Cyber security June 2018

This posting is here to collect security alert news in June 2018.

I post links to security vulnerability news to comments of this article.

282 Comments

  1. Tomi Engdahl says:

    China has turned Xinjiang into a police state like no other
    https://www.economist.com/briefing/2018/05/31/china-has-turned-xinjiang-into-a-police-state-like-no-other

    Totalitarian determination and modern technology have produced a massive abuse of human rights

    Reply
  2. Tomi Engdahl says:

    OnePlus 6 Face Unlock Beat by Paper Printout
    https://www.pcmag.com/news/361482/oneplus-6-face-unlock-beat-by-paper-printout

    OnePlus 6 user Rik van Duijn said he tried the hack ‘for the lulz’ and it actually worked.

    Think the OnePlus 6 face unlock feature is all the security you need to keep shady people from getting into your phone? Think again.

    Reply
  3. Tomi Engdahl says:

    AWS outage killed some cloudy servers, recovery time is uncertain
    ‘Power event’ blamed, hit subset of kit in US-EAST-1
    https://www.theregister.co.uk/2018/06/01/aws_outage/

    Parts of Amazon Web Services’ US-East-1 region have experienced about half an hour of downtime, but some customers’ instances and data can’t be restored because the hardware running them appears to have experienced complete failure.

    Reply
  4. Tomi Engdahl says:

    Stuart Leavenworth / McClatchy Washington Bureau:
    As DNA testing sites like Ancestry.com amass the most sensitive data of millions of people, fears abound about data breaches and changing Terms of Service — DNA for Sale — LEHI, UTAH — It markets its DNA kits with promises that tug at the heartstrings: Discover ancestors. Strengthen family ties.

    Ancestry wants your spit, your DNA and your trust. Should you give them all three?
    http://www.mcclatchydc.com/news/nation-world/article210692689.html

    It markets its DNA kits with promises that tug at the heartstrings: Discover ancestors. Strengthen family ties. Understand your life.

    Aided by venture capital and a flood of savvy marketing, Ancestry LLC has grown to become the world’s largest DNA testing conglomerate. Since 2012, it has lured more than 5 million people to spit into tubes and add their genetic code to the world’s largest private database of DNA. It has also banked away the world’s largest collection of human spittle, numbering in the hundreds of gallons.

    In the age of Facebook and Google, consumers seem comfortable surrendering their personal information to corporations that aggregate it and monetize it. But Ancestry and other DNA testing companies have added an audacious tweak: Consumers are now paying to hand over their genetic code, their most sensitive individual identifier, to companies that could monetize it far into the future.

    But a three-month review by McClatchy, including visits to Ancestry’s headquarters and a main testing lab, reveals a pattern of breached promises to customers, security concerns and inflated marketing pledges that could give consumers some pause:

    Unidentified hackers last year accessed an Ancestry website, RootsWeb, compromising the sign-ins of 55,000 Ancestry customers who had the same log-in credentials with RootsWeb.

    Most Ancestry customers consent to have their DNA results, in a de-identified form, shared with the company’s research partners in the pursuit of sciences, including finding cures to diseases. But Ancestry’s main research partner is a secretive Google subsidiary called Calico Life Sciences, which is focused on ways to extend human longevity through biotechnology.

    Peter Pitts, a former associate commissioner for the Food and Drug Administration, said it was inevitable that private companies would one day commercialize DNA analysis. But the speed and scope of the industry’s rise is worrisome, he said, in part because few consumers read the fine print of a company’s terms and conditions.

    Reply
  5. Tomi Engdahl says:

    New York Times:
    Facebook’s data-sharing deals with 60+ device makers, including Apple, Amazon, and Samsung, allowed deeper access to users’ personal info than previously known — The company formed data-sharing partnerships with Apple, Samsung and dozens of other device makers, raising new concerns about its privacy protections.

    Facebook Gave Device Makers Deep Access to Data on Users and Friends
    https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html

    The company formed data-sharing partnerships with Apple, Samsung and dozens of other device makers, raising new concerns about its privacy protections.

    Reply
  6. Tomi Engdahl says:

    David Meyer / ZDNet:
    German court rules that country’s intelligence service BND can spy on the traffic flowing through Frankfurt’s De-Cix, world’s largest internet exchange point

    Spies win right to keep monitoring all traffic at world’s biggest internet hub
    https://www.zdnet.com/article/spies-win-right-to-keep-monitoring-all-traffic-at-worlds-biggest-internet-hub/

    Vital internet hub, De-Cix in Frankfurt, has lost its fight against German intelligence services’ mass surveillance.

