCSC) issued a warning to telecoms firms about the potential risks posed by devices manufactured by Chinese state-owned enterprise ZTE.

    “NCSC assess that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated,” said Dr Ian Levy, technical director of the NCSC.

    At the same time, ZTE, which is headquartered in the city of Shenzhen, was fined over one billion dollars and banned from importing American components for seven years, after illegally shipping telecoms equipment to Iran and North Korea in violation of regulations, and misleading the US Department of Commerce.

    Reply
  4. Tomi Engdahl says:

    Privilege Escalation Bug Lurked in Linux Kernel for 8 Years
    https://www.securityweek.com/privilege-escalation-bug-lurked-linux-kernel-8-years

    A security vulnerability in a driver leading to local privilege escalation in the latest Linux Kernel version was introduced 8 years ago, Check Point reveals.

    The security flaw provides a local user with access to a vulnerable privileged driver with the possibility to read from and write to sensitive kernel memory. Tracked as CVE-2018-8781, the vulnerability could be exploited to escalate local privileges, Check Point’s researchers say.

    The bug impacts the internal mmap() function defined in the fb_helper file operations of the “udl” driver of “DisplayLink” and was discovered using a simple search.

    Because drivers commonly implement their own version of file operation functions, they are prone to implementation errors, and the discovery of this vulnerability is proof of that.

    According to Check Point, there are three checks that should be performed: Region start: 0 <= offset < buffer’s end; Region end: buffer’s start <= offset + length <= buffer’s end; and Region start <= Region End.

    The vulnerability was verified on an Ubuntu 64-bit virtual machine where a simulated vulnerable driver was uploaded. The driver’s mmap() handler included the implementation to check in each test.

    Additional checks revealed that it is possible for the user to read and write from/to the mapped pages. Thus, an attacker could eventually trigger code execution in kernel space, the researchers explain.

    The vulnerability was disclosed to the Linux Kernel on March 18 and a patch was issued the same day. After the patch was verified, the official Linux patch was issued for CVE-2018-8781 on March 21 and was integrated to the Linux Kernel the same day.

    Reply
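The three range checks Check Point lists above, as an added example that is not code from the article or from the Linux udl driver: a constructed naive check that adds offset and length first, beside one that applies all three checks in an order where no intermediate value can wrap. Function names, the buffer size and the page size are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A driver's mmap() handler maps [offset, offset + length) of a fixed
 * buffer [0, buf_len). Everything below is constructed for illustration
 * and is not the udl driver's code. */

/* Naive check: computes offset + length first. With a huge offset the sum
 * wraps around, so a region far outside the buffer can look in-bounds. */
static bool mmap_range_ok_naive(uint64_t offset, uint64_t length,
                                uint64_t buf_len)
{
    return offset + length <= buf_len;
}

/* Same decision using the three checks from the article, ordered so that
 * no intermediate value can overflow or underflow. */
static bool mmap_range_ok(uint64_t offset, uint64_t length, uint64_t buf_len)
{
    /* 1. Region start: 0 <= offset < buffer's end (offset is unsigned,
     *    so the lower bound is implicit). */
    if (offset >= buf_len)
        return false;

    /* 2. Region end: buffer's start <= offset + length <= buffer's end.
     *    Rewritten as length <= buf_len - offset; the subtraction cannot
     *    underflow because check 1 established offset < buf_len. */
    if (length > buf_len - offset)
        return false;

    /* 3. Region start <= region end. Check 2 guarantees offset + length
     *    does not wrap and length is unsigned, so this holds here. */
    return true;
}

/* Pages a validated request touches (rounded up); 0 when the request is
 * rejected, so a caller cannot start mapping an invalid region. */
static uint64_t mmap_pages_to_map(uint64_t offset, uint64_t length,
                                  uint64_t buf_len, uint64_t page_size)
{
    if (!mmap_range_ok(offset, length, buf_len))
        return 0;
    return (length + page_size - 1) / page_size;
}

int main(void)
{
    uint64_t buf_len = 8192;                 /* constructed buffer size */
    uint64_t wrap = UINT64_MAX - 4095;       /* offset that wraps the sum */

    printf("naive check accepts wrapping offset: %d\n",
           mmap_range_ok_naive(wrap, 8192, buf_len));
    printf("three-step check rejects it:         %d\n",
           !mmap_range_ok(wrap, 8192, buf_len));
    printf("pages for offset 4096, length 4096:  %llu\n",
           (unsigned long long)mmap_pages_to_map(4096, 4096, buf_len, 4096));
    return 0;
}
```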
  5. Tomi Engdahl says:

    Hackers Target Poorly Patched Oracle WebLogic Flaw
    https://www.securityweek.com/hackers-target-poorly-patched-oracle-weblogic-flaw

    Hackers have been scanning the Internet for Oracle WebLogic Server installations that can be taken over using a recently addressed vulnerability. While patched systems should be protected against attacks, experts claim the fix implemented by Oracle can be bypassed.

    One of the 254 issues resolved by Oracle with its April 2018 CPU is CVE-2018-2628, a critical remote command execution flaw affecting versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 of the Oracle WebLogic Server (Fusion Middleware) Java EE application server.

    Reply
  6. Tomi Engdahl says:

    Amazon Boosts Domain Protections in CloudFront
    https://www.securityweek.com/amazon-boosts-domain-protections-cloudfront

    Amazon Web Services (AWS) has unveiled a series of enhancements for the domain protections available in CloudFront, meant to ensure that all requests handled by the service come from legitimate domain owners.

    Integrated with AWS, the CloudFront global content delivery network service provides both network and application level protection, scales globally, negotiates TLS connections with high security ciphers, and includes distributed denial of service protections.

    Reply
  7. Tomi Engdahl says:

    Microsoft Unveils New Solution for Securing Critical Infrastructure
    https://www.securityweek.com/microsoft-unveils-new-solution-securing-critical-infrastructure

    Microsoft last week unveiled Trusted Cyber Physical Systems (TCPS), a new solution designed to help protect critical infrastructure against modern cyber threats.

    Microsoft provided the recent Triton and NotPetya attacks as examples of significant threats hitting critical infrastructure. Triton was used in a highly targeted campaign aimed at an organization in the Middle East, while NotPetya disrupted the operations of several major companies, with many reporting losses of hundreds of millions of dollars.

    Microsoft’s TCPS project aims to address these types of threats by providing end-to-end security through hardware, software and trust mechanisms that should help organizations ensure they don’t lose control over critical systems.

    Cyber-physical systems (CPS) are referred to as Internet-of-Things (IoT) in an industrial context. TCPS is based on four main principles: separating critical from non-critical operations through hardware isolation; ensuring that the code responsible for critical operations can be audited; the ability of each component to process data only from trustworthy sources and each component being able to attest its trustworthiness to other components; and reducing the attack surface by reducing the number of trusted entities.

    One crucial component in providing end-to-end security involves trusted execution environments (TEE), Microsoft said. TEE includes Secure Elements (e.g. chip on a credit card), Intel’s Software Guard Extensions (SGX), ARM TrustZone, and Trusted Platform Modules (TPMs) and DICE-capable microcontrollers from the Trusted Computing Group.

    TEE offers several advantages from a security viewpoint, including the fact that code running in a TEE is small and thus has a minimal attack surface, the code is considered trusted, all the data is encrypted, and the TEE hardware ensures that software running outside the trusted environment cannot break in.

    Reply
  8. Tomi Engdahl says:

    Microsoft Brings Application Guard to Windows 10 Pro
    https://www.securityweek.com/microsoft-brings-application-guard-windows-10-pro

    Microsoft on Monday made Windows 10 April 2018 Update available to users, which brings new features, enhancements and security updates, along with improvements to Windows Defender Security Center.

    One of the main changes in the update is the availability of Windows Defender Application Guard (WDAG), which allows users to browse the Internet while being protected from sophisticated browser attacks.

    First detailed in January last year, Windows Defender Security Center is receiving various enhancements to provide increased ease-of-use. The Center was designed to simplify the manner in which users view and control the security protections of the platform, as well as to help people better understand and leverage the security features protecting them.

    Reply
  9. Tomi Engdahl says:

    Has Your Company’s Infrastructure Been Hijacked by Bitcoin Miners?
    https://www.securityweek.com/has-your-companys-infrastructure-been-hijacked-bitcoin-miners

    Crypto-mining Malware Exposes Organizations to a Host of Monetary and Reputational Risks

    With Bitcoin prices reaching a record high in December, cryptocurrencies have been dominating media headlines. While most choose to invest or trade in cryptocurrencies and bide their time while the prices rise, others find that the real money lies in mining it. And with the current reward at 12.5 bitcoins for mining one block of bitcoin transactions, it is clear why crypto-mining is a lucrative pursuit.

    However, due to the enormous amount of required computing power, it’s almost impossible to profitably mine Bitcoin on commodity hardware such as laptops, smartphones, or desktop computers. It takes much too long and, in most cases, the cost of electricity is higher than the anticipated revenue. Profits from crypto-mining are therefore inextricably tied to the cost of electricity, with higher energy costs meaning a cut in profit margins.

    Across these incidents, we’ve seen eager crypto-mining attackers surreptitiously penetrate corporate networks by spear phishing, or sneakily planting malware on websites, allowing the malware to spread laterally through a network. Irrespective of the threat vector, the end-goal is the mobilization of an army of crypto-mining machines – a cyber-threat that is notoriously difficult to catch.

    Crypto-mining incidents happen daily.

    Reply
  10. Tomi Engdahl says:

    Maritime Cybersecurity: Securing Assets at Sea
    https://www.securityweek.com/maritime-cybersecurity-securing-assets-sea

    The Nature of the Shipping Industry Presents Unique Challenges for Hardening Cybersecurity

    By the end of the decade, it is expected that the world’s first autonomous container ship will have embarked on its maiden voyage, moving goods around the coastline of Norway. Together with other initiatives currently underway, such as the development of remote controlled vessels, this will mark a new era of connected shipping technology and demonstrate that the $210 billion industry is ready to embrace the future.

    These advances are to be celebrated, but simultaneously they bring with them a high element of risk, as more on-board elements become exposed to the kinds of cybersecurity concerns that we’re more familiar with on land.

    Much has been written about the dangers of Operational Technology (OT) in industrial environments, and we’re used to the traditional challenges of doing business at sea, from piracy to bottlenecks at container ports. What we’re not used to is recognizing that a container ship is an OT environment just like any other, and at risk of targeted and generic cyberattacks.

    The challenges of integrating new technologies in shipping

    One of the most difficult challenges with maritime cybersecurity is that every ship is different. There’s little standardisation, especially when it comes to on-board control systems, and a high mix of legacy systems – many of which were never designed with security in mind – and additional networked technologies which have been added over time.

    When integrating new on-board systems, not enough attention has been paid to the principles of “secure by design”. As a result, many vessels have a ‘flat’ network structure, in which new internet connected systems for navigation and communications have been placed on the same networks as older control hardware. This introduces multiple vulnerabilities into systems which do not have adequate built-in protections.

    In addition, the operating environment is also much more challenging than typical industrial setups. Most ships rely on Very Small Aperture Terminal (VSAT) satellite communications for connectivity, which is low bandwidth and high latency. It can carry some communications, such as email and navigational data, but isn’t reliable enough for the most effective security measures recommended to shore bound industries: regular patching and updates.

    Manual patching can still take place, but the current nature of the industry means that ships spend as little time in port as possible. When they are docked, and bandwidth is available, security updates come a long way down the list of priorities, behind upgrades to navigational software and downloading new digital entertainment for the crew.

    There is also a lack of skills among on-board crew. All too often the person responsible for IT combines the role with another position, leaving little opportunity to monitor for, and respond effectively to, a cybersecurity incident. Remote monitoring for issues that could indicate a security breach is an option, but difficult thanks to the lack of reliable bandwidth while at sea.

    Propelling maritime security into the future

    While a change in the approach to cybersecurity is needed, it will have to come from the maritime industry itself. Regulations and government interventions of the kind we’ve seen relating to critical infrastructure on land will be harder to enforce at sea, especially given the preference for low-regulation flags of convenience many merchant shipping lines show.

    Indeed, it’s likely to be insurance companies rather than governments that provide the motivation for shipping companies to invest seriously in better protection. Specialist insurers are developing policies based on their exposure to cyberattack and are likely to act as a prime driver for better practice. There will be a tightening of due diligence before policies are issued and claims processed.

    The industry does recognise the issue. Last year, the International Maritime Organization (IMO) published excellent guidelines on cybersecurity to enable safe and secure shipping. These guidelines are sound and advocate a risk management approach to cybersecurity.

    Reply
  11. Tomi Engdahl says:

    Over a Million Dasan Routers Vulnerable to Remote Hacking
    https://www.securityweek.com/over-million-dasan-routers-vulnerable-remote-hacking

    Researchers have disclosed the details of two unpatched vulnerabilities that expose more than one million home routers made by South Korea-based Dasan Networks to remote hacker attacks.

    In a blog post published on Monday, vpnMentor revealed that many Gigabit-capable Passive Optical Network (GPON) routers, which are used to provide fiber-optic Internet, are affected by critical vulnerabilities. The company told SecurityWeek that the impacted devices are made by Dasan Networks.

    One of the flaws, tracked as CVE-2018-10561, allows a remote attacker to bypass a router’s authentication mechanism simply by appending the string “?images/” to a URL in the device’s web interface.

    The second vulnerability, identified as CVE-2018-10562, allows an authenticated attacker to inject arbitrary commands.

    Reply
  12. Tomi Engdahl says:

    Schneider Electric Development Tools Affected by Critical Flaw
    https://www.securityweek.com/schneider-electric-development-tools-affected-critical-flaw

    Security firm Tenable has disclosed the details of a critical remote code execution vulnerability affecting Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition products.

    InduSoft Web Studio is a toolset designed for developing human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems and embedded instrumentation solutions, and InTouch Machine Edition is an HMI/SCADA development tool that can be used for both advanced applications and small-footprint embedded devices. The products are used worldwide in the manufacturing, oil and gas, water and wastewater, automotive, building automation, and renewable energy sectors.

    Reply
  13. Tomi Engdahl says:

    Industry CMO on the Downstream Risks of “Logo Disclosures”
    https://www.securityweek.com/industry-cmo-downstream-risks-logo-disclosures

    The basic premise is that failures in the coordinated approach to vulnerability disclosures can seem attractive from an initial marketing perspective, but are damaging to both the industry and its users. The ultimate problem comes from the different missions between security product development and sales teams: the first is purposed to reduce harm, while the latter is purposed to sell product.

    In between these teams sit the researchers, whose function is to find weaknesses in security products so that they can be strengthened, and their users better protected. Researchers wish to have their expertise acknowledged, while developers wish to fix their products securely. Between them they have evolved the process known as coordinated disclosure: researchers report their findings to the developer who fixes the faults, and both coordinate simultaneous disclosure of the vulnerability and its fix.

    It’s a process — when it works — that ensures the developer fixes the product as rapidly as possible, while the vulnerability does not become a zero-day exploit for use by cybercriminals, overseen by a CERT ‘referee’. The problem comes from undue pressure from marketers, possibly supported by the firm’s business leaders. This is the subject of Leggio’s keynote presentation: the violation of disclosure process to try to diminish competitors, sell more product, or unethically highlight research prowess.

    Reply
  14. Tomi Engdahl says:

    Chrome Browser Now Enforces Certificate Transparency
    https://www.securityweek.com/chrome-browser-now-enforces-certificate-transparency

    Effective May 1, Google’s Chrome browser will display a warning when encountering certificates that are not compliant with the Chromium Certificate Transparency (CT) Policy.

    The Google-backed CT attempts to tackle the issue of fraudulently issued certificates by requiring Certificate Authorities (CAs) to log all newly issued certificates. Once the certificate has been reported to the log server, the CA receives a signed certificate timestamp (SCT), which is proof of the submission.

    In early 2016, Google announced the addition of a new CT log for CAs removed from trusted root certificate programs and for the ones in the process of being included. In November 2016, the company announced plans to make the CT policy in Chrome mandatory.

    Reply
  15. Tomi Engdahl says:

    North Korea Denies it Hacked UN Sanctions Committee Database
    https://www.securityweek.com/north-korea-denies-it-hacked-un-sanctions-committee-database

    North Korea on Wednesday denied hacking the database of a UN committee tasked with monitoring sanctions against Pyongyang, and called on Washington to focus on peace efforts ahead of a planned summit between the countries’ leaders.

    In a statement, the North Korean mission at the UN said Pyongyang “has never recognized the illegal and unlawful Security Council’s ‘sanctions resolutions’” and “is not interested in what the Sanctions Committee does,” adding the idea that it had carried out a hacking operation was “nonsense.”

    “The US and hostile forces should squarely recognize the trend of the times and make efforts to do the work helpful to detente and (the) peace process on the Korean peninsula rather than manipulating plots with that hacking incident,” the statement concluded.

    The mission added the US had made the hacking accusations during a closed-door Sanctions Committee meeting.

    Reply
  16. Tomi Engdahl says:

    Microsoft Patches Critical Flaw in Open Source Container Library
    https://www.securityweek.com/microsoft-patches-critical-flaw-open-source-container-library

    Microsoft informed users on Wednesday that an update for the Windows Host Compute Service Shim library patches a critical remote code execution vulnerability.

    Introduced in January 2017, the Windows Host Compute Service (HCS) is a low level container management API for Microsoft’s Hyper-V hypervisor. The tech giant has made available two open source wrappers that allow users to call the HCS from higher level programming languages instead of the C API directly.

    One of these wrappers is the Windows Host Compute Service Shim (hcsshim), which supports launching Windows Server containers from the Go language. Hcsshim is mainly used in the Docker Engine project, but Microsoft says it can be freely used by others as well.

    Reply
  17. Tomi Engdahl says:

    US military base stores pull Huawei, ZTE kit off the shelves
    ‘Hang on, we’re selling what? In our stores? To our people?’
    https://www.theregister.co.uk/2018/05/03/huawei_zte_military_sales_ban/


    America’s Department of Defense has banned all Huawei and ZTE devices from sale in all Defense Exchanges – the shops offered to military personnel and veterans.

    The ban was confirmed by DoD spokesperson David Eastburn, who told Stars & Stripes the Defense Department’s undersecretary for personnel and readiness issued a ban covering the two companies’ phones, mobile broadband modems and “related products from locations worldwide”.

    Eastburn was quoted as saying “it was not prudent for the Department’s exchange services to continue selling these products to our personnel”, because of US intelligence concerns at their security.

    Reply
  18. Tomi Engdahl says:

    Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin
    Stolen PC locator plays double agent, say researchers
    https://www.theregister.co.uk/2018/05/02/lojack_fancy_bear_allegation/

    LoJack for Laptops, a software tool designed to rat on computer thieves, appears to be serving a double purpose – by seemingly working with a Russian state-sponsored hacking team.

    The application allows administrators to remotely lock and locate, and remove files from, stolen personal computers. It’s primarily aimed at corporate IT types who want to protect stuff that gets nicked, but anyone can use it, and it is installed by default on various notebooks.

    Just recently, several LoJack executables were found to be unexpectedly communicating with servers that are suspected to be under the control of Fancy Bear, a hacking group associated with Russia’s GRU military intelligence agency.

    It is feared someone has secretly backdoored certain copies of LoJack so that it acts as remote-controlled spyware for the Kremlin.

    “Our analysis has revealed a small number of modified agents,” said Hardik Modi, director of Arbor’s Security Engineering & Response Team (ASERT), in an email to The Register. “This is consistent with a targeted operation. We’re cooperating with numerous parties on this matter.”

    ASERT observes that many anti-virus vendors mark LoJack executables as “not-a-virus” or “Risk Tool” rather than flagging them as potential malware. Russian state-backed hackers allegedly used Kaspersky Lab’s security software for similar ends.

    Reply
  19. Tomi Engdahl says:

    Vlad that’s over: Remote code flaws in Schneider Electric apps whacked
    Putin the patch, critical infrastructure firms warned
    https://www.theregister.co.uk/2018/05/02/security_firm_uncovers_zeroday_exploit_in_critical_infrastructure_software/

    Infosec researchers at Tenable Security have unearthed a remote code execution flaw in critical infrastructure software made by energy management multinational Schneider Electric.

    The vulnerability could have allowed miscreants to control underlying critical infrastructure systems, researchers said.

    The apps affected – used widely in oil and gas, water and other critical infrastructure facilities – were InduSoft Web Studio and InTouch Machine Edition.

    Reply
  20. Tomi Engdahl says:

    China shuts down Player Unknown cheat code gang
    http://www.bbc.com/news/technology-43949292

    Chinese police have arrested 15 people suspected of creating cheat programs for the popular Player Unknown Battleground (PUBG) game.

    The cheats helped people survive longer, aim more accurately and spot foes in the competitive shooting game.

    The 15 suspects have also been fined about 30m yuan (£3.45m) for profiting from the cheats.

    Chinese police are expected to make more arrests as they break up the gang that made and sold the programs.

    Reply
  21. Tomi Engdahl says:

    More than half of web traffic is encrypted

    Measuring and testing company Keysight Ixia has released this year’s security report based on the results of its own research center. The report reveals many interesting things about security, such as the fact that more than half of all web data traffic is encrypted.

    Encryption is, according to Ixia, a double-edged sword, as it can also be used by cybercriminals: code can be hidden inside encrypted bit streams.

    Last year, cybercriminals netted most by the report as their report. Now the focus has shifted to cryptocurrency mining. At this time, half a million PCs are used for crypto mining without their owners’ knowledge.

    Source: http://www.etn.fi/index.php/13-news/7941-yli-puolet-webin-liikenteesta-on-salattu

    More:
    2018 Security Report
    https://www.ixiacom.com/resources/2018-security-report

    Reply
  22. Tomi Engdahl says:

    Many door code systems are open to hackers – USU: housing companies are itching to play secret police on their own

    FICORA warns that Finland has 2000 unprotected building automation devices connected to the Internet. The web magazine Uusi Suomi (USU) reports that the devices are used for building technology in residential and commercial real estate. They can, for example, adjust the heating or the locking of doors.

    The lack of protection causes several problems. Devices can be controlled remotely from outside the building via the network, or their data can be stolen and end up in the wrong hands. For example, a security camera can be spied on.

    The housing company does not have permission to dig through the system’s data on its own over minor incidents. The use and retention of data from building technology is covered by the Data Protection Regulation. When a crime is suspected, only the pre-trial investigation authority has the right to examine the information.

    Sources:
    https://www.tivi.fi/Kaikki_uutiset/moni-ovikoodijarjestelma-on-avoinna-hakkereille-usu-taloyhtioilla-on-hinkuja-leikkia-omin-pain-salapoliisia-6723328

    Reply
  23. Tomi Engdahl says:

    Facebook Needs to Stop Bad VR Apps Before They Start
    https://www.wired.com/story/facebook-f8-oculus-go-privacy-and-safety

    Facebook really, really wants you to give VR a go—no pun intended. That’s the message the company communicated yesterday during day one of F8, its annual developers conference in San Jose, California. The F8 keynote was filled with assurances that VR headsets like the new Oculus Go won’t create a barrier between you and the people around you. Instead, the company believes that wearing a face computer will be even more social, because you’ll be playing games, taking meetings, and video chatting with friends and family.

    And since the apps that have already been created for Samsung’s Oculus-based Gear headset can be ported over to the Oculus Go headset, there are already more than a thousand apps available for the new $200 Oculus Go. What else do you need at this point in order to embrace VR?

    For one, maybe a little reassurance that VR apps—as well as AR apps—are being designed with user privacy and reasonable data-sharing practices in mind.

    Reply
  24. Tomi Engdahl says:

    Hacktivists, Tech Giants Protest Georgia’s ‘Hack-Back’ Bill
    https://it.slashdot.org/story/18/05/02/2248223/hacktivists-tech-giants-protest-georgias-hack-back-bill?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to ‘hack back’ with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure. Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill.

    Hacktivists, Tech Giants Protest Georgia’s ‘Hack-Back’ Bill
    https://threatpost.com/hacktivists-tech-giants-protest-georgias-hack-back-bill/131628/

    As Georgia Governor Nathan Deal considers whether to sign a controversial piece of legislation that would allow companies to “hack back” with offensive initiatives in the face of a cyberattack, companies from across the tech spectrum are lining up to protest the measure.

    Also, a hacktivist group has targeted Georgia Southern University, two restaurants and a church to protest the bill.

    Opponents have twin beefs when it comes to Senate Bill 315: Some are questioning whether legitimizing offensive attacks will open the door to a new kind of corporate warfare; and others are concerned that the law will have a chilling effect on cyber-research by criminalizing white-hat activity like vulnerability research and pen-testing.

    Google and Microsoft are in the former camp, and have asked Deal to veto the bill, which was passed by the Georgia General Assembly in March and which is nearing its deadline for signing into law. The two giants take issue with a provision in the bill that allows “active defense measures that are designed to prevent or detect unauthorized computer access.”

    Reply
  25. Tomi Engdahl says:

    Check Point Research:
    North Korea’s state antivirus software, SiliVaccine, contained a decade-old copy of Trend Micro’s scan engine and also came bundled with the Jaku malware

    SiliVaccine: Inside North Korea’s Anti-Virus
    https://research.checkpoint.com/silivaccine-a-look-inside-north-koreas-anti-virus/

    Reply
  26. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    Coalition representing Apple, Google, Facebook, and others criticize law enforcement backdoors in devices, after Wired profile of Ray Ozzie’s key escrow idea

    Tech giants hit by NSA spying slam encryption backdoors
    https://www.zdnet.com/article/coalition-of-tech-giants-hit-by-nsa-spying-slams-encryption-backdoors/

    The tech coalition includes Apple, Facebook, Google, Microsoft, and Verizon and Yahoo’s parent company Oath — all of which were hit by claims of complicity with US government’s surveillance.

    Reply
  27. Tomi Engdahl says:

    Phishing alert: GDPR-themed scam wants you to hand over passwords, credit card details
    https://www.zdnet.com/article/phishing-alert-gdpr-themed-scam-wants-you-to-hand-over-passwords-credit-card-details/

    Attackers know that companies are sending a lot of emails to customers about GDPR – and that makes them prime opportunity for phishing attacks.

    Reply
  28. Tomi Engdahl says:

    86% of Passwords are Terrible (and Other Statistics)
    https://www.troyhunt.com/86-of-passwords-are-terrible-and-other-statistics/

    A couple of months ago, I launched version 2 of Pwned Passwords. This is a collection of over half a billion passwords which have previously appeared in data breaches and the intention is that they’re used as a black list; these are the “secrets” that NIST referred to in their recent guidance:

    When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.

    In other words, once a password has appeared in a data breach and it ends up floating around the web for all sorts of nefarious parties to use, don’t let your customers use that password! Now, as I say in the aforementioned blog post (and in the post launching V1 before it), it’s not always that black and white and indeed outright blocking every pwned password has all sorts of usability ramifications as well. But certainly, many organisations have taken precisely this approach and have used the service to keep known bad passwords out of their systems.

    In total, there were 1,910,144 passwords out of 2,232,284 already in the Pwned Passwords set. In other words, 86% of subscribers were using passwords already leaked in other data breaches and available to attackers in plain text.

    So, what sort of passwords are we talking about here? All the usual terrible ones you’d expect people to choose which, by order of prevalence in the Pwned Password data set, means passwords like these:

    123456
    123456789
    qwerty
    password
    111111
    12345678
    abc123
    password1
    1234567
    12345

    The FTC’s message is loud and clear: If customer data was put at risk by credential stuffing, then being the innocent corporate victim is no defence to an enforcement case. Rather, in the FTC’s view companies holding sensitive customer information should be taking affirmative action to reduce the risk of credential stuffing.

    Reply
  29. Tomi Engdahl says:

    Pwned Passwords
    https://haveibeenpwned.com/Passwords

    Pwned Passwords are half a billion real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts. They’re searchable online below as well as being downloadable for use in other online systems. Read more about how HIBP protects the privacy of searched passwords.

    Reply
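    Added example (not Troy Hunt’s or HIBP’s code) of the check the two posts above describe: screening a candidate password against a breach list the way the Pwned Passwords v2 range API does it, hashing with SHA-1 and sending only the first five hex characters so the full hash never leaves the client. The range store is constructed from the ten passwords quoted in the post with rank-based stand-in counts; the real endpoint returns the same SUFFIX:COUNT lines.

```python
"""Blacklist check against a breach list using the k-anonymity range lookup of
Pwned Passwords v2: the client hashes with SHA-1, sends only the first five
hex characters, and matches the suffix locally. Added example; the range store
is constructed from the ten passwords quoted in the post, not real API data."""
import hashlib
from collections import defaultdict

# Constructed breach list: the ten most common passwords named above, with
# rank-based stand-in counts (the real prevalence numbers are not on the page).
SAMPLE_BREACHED = {pw: 10 - i for i, pw in enumerate([
    "123456", "123456789", "qwerty", "password", "111111",
    "12345678", "abc123", "password1", "1234567", "12345",
])}


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_store(breached):
    """Index the list by 5-char SHA-1 prefix, as the server side does."""
    store = defaultdict(list)
    for pw, count in breached.items():
        digest = sha1_hex_upper(pw)
        store[digest[:5]].append(f"{digest[5:]}:{count}")
    return store


RANGE_STORE = build_range_store(SAMPLE_BREACHED)


def lookup_range(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>;
    the real endpoint returns the same 'SUFFIX:COUNT' lines."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly five hex characters")
    return "\r\n".join(RANGE_STORE.get(prefix.upper(), []))


def breach_count(password, fetch_range=lookup_range):
    """Number of breach appearances for the password, 0 if unseen."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only the prefix is sent; the suffix comparison happens locally.
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def password_allowed(password, fetch_range=lookup_range):
    """The NIST rule quoted above: reject any secret on the compromised list."""
    return breach_count(password, fetch_range) == 0
```

    Swapping `lookup_range` for an HTTP GET against the real range endpoint keeps the same privacy property, since the server only ever sees the five-character prefix.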
  30. Tomi Engdahl says:

    Twitter: Keeping your account secure
    https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

    When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.

    Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.

    We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.

    Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.

    There are a few steps you can take to help us keep your account safe:

    Change your password on Twitter and on any other service where you may have used the same password.
    Use a strong password that you don’t reuse on other websites.
    Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security.
    Use a password manager to make sure you’re using strong, unique passwords everywhere.

    Reply
  31. Tomi Engdahl says:

    Commodity Ransomware Declines as Corporate Attacks Increase
    https://www.securityweek.com/commodity-ransomware-declines-corporate-attacks-increase

    2017 was a landmark year for ransomware, with WannaCry and NotPetya grabbing headlines around the world. Ransomware attacks grew by more than 400% over the year, while the number of unique families and variants increased by 62%. These statistics, however, disguise an apparent change in the ransomware industry following the summer of 2017.

    The figures and analysis come from F-Secure’s upstream telemetry and are published in a new report: The Changing State of Ransomware (PDF). It is the sheer size of the WannaCry outbreak that started in May 2017 that distorts the figures. “While the initial wave of infections was quickly rendered inert with the discovery of an apparent ‘kill switch’,” notes F-Secure, “it did not actually stop the malware from spreading.”

    https://fsecurepressglobal.files.wordpress.com/2018/05/ransomware_report.pdf

    Reply
  32. Tomi Engdahl says:

    Evasive Malware Now a Commodity
    https://www.securityweek.com/evasive-malware-now-commodity

    I’ve been deconstructing malware for over 20 years, and it turns out I’ve chosen a profession where it’s hard to feel in a rut — so much of what is happening with malware continues to feel dramatic and new to me. There’s always the latest malware inventiveness – “fileless” malware and cryptocurrency mining bots leap to mind at the moment – but more on my mind this week is the rise of the malware marketplace and the continued increase in “hyper-evasive” malware across the board.

    Reply
  33. Tomi Engdahl says:

    MassMiner Attacks Web Servers With Multiple Exploits
    https://www.securityweek.com/massminer-attacks-web-servers-multiple-exploits

    A recently discovered crypto-currency mining malware family is using multiple exploits in an attempt to increase its chances of successfully compromising web servers, AlienVault has discovered.

    Dubbed MassMiner, the malware includes a fork of internet scanning tool MassScan, which in this case passes a list of private and public IP ranges to scan during execution. After compromising a target, the malware first attempts to spread to other hosts on the local network, and then attempts propagation over the Internet.

    Reply
  34. Tomi Engdahl says:

    The Unhackable Envelope
    https://spectrum.ieee.org/tech-talk/computing/hardware/the-unhackable-envelope

    In a high-security computer center, there’s one machine that’s nearly impossible to break into. The systems that store and serve up cryptographic keys are physically protected from even the kinds of subtle attacks that belong in spy movies: x-rays, drill bits a fraction of a millimeter wide, electromagnetic snooping.

    These so-called hardware security modules (HSMs) are protected by a battery-powered mesh of micrometer-scale wires embedded in special resin, and they store cryptographic keys in volatile memory that is automatically wiped if the mesh experiences even a minute amount of damage. The tiniest drill bit, for example, will result in open circuits, short circuits, or other changes in resistance that the system instantly detects.

    It’s hard to say if anyone has ever succeeded in penetrating an HSM

    In today’s HSMs, a resistance-changing penetration “destroys any secret material stored inside the circuitry,”

    Their solution, called B-Trepid, replaces the stored key with one that is generated by the structure of the envelope itself. Instead of relying on resistances in the envelope’s mesh, B-Trepid calculates the capacitances between the mesh’s wires. These femtofarad capacitances vary from envelope to envelope in unpredictable ways

    When B-Trepid is attached to its computer network and turned on, the external mesh generates a unique key that is used to encrypt all the data within the system. When it’s off, there’s no key and therefore nothing to steal. So there’s no need for a battery. And if the envelope is penetrated, which Sigl’s team did using a 0.3-mm drill, its capacitances shift. This alters the PUF, automatically rendering any data within the system unreadable.

    Reply
  35. Tomi Engdahl says:

    A cyberattack knocked a Tennessee county’s election website offline during voting
    https://techcrunch.com/2018/05/04/tennessee-election-ddos-knox-county-voting/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    After a distributed denial-of-service attack knocked some servers offline during a local election in Tennessee this week, Knox County is working with an outside security contractor to investigate the cause. The attack took the Knox County Election Commission site displaying results of the county mayoral primary offline during Tuesday night voting. The county resorted to distributing printed results during the outage.

    “Election results were not affected, as our election machines are never connected to the Internet.”

    The day after the incident, Knox County Mayor Tim Burchett reassured voters that the attack did not compromise the vote. Election systems that can go online are far less secure than systems that are not able to connect to the internet.

    “extremely heavy and abnormal network traffic” consistent with a DDoS attack and observed that the IP addresses involved originated from both domestic and international locations.

    DDoS attacks are sometimes used as a diversionary tactic to create chaos.

    To protect election systems from hacking, states are getting cozier with Homeland Security

    Reply
  36. Tomi Engdahl says:

    IRS Warned Congress of “Catastrophic System Failure” Six Months Before Tax Day Outage
    https://spectrum.ieee.org/riskfactor/computing/it/irs-predicted-tax-filing-failure

    The tax system failure seemed to have been foreshadowed last October in testimony before Congress by Jeffrey Tribiano, IRS Deputy Commissioner for Operations Support and CIO Silvana Gina Garza. In their testimony (pdf), they stated that the increasing age of IT infrastructure was also increasing “the potential for a catastrophic system failure.”

    Reply
  37. Tomi Engdahl says:

    Black teen girl scientists in NASA competition targeted by hackers for their race
    https://www.usatoday.com/story/news/nation-now/2018/05/03/teen-finalists-nasa-competition-targeted-hackers/577969002/

    Hackers tried to sway a NASA challenge in order to attack grade school students based on their race, the administration confirmed.

    NASA said on April 29 it had to shut down the voting portion after learning hackers attempted to alter the final vote totals.

    “It was brought to NASA’s attention … that some members of the public used social media, not to encourage students and support STEM, but to attack a particular student team based on their race and encouraged others to disrupt the contest and manipulate the vote, and the attempt to manipulate the vote occurred shortly after those posts,” NASA said in a statement.

    Reply
  38. Tomi Engdahl says:

    Devin Coldewey / TechCrunch:
    Office of the Director of National Intelligence report: NSA collected 534M metadata records from US communications providers in 2017, up 3x from 2016 — The National Security Agency revealed a huge increase in the amount of call metadata collected, from about 151 million call records in 2016 …

    NSA triples metadata collection numbers, sucking up over 500 million call records in 2017
    https://techcrunch.com/2018/05/04/nsa-triples-metadata-collection-numbers-sucking-up-over-500-million-call-records-in-2017/

    The National Security Agency revealed a huge increase in the amount of call metadata collected, from about 151 million call records in 2016 to more than 530 million last year — despite having fewer targets. But officials say nothing is different about the year but the numbers.

    Although the NSA’s surveillance apparatus was dealt a check with the 2013 Snowden leaks and subsequent half-hearted crackdowns by lawmakers, it clearly is getting back into its stride.

    Reply
  39. Tomi Engdahl says:

    Drew Harwell / Washington Post:
    Facebook says its facial recognition technology, the company’s solution to spot fake accounts, looks for impostors only within a user’s limited social circle

    When a stranger takes your face: Facebook’s failed crackdown on fake accounts
    https://www.washingtonpost.com/business/economy/when-a-stranger-takes-your-face-facebooks-failed-crackdown-on-fake-accounts/2018/05/04/d3318838-4f1a-11e8-af46-b1d6dc0d9bfe_story.html?utm_term=.6067d0c0aa93

    Katie Greenman’s Facebook profile mirrors all the things the 21-year-old Texas college student loves: cute animals, exotic travel and left-leaning political issues such as immigration reform and gun control.

    But there is another Katie Greenman on Facebook — created by strangers and copying her full name, photos, home town and old workplace — that shares only ideas celebrated by President Trump, including an image showing Hillary Clinton and President Barack Obama in federal prison. The fake account’s profile picture: a selfie of the real Greenman, sunbathing.

    “My gosh, what the heck? That’s scary,” Greenman said when a Washington Post reporter showed her the fake account. “That’s me, but I never posted any of this stuff.”

    Facebook in December offered a bold solution for its worsening scourge of fake accounts: new facial-recognition technology to spot when a phony profile tries to use someone else’s photos.

    Reply
  40. Tomi Engdahl says:

    Dan Primack / Axios:
    Cybersecurity company Carbon Black closes up 26% on its first day of trading after raising $152M in its IPO and is now valued at $2B

    Carbon Black’s long road to IPO
    https://www.axios.com/carbon-black-is-the-1525460593-0d0d56c2-1e14-44cb-8851-cd630d6930dd.html

    Cybersecurity company Carbon Black went public on Friday, raising $152 million in its IPO and closing its first day of trading up 26%.

    Big picture: This was one of the first companies created on the thesis that traditional anti-virus software didn’t work, but for a while it looked as if it had actually launched too early.

    Reply
  41. Tomi Engdahl says:

    Warren Strobel / Reuters:
    US officially elevates Cyber Command to independent unified command status as Lt. Gen. Paul Nakasone takes over as new head, also becoming the director of NSA

    Pentagon’s Cyber Command gets upgraded status, new leader
    https://www.reuters.com/article/us-usa-defense-cyber/pentagons-cyber-command-gets-upgraded-status-new-leader-idUSKBN1I52MS

    Reply
  42. Tomi Engdahl says:

    Twitter Urges Password Changes After Exposing ‘Unmasked’ Credentials
    https://www.securityweek.com/twitter-urges-password-changes-after-exposing-unmasked-credentials

    Twitter on Thursday warned its users that an internal software bug unintentionally exposed “unmasked” passwords by storing them in an internal log.

    Twitter CTO, Parag Agrawal, explained that Twitter hashes passwords using the popular bcrypt function, which replaces an actual password with a random set of numbers and letters, allowing Twitter’s systems to validate credentials without revealing passwords, while also masking them so Twitter employees can’t see them.

    “Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Agrawal wrote in a blog post.

    Keeping your account secure
    https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

    Reply
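    Added example (not Twitter’s code) contrasting the failure mode described in comments 30 and 42, a handler that logs the request before the password is hashed, with one that hashes first and scrubs secret-looking keys in the logging pipeline as a backstop. bcrypt is replaced here by salted PBKDF2-HMAC-SHA256 so the block runs on the standard library alone; the credentials and the field-name pattern are constructed.

```python
"""Contrast of a password handler that logs before hashing (the bug described
in the Twitter posts above) with one that hashes first and scrubs the log
pipeline. Added example, not Twitter's code; bcrypt is replaced by salted
PBKDF2-HMAC-SHA256 so it runs on the standard library alone."""
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Keys that must never reach a log line in clear text (assumed naming convention).
SECRET_FIELDS = re.compile(r"pass(word|wd)?|pwd|secret|token", re.I)


def hash_password(password, salt=None):
    """Stand-in for bcrypt: returns 'saltHex$digestHex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def redact(payload):
    """Replace the value of any secret-looking key in a dict payload."""
    return {k: ("[REDACTED]" if SECRET_FIELDS.search(k) else v) for k, v in payload.items()}


class RedactingFilter(logging.Filter):
    """Logger-level backstop: scrub dict messages before any handler sees them."""
    def filter(self, record):
        if isinstance(record.msg, dict):
            record.msg = redact(record.msg)
        return True


def make_logger(name, redacting):
    """Logger writing to an in-memory buffer so the output can be inspected."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(RedactingFilter())
    return logger, buf


def set_password_vulnerable(user, password, logger):
    # Logs the raw request *before* hashing: the plaintext lands in the log.
    logger.info({"event": "set_password", "user": user, "password": password})
    return hash_password(password)


def set_password_fixed(user, password, logger):
    # Hash first and log only non-secret fields; the filter covers the case
    # where someone later logs the raw request dict anyway.
    stored = hash_password(password)
    logger.info({"event": "set_password", "user": user})
    return stored


def demo(handler, redacting):
    """Run a handler on constructed sample credentials; return (hash, log text)."""
    logger, buf = make_logger("demo." + handler.__name__, redacting)
    stored = handler("alice", "hunter2", logger)
    return stored, buf.getvalue()
```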
  43. Tomi Engdahl says:

    Researchers Link Several State-Sponsored Chinese Spy Groups
    https://www.securityweek.com/researchers-link-several-state-sponsored-chinese-spy-groups

    Researchers have discovered links between several cyber espionage groups believed to be sponsored by the Chinese government and found that at least some of them may be working from the Xicheng District of Beijing.

    A report published last week by 401TRG, the threat research and analysis team at ProtectWise, revealed links between several campaigns conducted over the past decade. Researchers claim that various threat groups previously attributed to Chinese-speaking actors are all connected to China’s state intelligence apparatus under what they call the “Winnti umbrella.”

    Threat actors such as Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, and ShadowPad are all believed to be part of the Winnti umbrella based on the use of similar tactics, techniques, and procedures (TTPs), and overlaps in infrastructure and operations. Experts believe they are “the work of individual teams, including contractors external to the Chinese government, with varying levels of expertise, cooperating on a specific agenda.”

    Reply
  44. Tomi Engdahl says:

    Hackers Target Flaws Affecting a Million Internet-Exposed Routers
    https://www.securityweek.com/hackers-target-flaws-affecting-million-internet-exposed-routers

    Just a few days after they were disclosed, malicious actors started targeting a couple of flaws affecting routers made by South Korea-based Dasan Networks. There are roughly one million potentially vulnerable devices accessible directly from the Internet.

    vpnMentor on Monday disclosed the details of two vulnerabilities in Gigabit-capable Passive Optical Network (GPON) routers made by Dasan and distributed to users by ISPs that provide fiber-optic Internet.

    One of the flaws (CVE-2018-10561) allows a remote attacker to bypass a router’s authentication mechanism simply by appending the string “?images/” to a URL in the device’s web interface. The second vulnerability (CVE-2018-10562) can be exploited by an authenticated attacker to inject arbitrary commands.

    https://www.securityweek.com/over-million-dasan-routers-vulnerable-remote-hacking

    Reply
  45. Tomi Engdahl says:

    Backdoored Module Removed from npm Registry
    https://www.securityweek.com/backdoored-module-removed-npm-registry

    A malicious package masquerading as a cookie parsing library but delivering a backdoor instead was unpublished from the npm Registry along with three other packages.

    Reply
  46. Tomi Engdahl says:

    GandCrab Ransomware Breaks Windows 7 Systems
    https://www.securityweek.com/gandcrab-ransomware-breaks-windows-7-systems

    The latest variant of the GandCrab ransomware breaks infected Windows 7 systems, Fortinet warns.

    Discovered at the end of last month, version 3 of the ransomware forces a system reboot, attempting to change the PC’s desktop wallpaper. Because of a coding bug, however, only Windows 10 and Windows 8 systems would fully load, while Windows 7 machines would hang at a point before the Windows Shell is completely loaded.

    GandCrab spreads via spam emails, and Fortinet last week observed an uptick in messages distributing the ransomware. The emails carried version 2.1 of the malware and most of them (75%) targeted users in the United States, with those in the United Kingdom, Canada, Romania, and South Africa also impacted.

    Reply
  47. Tomi Engdahl says:

    Microsoft Makes Hyper-V Debugging Symbols Public
    https://www.securityweek.com/microsoft-makes-hyper-v-debugging-symbols-public

    In an attempt to improve Hyper-V technology, which Microsoft considers central to the security of its cloud services, the software giant has released Hyper-V debugging symbols to the public.

    Microsoft is now offering access to most Hyper-V-related symbols through the public symbol servers, starting with symbols for Windows Server 2016 with an installed April 2018 cumulative update.

    “We would like to share with the security community that we have now released debugging symbols for many of the core components in Hyper-V, with some exceptions such as the hypervisor where we would like to avoid our customers taking a dependency on undocumented hypercalls for instance,” Microsoft announced.

    This move, the company says, should prove handy for partners building solutions leveraging Hyper-V, for developers attempting to debug specific issues, and to security researchers to better analyze Hyper-V’s implementation and report any vulnerabilities as part of the Microsoft Hyper-V Bounty Program.

    Hyper-V Debugging Symbols Are Publicly Available
    https://blogs.technet.microsoft.com/srd/2018/05/03/hyper-v-debugging-symbols-are-publicly-available/

    Reply
  48. Tomi Engdahl says:

    Stats on the Cybersecurity Skills Shortage: How Bad Is It, Really?
    https://www.darkreading.com/stats-on-the-cybersecurity-skills-shortage-how-bad-is-it-really/d/d-id/1331504?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

    Is it just a problem of too few security professionals, or are there other reasons enterprises struggle to build infosec teams?

    While plenty of CISOs today find ways to successfully build out effective cybersecurity teams, most industry pundits agree that the process is a bear. One of the biggest complaints is that there just aren’t enough experienced, talented security professionals to fill the roles available – but there is talent for the taking if organizations know where to look for it. Nevertheless, the numbers support the fact that market constraints on security brainpower are a very real factor. Here’s what the most recent data shows.

    Reply
