Google is launching .app domains, the first TLDs secured with built-in HTTPS
Sarah Perez
@sarahintampa / May 1, 2018
Over three years after Google paid $25 million to gain the exclusive rights to the “.app” top-level domain, the company is at last making .app domains available to register starting today and running through May 7, at 9 AM PDT via Google’s Early Access Program. The following day, May 8, the domains will go on sale for the general public, including through other registrars.
The new top-level domain (TLD) is an obvious choice for app developers and others in the tech industry, as it serves as an easy-to-remember alternative to .com domains.
In addition to the expected demand, Google is requiring HTTPS for all .app websites. This built-in security protects against ad malware and tracking injection by internet service providers, and safeguards against spying on open Wi-Fi networks, the company explains.
If you haven’t done so already after seeing the title of this article, please stop reading immediately and enable two-factor authentication (2FA) on every system and service you use that allows it. The reality is that no matter how strong your password is — even that 48-character one with uppercase and lowercase letters, numbers and symbols — it’s not strong enough if your desktop or browser is compromised and your credentials are stolen.
I’ve been deconstructing malware for over 20 years, and it turns out I’ve chosen a profession where it’s hard to feel in a rut — so much of what is happening with malware continues to feel dramatic and new to me. There’s always the latest malware inventiveness – “fileless” malware and cryptocurrency mining bots leap to mind at the moment – but more on my mind this week is the rise of the malware marketplace and the continued increase in “hyper-evasive” malware across the board.
Total annual malware volumes are up 7x globally over the last five years according to data from AV-Test.org, which means internet users and businesses are witnessing a rising flood of maliciousness in their email and web interactions.
One-third of Malware is “Hyper-Evasive”
Just how evasive is malware today? To get at this systematically, my team just concluded a study of malware sent to our cloud sandbox array during the first quarter of this year. Such malware has passed through several prior stages of automated analysis, and has still not been definitively categorized as benign or malicious. We discovered that over 98 percent of malware making it to the sandbox array uses at least one evasive tactic, and that 32 percent of malware samples making it to this stage were what we could classify as “hyper-evasive,” layering on six or more detection evasion techniques.
Historically, some malware uses multiples of that number, like Cerber ransomware, which is extremely “sandbox aware” and runs 28 processes to check if it is really running in a target environment, refusing to detonate if it finds debuggers installed to detect malware, the presence of virtual machines (a basic “tell” for traditional sandboxes), or loaded modules, file paths, etc., known to be used by different traditional sandboxing vendors.
Personnel on US military bases can no longer buy phones and other gear manufactured by Chinese firms Huawei and ZTE, after the Pentagon said the devices pose an “unacceptable” security risk.
Two critical vulnerabilities have been discovered by a researcher in industrial device servers from Taiwan-based industrial networking solutions provider Lantech. The flaws can be exploited remotely even by an attacker with a low skill level, but the vendor has not released any patches.
According to Lantech, IDS 2102 is a device server designed to convert one RS232/422/485 serial port to two 10/100 Ethernet connections. The device, used worldwide in the critical manufacturing sector, can be managed and configured remotely over the Internet.
SynAck has become the first ransomware family to leverage the Process Doppelgänging technique in an attempt to bypass security products, Kaspersky Lab reports.
Discovered in September 2017, SynAck isn’t new malware, but started using the evasion method last month, Kaspersky’s security researchers warn. The technique isn’t new either, as it was first detailed in December 2017 by enSilo.
Similar to process hollowing, Process Doppelgänging abuses the Windows loader to execute code without writing it to disk, making detection more difficult. The malicious code is correctly mapped to a file on the disk, just as it would be in the case of a legitimate process.
As expected, SynAck leverages Process Doppelgänging to bypass modern security solutions (which would flag any unmapped code).
“The main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one,” Kaspersky notes.
The first time I heard about distributed brute-force login attacks was from master web application firewall (WAF) administrator Marc LeBeau. At the time he was defending a hotel chain against attackers who were brute-force guessing customer passwords and withdrawing hotel points.
LeBeau had been brought in to administer a WAF to stop the bleeding, which topped $50,000 a month. His initial policy stymied the attackers . . . for about two weeks. Then they resumed their assault, this time trying each password from a different IP address. The distributed nature of this type of attack makes it difficult to differentiate between a legitimate user trying to remember his password and a gang of points thieves.
I checked back with LeBeau recently to see what he’s up to, because he’s always got some interesting insights into the attacker/defender landscape.
According to LeBeau, there’s a popular attack vector among brute-force attackers right now that takes advantage of the 90-day password expirations commonly used by enterprises. When a company becomes large enough, it accumulates several dudes who can’t ever remember their passwords and end up calling IT 200 times a year. To avoid becoming like the fabled B.O.F.H., admins assign these dudes a password like Spring2018 because it’s easy to remember and aligns to the 90-day expiration.
No limits
LeBeau says a modern WAF can prevent distributed brute-force login attempts with various levels of rate-limiting. If the authentication model is very open (little to no rate-limiting), then, yes—attackers spray the site with an identical password list. If a site has something worth getting, the attackers will hammer it in any and every way possible till there’s nothing left.
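Two checks that follow from the attack patterns described above, written as an added example (this is not code from the article or from LeBeau, and the login events it scans are constructed): one keys failed logins on the target account rather than the source address, which is what exposes a distributed guessing campaign that per-IP rate limits miss; the other rejects season-plus-year passwords of the Spring2018 kind at password-set time, before a spray can try them.

```python
# Added example, not from the article or from LeBeau: two checks against the
# login-attack patterns described above. Event records are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events as a WAF or SSO log might
# record them: (ISO timestamp, account, source IP, outcome). "alice" is hit
# from many different addresses in under a minute; "bob" fumbles his own
# password from one address; "carol" sees two failures from two addresses.
SAMPLE_EVENTS = [
    ("2018-05-01T10:00:00", "alice", "203.0.113.10", "fail"),
    ("2018-05-01T10:00:07", "alice", "198.51.100.23", "fail"),
    ("2018-05-01T10:00:15", "alice", "192.0.2.44", "fail"),
    ("2018-05-01T10:00:21", "alice", "203.0.113.77", "fail"),
    ("2018-05-01T10:00:30", "alice", "198.51.100.9", "fail"),
    ("2018-05-01T10:00:42", "alice", "192.0.2.130", "fail"),
    ("2018-05-01T10:01:00", "bob", "192.0.2.200", "fail"),
    ("2018-05-01T10:01:30", "bob", "192.0.2.200", "fail"),
    ("2018-05-01T10:02:00", "bob", "192.0.2.200", "success"),
    ("2018-05-01T10:03:00", "carol", "203.0.113.5", "fail"),
    ("2018-05-01T10:03:20", "carol", "203.0.113.6", "fail"),
]


def sample_events():
    """Parse the constructed records into (datetime, account, ip, outcome)."""
    return [(datetime.fromisoformat(ts), acct, ip, out)
            for ts, acct, ip, out in SAMPLE_EVENTS]


def distributed_bruteforce(events, window=timedelta(minutes=10), min_ips=5):
    """Return {account: distinct_source_ips} for accounts whose failed logins
    inside any `window`-long span come from at least `min_ips` addresses.

    Per-IP rate limits never fire on this pattern, because each address
    contributes only one or two guesses; keying on the target account does."""
    failures = defaultdict(list)
    for ts, account, ip, outcome in sorted(events):
        if outcome == "fail":
            failures[account].append((ts, ip))

    flagged = {}
    for account, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            ips = {ip for _, ip in attempts[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[account] = max(len(ips), flagged.get(account, 0))
    return flagged


SEASONS = ("spring", "summer", "fall", "autumn", "winter")


def is_seasonal_password(password, year):
    """True if `password` is a season word plus the current, previous or next
    year (four- or two-digit), optionally followed by punctuation, e.g.
    Spring2018, Winter2017!, summer18. These track a 90-day rotation cadence
    and are the first guesses in a spray, so reject them at password-set time."""
    years = {str(year + delta) for delta in (-1, 0, 1)}
    years |= {y[-2:] for y in years}
    match = re.fullmatch(r"([A-Za-z]+)(\d{2,4})[!@#$%^&*.]*", password)
    return bool(match) and match.group(1).lower() in SEASONS \
        and match.group(2) in years


if __name__ == "__main__":
    print("distributed brute force:", distributed_bruteforce(sample_events()))
    for pw in ("Spring2018", "Winter2017!", "summer18", "Autumn1999", "Tr0ub4dor&3"):
        print(pw, "->", "reject" if is_seasonal_password(pw, 2018) else "ok")
```

The window size and the distinct-address threshold are the tuning knobs: a hotel-points site with a mobile user base will legitimately see one account from two or three addresses in ten minutes, so the threshold needs to sit above that background before it is wired to a lockout or step-up challenge rather than an alert.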
Russia’s telecom regulator Roskomnadzor has taken a more granular approach to its battle with Telegram: instead of deep-sixing IP addresses by the millions, it says it’s blocked 50 VPN providers from landing traffic in the country.
At the end of last week, the regulator’s deputy head Vadim Subbotin told state newsagency TASS that it had identified and blocked 50 VPNs and anonymisers “for the time being”.
Cops in Halifax, Nova Scotia, Canada, will not pursue charges against a 19-year-old fella who had dared to download a cache of public documents.
In a brief statement issued Monday, police said that, following nearly a month of investigation, there were “no grounds to lay charges” in a case that had drawn harsh criticism from digital rights groups. The young man had shown no criminal intent in fetching freely available files that anyone could have slurped, the plod admitted.
“This was a high-profile case that potentially impacted many Nova Scotians,” Superintendent Jim Perrin, Officer-in-Charge of Criminal Investigations said of the case.
“As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offence by accessing the information.”
A set of high-severity vulnerabilities in Drupal that were disclosed last month are now the target of widespread attacks by a malware campaign.
Researcher Troy Mursch of Bad Packets Report has spotted hundreds of compromised Drupal sites being used to host “cryptojacking” malware that uses the CPUs of visitors to mine cryptocurrency via CoinHive.
Juli Clover / MacRumors:
Apple’s iOS 11.4, currently in beta, introduces USB Restricted Mode that disables Lightning port after a week of not entering passcode
The iOS 11.4 update, currently being beta tested, includes a USB Restricted Mode that introduces a week-long expiration date on access to the Lightning port on your iOS devices if your phone hasn’t been unlocked, which has implications for law enforcement tools like the GrayKey box.
USB Restricted Mode was outlined this morning by Elcomsoft after testing confirmed that the feature has indeed been enabled. In Elcomsoft’s experience, after an iPhone or iPad has been updated to iOS 11.4, if it hasn’t been unlocked or connected to a paired computer in the last 7 days using a passcode, the Lightning port is useless for data access and limited to charging.
The goal of the European Union’s General Data Protection Regulation (GDPR) is, among other things, to standardize data protection laws applicable to EU data subjects. Aimed at enhancing privacy protection, the enforcement of the regulation becomes effective on May 25.
GDPR’s implementation on an issue relevant to the cybersecurity industry may well have negative consequences that, ironically, run contrary to its original intent.
What’s at Stake?
The central issue involves changes to accessing business contact information in the ICANN WHOIS database as a result of the current interpretation of the GDPR. WHOIS is a service that has readily provided basic information about a registered domain, such as domain owner contact information, domain availability status and the company with which the domain is registered. Registrants of new domains provide this information as part of the registration process.
We discovered a malware family called Maikspy — a multi-platform spyware that can steal users’ private data. The spyware targets Windows and Android users, and first posed as an adult game named after a popular U.S.-based adult film actress. Maikspy, which is an alias that combines the name of the adult film actress and spyware, has been around since 2016.
Lenovo has released patches for a High severity vulnerability impacting the Secure Boot function on some System x servers.
Exploitation of this security vulnerability could result in unauthenticated code being booted. Discovered by the computer maker’s internal testing team and tracked as CVE-2017-3775, the issue impacts a dozen models, including Flex System x240 M5, x280 X6, x480 X6, x880, x3xxx series, and NeXtScale nx360 M5 devices.
“Lenovo internal testing discovered some System x server BIOS/UEFI versions that, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code,” the manufacturer notes.
These systems ship with Secure Boot disabled by default, because signed code is relatively new in the data center environment, the company says, adding that standard operator configurations disable signature checking.
In its advisory, the computer maker published not only the complete list of affected models, but also links to the appropriate BIOS/UEFI update for each model. The company advises admins relying on Secure Boot to control physical access to systems prior to applying the updates.
Microsoft has fixed more than 60 vulnerabilities with its May 2018 Patch Tuesday updates, including two Windows zero-day flaws that can be exploited for remote code execution and privilege escalation.
The more serious of the zero-day vulnerabilities is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows.
The existence of the flaw was revealed last month by Chinese security firm Qihoo 360, which reported that a known advanced persistent threat (APT) actor had been exploiting the vulnerability via Internet Explorer and specially crafted Office documents.
Adobe has patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products, but the company believes it’s unlikely that the flaws will be exploited in the wild any time soon.
Only one vulnerability has been patched in Flash Player with the release of version 29.0.0.171 for Windows, Mac, Linux and Chrome OS. The issue, reported to Adobe by Jihui Lu of Tencent KeenLab, impacts Flash Player 29.0.0.140 and earlier versions.
The flaw is a critical type confusion that allows arbitrary code execution (CVE-2018-4944), but Adobe has assigned it a severity rating of “2,” which indicates that exploits are not considered imminent and there is no rush to install the update.
Telegram Channels Offer Great Anonymity and Are Being Increasingly Used by Cybercriminals
Serious criminals are abandoning the upper levels of the dark web. The reasons appear to be the relative ease with which such criminal forums are penetrated by law enforcement agents and security researchers — and the recent shut-downs of major criminal forums Hansa Market and AlphaBay.
Last month, Cybereason tested this idea and concluded that serious criminals have migrated to the deeper, closed forums of the dark web. In research published yesterday, Check Point now postulates an alternative destination for these criminals: not deep, dark, Tor-hidden forums, but Telegram.
The Internet of Things (IoT) botnet known as Hide ‘N Seek that first emerged in January can now achieve persistence on infected devices, Bitdefender reports.
Discovered toward the end of April, the latest version of the malware also includes code that allows it to target more vulnerabilities and new types of devices, the security firm discovered, adding that it targets 10 different architectures and a broad range of models.
The botnet has so far infected 90,000 unique devices starting in January, and could become a major threat if weaponized.
The latest Hide ‘N Seek version can compromise more IPTV camera models by targeting vulnerabilities in Wansview NCS601W IP camera (a cloud-only device) and AVTECH IP Camera, NVR and DVR (the maker’s products have been targeted by other IoT malware as well).
Twitter has been adopting new trends at a snail’s pace. But it’s better to be late than never.
People have been speculating since 2013 that Twitter would bring end-to-end encryption to its direct messages. Now, almost five years after the encryption era began, the company is testing end-to-end encrypted messaging on Twitter.
Dubbed “Secret Conversation,” the feature was spotted in the latest version of the Android application package (APK) for Twitter by Jane Manchun Wong.
Remember a young hacker who hacked jail systems in an attempt to release his prison inmate early?
Well, that hacker will now be joining his inmate behind bars.
Konrads Voits of Ypsilanti, Michigan, has been sentenced to seven years and three months in prison for attempting to hack the Washtenaw County Jail computer system and modifying prison records to get his friend released early.
Besides spending 87 months in prison, Voits has also been ordered to pay $235,488 to Washtenaw County to cover the cost of investigating and cleaning up the intrusion, which resulted in the compromise of personal information of around 1,600 employees, the US Justice Department announced last week.
Between January 24th, 2017 and March 10th, 2017, Voits successfully tricked IT staff at Washtenaw County Jail into visiting a phony website at “ewashtenavv.org,” which mimics the official URL, “ewashtenaw.org.”
The malicious website then installed malware on the IT staff computer that eventually gave Voits complete control over the Jail’s network, allowing him to steal search warrant affidavits and personal details of over 1,600 employees, including names, email addresses, and passwords.
Liam Tung / ZDNet:
Multiple operating systems including Windows, macOS, and Linux were affected by a serious security flaw caused by developers misinterpreting debug documentation
OS and hypervisor makers patch flaw that attackers could use to crash systems or read data from memory.
Windows, macOS, major Linux distributions, FreeBSD, VMware, and Xen on x86 AMD and Intel CPUs are affected by a serious security flaw caused by operating system developers misinterpreting debug documentation from the two chip makers.
The affected OS and hypervisor makers on Tuesday released fixes for the common flaw that may allow an authenticated attacker “to read sensitive data in memory or control low-level operating system functions”, according to CERT.
Patches are available from Apple, DragonFly BSD, FreeBSD, Microsoft, Red Hat, SUSE Linux, Ubuntu, VMware, and Xen. In the case of Linux distributions, there are two separate issues that affect the Linux kernel and the kernel’s KVM hypervisor. Links to all available updates are available in the CERT advisory.
According to Red Hat’s description, the flaw stems from the way operating systems and hypervisors handle certain debugging features in modern CPUs, in this case how debug exceptions are handled.
In the context of a Linux operating system, the flaw may allow an attacker to crash a system.
Microsoft says the vulnerability could allow an attacker to run arbitrary code in kernel mode.
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-crafted application to take control of an affected system,”
Serverless application security firm Protego Labs announced Wednesday that it has raised $2 million seed funding from a group of investors led by Ron Gula of Gula Tech Adventures, Glilot Capital Partners, and the MetroSITE Group of security industry pioneers, including former RSA CTO, Tim Belcher.
The serverless approach — where the server being used is managed by a cloud provider rather than the application owner — offers great advantages in speed, simplicity and cost-savings. Gula believes it is a transformative step in leveraging the full potential of the public cloud.
“But,” he adds, “it also presents a host of new threats and security challenges that traditional application security cannot handle. Protego offers a security solution designed specifically with serverless in mind, putting it at the forefront of this major technology shift.”
Released on Wednesday, Firefox 60 allows IT administrators to customize the browser for employees, and is also the first browser to feature support for the Web Authentication (WebAuthn) standard.
The new application release also comes with various security patches, on-by-default support for the latest draft TLS 1.3, redesigned Cookies and Site Storage section in Preferences, and other enhancements.
To configure Firefox Quantum for their organization, IT professionals can either use Group Policy on Windows, or a JSON file that works across Mac, Linux, and Windows operating systems, Mozilla says. What’s more, enterprise deployments are supported for both the standard Rapid Release (RR) of Firefox or the Extended Support Release (ESR), which is now version 60.
While the standard Rapid Release automatically receives performance improvements and new features on a six-week basis, the Extended Support Release usually receives the features in a single update per year. Critical security updates are delivered to both releases as soon as possible.
Web browsers from Google, Microsoft, and Mozilla will soon provide users with a new, password-less authentication standard built by the FIDO Alliance and the World Wide Web Consortium (W3C) and currently in the final approval stages.
W3C has advanced a standard web API called Web Authentication (WebAuthn) to the Candidate Recommendation (CR) stage, the final step before the final approval of a web standard. Expected to deliver stronger web authentication to users worldwide, it is already being implemented for Windows, Mac, Linux, Chrome OS and Android platforms.
W3C’s WebAuthn API enables strong, unique, public key-based credentials for each site, thus eliminating the risk that passwords stolen on one site could be used on another. WebAuthn can be incorporated into browsers and web platform infrastructure, providing users with new methods to securely authenticate on the web, in the browser, and across sites and devices.
Along with FIDO’s Client to Authenticator Protocol (CTAP) specification, it is a core component of the FIDO2 Project, which enables “users to authenticate easily to online services with desktop or mobile devices with phishing-resistant security.”
Updates released this week by LG for its Android smartphones patch two high severity keyboard vulnerabilities that can be exploited for remote code execution.
The vulnerabilities were reported to LG late last year by Slava Makkaveev of Check Point Research. The electronics giant patched them with its May 2018 updates, which also include the latest security fixes released by Google for the Android operating system (security patch level 2018-05-01).
Researchers at Kaspersky Lab have identified a significant number of vulnerabilities in the OPC UA protocol, including flaws that could, in theory, be exploited to cause physical damage in industrial environments.
Developed and maintained by the OPC Foundation, OPC UA stands for Open Platform Communications Unified Architecture. The protocol is widely used in industrial automation, including for industrial control systems (ICS) and communications between Industrial Internet-of-Things (IIoT) and smart city systems.
Researchers at Kaspersky Lab, which is a member of the OPC Foundation consortium, have conducted a detailed analysis of OPC UA and discovered many vulnerabilities, including ones that can be exploited for remote code execution and denial-of-service (DoS) attacks.
New variants of the TreasureHunter point-of-sale (PoS) malware are expected to emerge after its source code was leaked online in March, Flashpoint warns.
Capable of extracting credit and debit card information from processes running on infected systems, the PoS malware family has been around since at least 2014. To perform its nefarious activities, it scans all processes on the machine to search for payment card data, and then sends the information to the command and control (C&C) servers.
The malware’s source code was posted on a top-tier Russian-speaking forum by an actor who also leaked the source code for the malware’s graphical user interface builder and administrator panel.
Patches have been released for the Linux kernel, Windows, Xen and various Linux distributions, but in most cases the issue has been classified only as “moderate” or “important.” Proof-of-concept (PoC) exploits have been created for both Windows and Linux.
This is a serious security vulnerability and oversight made by operating system vendors due to unclear and perhaps even incomplete documentation on the caveats of the POP SS and MOV SS instructions and their interactions with interrupt gate semantics. The following depends on OSV implementation, but most, if not all, implement SWAPGS the same way. For operating systems running on Intel and AMD hardware, an attacker is able to run the INT 01 handler on a user stack pointer. Furthermore, the attacker could also run the INT 01 handler
Siemens has released updates for many of its SINAMICS medium voltage converters to address two remotely exploitable denial-of-service (DoS) vulnerabilities.
According to advisories published by ICS-CERT and Siemens, the flaws impact SINAMICS GH150, GL150, GM150, SL150, SM120 and SM150 converters, which are used worldwide in the energy, chemical, critical manufacturing, water and wastewater, and food and agriculture sectors.
The more serious of the flaws, identified as CVE-2017-12741 and classified “high severity,” can be exploited to cause a DoS condition by sending specially crafted packets to the device on UDP port 161.
Several botnet operators are targeting a popular but vulnerable fiber router, which can be easily hijacked thanks to two authentication bypass and command injection bugs.
ZDNet first reported the bugs last week. In case you missed it: two bugs allowed anyone to bypass the router’s login page and access pages within — simply by adding “?images/” to the end of the web address on any of the router’s configuration pages. With near complete access to the router, an attacker can inject their own commands, running with the highest “root” privileges.
In other words, these routers are prime targets for hijacking by botnet operators.
Now, a new report by China-based security firm Netlab 360 says at least five botnet families have been “competing for territory” to target the devices.
All five botnets — Muhstik, Mirai, Hajime, Satori, and Mettle — have developed exploits to target the fiber routers, but so far none of the botnets have successfully hacked and hijacked the routers.
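The bypass described above leaves a recognisable trace in web-server logs, so it can be hunted for directly. The following is an added example, not code from the ZDNet or Netlab 360 reports: it parses combined-format access log lines (constructed here, with hypothetical page names such as /menu.html and /diag.html), flags every request whose query string is the appended “images/” marker on a page that is not itself under /images/, and counts attempts per source address so that an operator can see which hosts are probing.

```python
# Added example, not from the ZDNet or Netlab 360 reports: scan web-server
# access logs for the login-bypass pattern described above, where "?images/"
# is appended to a configuration page URL. Log lines and page names are
# constructed for the example.
import re
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_LOG = """\
203.0.113.8 - - [10/May/2018:03:14:07 +0000] "GET /menu.html?images/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [10/May/2018:03:14:09 +0000] "POST /admin/status.html?images/ HTTP/1.1" 200 140 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2018:03:15:11 +0000] "GET /images/logo.png HTTP/1.1" 200 2044 "-" "Mozilla/5.0"
198.51.100.2 - - [10/May/2018:03:15:20 +0000] "GET /login.html HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
192.0.2.77 - - [10/May/2018:03:16:02 +0000] "GET /diag.html?images/ HTTP/1.1" 403 212 "-" "curl/7.58.0"
"""

# Combined log format: client, ident, user, [time], "METHOD target proto", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_bypass_attempt(target):
    """True when the request target carries the bypass marker: a query string
    beginning with 'images/' on a page that does not itself live under /images/.
    Legitimate static-image requests have the path under /images/ and no such query."""
    parts = urlsplit(target)
    return parts.query.startswith("images/") and not parts.path.startswith("/images/")


def scan_log(text):
    """Return one record per request that looks like a bypass attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        if is_bypass_attempt(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"])})
    return hits


def attempts_by_ip(text):
    """Count bypass attempts per source address, blocked (403) ones included,
    since the attempt itself is the signal worth alerting on."""
    return Counter(h["ip"] for h in scan_log(text))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ip"]:15} {h["method"]:4} {h["target"]:28} {h["status"]}')
    print(attempts_by_ip(SAMPLE_LOG))
```

A 200 on one of these requests means the bypass worked and the device should be treated as compromised until its firmware is replaced; a 403 means the front-end blocked it, but the source address is still worth adding to a blocklist given how quickly the botnets above move from scanning to exploitation.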
Exclusive: Two researchers say a police breathalyzer, used across the US, can produce incorrect breath test results, but their work came to a halt after legal pressure from the manufacturer.
The source code behind a police breathalyzer widely used in multiple states — and millions of drunk driving arrests — is under fire.
It’s the latest case of technology and the real world colliding — one that revolves around source code, calibration of equipment, two researchers and legal maneuvering, state law enforcement agencies, and Draeger, the breathalyzer’s manufacturer.
This most recent skirmish began a decade ago when Washington state police sought to replace its aging fleet of breathalyzers. When the Washington police opened solicitations, the only bidder, Draeger, a German medical technology maker, won the contract to sell its flagship device, the Alcotest 9510, across the state.
But defense attorneys have long believed the breathalyzer is faulty.
The two experts wrote in a preliminary report that they found flaws capable of producing incorrect breath test results. The defense hailed the results as a breakthrough, believing the findings could cast doubt on countless drunk-driving prosecutions.
The two distributed their early findings to attendees at a conference for defense lawyers, which Draeger said was in violation of a court-signed protective order the experts had agreed to, and the company threatened to sue.
Their research was left unfinished, and a final report was never completed.
Draeger said in a statement the company was protecting its source code and intellectual property, not muzzling research.
The breathalyzer has become a staple in law enforcement, with more than a million Americans arrested each year for driving under the influence of alcohol — an offense known as a DUI. Drunk driving has its own economy: A multi-billion dollar business for lawyers, state governments, and the breathalyzer manufacturers — all of which have a commercial stake at play.
Yet, the case in Washington is only the latest in several legal battles where the breathalyzer has faced scrutiny about the technology used to secure convictions.
Breath temperature can fluctuate throughout the day, but, according to the report, it can also wildly change the results of an alcohol breath test. Without correction, a single degree over a normal breath temperature of 34 degrees centigrade can inflate the results by six percent, enough to push a person over the limit.
The quadratic formula set by the Washington State Patrol should correct the breath temperature to prevent false results. The quadratic formula corrects warmer breath downward, said the report, but the code doesn’t explain how the corrections are made. The corrections “may be insufficient” if the formula is faulty, the report added.
Issues with the code notwithstanding, Washington chose not to install a component to measure breath temperature, according to testimony in a 2015 hearing, and later confirmed by Draeger.
The code is also meant to check to ensure the device is operating within a certain temperature range set by Draeger, because the device can produce incorrect results if it’s too hot or too cold.
But the report said a check meant to measure the ambient temperature was disabled in the state configuration.
President Donald Trump announced this week that the U.S. is withdrawing from the Iran nuclear deal and reimposing sanctions on the Middle Eastern country. Many experts fear that Iran will retaliate by launching cyberattacks on Western organizations.
Industry professionals contacted by SecurityWeek all say that there is a strong possibility of attacks, but they mostly agree that Iran will likely not try to cause too much damage as that could lead to massive response from the United States and its allies.
Steven Musil / CNET:
Symantec shares plummet after company warns its annual report could be delayed by an internal investigation into unspecified concerns by board — Symantec shares plummeted roughly 20 percent on Thursday after the antivirus maker warned an internal investigation could delay its annual report.
Mishaal Rahman / XDA Developers:
Google’s head of Android platform security says Google has started to include the requirements for security patching into its OEM agreements
At the annual Google I/O developer conference, the company holds several sessions about updates to the Android platform. During the “What’s new in Android Security” talk, Google’s head of Android platform security David Kleidermacher talked about the upcoming security changes in the Android P release. Near the beginning of the talk, Mr. Kleidermacher discussed how the company was making it easier for OEMs to roll out security patches thanks to the architectural changes implemented with Project Treble. He followed this statement with a small, but incredibly important tidbit of information: Google has modified their OEM agreements to include provisions for regular security patches.
“We’ve also worked on building security patching into our OEM agreements. Now this will really … lead to a massive increase in the number of devices and users receiving regular security patches.” – David Kleidermacher, Google’s head of Android platform security
Nearly half a million elderly women in the United Kingdom missed mammography exams because of a scheduling error caused by one incorrect computer algorithm, and several hundred of those women may have died early as a result.
Last week, the U.K. Health Minister Jeremy Hunt announced that an independent inquiry had been launched to determine how a “computer algorithm failure” stretching back to 2009 caused some 450,000 patients in England aged 68 to 71 to not be invited for their final breast cancer screenings.
The errant algorithm was in the National Health Service’s (NHS) breast cancer screening scheduling software, and remained undiscovered for nine years.
He added that based on statistical modeling, the number who may have died prematurely as a result was estimated to be between 135 and 270 women.
Hunt’s announcement spread across the British press immediately, with the word “scandal”
“Tragically, there are likely to be some people in this group who would have been alive today if the failure had not happened.”
Exactly how the “algorithm failure” came about is clouded in controversy and contradictions. Right now, the NHS, Public Health England (PHE), and the software company Hitachi Consulting, which maintains the software, are pointing fingers at each other. However, it may eventually turn out that there is no fault to be assigned.
At least for now, the government is blaming “administrative incompetence”
A new exploit allows hackers to spoof two-factor authentication requests by sending a user to a fake login page and then stealing the username, password, and session cookie.
“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, KnowBe4 CEO. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization.”
Personal privacy vs. public security: fight!
Jon Evans
@rezendi / May 6, 2018
Personal privacy is a fairly new concept. Most people used to live in tight-knit communities, constantly enmeshed in each other’s lives. The notion that privacy is an important part of personal security is even newer, and often contested, while the need for public security — walls which must be guarded, doors which must be kept locked — is undisputed. Even anti-state anarchists concede the existence of violent enemies and monsters.
Rich people can afford their own high walls and closed doors. Privacy has long been a luxury, and it’s still often treated that way; a disposable asset, nice-to-have, not essential.
Joseph Cox / Motherboard:
Hacker says he stole data from ZooPark hacking group, some say an Iran-linked APT, which ran a hacking campaign targeting Android devices across the Middle East
Earlier this month, Kaspersky published research on the so-called ZooPark group, which ran a hacking campaign towards Android devices across the Middle East. Now, a hacker has allegedly stolen ZooPark’s own data and provided it to Motherboard.
Adults will show shopkeepers passport or driving licence and get 16-digit card in return
High street newsagents are to sell so-called “porn passes” that will allow adults to visit over-18 websites anonymously.
The 16-digit cards will allow browsers to avoid giving personal details online when asked to prove their age.
The legislation is designed to stop children accessing online pornography.
But there are concerns that asking adults to hand over passport or driving licence details to view adult material could leave them open to data-hacking and blackmail.
Some 56 per cent of British adults admitted to watching pornography
A spokesman for the Department of Culture, Media and Sport, which is responsible for the new legislation, said: “We are in the process of implementing some of the strictest data protection laws in the world.
“A wide variety of online age verification solutions exist, or are in development, and they will have to abide by these high standards. We expect data security to be a high priority in the BBFC’s guidance on age verification arrangements.”
The BBFC will not create the new verification systems but is overseeing their implementation.
269 Comments
Tomi Engdahl says:
Google is launching .app domains, the first TLDs secured with built-in HTTPS
https://techcrunch.com/2018/05/01/google-is-launching-app-domains-the-first-tlds-secured-with-built-in-https/?utm_source=tcfbpage&sr_share=facebook
Google is launching .app domains, the first TLDs secured with built-in HTTPS
Sarah Perez
@sarahintampa / May 1, 2018
Over three years after Google paid $25 million to gain the exclusive rights to the “.app” top-level domain, the company is at last making .app domains available to register starting today and running through May 7, at 9 AM PDT via Google’s Early Access Program. The following day, May 8, the domains will go on sale for the general public, including through other registrars.
The new top-level domain (TLD) is an obvious choice for app developers and others in the tech industry, as it serves as an easy-to-remember alternative to .com domains
In addition to the expected demand, Google is requiring HTTPS for all .app websites. This built-in security protects against ad malware, tracking injection by internet service providers, and safeguards against spying on open Wi-Fi networks, the company explains.
Tomi Engdahl says:
Why You Should Drop Everything and Enable Two-Factor Authentication Immediately
https://securityintelligence.com/why-you-should-drop-everything-and-enable-two-factor-authentication-immediately/?cm_mmc=PSocial_Facebook-_-Security_Govern%20users%20and%20their%20access-_-WW_EP-_-24842201_Tracking%20Pixel&cm_mmca1=000000NP&cm_mmca2=10007507&cm_mmca4=24842201&cm_mmca5=52392205&cm_mmca6=d1a8089c-bb1d-46e9-a4bb-74372ea1aaab&cvosrc=social%20network%20paid.facebook.Learn%20Engagement%20LP%20StaticLinkAd%20%20%20%20%20Lookalike%20%20%20%20%20Hi%20Five_Prospecting_DesktopMobileTablet_1x1&cvo_campaign=000000NP&cvo_pid=24842201
If you haven’t done so already after seeing the title of this article, please stop reading immediately and enable two-factor authentication (2FA) on every system and service you use that allows it. The reality is that no matter how strong your password is — even that 48-character one with uppercase and lowercase letters, numbers and symbols — it’s not strong enough if your desktop or browser is compromised and your credentials are stolen.
Tomi Engdahl says:
Evasive Malware Now a Commodity
https://www.securityweek.com/evasive-malware-now-commodity
I’ve been deconstructing malware for over 20 years, and it turns out I’ve chosen a profession where it’s hard to feel in a rut — so much of what is happening with malware continues to feel dramatic and new to me. There’s always the latest malware inventiveness – “fileless” malware and cryptocurrency mining bots leap to mind at the moment – but more on my mind this week is the rise of the malware marketplace and the continued increase in “hyper-evasive” malware across the board.
Total annual malware volumes are up 7x globally over the last five years according to data from AV-Test.org, which means internet users and businesses are witnessing a rising flood of maliciousness in their email and web interactions.
One-third of Malware is “Hyper-Evasive”
Just how evasive is malware today? To get at this systematically, my team just concluded a study of malware sent to our cloud sandbox array during the first quarter of this year. Such malware has passed through several prior stages of automated analysis, and has still not been definitively categorized as benign or malicious. We discovered that over 98 percent of malware making it to the sandbox array uses at least one evasive tactic, and that 32 percent of malware samples making it to this stage were what we could classify as “hyper-evasive,” layering on six or more detection evasion techniques.
Historically, some malware uses multiples of that number, like Cerber ransomware, which is extremely “sandbox aware” and runs 28 processes to check if it is really running in a target environment, refusing to detonate if it finds debuggers installed to detect malware, the presence of virtual machines (a basic “tell” for traditional sandboxes), or loaded modules, file paths, etc., known to be used by different traditional sandboxing vendors.
Tomi Engdahl says:
U.S. Military Bans Huawei, ZTE Phones
https://www.securityweek.com/us-military-bans-huawei-zte-phones
Personnel on US military bases can no longer buy phones and other gear manufactured by Chinese firms Huawei and ZTE, after the Pentagon said the devices pose an “unacceptable” security risk.
Tomi Engdahl says:
Unpatched Flaws Expose Lantech Industrial Device Servers to Attacks
https://www.securityweek.com/unpatched-flaws-expose-lantech-industrial-device-servers-attacks
Two critical vulnerabilities have been discovered by a researcher in industrial device servers from Taiwan-based industrial networking solutions provider Lantech. The flaws can be exploited remotely even by an attacker with a low skill level, but the vendor has not released any patches.
According to Lantech, IDS 2102 is a device server designed to convert one RS232/422/485 serial port to two 10/100 Ethernet connections. The device, used worldwide in the critical manufacturing sector, can be managed and configured remotely over the Internet.
Tomi Engdahl says:
SynAck Ransomware Uses Process Doppelgänging for Evasion
https://www.securityweek.com/synack-ransomware-uses-process-doppelg%C3%A4nging-evasion
SynAck has become the first ransomware family to leverage the Process Doppelgänging technique in an attempt to bypass security products, Kaspersky Lab reports.
Discovered in September 2017, SynAck isn’t new malware, but started using the evasion method last month, Kaspersky’s security researchers warn. The technique isn’t new either, as it was first detailed in December 2017 by enSilo.
Similar to process hollowing, Process Doppelgänging abuses the Windows loader to execute code without writing it to disk, making detection more difficult. The malicious code is correctly mapped to a file on the disk, just as it would be in the case of a legitimate process.
As expected, SynAck leverages Process Doppelgänging to bypass modern security solutions (which would flag any unmapped code).
“The main purpose of the technique is to use NTFS transactions to launch a malicious process from the transacted file so that the malicious process looks like a legitimate one,” Kaspersky notes.
https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
Tomi Engdahl says:
Spring 2018 Password Attacks
https://www.securityweek.com/spring-2018-password-attacks
The first time I heard about distributed brute-force login attacks was from master web application firewall (WAF) administrator Marc LeBeau. At the time he was defending a hotel chain against attackers who were brute-force guessing customer passwords and withdrawing hotel points.
LeBeau had been brought in to administer a WAF to stop the bleeding, which topped $50,000 a month. His initial policy stymied the attackers . . . for about two weeks. Then they resumed their assault, this time trying each password from a different IP address. The distributed nature of this type of attack makes it difficult to differentiate between a legitimate user trying to remember his password and a gang of points thieves.
I checked back with LeBeau recently to see what he’s up to, because he’s always got some interesting insights into the attacker/defender landscape.
According to LeBeau, there’s a popular attack vector among brute-force attackers right now that takes advantage of the 90-day password expirations commonly used by enterprises. When a company becomes large enough, it accumulates several dudes who can’t ever remember their passwords and end up calling IT 200 times a year. To avoid becoming like the fabled B.O.F.H., admins assign these dudes a password like Spring2018 because it’s easy to remember and aligns to the 90-day expiration.
No limits
LeBeau says a modern WAF can prevent distributed brute-force login attempts with various levels of rate-limiting. If the authentication model is very open (little to no rate-limiting), then, yes—attackers spray the site with an identical password list. If a site has something worth getting, the attackers will hammer it in any and every way possible till there’s nothing left.
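The distributed pattern LeBeau describes, as an added example that is not code from the SecurityWeek article or from LeBeau’s WAF policy: a classic per-source rate limiter next to a detector keyed on the spray shape (many accounts, very few failures per source), both run over a constructed log in a hypothetical `timestamp ip user result` format, plus a check for the Spring2018-style seasonal passwords that make the spray worthwhile. The log lines and every threshold are assumptions chosen for illustration.

```python
"""Distributed password-spray detection over a constructed auth log.

Added example, not code from the SecurityWeek article or from Marc LeBeau.
The log format (timestamp, source IP, username, result) and every threshold
are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.x: one guess per source against many
# accounts (the spray). 198.51.100.7: one forgetful user. 192.0.2.5: one
# noisy source hammering a single account.
SAMPLE_LOG = """\
2018-05-08T09:00:01Z 203.0.113.10 alice FAIL
2018-05-08T09:00:02Z 203.0.113.11 bob FAIL
2018-05-08T09:00:03Z 203.0.113.12 carol FAIL
2018-05-08T09:00:04Z 203.0.113.13 dave FAIL
2018-05-08T09:00:05Z 203.0.113.14 erin FAIL
2018-05-08T09:00:06Z 203.0.113.15 frank FAIL
2018-05-08T09:00:07Z 203.0.113.16 grace SUCCESS
2018-05-08T09:00:08Z 203.0.113.17 heidi FAIL
2018-05-08T09:05:00Z 198.51.100.7 alice FAIL
2018-05-08T09:05:20Z 198.51.100.7 alice FAIL
2018-05-08T09:05:40Z 198.51.100.7 alice SUCCESS
2018-05-08T09:10:00Z 192.0.2.5 admin FAIL
2018-05-08T09:10:10Z 192.0.2.5 admin FAIL
2018-05-08T09:10:20Z 192.0.2.5 admin FAIL
2018-05-08T09:10:30Z 192.0.2.5 admin FAIL
2018-05-08T09:10:40Z 192.0.2.5 admin FAIL
2018-05-08T09:10:50Z 192.0.2.5 admin FAIL
"""

SEASONAL = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@#$%.]*$", re.I)


def is_seasonal_password(pw):
    """True for the Spring2018-style passwords the article describes."""
    return bool(SEASONAL.match(pw))


def load_events(text):
    """Parse log lines into (timestamp, ip, user, result), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def per_source_rate_limit(events, max_failures=5, window=timedelta(minutes=5)):
    """Classic per-IP limiter: IPs with more than max_failures failures inside
    a sliding window. A spray that rotates source IPs never trips it."""
    recent = defaultdict(list)
    flagged = set()
    for ts, ip, _user, result in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.pop(0)
        if len(q) > max_failures:
            flagged.add(ip)
    return flagged


def spray_targets(events, window=timedelta(minutes=2), min_users=5, max_per_ip=2):
    """Accounts hit inside any window where failures are spread over at least
    min_users distinct accounts while no single IP failed more than
    max_per_ip times: the spray shape that per-source limits cannot see."""
    targets = set()
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        fails = [e for e in events[start:end + 1] if e[3] == "FAIL"]
        users = {e[2] for e in fails}
        per_ip = defaultdict(int)
        for e in fails:
            per_ip[e[1]] += 1
        if len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            targets |= users
    return targets


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("per-source limiter flags:", per_source_rate_limit(evs))
    print("spray targets:", sorted(spray_targets(evs)))
    print("Spring2018 is seasonal:", is_seasonal_password("Spring2018"))
```

On the sample log the per-source limiter flags only the noisy 192.0.2.5, while the spray detector reports the seven accounts hit once each from seven different addresses and ignores the forgetful user. In practice the spray detector is what decides whether to tighten the global policy (temporary lockout-free step-up, CAPTCHA, or geo-velocity checks); rejecting seasonal passwords at set time removes the reason the spray works at all.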
Tomi Engdahl says:
Kremlin’s war on Telegram sees 50 VPNs stopped at the border
Viber said to be next target of stop-terrorists-talking effort
https://www.theregister.co.uk/2018/05/08/russia_blocks_50_vpns/
Russia’s telecom regulator Roskomnadzor has taken a more granular approach to its battle with Telegram: instead of deep-sixing IP addresses by the millions, it says it’s blocked 50 VPN providers from landing traffic in the country.
At the end of last week, the regulator’s deputy head Vadim Subbotin told state newsagency TASS that it had identified and blocked 50 VPNs and anonymisers “for the time being”.
Tomi Engdahl says:
Hacking charge dropped against Nova Scotia teen who slurped public records from the web
Police opt to end charade over document download row
https://www.theregister.co.uk/2018/05/07/canadian_teen_hacker/
Cops in Halifax, Nova Scotia, Canada, will not pursue charges against a 19-year-old fella who had dared to download a cache of public documents.
In a brief statement issued Monday, police said that, following nearly a month of investigation, there were “no grounds to lay charges” in a case that had drawn harsh criticism from digital rights groups. The young man had shown no criminal intent in fetching freely available files that anyone could have slurped, the plod admitted.
“This was a high-profile case that potentially impacted many Nova Scotians,” Superintendent Jim Perrin, Officer-in-Charge of Criminal Investigations said of the case.
“As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offence by accessing the information.”
Tomi Engdahl says:
Equifax reveals full horror of that monstrous cyber-heist of its servers
https://www.theregister.co.uk/2018/05/08/equifax_breach_may_2018/
146 million people, 99 million addresses, 209,000 payment cards, 38,000 drivers’ licenses and 3,200 passports
Tomi Engdahl says:
That Drupal bug you were told to patch weeks ago? Cryptominers hope you haven’t bothered
Cryptocoin malware outfit takes aim at ‘Drupalgeddon’ bug
https://www.theregister.co.uk/2018/05/07/drupal_bug_exploits/
A set of high-severity vulnerabilities in Drupal that were disclosed last month are now the target of widespread attacks by a malware campaign.
Researcher Troy Mursch of Bad Packets Report has spotted hundreds of compromised Drupal sites being used to host “cryptojacking” malware that uses the CPUs of visitors to mine cryptocurrency via CoinHive.
Tomi Engdahl says:
Richard Stallman: Dangers of IoT and Amazon Alexa
https://www.youtube.com/watch?v=AAP4N3KyLmM
Tomi Engdahl says:
Juli Clover / MacRumors:
Apple’s iOS 11.4, currently in beta, introduces USB Restricted Mode that disables Lightning port after a week of not entering passcode — The iOS 11.4 update, currently being beta tested, includes a USB Restricted Mode that introduces a week-long expiration date on access to the Lightning port …
iOS 11.4 Disables Lightning Connector After 7 Days, Limiting Law Enforcement Access
https://www.macrumors.com/2018/05/08/ios-11-4-usb-restricted-mode/
The iOS 11.4 update, currently being beta tested, includes a USB Restricted Mode that introduces a week-long expiration date on access to the Lightning port on your iOS devices if your phone hasn’t been unlocked, which has implications for law enforcement tools like the GrayKey box.
USB Restricted Mode was outlined this morning by Elcomsoft after testing confirmed that the feature has indeed been enabled. In Elcomsoft’s experience, after an iPhone or iPad has been updated to iOS 11.4, if it hasn’t been unlocked or connected to a paired computer in the last 7 days using a passcode, the Lightning port is useless for data access and limited to charging.
Tomi Engdahl says:
WHOIS Behind Cyberattacks? Under GDPR, We May Not Know
https://securityintelligence.com/whois-behind-cyberattacks-under-gdpr-we-may-not-know/
The goal of the European Union’s General Data Protection Regulation (GDPR) is, among other things, to standardize data protection laws applicable to EU data subjects. Aimed at enhancing privacy protection, the enforcement of the regulation becomes effective on May 25.
GDPR’s implementation on an issue relevant to the cybersecurity industry may well have negative consequences that, ironically, run contrary to its original intent.
What’s at Stake?
The central issue involves changes to accessing business contact information in the ICANN WHOIS database as a result of the current interpretation of the GDPR. WHOIS is a service that has readily provided basic information about a registered domain, such as domain owner contact information, domain availability status and the company with which the domain is registered. Registrants of new domains provide this information as part of the registration process.
Tomi Engdahl says:
Maikspy Spyware Poses as Adult Game, Targets Windows and Android Users
https://blog.trendmicro.com/trendlabs-security-intelligence/maikspy-spyware-poses-as-adult-game-targets-windows-and-android-users/
We discovered a malware family called Maikspy — a multi-platform spyware that can steal users’ private data. The spyware targets Windows and Android users, and first posed as an adult game named after a popular U.S.-based adult film actress. Maikspy, which is an alias that combines the name of the adult film actress and spyware, has been around since 2016.
Tomi Engdahl says:
Lenovo Patches Secure Boot Vulnerability in Servers
https://www.securityweek.com/lenovo-patches-secure-boot-vulnerability-servers
Lenovo has released patches for a High severity vulnerability impacting the Secure Boot function on some System x servers.
Exploitation of this security vulnerability could result in unauthenticated code being booted. Discovered by the computer maker’s internal testing team and tracked as CVE-2017-3775, the issue impacts a dozen models, including Flex System x240 M5, x280 X6, x480 X6, x880, x3xxx series, and NeXtScale nx360 M5 devices.
“Lenovo internal testing discovered some System x server BIOS/UEFI versions that, when Secure Boot mode is enabled by a system administrator, do not properly authenticate signed code before booting it. As a result, an attacker with physical access to the system could boot unsigned code,” the manufacturer notes.
These systems ship with Secure Boot disabled by default, because signed code is relatively new in the data center environment, the company says, adding that standard operator configurations disable signature checking.
In its advisory, the computer maker published not only the complete list of affected models, but also links to the appropriate BIOS/UEFI update for each model. The company advises admins relying on Secure Boot to control physical access to systems prior to applying the updates.
Tomi Engdahl says:
Microsoft Patches Two Windows Zero-Day Vulnerabilities
https://www.securityweek.com/microsoft-patches-two-windows-zero-day-vulnerabilities
Microsoft has fixed more than 60 vulnerabilities with its May 2018 Patch Tuesday updates, including two Windows zero-day flaws that can be exploited for remote code execution and privilege escalation.
The more serious of the zero-day vulnerabilities is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows.
The existence of the flaw was revealed last month by Chinese security firm Qihoo 360, which reported that a known advanced persistent threat (APT) actor had been exploiting the vulnerability via Internet Explorer and specially crafted Office documents.
Tomi Engdahl says:
Critical Code Execution Flaw Patched in Flash Player
https://www.securityweek.com/critical-code-execution-flaw-patched-flash-player
Adobe has patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products, but the company believes it’s unlikely that the flaws will be exploited in the wild any time soon.
Only one vulnerability has been patched in Flash Player with the release of version 29.0.0.171 for Windows, Mac, Linux and Chrome OS. The issue, reported to Adobe by Jihui Lu of Tencent KeenLab, impacts Flash Player 29.0.0.140 and earlier versions.
The flaw is a critical type confusion that allows arbitrary code execution (CVE-2018-4944), but Adobe has assigned it a severity rating of “2,” which indicates that exploits are not considered imminent and there is no rush to install the update.
Tomi Engdahl says:
Telegram Rivaling Tor as Home to Criminal ‘Forums’
https://www.securityweek.com/telegram-rivaling-tor-home-criminal-forums
Telegram Channels Offer Great Anonymity and Are Being Increasingly Used by Cybercriminals
Serious criminals are abandoning the upper levels of the dark web. The reasons appear to be the relative ease with which such criminal forums are penetrated by law enforcement agents and security researchers — and the recent shut-downs of major criminal forums Hansa Market and AlphaBay.
Last month, Cybereason tested this idea, and concluded that serious criminals have migrated to the deeper, closed forums of the dark web. Published yesterday, researchers from Check Point now postulate an alternative destination for these criminals; that is, not to deep, dark, Tor-hidden forums, but to Telegram.
Tomi Engdahl says:
Hide ‘N Seek IoT Botnet Can Survive Device Reboots
https://www.securityweek.com/hide-n-seek-iot-botnet-can-survive-device-reboots
The Internet of Things (IoT) botnet known as Hide ‘N Seek that first emerged in January can now achieve persistence on infected devices, Bitdefender reports.
Discovered toward the end of April, the latest version of the malware also includes code that allows it to target more vulnerabilities and new types of devices, the security firm discovered, adding that it targets 10 different architectures and a broad range of models.
The botnet has so far infected 90,000 unique devices starting in January, and could become a major threat if weaponized.
The latest Hide ‘N Seek version can compromise more IPTV camera models by targeting vulnerabilities in Wansview NCS601W IP camera (a cloud-only device) and AVTECH IP Camera, NVR and DVR (the maker’s products have been targeted by other IoT malware as well).
Hide and Seek IoT Botnet resurfaces with new tricks, persistence
https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/
Tomi Engdahl says:
Twitter is Testing End-to-End Encrypted Direct Messages
Monday, May 07, 2018 Mohit Kumar
https://thehackernews.com/2018/05/encrypted-twitter-direct-messages.html
Twitter has been adopting new trends at a snail’s pace. But it’s better to be late than never.
Since 2013 people were speculating that Twitter will bring end-to-end encryption to its direct messages, and finally almost 5 years after the encryption era began, the company is now testing an end-to-end encrypted messaging on Twitter.
Dubbed “Secret Conversation,” the feature has been spotted in the latest version of Android application package (APK) for Twitter by Jane Manchun Wong
Tomi Engdahl says:
Man Who Hacked Jail Systems to Release His Friend Early Gets 7-Years in Prison
Monday, April 30, 2018 Mohit Kumar
https://thehackernews.com/2018/04/jail-network-hacking.html
Remember a young hacker who hacked jail systems in an attempt to release his prison inmate early?
Well, that hacker will now be joining his inmate behind bars.
Konrads Voits of Ypsilanti, Michigan, has been sentenced to seven years and three months in prison for attempting to hack the Washtenaw County Jail computer system and modifying prison records to get his friend released early.
Besides spending 87 months in prison, Voits has also been ordered to pay $235,488 in fines to Washtenaw County for the cost accrued in investigating and cleaning up the infiltration that resulted in the compromise of personal information of around 1,600 employees, the US Justice Department announced last week.
Between January 24th, 2017 and March 10th, 2017, Voits successfully tricked IT staff at Washtenaw County Jail into visiting a phony website at “ewashtenavv.org,” which mimics the official URL, “ewashtenaw.org.”
The malicious website then installed malware on the IT staff computer that eventually gave Voits complete control over the Jail’s network, allowing him to steal search warrant affidavits and personal details of over 1,600 employees, including names, email addresses, and passwords.
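Lookalike screening of the kind that would have caught “ewashtenavv.org” posing as “ewashtenaw.org”, as an added example that is not code from The Hacker News article or from the county’s IT staff: confusable sequences (vv for w, rn for m) are collapsed before comparison, and single-character typos and TLD swaps are caught separately. The protected-domain list, the candidate domains and the confusable table are constructed for illustration; real deployments feed this from a newly-registered-domain or certificate-transparency stream and consult the Public Suffix List.

```python
"""Lookalike-domain screening: homoglyph sequences, typos and TLD swaps.

Added example, not from The Hacker News article or the Justice Department
filing. The protected-domain list, the candidate domains and the confusable
table are constructed for illustration.
"""

# Character sequences that render nearly identically in common fonts,
# mapped to the form the eye reads them as.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("1", "l"), ("0", "o")]


def normalize_label(label):
    """Collapse confusable sequences so a lookalike and its target map to the
    same string. Legitimate domains that differ only by a confusable pair
    (modern vs modem) collide too; for a phishing screen that bias is wanted."""
    s = label.lower()
    for seq, repl in CONFUSABLES:
        s = s.replace(seq, repl)
    return s


def edit_distance(a, b):
    """Levenshtein distance, for single-character typos and omissions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """(registrable label, tld). Assumes a single-label suffix; real code
    should consult the Public Suffix List for co.uk-style suffixes."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify(candidate, protected):
    """Return (verdict, matched protected domain). Verdicts, most to least
    specific: exact, tld-swap, homoglyph, typo, clean."""
    c_label, c_tld = split_domain(candidate)
    for p in protected:
        p_label, p_tld = split_domain(p)
        if (c_label, c_tld) == (p_label, p_tld):
            return ("exact", p)
        if c_label == p_label:
            return ("tld-swap", p)
        if normalize_label(c_label) == normalize_label(p_label):
            return ("homoglyph", p)
        if edit_distance(c_label, p_label) == 1:
            return ("typo", p)
    return ("clean", None)


PROTECTED = ["ewashtenaw.org"]  # constructed allow-list for the example

if __name__ == "__main__":
    for d in ["ewashtenaw.org", "ewashtenavv.org", "ewashtenaw.com",
              "ewashtnaw.org", "example.com"]:
        print(d, "->", classify(d, PROTECTED))
```

A hit other than `exact` is a candidate for a mail-gateway block or a DNS sinkhole entry; the `homoglyph` verdict is the one that a plain string comparison or a spelling-based typo check misses, which is exactly how the vv-for-w domain above got past the people who clicked it.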
Tomi Engdahl says:
FBI Releases the IC3 2017 Internet Crime Report and Calls for Increased Public Awareness
https://www.fbi.gov/news/pressrel/press-releases/fbi-releases-the-ic3-2017-internet-crime-report-and-calls-for-increased-public-awareness
The FBI Reminds the Public that Reporting Internet Crime is Necessary to Combating Internet Crime
https://pdf.ic3.gov/2017_IC3Report.pdf
Tomi Engdahl says:
FBI: Number of Ransomware Complaints Went Down in 2017
https://www.bleepingcomputer.com/news/security/fbi-number-of-ransomware-complaints-went-down-in-2017/
Tomi Engdahl says:
Liam Tung / ZDNet:
Multiple operating systems including Windows, macOS, and Linux were affected by a serious security flaw caused by developers misinterpreting debug documentation
Microsoft Windows, Apple macOS, Linux, BSD: All hit by same ‘serious’ security flaw
https://www.zdnet.com/article/microsoft-windows-apple-macos-linux-bsd-all-hit-by-same-serious-security-flaw/
OS and hypervisor makers patch flaw that attackers could use to crash systems or read data from memory.
Windows, macOS, major Linux distributions, FreeBSD, VMware, and Xen on x86 AMD and Intel CPUs are affected by a serious security flaw caused by operating system developers misinterpreting debug documentation from the two chip makers.
The affected OS and hypervisor makers on Tuesday released fixes for the common flaw that may allow an authenticated attacker “to read sensitive data in memory or control low-level operating system functions”, according to CERT.
Patches are available from Apple, DragonFly BSD, FreeBSD, Microsoft, Red Hat, SUSE Linux, Ubuntu, VMware, and Xen. In the case of Linux distributions, there are two separate issues that affect the Linux kernel and the kernel’s KVM hypervisor. Links to all available updates are available in the CERT advisory.
According to Red Hat’s description, the flaw stems from the way operating systems and hypervisors handle certain debugging features in modern CPUs, in this case how debug exceptions are handled.
In the context of a Linux operating system, the flaw may allow an attacker to crash a system.
Microsoft says the vulnerability could allow an attacker to run arbitrary code in kernel mode.
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-crafted application to take control of an affected system,”
Vulnerability Note VU#631579
Hardware debug exception documentation may result in unexpected behavior
https://www.kb.cert.org/vuls/id/631579
Tomi Engdahl says:
Windows security: Microsoft issues fix for critical Docker tool flaw, so patch now
https://www.zdnet.com/article/windows-security-microsoft-issues-fix-for-critical-docker-tool-flaw-so-patch-now/
Microsoft has patched a bug in an open-source tool it developed to help Docker containers run on Windows.
Tomi Engdahl says:
https://www.zdnet.com/video/new-spectre-class-flaws-in-intel-cpus-might-be-revealed-soon-use/
Tomi Engdahl says:
Google and Microsoft Debut: Replacing Passwords with FIDO2 Authentication
https://www.youtube.com/watch?v=M30aZ2cxElo
Tomi Engdahl says:
Protego Labs Raises $2 Million in Seed Funding
https://www.securityweek.com/protego-labs-raises-2-million-seed-funding
Serverless application security firm Protego Labs announced Wednesday that it has raised $2 million seed funding from a group of investors led by Ron Gula of Gula Tech Adventures, Glilot Capital Partners, and the MetroSITE Group of security industry pioneers, including former RSA CTO, Tim Belcher.
The serverless approach — where the server being used is managed by a cloud provider rather than the application owner — offers great advantages in speed, simplicity and cost-savings. Gula believes it is a transformative step in leveraging the full potential of the public cloud.
“But,” he adds, “it also presents a host of new threats and security challenges that traditional application security cannot handle. Protego offers a security solution designed specifically with serverless in mind, putting it at the forefront of this major technology shift.”
Tomi Engdahl says:
Firefox 60 Brings Support for Enterprise Deployments
https://www.securityweek.com/firefox-60-brings-support-enterprise-deployments
Released on Wednesday, Firefox 60 allows IT administrators to customize the browser for employees, and is also the first browser to feature support for the Web Authentication (WebAuthn) standard.
The new application release also comes with various security patches, on-by-default support for the latest draft TLS 1.3, redesigned Cookies and Site Storage section in Preferences, and other enhancements.
To configure Firefox Quantum for their organization, IT professionals can either use Group Policy on Windows, or a JSON file that works across Mac, Linux, and Windows operating systems, Mozilla says. What’s more, enterprise deployments are supported for both the standard Rapid Release (RR) of Firefox or the Extended Support Release (ESR), which is now version 60.
While the standard Rapid Release automatically receives performance improvements and new features on a six-week basis, the Extended Support Release usually receives the features in a single update per year. Critical security updates are delivered to both releases as soon as possible.
New Authentication Standard Coming to Major Web Browsers
https://www.securityweek.com/new-authentication-standard-coming-major-web-browsers
Web browsers from Google, Microsoft, and Mozilla will soon provide users with a new, password-less authentication standard built by the FIDO Alliance and the World Wide Web Consortium (W3C) and currently in the final approval stages.
W3C has advanced a standard web API called Web Authentication (WebAuthn) to the Candidate Recommendation (CR) stage, the final step before the final approval of a web standard. Expected to deliver stronger web authentication to users worldwide, it is already being implemented for Windows, Mac, Linux, Chrome OS and Android platforms.
W3C’s WebAuthn API enables strong, unique, public key-based credentials for each site, thus eliminating the risk that passwords stolen on one site could be used on another. WebAuthn can be incorporated into browsers and web platform infrastructure, providing users with new methods to securely authenticate on the web, in the browser, and across sites and devices.
Along with FIDO’s Client to Authenticator Protocol (CTAP) specification, it is a core component of the FIDO2 Project, which enables “users to authenticate easily to online services with desktop or mobile devices with phishing-resistant security.”
Tomi Engdahl says:
LG Patches Serious Vulnerabilities in Smartphone Keyboard
https://www.securityweek.com/lg-patches-serious-vulnerabilities-smartphone-keyboard
Updates released this week by LG for its Android smartphones patch two high severity keyboard vulnerabilities that can be exploited for remote code execution.
The vulnerabilities were reported to LG late last year by Slava Makkaveev of Check Point Research. The electronics giant patched them with its May 2018 updates, which also include the latest security fixes released by Google for the Android operating system (security patch level 2018-05-01).
Tomi Engdahl says:
Many Vulnerabilities Found in OPC UA Industrial Protocol
https://www.securityweek.com/many-vulnerabilities-found-opc-ua-industrial-protocol
Researchers at Kaspersky Lab have identified a significant number of vulnerabilities in the OPC UA protocol, including flaws that could, in theory, be exploited to cause physical damage in industrial environments.
Developed and maintained by the OPC Foundation, OPC UA stands for Open Platform Communications Unified Automation. The protocol is widely used in industrial automation, including for control systems (ICS) and communications between Industrial Internet-of-Things (IIoT) and smart city systems.
Researchers at Kaspersky Lab, which is a member of the OPC Foundation consortium, have conducted a detailed analysis of OPC UA and discovered many vulnerabilities, including ones that can be exploited for remote code execution and denial-of-service (DoS) attacks.
Tomi Engdahl says:
TreasureHunter PoS Malware Source Code Leaked Online
https://www.securityweek.com/treasurehunter-pos-malware-source-code-leaked-online
New variants of the TreasureHunter point-of-sale (PoS) malware are expected to emerge after its source code was leaked online in March, Flashpoint warns.
Capable of extracting credit and debit card information from processes running on infected systems, the PoS malware family has been around since at least 2014. To perform its nefarious activities, it scans all processes on the machine to search for payment card data, and then sends the information to the command and control (C&C) servers.
The malware’s source code was posted on a top-tier Russian-speaking forum by an actor who also leaked the source code for the malware’s graphical user interface builder and administrator panel.
Tomi Engdahl says:
Microsoft Windows, Apple macOS, Linux, BSD: All hit by same ‘serious’ security flaw
OS and hypervisor makers patch flaw that attackers could use to crash systems or read data from memory.
https://www.zdnet.com/article/microsoft-windows-apple-macos-linux-bsd-all-hit-by-same-serious-security-flaw/
Misinterpretation of Intel Docs Leads to Flaw in Hypervisors, OSs
https://www.securityweek.com/misinterpretation-intel-docs-leads-flaw-hypervisors-oss
Patches have been released for the Linux kernel, Windows, Xen and various Linux distributions, but in most cases the issue has been classified only as “moderate” or “important.” Proof-of-concept (PoC) exploits have been created for both Windows and Linux.
Tomi Engdahl says:
POP SS/MOV SS Vulnerability
https://everdox.net/popss.pdf
This is a serious security vulnerability and oversight made by operating system vendors due to unclear and perhaps even incomplete documentation on the caveats of the POP SS and MOV SS instructions and their interactions with interrupt gate semantics.
The following depends on OSV implementation, but most, if not all, implement SWAPGS the same way.
For operating systems running on Intel and AMD hardware, an attacker is able to run the INT 01 handler on a user stack pointer. Furthermore, the attacker could also run the INT 01 handler
Tomi Engdahl says:
Siemens Patches DoS Flaws in Medium Voltage Converters
https://www.securityweek.com/siemens-patches-dos-flaws-medium-voltage-converters
Siemens has released updates for many of its SINAMICS medium voltage converters to address two remotely exploitable denial-of-service (DoS) vulnerabilities.
According to advisories published by ICS-CERT and Siemens, the flaws impact SINAMICS GH150, GL150, GM150, SL150, SM120 and SM150 converters, which are used worldwide in the energy, chemical, critical manufacturing, water and wastewater, and food and agriculture sectors.
The more serious of the flaws, identified as CVE-2017-12741 and classified “high severity,” can be exploited to cause a DoS condition by sending specially crafted packets to the device on UDP port 161.
Tomi Engdahl says:
Botnets ‘competing’ to attack vulnerable GPON fiber routers
Vulnerable fiber internet routers now under attack from competing botnet herders.
https://www.zdnet.com/article/botnets-competing-to-attack-vulnerable-gpon-fiber-routers/
Several botnet operators are targeting a popular but vulnerable fiber router, which can be easily hijacked thanks to two authentication bypass and command injection bugs.
ZDNet first reported the bugs last week. In case you missed it: two bugs allowed anyone to bypass the router’s login page and access pages within — simply by adding “?images/” to the end of the web address on any of the router’s configuration pages. With near complete access to the router, an attacker can inject their own commands, running with the highest “root” privileges.
In other words, these routers are prime targets for hijacking by botnet operators.
Now, a new report by China-based security firm Netlab 360 says at least five botnet families have been “competing for territory” to target the devices.
All five botnets — Muhstik, Mirai, Hajime, Satori, and Mettle — have developed exploits to target the fiber routers, but so far none of the botnets have successfully hacked and hijacked the routers.
Tomi Engdahl says:
Researchers say a breathalyzer has flaws, casting doubt on countless convictions
https://www.zdnet.com/article/draeger-breathalyzer-breath-test-convictions/
Exclusive: Two researchers say a police breathalyzer, used across the US, can produce incorrect breath test results, but their work came to a halt after legal pressure from the manufacturer.
The source code behind a police breathalyzer widely used in multiple states — and millions of drunk driving arrests — is under fire.
It’s the latest case of technology and the real world colliding — one that revolves around source code, calibration of equipment, two researchers and legal maneuvering, state law enforcement agencies, and Draeger, the breathalyzer’s manufacturer.
This most recent skirmish began a decade ago when Washington state police sought to replace its aging fleet of breathalyzers. When the Washington police opened solicitations, the only bidder, Draeger, a German medical technology maker, won the contract to sell its flagship device, the Alcotest 9510, across the state.
But defense attorneys have long believed the breathalyzer is faulty.
The two experts wrote in a preliminary report that they found flaws capable of producing incorrect breath test results. The defense hailed the results as a breakthrough, believing the findings could cast doubt on countless drunk-driving prosecutions.
The two distributed their early findings to attendees at a conference for defense lawyers, which Draeger said was in violation of a court-signed protective order the experts had agreed to, and the company threatened to sue.
Their research was left unfinished, and a final report was never completed.
Draeger said in a statement the company was protecting its source code and intellectual property, not muzzling research.
The breathalyzer has become a staple in law enforcement, with more than a million Americans arrested each year for driving under the influence of alcohol — an offense known as a DUI. Drunk driving has its own economy: A multi-billion dollar business for lawyers, state governments, and the breathalyzer manufacturers — all of which have a commercial stake at play.
Yet, the case in Washington is only the latest in several legal battles where the breathalyzer has faced scrutiny about the technology used to secure convictions.
Breath temperature can fluctuate throughout the day, but, according to the report, can also wildly change the results of an alcohol breath test. Without correction, a single digit over a normal breath temperature of 34 degrees centigrade can inflate the results by six percent — enough to push a person over the limit.
The quadratic formula set by the Washington State Patrol should correct the breath temperature to prevent false results. The quadratic formula corrects warmer breath downward, said the report, but the code doesn’t explain how the corrections are made. The corrections “may be insufficient” if the formula is faulty, the report added.
Issues with the code notwithstanding, Washington chose not to install a component to measure breath temperature, according to testimony in a 2015 hearing, and later confirmed by Draeger.
The code is also meant to check to ensure the device is operating within a certain temperature range set by Draeger, because the device can produce incorrect results if it’s too hot or too cold.
But the report said a check meant to measure the ambient temperature was disabled in the state configuration.
Tomi Engdahl says:
Industry Reactions to Iran Cyber Retaliation Over U.S. Nuclear Deal Exit
https://www.securityweek.com/industry-reactions-iran-cyber-retaliation-over-us-nuclear-deal-exit
President Donald Trump announced this week that the U.S. is withdrawing from the Iran nuclear deal and reimposing sanctions on the Middle Eastern country. Many experts fear that Iran will retaliate by launching cyberattacks on Western organizations.
Industry professionals contacted by SecurityWeek all say that there is a strong possibility of attacks, but they mostly agree that Iran will likely not try to cause too much damage as that could lead to massive response from the United States and its allies.
Tomi Engdahl says:
Hacker Shuts Down Copenhagen’s Public City Bikes System
https://www.bleepingcomputer.com/news/security/hacker-shuts-down-copenhagen-s-public-city-bikes-system/
An unidentified hacker has breached Bycyklen Copenhagen’s city bikes network and deleted the organization’s entire database, disabling the public’s access to bicycles over the weekend.
Tomi Engdahl says:
Steven Musil / CNET:
Symantec shares plummet after company warns its annual report could be delayed by an internal investigation into unspecified concerns by board — Symantec shares plummeted roughly 20 percent on Thursday after the antivirus maker warned an internal investigation could delay its annual report.
Symantec stock tanks after warning its annual report may be delayed by probe
Shares of the antivirus software company drop more than 20 percent.
https://www.cnet.com/news/symantec-stock-tanks-after-warning-annual-report-may-be-delayed-by-probe/
Tomi Engdahl says:
Mishaal Rahman / XDA Developers:
Google’s head of Android platform security says Google has started to include the requirements for security patching into its OEM agreements
Google is starting to require that OEMs roll out regular security patches
https://www.xda-developers.com/google-require-oem-regular-security-patches/
At the annual Google I/O developer conference, the company holds several sessions about updates to the Android platform. During the “What’s new in Android Security” talk, Google’s head of Android platform security David Kleidermacher talked about the upcoming security changes in the Android P release. Near the beginning of the talk, Mr. Kleidermacher discussed how the company was making it easier for OEMs to roll out security patches thanks to the architectural changes implemented with Project Treble. He followed this statement with a small, but incredibly important tidbit of information: Google has modified their OEM agreements to include provisions for regular security patches.
“We’ve also worked on building security patching into our OEM agreements. Now this will really … lead to a massive increase in the number of devices and users receiving regular security patches.” – David Kleidermacher, Google’s head of Android platform security
Tomi Engdahl says:
450,000 Women Missed Breast Cancer Screenings Due to “Algorithm Failure”
https://spectrum.ieee.org/riskfactor/computing/it/450000-woman-missed-breast-cancer-screening-exams-in-uk-due-to-algorithm-failure
Nearly half a million elderly women in the United Kingdom missed mammography exams because of a scheduling error caused by one incorrect computer algorithm, and several hundred of those women may have died early as a result.
Last week, the U.K. Health Minister Jeremy Hunt announced that an independent inquiry had been launched to determine how a “computer algorithm failure” stretching back to 2009 caused some 450,000 patients in England between the ages of 68 to 71 to not be invited for their final breast cancer screenings.
The errant algorithm was in the National Health System’s (NHS) breast cancer screening scheduling software, and remained undiscovered for nine years.
He added that based on statistical modeling, the number who may have died prematurely as a result was estimated to be between 135 and 270 women.
Hunt’s announcement spread across the British press immediately, with the word “scandal”
“Tragically, there are likely to be some people in this group who would have been alive today if the failure had not happened.”
Exactly how the “algorithm failure” came about is clouded in controversy and contradictions. Right now, the NHS, PHE, and the software company Hitachi Consulting which maintains the software are pointing fingers at each other. However, it may eventually turn out that there is no fault to be assigned.
At least for now, the government is blaming “administrative incompetence”
Tomi Engdahl says:
Researchers show Siri and Alexa can be exploited with ‘silent’ commands hidden in songs
https://techcrunch.com/2018/05/10/researchers-show-siri-and-alexa-can-be-exploited-with-silent-commands-hidden-in-songs/?sr_share=facebook&utm_source=tcfbpage
Tomi Engdahl says:
Hacker Kevin Mitnick shows how to bypass 2FA
https://techcrunch.com/2018/05/10/hacker-kevin-mitnick-shows-how-to-bypass-2fa/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook
A new exploit allows hackers to spoof two-factor authentication requests by sending a user to a fake login page and then stealing the username, password, and session cookie.
“A white hat hacker friend of Kevin’s developed a tool to bypass two-factor authentication using social engineering tactics – and it can be weaponized for any site,” said Stu Sjouwerman, KnowBe4 CEO. “Two-factor authentication is intended to be an extra layer of security, but in this instance, we clearly see that you can’t rely on it alone to protect your organization.”
Tomi Engdahl says:
Personal privacy vs. public security: fight!
https://techcrunch.com/2018/05/06/personal-privacy-vs-public-security-fight/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook
Jon Evans
@rezendi / May 6, 2018
Personal privacy is a fairly new concept. Most people used to live in tight-knit communities, constantly enmeshed in each other’s lives. The notion that privacy is an important part of personal security is even newer, and often contested, while the need for public security — walls which must be guarded, doors which must be kept locked — is undisputed. Even anti-state anarchists concede the existence of violent enemies and monsters.
Rich people can afford their own high walls and closed doors. Privacy has long been a luxury, and it’s still often treated that way; a disposable asset, nice-to-have, not essential.
Tomi Engdahl says:
Joseph Cox / Motherboard:
Hacker says he stole data from ZooPark hacking group, some say an Iran-linked APT, which ran a hacking campaign targeting Android devices across the Middle East
Vigilante Hacks Government-Linked Cyberespionage Group
https://motherboard.vice.com/en_us/article/qvn4kq/vigilante-hacks-government-zoopark-cyberespionage
Earlier this month, Kaspersky published research on the so-called ZooPark group, which ran a hacking campaign towards Android devices across the Middle East. Now, a hacker has allegedly stolen ZooPark’s own data and provided it to Motherboard.
Tomi Engdahl says:
Newsagents to sell ‘porn passes’ to visit X-rated websites anonymously under new government plans
https://www.independent.co.uk/news/uk/home-news/porn-passes-newsagents-shops-online-pornography-website-id-uk-government-a8349281.html?utm_campaign=Echobox&utm_medium=Social&utm_source=Twitter#link_time=1526211659
Adults will show shopkeepers passport or driving licence and get 16-digit card in return
High street newsagents are to sell so-called “porn passes” that will allow adults to visit over-18 websites anonymously.
The 16-digit cards will allow browsers to avoid giving personal details online when asked to prove their age.
The legislation is designed to stop children accessing online pornography.
But there are concerns that asking adults to hand over passport or driving licence details to view adult material could leave them open to data-hacking and blackmail.
Some 56 per cent of British adults admitted to watching pornography
A spokesman for the Department of Culture, Media and Sport, which is responsible for the new legislation, said: “We are in the process of implementing some of the strictest data protection laws in the world.
“A wide variety of online age verification solutions exist, or are in development, and they will have to abide by these high standards. We expect data security to be a high priority in the BBFC’s guidance on age verification arrangements.”
The BBFC will not create the new verification systems but is overseeing their implementation.
Tomi Engdahl says:
Malicious Package Found on the Ubuntu Snap Store
https://www.bleepingcomputer.com/news/linux/malicious-package-found-on-the-ubuntu-snap-store/
An attentive Ubuntu user has spotted today a cryptocurrency miner hidden in the source code of an Ubuntu snap package hosted on the official Ubuntu Snap Store. The app’s name is 2048buntu, a clone of the popular 2048 game,