    Reply
  7. Tomi Engdahl says:

    FireEye Offers Free Tool to Detect Malicious Remote Logins
    https://www.darkreading.com/analytics/fireeye-offers-free-tool-to-detect-malicious-remote-logins/d/d-id/1331923

    Open source GeoLogonalyzer helps to weed out hackers exploiting stolen credentials to log into their targets.

    FireEye today released an open source tool called GeoLogonalyzer for catching remote logins from hackers.

    Stolen enterprise user credentials are all the rage among hackers these days, but spotting the bad guys among legitimate users logging in remotely can be difficult due to the large volume of remote access links to an organization.

    “Once remote authentication activity is baselined across an environment, analysts can begin to identify authentication activity that deviates from business requirements and normalized patterns,” Pany said in a blog post today announcing the new free tool.

    Other anomalies that could indicate hackers are logging in include user accounts registered to a single physical location that have logons from locations where the user is not likely to be sitting, as well as logons from different source-host names or via multiple VPN clients.

    Remote Authentication GeoFeasibility Tool – GeoLogonalyzer
    https://www.fireeye.com/blog/threat-research/2018/05/remote-authentication-geofeasibility-tool-geologonalyzer.html

    Once remote authentication activity is baselined across an environment, analysts can begin to identify authentication activity that deviates from business requirements and normalized patterns, such as:

    User accounts that authenticate from two distant locations, and at times between which the user probably could not have physically travelled the route.
    User accounts that usually log on from IP addresses registered to one physical location such as a city, state, or country, but also have logons from locations where the user is not likely to be physically located.
    User accounts that log on from a foreign location at which no employees reside or are expected to travel to, and your organization has no business contacts at that location.
    User accounts that usually log on from one source IP address, subnet, or ASN, but have a small number of logons from a different source IP address, subnet, or ASN.
    User accounts that usually log on from home or work networks, but also have logons from an IP address registered to cloud server hosting providers.
    User accounts that log on from multiple source hostnames or with multiple VPN clients.

    IP Address GeoFeasibility Analysis

    For a remote authentication log that records a source IP address, it is possible to estimate the location each logon originated from using data such as MaxMind’s free GeoIP database. With additional information, such as a timestamp and username, analysts can identify a change in source location over time to determine if that user could have possibly traveled between those two physical locations to legitimately perform the logons.

    Cloud Data Hosting Provider Analysis

    Attackers understand that organizations may either be blocking or looking for connections from unexpected locations. One solution for attackers is to establish a proxy on either a compromised server in another country, or even through a rented server hosted in another country by companies such as AWS, DigitalOcean, or Choopa.

    Fortunately, Github user “client9” tracks many datacenter hosting providers in an easily digestible format. With this information, we can attempt to detect attackers utilizing datacenter proxy to thwart GeoFeasibility analysis.

    Usable Log Sources

    GeoLogonalyzer is designed to process remote access platform logs that include a timestamp, username, and source IP. Applicable log sources include, but are not limited to:

    VPN
    Email client or web applications
    Remote desktop environments such as Citrix
    Internet-facing applications

    Reply
  8. Tomi Engdahl says:

    GeoLogonalyzer is a utility to analyze remote access logs for anomalies such as travel feasibility and data center sources.
    https://github.com/fireeye/GeoLogonalyzer

    Reply
  9. Tomi Engdahl says:

    Experiment: How easy is it to spy on a smartwatch wearer?
    https://www.kaspersky.com/blog/smart-watch-research/22536/

    Can a smartwatch be used to spy on its owner? Sure, and we already know lots of ways. But here’s another: A spying app installed on a smartphone can send data from the built-in motion sensors (namely, accelerometer and gyroscope) to a remote server, and that data can be used to piece together the wearer’s actions — walking, sitting, typing, and so on.

    How extensive is the threat in practice, and what data can really be siphoned off? We decided to investigate.

    Experiment: Can smartwatch movements reveal a password?

    It’s also easy to see when a person is typing on a computer. But working out what they are typing is way more complex. Everyone has a specific way of typing: the ten-finger method, the one- or two-digit keyboard stab, or something in-between. Basically, different people typing the same phrase can produce very different accelerometer signals — although one person entering a password several times in a row will produce pretty similar graphs.

    So, a neural network trained to recognize how a particular individual enters text could make out what that person types.

    And therein lies trouble for a would-be spy: The constant upload of accelerometer readings consumes a fair bit of Internet traffic and zaps the smartwatch battery in a matter of hours (six, to be precise, in our case). Both of those telltale signs are easy to spot, alerting the wearer that something is wrong. Both, however, are easily minimized by scooping up data selectively, for example when the target arrives at work, a likely time for password entry.

    In short, your smartwatch can be used to identify what you’re typing. But it’s hard, and accurate recovery relies on repeat text entry. In our experiment, we were able to recover a computer password with 96% accuracy and a PIN code entered at an ATM with 87% accuracy.

