Cyber security May 2018

This posting is here to collect security alert news in May 2018.

I post links to security vulnerability news to comments of this article.


  1. Tomi Engdahl says:

    One Year After WannaCry Outbreak, EternalBlue Exploit Still a Threat
    https://www.securityweek.com/one-year-after-wannacry-outbreak-eternalblue-exploit-still-threat

    One year after the WannaCry ransomware outbreak, the NSA-linked exploit used for propagation is still threatening unpatched and unprotected systems, security researchers say.

    The WannaCry infection started on May 12, 2017, disrupting Spanish businesses and dozens of hospitals in the U.K. The malware hit Windows 7 the most and was estimated to have infected nearly half a million computers and other types of devices within 10 days.

    The largest number of machines was hit in the first hours of the outbreak, before a security researcher discovered a kill-switch and slowed the spreading to a near stop.

    “WannaCry served as a cybersecurity wake-up call for many organizations that were falling behind in their routine IT responsibilities,” Ken Spinner, VP of Field Engineering, Varonis, told SecurityWeek in an emailed comment.

    “While WannaCry tore through organizations like the NHS, companies that kept their systems updated with the latest patches, performed backups and took proactive security measures emerged unscathed,” Spinner continued.

  2. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer.com:
    Researchers at Symantec say seven malicious apps they detected and reported to Google slipped back into the Play Store after changing their name

    Malicious Apps Get Back on the Play Store Just by Changing Their Name
    https://www.bleepingcomputer.com/news/security/malicious-apps-get-back-on-the-play-store-just-by-changing-their-name/

    Security researchers are reporting that malicious Android apps they have detected and reported to Google the first time, have slipped back into the Play Store after changing their name.

    Seven of these apps have been “rediscovered,” said Symantec in a report published yesterday. The company’s experts say the author of the original malicious apps didn’t do anything special, but only changed the app’s names, without making modifications to the code, and re-uploaded the apps on the Play Store from a new developer account under a new name.

    Symantec says it detected seven of these re-uploaded apps on the Play Store, which it re-reported to Google’s security team and had them taken down again.

  3. Tomi Engdahl says:

    Nigelthorn Malware Infects Over 100,000 Systems
    https://www.securityweek.com/nigelthorn-malware-infects-over-100000-systems

    A newly discovered malware family capable of credential theft, cryptomining, click fraud, and other nefarious actions has already infected over 100,000 computers, Radware reveals.

    Dubbed Nigelthorn because it abuses a Google Chrome extension called Nigelify, the malware is propagating via socially-engineered links on Facebook. The group behind the campaign has been active since at least March 2018 and has already managed to infect users in 100 countries.

    Victims are redirected to a fake YouTube page that asks them to install a Chrome extension to play the video. Once they accept the installation, the malicious extension is added to their browser, and the machine is enrolled in the botnet.

    Impacting both Windows and Linux machines, the malware depends on Chrome, which suggests that those who do not use this browser are not at risk, the security researchers point out.

    The actor behind the campaign uses the Bitly URL shortening service when redirecting victims to Facebook to trick users into revealing their login credentials. Based on statistics from Bitly and the Chrome web store, Radware determined that 75% of the infections occurred in the Philippines, Venezuela and Ecuador, with the remaining 25% distributed over 97 other countries.

  4. Tomi Engdahl says:

    Code Execution Flaw in Electron Framework Could Affect Many Apps
    https://www.securityweek.com/code-execution-flaw-electron-framework-could-affect-many-apps

    GitHub’s open source development framework Electron is affected by a vulnerability that can allow remote code execution. Technical details and proof-of-concept (PoC) code were made public last week by the researcher who discovered the issue.

    Electron allows developers to create cross-platform desktop applications using HTML, CSS and JavaScript. The framework has been used in the development of hundreds of applications, including Skype, GitHub Desktop, Slack, WhatsApp, Signal, Discord and WordPress.com.

    Trustwave researcher Brendan Scarvell discovered earlier this year that certain applications created with Electron may allow remote code execution if they are affected by cross-site scripting (XSS) vulnerabilities and configured in a specific way.

    https://electronjs.org/apps

  5. Tomi Engdahl says:

    Chrome 66 Update Patches Critical Security Flaw
    https://www.securityweek.com/chrome-66-update-patches-critical-security-flaw

    An updated version of Chrome 66 is now available, which addresses a Critical security vulnerability that could allow an attacker to take over a system.

    A total of 4 security vulnerabilities were addressed in the latest browser release, three of which were reported by external researchers.

    The most important of the vulnerabilities are two High severity flaws that chain together to result in a sandbox escape. The issues include CVE-2018-6121, a privilege escalation in extensions, and CVE-2018-6122, a type confusion in V8.

    The updated browser is available for download as version 66.0.3359.170 for Windows, Mac, and Linux devices.

    This is the second time Google patches a Critical bug in Chrome 66 since the browser’s release in the stable channel less than a month ago.

  6. Tomi Engdahl says:

    Chili’s Restaurants Hit by Payment Card Breach
    https://www.securityweek.com/chilis-restaurants-hit-payment-card-breach

    People who recently paid with their credit or debit card at a Chili’s restaurant may have had their information stolen by cybercriminals, according to Dallas-based Brinker International.

    Brinker, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries, issued a notice shortly after the data breach was discovered on May 11.

    While the investigation is ongoing, initial evidence suggests that a piece of malware collected payment card data from some Chili’s restaurants in March and April 2018.

  7. Tomi Engdahl says:

    Symantec Stock Plunges After Firm Announces Internal Probe
    https://www.securityweek.com/symantec-stock-plunges-after-firm-announces-internal-probe

    Symantec announced its fourth quarter and full year financial results on Thursday and while its revenue has increased, the cybersecurity firm’s stock dropped roughly 20% after it revealed that an internal investigation will likely delay its annual report to the U.S. Securities and Exchange Commission (SEC).

    [Update - Shares of Symantec traded down more than 34% in early trading Friday, reaching levels below $19.00 per share.]

    Symantec reported a Q4 GAAP revenue of $1.22 billion, which represents a 10% year-over-year increase, and $1.23 billion in non-GAAP revenue, an increase of 5% year-over-year.

  8. Tomi Engdahl says:

    Top Exploit Kit Activity Roundup Spring 2018
    https://www.zscaler.com/blogs/research/top-exploit-kit-activity-roundup-spring-2018
    This is the eighth in a series of blogs by the Zscaler ThreatLabZ research team collecting and analyzing the recent activity of the top exploit kits. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers and deliver a malicious payload to a victim's computer.

  9. Tomi Engdahl says:

    Anonymous hacks Russian Govt website against ongoing censorship
    https://www.hackread.com/anonymous-hacks-russian-govt-website-against-censorship/
    On May 10th, 2018, the online hacktivist group Anonymous conducted a cyber attack on the official website of Russia's Federal Agency for International Cooperation (Rossotrudnichestvo).

  10. Tomi Engdahl says:

    Security Flaw Impacts Electron-Based Apps Such as Skype, GitHub, Discord, Others
    https://www.bleepingcomputer.com/news/security/security-flaw-impacts-electron-based-apps-such-as-skype-github-discord-others/
    Security researchers have found a security flaw in Electron, a software framework that has been used in the past half-decade for building a wealth of popular desktop applications. Apps built on top of Electron include Microsoft’s Skype and Visual Studio Code, GitHub’s Atom code editor, the Brave browser, along with official desktop apps for services like Signal, Twitch, Discord, Basecamp, Slack, Ghost, WordPress.com, and many more.

  11. Tomi Engdahl says:

    Rejected by the FBI: 43 Norwegian top scientists vulnerable to hacker attacks from Iran (Google translated)
    https://www.nrk.no/norge/pst_-_-iran-bak-hacking-av-norske-universiteter-1.14044442
    Universities in Oslo and Bergen are informed by PST that tens of thousands of researchers have been subjected to targeted hacker attacks.

  12. Tomi Engdahl says:

    Memory sticks, cards, and external storage media from outside the home are one of the biggest security risks in company networks. IBM has now decided to ban all of these external storage media from its employees.

    According to PC Magazine, IBM will in the future require that employees use cloud services, and in particular the company’s own File Sync and Share service for file transfer. The same service IBM also sells to its corporate customers.

    Source: http://www.etn.fi/index.php/13-news/7981-ibm-kielsi-tikut-ja-kortit

  13. Tomi Engdahl says:

    F-Secure security technology for other wifi routers

    Finnish F-Secure introduced about a year ago a wifi network Sense router that protects all devices in the home wireless network. Now, F-Secure brings Sense Technology as a software version for operators and router manufacturers. The company calls its solution Connected Home Security.

    Connected Home Security, sold to operators and equipment manufacturers, combines network and cloud security features as well as router and terminal security as a single, end-user-friendly feature. It uses the features of the Sense router. Sense protects against malware, data loss and network scanning, and protects intelligence from cyber attacks.

    With F-Secure’s solution, router manufacturers and operators can add Sense capabilities to their devices. This can increase security of terminal equipment and other security solutions, allowing operators to tailor their services to their customers, such as family rules, where parents can set safe limits for their children’s online use.

    According to a recent study by Gartner, the number of devices connected to the Internet in homes will increase from the current 4.8 billion to 15 billion by 2021. According to Gartner, in 2021, up to 75 percent of these devices can be harnessed for denial of service attacks or IoT bottleneck attacks. Now the figure is 40 percent.

    Source: http://www.etn.fi/index.php/13-news/7980-f-securen-turvatekniikka-myos-muiden-wifi-reitittimiin

  14. Tomi Engdahl says:

    The Wealthy Are Hoarding $10 Billion of Bitcoin in Bunkers
    https://www.bloomberg.com/news/articles/2018-05-09/bunkers-for-the-wealthy-are-said-to-hoard-10-billion-of-bitcoin

    Xapo’s Casares is Bitcoin’s ‘Patient Zero’ in Silicon Valley
    Fingerprint scanners prevent amputated hands from being used

    Argentine entrepreneur Wences Casares has spent the past several years persuading Silicon Valley millionaires and billionaires that Bitcoin is the global currency of the future, that they need to buy some, and that he’s the man to safeguard it. His startup, Xapo, has built a network of underground vaults on five continents, including one in a decommissioned Swiss military bunker.

    In the rarefied world of wealth management, Xapo is known for a client list studded with family offices, and for occasionally letting a journalist peek into a stronghold to write about its security. But one secret has proven elusive: how much digital cash does it really hold?

    Two Xapo clients said it houses roughly $10 billion of Bitcoin. Another person close to the venture called the figure an accurate approximation. Bitcoin’s price, after all, is hardly steady.

    Even in the colorful world of crypto the cache is remarkable — amounting to about 7 percent of the global Bitcoin supply. It would mean Xapo, just 4 years old, has more “deposits” than 98 percent of the roughly 5,670 banks in the U.S. But as a custodian it’s regulated differently. The Swiss subsidiary is overseen by the self-regulating Financial Services Standards Association, which audits members to ensure they comply with anti-money-laundering rules. Xapo serves U.S. customers through a Delaware corporation that’s registered with the U.S. Treasury Department’s Financial Crimes Enforcement Network and is licensed in several states.

  15. Tomi Engdahl says:

    The highly-promoted Finnish-born foilChat was revealed as a peculiar feature when anyone who could search any registered e-mail address was able to find out. FoilChat’s developers acknowledge that the feature was not thought out until the very end.

    Previously, the program has been able to search users with combinations of three characters, and enough to find them through all the email addresses registered for the service. The company has published a bulletin saying that “this is not an error, but a feature of the development of the system”.

    There is an update that prompts users to sign in to check in or disable access to search results when signing in.

    Source: https://www.tivi.fi/Kaikki_uutiset/nolo-aukko-loytyi-huipputurvallisena-mainostettu-suomalaispalvelu-vastaa-ei-mietitty-loppuun-asti-6724616

  16. Tomi Engdahl says:

    Ring doorbell flaw lets others watch after password changes (updated)
    At one point, the camera was exposed for months.
    https://www.engadget.com/2018/05/12/ring-doorbell-password-flaw/

    You’d expect a smart doorbell to instantly boot out everyone the moment you change your password, but that isn’t necessarily the case. The Information has learned that the app for Ring’s video doorbell wasn’t forcing users to sign in after password changes, regardless of how much time had elapsed.

    The flaw provides something of a headache for Amazon, which only acquired Ring in February. If it’s going to use Ring’s doorbells as part of delivery solutions like Amazon Key, it needs to know that the devices are reasonably secure against exploits like this. This is also a reminder that smart home security needs to be particularly tight — a loose policy can easily lead to privacy violations.

  17. Tomi Engdahl says:

    The US smokes Chinese network device and telephone manufacturers relying on their national security market. There has been little debate in Europe and Finland.
    The United States has put in place hard measures against Chinese telephone and network equipment manufacturers. This has been noted by both Huawei and ZTE, who have had a strong counterattack in the US.

    US intelligence officials have advised citizens not to use the products of either manufacturer. Huawei’s new handsets have also not been sold by American operators. This is a big blow to a Chinese manufacturer, as most of the phone sales in the US are through operators.

    Huawei's technology is also widely used in Finnish networks. Elisa’s networks include Nokia, Ericsson and Huawei devices, says Sami Komulainen, Senior Vice President, Operations Network Services. Elisa has separate contracts for security with network equipment suppliers and the operator is operating on their own. According to him, there was no need for separate discussions on the safety of equipment suppliers.

    - Technology is technology. Of course, security can be done on many levels, but we do not distinguish between our three suppliers, Komulainen says.

    Jarkko Laari, Director of DNA Radio Broadcasting, says that the operator’s own networks in South, Central and Western Finland are based on Ericsson’s technology in Sweden. The joint network in Eastern and Northern Finland with Telia, on the other hand, is based on Huawei’s equipment.

    The code for the network device software is primarily the business secret of its manufacturer and the operator cannot see what it ultimately does.

    Authority: No worries
    Rauli Paananen, Deputy Director of the Finnish Cyber Security Centre, says the security situation in Finland in the following mobile networks through Britain. Huawei is a very critical supplier for UK network infrastructure, and a large Huawei Research Center is located in the country, which works in close cooperation with the British authorities.

    According to Paananen, the Center’s authorities and external parties are auditing, that is, they are examining the Center’s reliability on a regular basis. According to Paananen, the fact that the authorities have instructed to stop using certain program code snippets, according to Paananen,

    Paananen does not want to speculate whether the debate in the United States is more politically motivated or more security-oriented.

    Source: https://www.is.fi/digitoday/tietoturva/art-2000005675820.html

  18. Tomi Engdahl says:

    PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor
    Users advised to stop using and/or uninstall plugins ASAP to stop Pretty Grievous Pwnage
    https://www.theregister.co.uk/2018/05/14/pgp_s_mime_flaws_allow_plaintext_email_access/

    A professor of Computer Security at the Münster University of Applied Sciences has warned that popular email encryption tool Pretty Good Privacy (PGP) might actually allow Pretty Grievous P0wnage thanks to bugs that can allow supposedly encrypted emails to be read as plaintext.

    Professor Sebastian Schinzel took to Twitter with the news early on Monday, European time.

    We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4

    “Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email,” the EFF’s post said.

  19. Tomi Engdahl says:

    Rowhammer strikes networks, Bolton strikes security jobs, and Nigel Thornberry strikes Chrome, and more
    Hacking laws in the limelight in Georgia and DC, plus new iPhone anti-tampering
    https://www.theregister.co.uk/2018/05/12/security_roundup/

    Researchers have poked a hole in the 7-Zip archiving tool, and you’ll want to update the software as soon as possible.

    The bug, discovered by researcher landave, allows remote code execution by way of poisoned RAR files, though the RAR payload can also be disguised as other archive formats.

    Russian positioned to hack US voting systems

    The US Senate Intelligence Committee said this week that Kremlin-linked hackers at least tried to “alter or delete voter registration data” for a small number of America’s states before the 2016 presidential election.
    Most of the “attacks” were scans for vulnerabilities and open services, but against at least six states, Moscow’s miscreants “conducted malicious access attempts on voting-related websites.”

    Rowhammer swings again with network-based attacks

    It has been three years since the infamous ‘Rowhammer’ technique was first disclosed, and the menace of the bit-slamming memory attack is still being exploited in new and devious ways.

    This time it is network connections that have been found vulnerable to a brute-force memory corruption trick. Researchers from Vrije Universiteit in Amsterdam found [PDF] that network packets can be used to trigger the address error conditions on any machine that has remote direct memory access (RDMA) enabled.

    This means that, for the first time, Rowhammer has been shown to be remotely exploitable and an attacker no longer requires local access to a machine in order to take advantage of the vulnerability.

    https://www.cs.vu.nl/~herbertb/download/papers/throwhammer_atc18.pdf

    Georgia comes to its senses, kills stupid ‘hacking’ bill

    The infamous Georgia state legislation that would have criminalized many forms of white hat hacking has been put on ice.

    Governor Nathan Deal on Tuesday vetoed SB315 amidst pressure from the software and IT industries in the state.

  20. Tomi Engdahl says:

    UK adults may soon have to buy “porn passes” from corner shops to prove their age online
    https://thenextweb.com/uk/2018/05/13/uk-adults-may-soon-have-to-buy-porn-passes-from-corner-shops-to-prove-their-age-online/

    Later this year, new UK legislation will require visitors to adult websites to prove that they’re over the legal age of 18. The logistics of how this will work, however, are proving trickier than thought.

    It’s likely most porn sites will verify user ages through credit cards.

    The problem is, around 40 percent of Brits don’t hold a credit card.

    To get around this, the government department responsible for enforcing this law, the BBFC, has proposed another method of age verification that’ll see adults buy “porn passes” from high-street stores.

    When they’re satisfied you’re over the age of 18, they’ll give you a sixteen-digit code, which you can use online to prove your age on X-rated websites. According to The Telegraph, these passes will cost around £10 (roughly $14).

    Crucially, you can do this without revealing any details about yourself to the website — like your name, age, address, or passport details.

    That’s something that’s understandable. It’s never pretty when adult websites leak user data. When hackers dumped Ashley Madison’s database to the public in 2015, the aftermath included break-ups and suicides. It was ugly.

    It’s also believed they’ll have a use outside of porn. The Telegraph reports that the passes will also be used to buy alcohol and knives online — the sales of both being tightly restricted in the UK.

  21. Tomi Engdahl says:

    Security
    Hacking train Wi-Fi may expose passenger data and control systems
    Researcher finds security hotspots on some rail networks
    https://www.theregister.co.uk/2018/05/11/train_wifi_hackable_on_some_networks/

    Vulnerabilities on the Wi-Fi networks of a number of rail operators could expose customers’ credit card information, according to infosec biz Pen Test Partners this week.

    The research was conducted over several years, said Pen Test’s Ken Munro. “In most cases they are pretty secure, although whether the Wi-Fi works or not is another matter,” he added.

    But in a handful of cases Munro was able to bridge the wireless network to the wired network and find a database server containing default credentials, enabling him to access the credit card data of customers paying for the Wi-Fi, including the passenger’s name, email address and card details.

    He said he was not aware of any incidents of networks being compromised but warned in the worst-case scenario it might be possible for miscreants to take control of the train. “It might be possible, and this is speculation, to lock the braking system.”

    Munro refused to name the operators affected by the weak security set-up – the vulnerabilities still exist.

    Part of the problem is a lack of segregation between the Wi-Fi networks.

    Hacking train passenger Wi-Fi
    https://www.pentestpartners.com/security-blog/hacking-train-passenger-wi-fi/

  22. Tomi Engdahl says:

    Hacker Kevin Mitnick shows how to bypass 2FA
    https://techcrunch.com/2018/05/10/hacker-kevin-mitnick-shows-how-to-bypass-2fa/?utm_source=tcfbpage&sr_share=facebook

    A new exploit allows hackers to spoof two-factor authentication requests by sending a user to a fake login page and then stealing the username, password, and session cookie.

    By convincing a victim to visit a typo-squatting domain like “LunkedIn.com” and capturing the login, password, and authentication code, the hacker can pass the credentials to the actual site and capture the session cookie. Once this is done the hacker can log in indefinitely. This essentially uses the one-time 2FA code as a way to spoof a login and grab data.

    White hat hacker Kuba Gretzky created the system, called evilginx, and describes its implementation in a wonderfully thorough post on his site.

    Sjouwerman notes that anti-phishing education is deeply important and that a hack like this is impossible to complete if the victim is savvy about security and the dangers of clicking links that come into your email box.

    Evilginx – Advanced Phishing with Two-factor Authentication Bypass
    https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/

  23. Tomi Engdahl says:

    Anne Davies / The Guardian:
    Australian regulator probes Google’s harvesting of data from Android phones, after Oracle claimed Google could be collecting ~1GB of data from devices per month

    Australian regulator investigates Google data harvesting from Android phones
    https://www.theguardian.com/technology/2018/may/14/australian-regulator-investigates-google-data-harvesting-from-android-phones

    Australians are reportedly paying their telco providers for the data harvested by tech giant

  24. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Researchers warn about critical flaws in PGP and S/MIME that can reveal the plaintext of encrypted emails, recommend uninstalling those tools from email clients

    Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall now [Updated]
    The flaws can expose emails sent in the past and “pose an immediate threat.”
    https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/

    The Internet’s two most widely used methods for encrypting email—PGP and S/MIME—are vulnerable to hacks that can reveal the plaintext of encrypted messages, a researcher warned late Sunday night. He went on to say there are no reliable fixes and to advise anyone who uses either encryption standard for sensitive communications to remove them immediately from email clients.

    The flaws “might reveal the plaintext of encrypted emails, including encrypted emails you sent in the past,” Sebastian Schinzel, a professor of computer security at Münster University of Applied Sciences, wrote on Twitter. “There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now.”

    Schinzel referred people to this blog post published late Sunday night by the Electronic Frontier Foundation. It said: “EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

    Both Schinzel and the EFF blog post referred those affected to EFF instructions for disabling plugins in Thunderbird, macOS Mail, and Outlook.

  25. Tomi Engdahl says:

    S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats
    If a hacker can get into your inbox of ciphered messages, they may be able to read the content
    https://www.theregister.co.uk/2018/05/14/smime_pgp_encryption_flaw_emails_vulnerable_to_snooping/

    Security researchers have gone public with vulnerabilities in some secure mail apps that can be exploited by miscreants to decrypt intercepted PGP-encrypted messages.

    The flaw, dubbed EFAIL, is present in the way some email clients handle PGP and S/MIME encrypted messages. By taking advantage of the way the applications handle HTML content of these messages, an attacker could potentially see encrypted messages as plaintext.

    In other words, decrypt your secret emails.

    The research team that uncovered the flaw claimed the only way to fully protect against EFAIL, right now, is to stop handling PGP and S/MIME decryption in your mail client, and fully patching it will require updates to the encryption standards themselves. Disabling the viewing of HTML content will help a lot.

    https://efail.de/

    EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.

  26. Tomi Engdahl says:

    PGP Vulnerability Pre-announced by Security Researcher
    https://hackaday.com/2018/05/14/pgp-vulnerability-pre-announced-by-security-researcher/

    From the gaping maw of the infosec Twitterverse comes horrifying news. PGP is broken. How? We don’t know. When will there be any information on this vulnerability? Tomorrow. It’s the most important infosec story of the week, and it’s only Monday. Of course, this vulnerability already has a name. Everyone else is calling it eFail, but I’m calling it Fear, Uncertainty, and Doubt.

    Update: eFail site and paper now available. This was released ahead of Tuesday’s planned announcement when the news broke ahead of a press embargo.

    Update 2: The report mentions two attacks. The Direct Exfiltration attack wraps the body of a PGP-encrypted email around an image tag. If a mail client automatically decrypts this email, the result will be a request to a URL containing the plaintext of the encrypted email. The second attack only works one-third of the time. Mitigation strategies are to not decrypt email in a client, disable HTML rendering, and in time, update the OpenPGP and S/MIME standards. This is not the end of PGP; it’s a vulnerability warranting attention from those with a very specific use case.

  27. Tomi Engdahl says:

    Hackers Divert Funds From Mexico Banks, Amount Unclear: Official
    https://www.securityweek.com/hackers-divert-funds-mexico-banks-amount-unclear-official

    Hackers have stolen an unknown amount of money from banks in Mexico in a series of cyber attacks on the country’s interbank payments system, an official said Monday.

    At least five attacks on the Mexican central bank’s Interbank Electronic Payments System (SPEI) were carried out in April and May, said Lorenza Martinez, director general of the corporate payments and services system at the central bank.

    “Some transactions were introduced that were not recognized by the issuing bank,” she told Radio Centro.

    “In some cases these transfers made it through to the destination bank and were withdrawn in cash.”

    Some Mexican media outlets have put the amount stolen at 400 million pesos ($20.4 million), but Martinez denied those reports.

    The interbank payments system allows banks to make real-time transfers to each other.

    They connect via their own computer systems or an external provider — the point where the attacks appear to have taken place.

  28. Tomi Engdahl says:

    Kaspersky Lab to Move Core Infrastructure to Switzerland
    https://www.securityweek.com/kaspersky-lab-move-core-infrastructure-switzerland

    Company Will Open Transparency Center in Zurich by 2019; Data From Customers in North America Will be Stored and Processed in Switzerland

    As part of its Global Transparency Initiative, Russia-based Kaspersky Lab today announced that it will adjust its infrastructure to move a number of “core processes” from Russia to Switzerland.

    The security firm has had problems with the U.S. government. In September 2017, the U.S. Department of Homeland Security (DHS) instructed government departments and agencies to stop using products from the Russia-based firm.

    There is no hard evidence that Kaspersky has ever colluded with the Russian government; and the lost U.S. government market is small in global terms. The bigger problem, however, is the knock-on effect that U.S. government criticism has on trust levels in the wider market.

    Reply
  29. Tomi Engdahl says:

    Adobe Patches Two Dozen Critical Flaws in Acrobat, Reader
    https://www.securityweek.com/adobe-patches-two-dozen-critical-flaws-acrobat-reader

    Updates released on Monday by Adobe for its Acrobat, Reader and Photoshop products patch nearly 50 vulnerabilities, including critical flaws that allow arbitrary code execution.

    A total of 47 security holes have been addressed in the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017. The flaws have been resolved with the release of versions 2018.011.20040, 2017.011.30080 and 2015.006.30418.

    The vulnerabilities include 24 critical memory corruptions that allow arbitrary code execution in the context of the targeted user, and various types of “important” issues that can lead to information disclosure or security bypasses.

    Reply
  30. Tomi Engdahl says:

    Behind the Scenes in the Deceptive App Wars
    https://www.securityweek.com/behind-scenes-deceptive-app-wars

    All is not well in the app ecosphere. That ecosphere comprises a large number of useful apps that benefit users, and an unknown number of apps that deceive users. The latter are sometimes described as potentially unwanted programs, or PUPs. Both categories need to make money: good apps are upfront with how this is achieved; deceptive apps hide the process.

    In recent years there has been an increasing effort to cleanse the ecosphere of deceptive apps. The anti-virus (AV) industry has taken a more aggressive stance in flagging and sometimes removing what it calls PUPs; the Clean Software Alliance (CSA) was founded to help guide app developers away from the dark side; and a new firm, AppEsteem, certifies good apps and calls out bad apps in its ‘Deceptor’ program.

    Reply
  31. Tomi Engdahl says:

    Detecting Cloned Cards at the ATM, Register
    https://krebsonsecurity.com/2018/05/detecting-cloned-cards-at-the-atm-register/

    Much of the fraud involving counterfeit credit, ATM debit and retail gift cards relies on the ability of thieves to use cheap, widely available hardware to encode stolen data onto any card’s magnetic stripe. But new research suggests retailers and ATM operators could reliably detect counterfeit cards using a simple technology that flags cards which appear to have been altered by such tools.

    Researchers at the University of Florida found that account data encoded on legitimate cards is invariably written using quality-controlled, automated facilities that tend to imprint the information in uniform, consistent patterns.

    Cloned cards, however, usually are created by hand with inexpensive encoding machines, and as a result feature far more variance or “jitter” in the placement of digital bits on the card’s stripe.

    Gift cards can be extremely profitable and brand-building for retailers, but gift card fraud creates a very negative shopping experience for consumers and a costly conundrum for retailers.

    Traynor and a team of five other University of Florida researchers partnered with retail giant WalMart to test their technology, which Traynor said can be easily and quite cheaply incorporated into point-of-sale systems at retail store cash registers. They said the WalMart trial demonstrated that researchers’ technology distinguished legitimate gift cards from clones with up to 99.3 percent accuracy.

    While impressive, that rate still means the technology could generate a “false positive” — erroneously flagging a legitimate customer as using a fraudulently obtained gift card — in a non-trivial number of cases. But Traynor said the retailers they spoke with in testing their equipment all indicated they would welcome any additional tools to curb the incidence of gift card fraud.

    Reply
  32. Tomi Engdahl says:

    Shane Harris / Washington Post:
    Sources: US government identified a former CIA employee as a suspect in last year’s Vault 7 leak of a large portion of the CIA’s computer hacking arsenal
    https://www.washingtonpost.com/?utm_term=.6a66256026d7

    Reply
  33. Tomi Engdahl says:

    Signal Flaw Allowed Code Execution With No User Interaction
    https://www.securityweek.com/signal-flaw-allowed-code-execution-no-user-interaction

    An update released over the weekend for the desktop version of the privacy-focused communications app Signal patches a critical vulnerability that could have been exploited for remote code execution with no user interaction required.

    Several researchers were looking at an unrelated cross-site scripting (XSS) vulnerability when they noticed that the XSS payload was triggered in the Signal desktop application.

    The white hat hackers discovered that they could execute arbitrary code in the app simply by sending a specially crafted message containing specific HTML elements to the targeted user.

    “The Signal-desktop software fails to sanitize specific html-encoded HTML tags that can be used to inject HTML code into remote chat windows. Specifically the and tags can be used to include remote or local resources,” the researchers explained in an advisory.

    Reply
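Added example, not Signal's code: the sanitisation failure class described in the comment above, as a tag blacklist that inspects the message before HTML entities are decoded (an assumed ordering) and so never sees the real tag, beside an escape-on-output renderer that treats every message as text. The host attacker.invalid, the payload and the tag lists are constructed for the example.

```python
import html
import re

# Tags whose presence in rendered markup makes the engine fetch a resource
# (remote or local). Used here as the "did the payload survive" oracle.
RESOURCE_TAG = re.compile(r"<\s*(img|iframe|video|audio|object|embed|link|script)\b", re.I)

# The kind of narrow tag blacklist a chat client might apply to incoming text.
BLACKLIST = re.compile(r"<\s*(script|img|iframe)\b", re.I)

# Constructed attacker message: an HTML-encoded <img> pointing at a hypothetical
# attacker host. There is no literal '<' for the blacklist to match.
PAYLOAD = '&lt;img src="http://attacker.invalid/leak?x=1"&gt;'


def render_vulnerable(message: str) -> str:
    """Filters the encoded form, then unescapes entities for display (assumed
    ordering). The filter never sees a real tag, and the unescaped string is
    what would reach the HTML renderer."""
    if BLACKLIST.search(message):
        return "[blocked]"
    return html.unescape(message)


def render_safe(message: str) -> str:
    """Treats the message as text: every HTML-significant character is escaped
    on the way out, so nothing the sender wrote is ever parsed as markup.
    The recipient sees exactly the characters that were sent."""
    return html.escape(message, quote=True)


def loads_resource(rendered_html: str) -> bool:
    """Would this markup make the renderer request a remote or local resource?"""
    return RESOURCE_TAG.search(rendered_html) is not None
```

The blacklist variant is the shape to avoid: any decode, normalisation or parser quirk that runs after the check reopens the hole. Escaping at the point of output has no such ordering dependency, and a check like `loads_resource` on the final markup is a cheap defence-in-depth assertion before it is handed to the renderer.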
  34. Tomi Engdahl says:

    Dutch Govt Dropping Kaspersky Software Over Spying Fears
    https://www.securityweek.com/dutch-govt-dropping-kaspersky-software-over-spying-fears

    The Dutch government is phasing out the use of anti-virus software made by Russian firm Kaspersky Lab amid fears of possible spying, despite vehement denials by the Moscow-based cyber security company.

    The Dutch Justice and Security ministry said in a statement late Monday the decision had been taken as a “precautionary measure” in order “to guarantee national security”.

    But Kaspersky Lab, whose anti-virus software is installed on some 400 million computers worldwide, said Tuesday it was “very disappointed” by the move.

    Reply
  35. Tomi Engdahl says:

    Severe DoS Flaw Discovered in Siemens SIMATIC PLCs
    https://www.securityweek.com/severe-dos-flaw-discovered-siemens-simatic-plcs

    Siemens informed customers on Tuesday that some of its SIMATIC S7-400 CPUs are affected by a high severity denial-of-service (DoS) vulnerability.

    SIMATIC S7-400 is a family of programmable logic controllers (PLCs) designed for process control in industrial environments. The product is used worldwide in the automotive, mechanical equipment manufacturing, building engineering, steel, power generation and distribution, chemical, warehousing, food, and pharmaceutical sectors.

    Siemens discovered that these devices fail to properly validate S7 communication packets, allowing a remote attacker to trigger a DoS condition that causes the system to enter DEFECT mode and remain so until it’s manually restarted.

    Reply
  36. Tomi Engdahl says:

    White House Cuts Cybersecurity Coordinator Role
    https://www.securityweek.com/white-house-cuts-cybersecurity-coordinator-role

    The White House has eliminated the role of cybersecurity coordinator following the departure of Rob Joyce, and many lawmakers and cybersecurity experts are not happy with the decision.

    After news broke that Joyce was leaving his post and returning to the National Security Agency (NSA), cybersecurity professionals were hoping to see someone at least equally competent fill the position. However, president Donald Trump’s new national security adviser, John Bolton, has announced that the role will be eliminated from the National Security Council (NSC).

    Reply
  37. Tomi Engdahl says:

    Ex-CIA Employee Suspected in WikiLeaks ‘Vault7′ Leak
    https://www.securityweek.com/ex-cia-employee-suspected-wikileaks-vault-7-leak

    A former employee of the U.S. Central Intelligence Agency (CIA) is believed to have provided WikiLeaks the files made public by the whistleblower organization as part of its ‘Vault 7’ leak, which focuses on hacking tools used by the CIA.

    According to The New York Times and The Washington Post, the suspect is 29-year-old software engineer Joshua Adam Schulte. The man’s LinkedIn profile shows that he worked for the NSA for five months in 2010 as a systems engineer, and then joined the CIA as a software engineer. He left the CIA in November 2016, when he moved to New York City and started working as a senior software engineer for Bloomberg.

    While authorities reportedly started suspecting Schulte of providing files to WikiLeaks roughly one week after the first round of Vault 7 documents were released in March 2017, he still has not been charged in connection to the leaks. Instead, he has been jailed for possessing child pornography.

    Reply
  38. Tomi Engdahl says:

    Ecuador Spied on Assange at London Embassy: Report
    https://www.securityweek.com/ecuador-spied-assange-london-embassy-report

    Ecuador spied on WikiLeaks founder Julian Assange at its London embassy where he has been living since 2012, initially to support him but things changed after he hacked the mission’s computers, the Guardian reported Wednesday.

    The newspaper said Ecuador employed an international security company and undercover agents to monitor his visitors, embassy staff and even the British police at the embassy in London’s luxury Knightsbridge area.

    It estimated the budget spent on the operation, referred to initially as “Operation Guest” and later “Operation Hotel” at $5.0 million (4.2 million euros).

    The snooping was initially intended to protect Assange from the risk of being taken away by British police but later became a full-blown spying operation.

    Reply
  39. Tomi Engdahl says:

    Thieves suck millions out of Mexican banks in transfer heist
    https://www.reuters.com/article/us-mexico-cyber/thieves-suck-millions-out-of-mexican-banks-in-transfer-heist-idUSKCN1IF1X7

    Thieves siphoned hundreds of millions of pesos out of Mexican banks, including No. 2 Banorte, by creating phantom orders that wired funds to bogus accounts and promptly withdrew the money, two sources close to the government’s investigation said. Hackers sent hundreds of false orders to move amounts ranging from tens of thousands to hundreds of thousands of pesos from banks including Banorte, to fake accounts in other banks

    Reply
  40. Tomi Engdahl says:

    California teen faces 14 felony counts in phishing attack against school district
    https://www.techspot.com/news/74624-california-teen-faces-14-felony-counts-phishing-attack.html

    A Concord, California, high school student has been arrested for targeting teachers with a phishing scam in order to change his and other students’ grades.

    Sixteen-year-old David Rotaro, who attends Ygnacio Valley High School in the Bay Area, was taken into custody last Wednesday after authorities discovered that he was responsible for hacking into the school district’s computer systems and changing the grades of several students including himself.

    According to Fox affiliate KTVU, Rotaro allegedly set up a webpage that looked identical to the school’s teacher portal. He then sent out emails to several teachers with links to the page in an attempt to gain their access credentials. At least one staff member fell for the ruse.

    Reply
  41. Tomi Engdahl says:

    Facebook Deleted 583 Million Fake Accounts in the First Three Months of 2018
    https://tech.slashdot.org/story/18/05/15/1954227/facebook-deleted-583-million-fake-accounts-in-the-first-three-months-of-2018?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Facebook said Tuesday that it had removed more than half a billion fake accounts and millions of pieces of other violent, hateful or obscene content over the first three months of 2018.

    Facebook deleted 583 million fake accounts in the first three months of 2018
    That’s more than a quarter of Facebook’s 2.2 billion monthly active users.
    https://www.cnet.com/news/facebook-deleted-583-million-fake-accounts-in-the-first-three-months-of-2018/

    Facebook is in a state of constant deletion.

    The social network released its Community Standards Enforcement Report for the first time on Tuesday, detailing how many spam posts it’s deleted and how many fake accounts it’s taken down in the first quarter of 2018. In a blog post on Facebook, Guy Rosen, Facebook’s vice president of product management, said the social network disabled about 583 million fake accounts during the first three months of this year — the majority of which, it said, were blocked within minutes of registration.

    That’s an average of over 6.5 million attempts to create a fake account every day from Jan. 1 to March 31. Facebook boasts 2.2 billion monthly active users, and if Facebook’s AI tools didn’t catch these fake accounts flooding the social network, its population would have swelled immensely in just 89 days.

    Reply
  42. Tomi Engdahl says:

    Interpol’s New Software Will Recognize Criminals by Their Voices
    https://spectrum.ieee.org/tech-talk/consumer-electronics/audiovideo/interpols-new-automated-platform-will-recognize-criminals-by-their-voice

    The world’s largest police network is evaluating software that would match samples of speech taken from phone calls or social media posts to voice recordings of criminals stored within a massive database shared by law enforcement agencies.

    The platform, as described by developers, would employ several speech analysis algorithms to filter voice samples by gender, age, language, and accent. It will be managed by Interpol at its base in Lyon, France.

    Reply
  43. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Hacker breaches Securus, a controversial firm enabling real-time warrantless cell location tracking for cops, and gives access to clients’ data to reporter — A hacker has provided Motherboard with the login details for a company that buys phone location data from major telecom companies and then sells it to law enforcement.

    Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US
    https://motherboard.vice.com/en_us/article/gykgv9/securus-phone-tracking-company-hacked

    A hacker has provided Motherboard with the login details for a company that buys phone location data from major telecom companies and then sells it to law enforcement.

    A hacker has broken into the servers of Securus, a company that allows law enforcement to easily track nearly any phone across the country, and which a US Senator has exhorted federal authorities to investigate. The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus’ law enforcement customers.

    Although it’s not clear how many of these customers are using Securus’s phone geolocation service, the news still signals the incredibly lax security of a company that is granting law enforcement exceptional power to surveill individuals.

    The hacker who breached Securus provided Motherboard with several internal company files.

    Most of the users in the spreadsheet are from US government bodies, including sheriff departments, local counties, and city law enforcement.

    Motherboard verified the data by using Securus’ website’s forgotten password feature.

    “Track mobile devices even when GPS is turned off,” the Securus website reads. “Call detail records providing call origination and call termination geo-location data,” it adds. This is the same product that is being abused by some law enforcement officials.

    “Securus was enabling tracking without a warrant and allowing users of their system to claim authority to do so without checking it. That’s a problem,” Andrew Crocker, staff attorney at campaign group the Electronic Frontier Foundation told Motherboard in a phone call.

    “The PII [personally identifying information] exposure in the (still) public user guide raises one question: does Securus have the culture and the procedures in place to protect sensitive PII? The answer appears to be no,” Rid told Motherboard.

    Reply
  44. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Alphabet’s Jigsaw will expand its free Project Shield service, which helps protects against DDoS attacks, to US political campaigns ahead of midterms — WITH MIDTERM ELECTIONS looming and primaries already underway in many states, anxiety has been building over the possibility of cyberattacks that could impact voting.

    Jigsaw’s Project Shield Will Protect Campaigns From Online Attacks
    https://www.wired.com/story/jigsaw-protect-campaigns-from-online-attacks

    With midterm elections looming and primaries already underway in many states, anxiety has been building over the possibility of cyberattacks that could impact voting. Though officials and election security researchers alike are adamant that voters can trust the United States election system, they also acknowledge shortcomings of the current security setup.

    Reply
  45. Tomi Engdahl says:

    Charlie Warzel / BuzzFeed:
    Investigation shows buying fake Facebook accounts is easy and affordable; one seller says there are always thousands in stock as marketplaces thrive — Thirty minutes and a little bitcoin can buy you an army of believable Facebook users. — Audrey Mitchell is a 23-year-old New York City transplant from London.

    Shady Marketplaces Selling Fake Facebook Profiles Operate In Plain Sight
    https://www.buzzfeed.com/charliewarzel/heres-how-easy-it-is-to-buy-fake-facebook-profiles?utm_term=.sfBpDbgV3#.uoxA9NGBM

    Thirty minutes and a little bitcoin can buy you an army of believable Facebook users.

    Reply
  46. Tomi Engdahl says:

    RedHat admins, patch now – don’t let your servers get pwned!
    https://nakedsecurity.sophos.com/2018/05/16/redhat-admins-patch-now-dont-let-your-servers-get-pwned/

    DHCP Client Script Code Execution Vulnerability – CVE-2018-1111
    https://access.redhat.com/security/vulnerabilities/3442151

    Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.

    A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.

    Reply
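Added example, not the Red Hat dhclient script and not taken from the advisory: the command-injection shape behind the flaw described above, a DHCP option value reaching a shell, next to a handler that validates the option against its own grammar and never involves a shell. The option type, the "apply_domain" action and the INJECTED marker are constructed for the example; the real hook runs as root, which is what turns this pattern into the root-level code execution the advisory describes.

```python
import re
import subprocess

# Constructed value a rogue DHCP server could return for a domain-name option.
# The "; echo INJECTED" is a harmless stand-in for an attacker's command.
MALICIOUS_OPTION = "example.com; echo INJECTED"

# What a domain-name option is allowed to look like: dot-separated labels of
# letters, digits and interior hyphens (RFC 1035 shape, simplified).
DOMAIN_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def apply_domain_vulnerable(value: str) -> str:
    """The injection shape: the untrusted option is spliced into a command line
    that a shell then parses. ';' ends the intended command and starts the
    attacker's, with the privileges of the hook (root, in the real case)."""
    cmd = "echo apply_domain=" + value          # hypothetical hook action
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def option_is_valid(value: str) -> bool:
    """Validates the option against its own grammar before anything uses it."""
    return DOMAIN_RE.fullmatch(value) is not None


def apply_domain_safe(value: str) -> str:
    """Rejects anything outside the grammar and hands the survivor to the
    program as a single argv element, so no shell ever parses it."""
    if not option_is_valid(value):
        raise ValueError("rejected DHCP option value: %r" % value)
    return subprocess.run(["echo", "apply_domain=" + value],
                          capture_output=True, text=True).stdout
```

The vulnerable path prints a second line, INJECTED, because the shell ran two commands; the safe path refuses the value before anything executes and, for values it accepts, passes them as argv rather than text for a shell to re-parse. Both halves matter: validation alone is fragile when the grammar is wider than expected, and argv-only execution alone still lets a malformed value reach whatever the option is used for.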