    It could be worse

    For cybercriminals, however, such data is not all that useful. To use it, they’d still need access to your computer or credit card. The task of determining a card number or CVC code is way trickier.

    Who should worry about smartwatches?

    Our research has shown that data obtained from a smartwatch acceleration sensor can be used to recover information about the wearer: movements, habits, some typed information (for example, a laptop password).

    Reply
  10. Tomi Engdahl says:

    An acoustic attack can bluescreen your Windows computer
    https://www.welivesecurity.com/2018/05/30/acoustic-attack-blue-screen-windows-computer/?

    Security researchers have demonstrated how attackers could cause physical damage to hard drives, and cause PCs to crash, just by playing sounds through a computer’s speaker.

    Reply
  11. Tomi Engdahl says:

    Trends 2018: Critical infrastructure attacks on the rise
    https://www.welivesecurity.com/2018/05/30/trends-2018-critical-infrastructure-attacks/?

    Healthcare sectors, critical manufacturing, food production and transportation also said to be targets for cybercriminals

    Cyberthreats to critical infrastructure jumped into the headlines in 2017, starting with a Reuters report in January that a recent power outage in Ukraine “was a cyber-attack”. In last year’s Trends report we said that we expected infrastructure attacks to “continue to generate headlines and disrupt lives in 2017”. Sadly, we were right, and unfortunately, I have to say that the same trend is likely to continue in 2018 for reasons outlined in this update. It should be noted that critical infrastructure is more than just the power grid and includes the defense and healthcare sectors, critical manufacturing and food production, water, and transportation.

    Reply
  12. Tomi Engdahl says:

    Windows ‘Double Kill’ Attack Code Found in RIG Exploit Kit
    https://www.darkreading.com/analytics/windows-double-kill-attack-code-found-in-rig-exploit-kit/d/d-id/1331925?

    Microsoft issued a fix for the remote code execution zero-day vulnerability in May, but research shows businesses have slowed their patching processes post-Meltdown.

    Reply
  13. Tomi Engdahl says:

    Visa Card Payment Systems Go Down Across Europe
    https://www.bleepingcomputer.com/news/technology/visa-card-payment-systems-go-down-across-europe/

    The Visa card payment system is currently down across Europe. Users across the continent have reported problems during the day when attempting to make payments using their Visa cards.

    A Visa spokesperson confirmed the outage but did not reveal any other details, such as its cause or its scale. Bank social media accounts also confirmed the outage and informed customers of the issue.

    Users across the UK, Germany, France, Italy, Romania, and Hungary have confirmed problems with payments, but the problems are believed to affect all European countries.

    Fellow payment card systems MasterCard and Maestro are not affected.

    Reply
  14. Tomi Engdahl says:

    Around 75% of Open Redis Servers Are Infected With Malware
    https://www.bleepingcomputer.com/news/security/around-75-percent-of-open-redis-servers-are-infected-with-malware/

    The vast majority of Redis servers left open on the Internet without any authentication system in place are most likely harboring malware, an Imperva spokesperson said.

    The company’s experts reached this conclusion after running Redis-based honeypot servers for the last few months.

    It’s through these honeypot servers that Imperva had previously discovered ReddisWannaMine, a botnet operation that was secretly mining cryptocurrency on open Redis servers left exposed online.

    But as time went by and as honeypot data racked up, the Imperva team has also started noticing some trends in compromises of their Redis tests servers.

    Reuse of SSH keys reveals botnet operations

    The most obvious pattern to spot was that attackers kept installing SSH keys on the compromised Redis server so they could access it at a later time.

    “We noticed that different attackers use the same keys and/or values to carry out attacks,” Imperva said, “a shared key or value between multiple servers is a clear sign of a malicious botnet activity.”

    Imperva experts than took the SSH keys they’ve collected through their honeypot and scanned all Redis servers that were left exposed online for the presence of these keys.

    Around 75% of tested Redis servers were compromised

    There are over 72,000 Redis servers available online today, and according to Imperva, over 10,000 of these responded to its scan request without an error, allowing researchers to determine locally installed SSH keys.

    Experts said they’ve found that over 75% of these servers were featuring an SSH key known to be associated with a malware botnet operation.

    Reply
  15. Tomi Engdahl says:

    OMG, that’s downright Wicked: Botnet authors twist corpse of Mirai into new threats
    Infamous IoT menace lives on in its hellspawn
    https://www.theregister.co.uk/2018/06/01/mirai_respun_in_new_botnets/

    Cybercrooks are using the infamous Mirai IoT botnet as a framework to quickly add in new exploits and functionalities, it has emerged.

    The work looks at four Mirai variants – Satori, JenX, OMG and Wicked – to illustrate how their authors have built upon Mirai and added their own flair:

    Satori leveraged remote code injection exploits to enhance the Mirai code
    JenX removed several features from the core code and instead relies on external tools for scanning and exploitation
    OMG adds a novel feature in the form of an HTTP and SOCKS proxy. These enable the infected IoT device to act as a pivot to connected private networks
    Wicked can target Netgear routers and CCTV-DVR devices that happen to be vulnerable to remote code execution flaws. Within the exploit, Wicked includes instructions to download and execute a copy of the Owari bot. The scanning and exploitation of devices can often be automated, resulting in any susceptible devices becoming part of the zombie network

    Reply
  16. Tomi Engdahl says:

    Google Plans Not to Renew Its Contract for Project Maven, a Controversial Pentagon Drone AI Imaging Program
    https://gizmodo.com/google-plans-not-to-renew-its-contract-for-project-mave-1826488620

    Google will not seek another contract for its controversial work providing artificial intelligence to the U.S. Department of Defense for analyzing drone footage after its current contract expires.

    Reply
  17. Tomi Engdahl says:

    How hackers can exploit devices used at home
    http://thehill.com/policy/cybersecurity/389481-how-hackers-can-exploit-devices-used-at-home

    As Americans increasingly fill their homes with smart technology, the risk of hackers exploiting their devices is growing.

    Experts say the expanding ecosystem of internet-connected devices such as smart thermostats, home security systems and electric door locks are increasingly susceptible to hackers, including those trying to leverage voice-command devices.

    This risk is further compounded if an individual stores sensitive data on certain internet-connected products, like a credit card number or mailing address, which a hacker may be able to gain access to through other connected devices.

    One incident that drew particular attention this week highlighted some of the privacy fears surrounding voice-controlled devices and how they can operate seemingly independently of their owners’ intentions.

    Reply
  18. Tomi Engdahl says:

    FUD Crypters Recycling Old Malware
    https://www.securityweek.com/fud-crypters-recycling-old-malware

    As a quick summary, FUD crypters are tools providing automatic detection evasion enhancements for any malware file and have become readily available “as-a-service” online. They have evolved to user-friendly web sites providing point-and-click file obfuscation, and typically offer the visitor up to a couple dozen evasion techniques to pick and choose from for a customized result. Recently we’ve noticed that crypters offering sandbox and virtual machine evasion have been more and more popular.

    Advanced Coding Skills No Longer Required

    If you haven’t been entirely following these developments and want to have your eyes opened, just type “fud crypter” into your preferred search engine. You’ll find results for best free FUD crypters, best paid FUD crypters, crypter YouTube tutorials, crypter reviews, and crypter directories to help you navigate the competing offerings.

    In short, cybercrime is another industry previously the somewhat exclusive domain of the cognoscenti which is moving to a more democratized, frictionless service model, where even duffers can go to quickly pull together the elements necessary to launch attacks. Practically all it takes is a browser and a cryptocurrency account.

    Old Malware Getting Recycled

    This FUD crypter service industry is giving a second life to a lot of old and kind-of-old malware, which can be pulled off the shelf by just about anybody with confused ethics and a Bitcoin account; run through a FUD crypter service in minutes; and then sent back into circulation in email campaigns or for download. We are seeing evidence of this in many samples being pulled from malware detected in our sandboxing array.

    Reply
  19. Tomi Engdahl says:

    Punycode Makes SMiShing Attacks More Deceiving
    https://www.securityweek.com/punycode-makes-smishing-attacks-more-deceiving

    Phishing attacks carried out via text messages that use the “Punycode” technique to make nefarious URLs look legitimate are becoming more popular, cloud security firm Zscaler says.

    Referred to as SMiShing, SMS phishing is a technique where attackers use text messages in an attempt to trick users into clicking a link that usually leads to malware or asks for sensitive information from the victims.

    Reply
  20. Tomi Engdahl says:

    Thousands of Organizations Expose Sensitive Data via Google Groups
    https://www.securityweek.com/thousands-organizations-expose-sensitive-data-google-groups

    Google has issued a warning to G Suite users after researchers discovered that thousands of organizations expose sensitive information through misconfigured Google Groups instances.

    The Google Groups service allows users to create mailing lists, host internal discussions, and process support tickets. These types of communications can include highly sensitive information, which is why it’s important for companies to ensure that privacy and security settings are configured properly.

    When a group is configured, its creator has to set sharing options for “Outside this domain – access to groups” to either “Private” or “Public on the Internet.” While the default option is “Private,” many organizations have set it to “Public on the Internet,” in many cases likely not realizing that anyone can access the group.

    Researchers at Kenna Security have conducted an analysis of roughly 2.5 million domains and identified more than 9,600 organizations that had allowed public access to their groups. After taking a closer look at a random sample of 171 groups, the company estimated that nearly 3,000 of the over 9,600 companies leaked some type of sensitive information.

    Reply
  21. Tomi Engdahl says:

    WordPress Disables Plugins That Expose e-Commerce Sites to Attacks
    https://www.securityweek.com/wordpress-disables-plugins-expose-e-commerce-sites-attacks

    Researchers discovered vulnerabilities in ten WordPress plugins made by a company for e-commerce websites powered by the WooCommerce platform. WordPress disabled many of them after the developer failed to release patches.

    WordPress security firm ThreatPress reported on Thursday that its researchers discovered various types of flaws in ten plugins from Multidots. The impacted plugins are available through WordPress.org and they allow WooCommerce users to manage different aspects of their online shops.

    Reply
  22. Tomi Engdahl says:

    The Current Limitations and Future Potential of AI in Cybersecurity
    https://www.securityweek.com/current-limitations-and-future-potential-ai-cybersecurity

    A recent NIST study shows the current limitations and future potential of machine learning in cybersecurity.

    Published Tuesday in the Proceedings of the National Academy of Sciences, the study focused on facial recognition and tested the accuracy of a group of 184 humans and the accuracy of four of the latest facial recognition algorithms. The humans comprised 87 trained professionals, 13 so-called ‘super recognizers’ (who simply have an exceptional natural ability), and a control group of 84 untrained individuals.

    “Our data show that the best results come from a single facial examiner working with a single top-performing algorithm,” commented NIST electronic engineer P. Jonathon Phillips. “While combining two human examiners does improve accuracy, it’s not as good as combining one examiner and the best algorithm.”

    Reply
  23. Tomi Engdahl says:

    North Korea-Linked Group Stops Targeting U.S.
    https://www.securityweek.com/north-korea-linked-group-stops-targeting-us

    A threat actor linked to North Korea’s Lazarus Group has stopped targeting organizations in the United States, but remains active in Europe and East Asia.

    The group, tracked by industrial cybersecurity firm Dragos as Covellite, has been known to target civilian electric energy organizations in an effort to collect intellectual property and information on industrial operations.

    Unlike some of the other actors whose activities have been monitored by Dragos, Covellite does not currently have the capability to disrupt industrial control systems (ICS). However, the security firm does see it as a primary threat to the ICS industry.

    “Technical analysis of COVELLITE malware indicates an evolution from known LAZARUS toolkits. However, aside from technical overlap, it is not known how the capabilities and operations between COVELLITE and LAZARUS are related,” explained Sergio Caltagirone, director of threat intelligence at Dragos.

    Reply
  24. Tomi Engdahl says:

    Operator of World’s Top Internet Hub Sues German Spy Agency
    https://www.securityweek.com/operator-worlds-top-internet-hub-sues-german-spy-agency

    Berlin – The operator of the world’s largest internet hub challenged the legality of sweeping telecoms surveillance by Germany’s spy agency, a German court heard Wednesday.

    The BND foreign intelligence service has long tapped international data flows through the De-Cix exchange based in the German city of Frankfurt.

    But the operator argues the agency is breaking the law by also capturing German domestic communications.

    “We have grave doubts about the legality of the current practice,” said a statement Wednesday on the website of De-Cix Management GmbH, which is owned by European internet industry body the eco association.

    Reply
  25. Tomi Engdahl says:

    http://www.etn.fi/index.php/13-news/8076-yli-puoli-miljoonaa-uutta-haittaohjelmaa-paivassa

    Over half a million new malware per day

    - New malware is already running over 500,000 daily. Their handling of human power has been impossible for many years now, said F-Secure’s Managing Director Samu Konttinen yesterday at the Information Security Finland seminar in Helsinki. In practice, fighting cybercrime has long required artificial intelligence.

    - Utilizing and deepening understanding of new technologies such as artificial intelligence is of utmost importance in all sectors. For Finland, it is now very important to invest in education and research with sufficient artificial intelligence and ensure that we do not fall into the ride when the world is rapidly changing with digitalisation.

    According to Kontti, cure security in this development is a prerequisite. – The cyber-security industry is growing rapidly globally, and here is Finland’s ability to create national competitiveness and thousands of new jobs.

    According to Konttinen, Finland should be self-sufficient in terms of security. – From Edward Snowden’s revelations, we learn how certain superpowers work in co-operation with technology companies in their own countries. If the geopolitical situation gives rise to the interest of such a country in accessing Finnish information networks, it is not sensible that cyber defense in Finland is solely dependent on products of such a country.

    Reply
  26. Tomi Engdahl says:

    Cyber insurance: Is it worth the investment?
    https://www.cio.com/article/3276658/cyber-attacks-espionage/cyber-insurance-is-it-worth-the-investment.html

    While cyber liability insurance policies are complex and proving claims can be daunting, CIOs in the midmarket space agree access to resources provided in the policies make the investment worthwhile.

    Last year, Aon Inpoint reported about 80 percent of buyers of stand-alone cyber premiums were medium-sized to large companies. However, smaller firms are increasingly assessing their cyber exposure risk as concerns about the potential impact of a cyber incident continue to rise.

    “The majority of breaches worldwide occur at companies with 1,000 employees or less because they’re low-hanging fruit for hackers,” explained Ed McGuire, director of specialty insurance at FBinsure. “These companies have minimal IT staff and moderate budgets.”

    Prior to this month’s long-anticipated GDPR laws going into effect, the healthcare, financial, and retail industries have been the most frequent targets for highly publicized cyber attacks. Nearly a third of global breaches occur in the healthcare field because patient data is so valuable, and fines for failing to disclose a known breach can climb well into the millions.

    Reply
  27. Tomi Engdahl says:

    CSS Is So Overpowered It Can Deanonymize Facebook Users
    https://www.bleepingcomputer.com/news/security/css-is-so-overpowered-it-can-deanonymize-facebook-users/#.WxQ_bQSu9Dc.facebook

    Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook.

    Information leaked via this attack could aid some advertisers link IP addresses or advertising profiles to real-life persons, posing a serious threat to a user’s online privacy.

    The actual vulnerability resides in the browser implementation of a CSS feature named “mix-blend-mode,” added in 2016 in the CSS3 web standard.

    The technique relies on luring users to a malicious site where the attacker embeds iframes to other sites.

    The attack consists of overlaying a huge stack of DIV layers with different blend modes on top of the iframe. These layers are all 1×1 pixel-sized, meaning they cover just one pixel of the iframe.

    Habalov and Weißer say that depending on the time needed to render the entire stack of DIVs, an attacker can determine the color of that pixel shown on the user’s screen

    Reply
  28. Tomi Engdahl says:

    ActiveX Zero-Day Discovered in Recent North Korean Hacks
    https://www.bleepingcomputer.com/news/security/activex-zero-day-discovered-in-recent-north-korean-hacks/

    A North Korean cyber-espionage group has exploited an ActiveX zero-day to infect South Korean targets with malware or steal data from compromised systems, local media and security researchers have reported.

    The perpetrators of these attacks are known as the Andariel Group. According to a report authored by South Korean cyber-security firm AhnLab, the Andariel Group is a smaller unit of the larger and more well-known Lazarus Group —North Korea’s cyber-espionage apparatus, believed to be a unit of its military.

    Zero-day connected to Samsung SDS Acube attacks

    A South Korean security researcher who did not want his name revealed told Bleeping Computer the ActiveX zero-day is connected to attacks on Samsung SDS Acube installations.

    Reply
  29. Tomi Engdahl says:

    Court says ‘nyet’ to Kaspersky’s US govt computer ban appeal
    Russian security house to stay locked out of Uncle Sam’s networks, for now
    https://www.theregister.co.uk/2018/05/30/us_court_kaspersky_ban_appeal/

    Reply
  30. Tomi Engdahl says:

    Medical Imaging AI Software Is Vulnerable to Covert Attacks
    https://spectrum.ieee.org/the-human-os/biomedical/imaging/medical-imaging-ai-software-vulnerable-to-covert-attacks

    Artificial intelligence systems meant to analyze medical images are vulnerable to attacks designed to fool them in ways that are imperceptible to humans, a new study warns.

    There may be enormous incentives to carry out such attacks for healthcare fraud and other nefarious ends, the researchers say.

    “The most striking thing to me as a researcher crafting these attacks was probably how easy they were to carry out,”

    Reply
  31. Tomi Engdahl says:

    ISP Questions Impartiality of Judges in Copyright Troll Cases
    https://torrentfreak.com/isp-questions-impartiality-of-judges-in-copyright-troll-cases-180602/

    As a staunch defender of privacy and serial critic of copyright trolling activities, Bahnhof has carved out a niche as one of the most customer-friendly ISPs in Sweden. The company certainly isn’t scared of speaking its mind and in a new broadside, it targets several of the country’s judges, questioning their impartiality for supporting pro-copyright groups while presiding over important copyright cases.

    Reply
  32. Tomi Engdahl says:

    5 Years on, US Government Still Counting Snowden Leak Costs
    https://news.slashdot.org/story/18/06/04/1652244/5-years-on-us-government-still-counting-snowden-leak-costs?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    National Security Agency contractor Edward Snowden blew the lid off U.S. government surveillance methods five years ago, but intelligence chiefs complain that revelations from the trove of classified documents he disclosed are still trickling out

    https://www.apnews.com/f8424471585f44da95918c0e784e83af

    Reply
  33. Tomi Engdahl says:

    Google Password Protects Pixel 2 Firmware
    https://www.securityweek.com/google-password-protects-pixel-2-firmware

    Google has made the firmware of Pixel 2 devices resistant to unauthorized attempts to upgrade it by password protecting it.

    Specifically, anyone interested in upgrading the firmware of a Pixel 2 device needs to supply the user password to successfully complete the process and still have access to user data.

    Google has been demanding full-disk encryption for new Android devices since 2015, and the newly implemented protection is meant to complement that security feature. Google Pixel devices also encrypt all user data, and keep the encryption key protected in secure hardware.

    “The secure hardware runs highly secure firmware that is responsible for checking the user’s password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack,” Google explains in a blog post.

    Insider Attack Resistance
    https://android-developers.googleblog.com/2018/05/insider-attack-resistance.html

    Our smart devices, such as mobile phones and tablets, contain a wealth of personal information that needs to be kept safe. Google is constantly trying to find new and better ways to protect that valuable information on Android devices. From partnering with external researchers to find and fix vulnerabilities, to adding new features to the Android platform, we work to make each release and new device safer than the last. This post talks about Google’s strategy for making the encryption on Google Pixel 2 devices resistant to various levels of attack—from platform, to hardware, all the way to the people who create the signing keys for Pixel devices.

    We encrypt all user data on Google Pixel devices and protect the encryption keys in secure hardware. The secure hardware runs highly secure firmware that is responsible for checking the user’s password. If the password is entered incorrectly, the firmware refuses to decrypt the device. This firmware also limits the rate at which passwords can be checked, making it harder for attackers to use a brute force attack.

    To prevent attackers from replacing our firmware with a malicious version, we apply digital signatures. There are two ways for an attacker to defeat the signature checks and install a malicious replacement for firmware: find and exploit vulnerabilities in the signature-checking process or gain access to the signing key and get their malicious version signed so the device will accept it as a legitimate update. The signature-checking software is tiny, isolated, and vetted with extreme thoroughness. Defeating it is hard. The signing keys, however, must exist somewhere, and there must be people who have access to them.

    Reply
  34. Tomi Engdahl says:

    New Backdoor Based on HackingTeam’s Surveillance Tool
    https://www.securityweek.com/new-backdoor-based-hackingteam%E2%80%99s-surveillance-tool

    A recently discovered backdoor built by the Iron cybercrime group is based on the leaked source code of Remote Control System (RCS), HackingTeam’s infamous surveillance tool, security firm Intezer reports.

    The Iron group is known for the Iron ransomware (which a rip-off Maktub malware) and is believed to have been active for around 18 months.

    During this time, the cybercriminals built various malware families, including backdoors, crypto-miners, and ransomware, and targeted Windows, Linux, and Android devices. To date, the group is believed to have infected at least a few thousand victims.

    Their new backdoor, the security researchers say, was first observed in April this year and features an installer protected with VMProtect and compressed using UPX.

    Reply
  35. Tomi Engdahl says:

    26 Million Users Hit by Ticketfly Hack
    https://www.securityweek.com/26-million-users-hit-ticketfly-hack

    Ticketfly, the ticket distribution service owned by Eventbrite, has started restoring services after its website was defaced by a hacker who also gained access to user information.

    The attack took place on or around May 30, when a hacker decided to exploit a vulnerability he had found in Ticketfly systems. The attacker, using the online moniker “IsHaKdZ,” reportedly asked the company to pay 1 bitcoin for information on the security hole. Since Ticketfly did not comply with his request, IsHaKdZ defaced ticketfly.com and the websites of several music venues.

    The hacker also stole and leaked the details of Ticketfly customers and employees. Troy Hunt, the owner of the Have I Been Pwned data breach notification service, has analyzed the data and determined that over 26 million unique users are impacted. The compromised data includes email addresses, names, physical addresses and phone numbers.

    The hack appears to have targeted Ticketfly’s WordPress-based assets. WordPress is also used for Ticketfly-powered websites provided to music venues, which would explain how the hacker managed to deface several sites.

    Reply
  36. Tomi Engdahl says:

    VPNFilter Continues Targeting Routers in Ukraine
    https://www.securityweek.com/vpnfilter-continues-targeting-routers-ukraine

    Despite their infrastructure being disrupted, the hackers behind the VPNFilter botnet continue targeting routers located in Ukraine, which is believed to be the campaign’s primary target.

    When Cisco Talos brought the existence of VPNFilter to light last month, the botnet had ensnared at least 500,000 routers and network-attached storage (NAS) devices across 54 countries.

    The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

    Reply
  37. Tomi Engdahl says:

    Federal Agencies Respond to 2017 Cybersecurity Executive Order
    https://www.securityweek.com/federal-agencies-respond-2017-cybersecurity-executive-order

    The U.S. Department of State, the Department of Homeland Security (DHS), the Department of Commerce, and the Office of Management and Budget (OMB) last week published reports in response to the cybersecurity executive order signed by President Donald Trump last year in an effort to improve the protection of federal networks and critical infrastructure against cyberattacks.

    Industry Reactions to Trump’s Cybersecurity Executive Order
    https://www.securityweek.com/industry-reactions-trumps-cybersecurity-executive-order

    Reply
  38. Tomi Engdahl says:

    New York Times:
    Facebook has had data-sharing partnerships with Huawei, Lenovo, Oppo, and TCL since at least 2010 and will wind down the Huawei deal by the end of the week — Facebook has data-sharing partnerships with at least four Chinese electronics companies, including a manufacturing giant …

    Facebook Gave Data Access to Chinese Firm Flagged by U.S. Intelligence
    https://www.nytimes.com/2018/06/05/technology/facebook-device-partnerships-china.html

    Facebook has data-sharing partnerships with at least four Chinese electronics companies, including a manufacturing giant that has a close relationship with China’s government, the social media company said on Tuesday.

    The agreements, which date to at least 2010, gave private access to some user data to Huawei, a telecommunications equipment company that has been flagged by American intelligence officials as a national security threat, as well as to Lenovo, Oppo and TCL.

    The four partnerships remain in effect, but Facebook officials said in an interview that the company would wind down the Huawei deal by the end of the week.

    Facebook gave access to the Chinese device makers along with other manufacturers — including Amazon, Apple, BlackBerry and Samsung — whose agreements were disclosed by The New York Times on Sunday.

    Facebook officials said the agreements with the Chinese companies allowed them access similar to what was offered to BlackBerry, which could retrieve detailed information on both device users and all of their friends — including religious and political leanings, work and education history and relationship status.

    https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html

    Reply
  39. Tomi Engdahl says:

    Natasha Lomas / TechCrunch:
    Europe’s top court rules that administrators of fan pages on Facebook are jointly responsible with Facebook for the processing of users’ data

    Europe’s top court takes a broad view of privacy responsibilities around platforms
    https://techcrunch.com/2018/06/05/europes-top-court-takes-a-broad-view-on-privacy-responsibilities-around-platforms/

    An interesting ruling by Europe’s top court could have some major implications for data mining tech giants like Facebook and Google, along with anyone who administers pages that allow platforms to collect and process their visitors’ personal data — such as a Facebook fan page or even potentially a site running Google Analytics.

    Passing judgement on a series of legal questions referred to it, the CJEU has held that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of the data of visitors to the page — aligning with the the Advocate General’s opinion to the court, which we covered back in October.

    In practical terms the ruling means tech giants could face more challenges from European data protection authorities. While anyone piggybacking on or plugging into platform services in Europe shouldn’t imagine they can just pass responsibility to the platforms for ensuring they are compliant with privacy rules.

    The CJEU deems both parties to be responsible (aka, ‘data controllers’ in the legal jargon), though the court also emphasizes that “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data”,

    The original case dates back to 2011, when a German education and training company with a fan page on Facebook was ordered by a local data protection authority to deactivate the page because neither it nor Facebook had informed users their personal data was being collected.

    “The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data,” the court writes today, handing down its judgement.

    “In those circumstances, the recognition of joint responsibility of the operator of the social network and the administrator of a fan page hosted on that network in relation to the processing of the personal data of visitors to that page contributes to ensuring more complete protection of the rights of persons visiting a fan page, in accordance with the requirements of Directive 95/46.”

    Facebook unsurprisingly expressed disappointment at the CJEU’s decision when contacted for a response.

    Reply
  40. Tomi Engdahl says:

    Joseph Cox / Motherboard:
    Israel-based DNA testing service MyHeritage discloses security breach, says account info for 92M+ users exposed, including email addresses and hashed passwords — On Monday MyHeritage announced a security researcher had uncovered tens of millions of account details for recent customers, including email addresses and hashed passwords.

    Hacked: 92 Million Account Details for DNA Testing Service MyHeritage
    https://motherboard.vice.com/en_us/article/vbqyvx/myheritage-hacked-data-breach-92-million

    On Monday MyHeritage announced a security researcher had uncovered tens of millions of account details for recent customers, including email addresses and hashed passwords.

    When you sign up to a website handling sensitive information, perhaps a medical service or social network, one of the basic things you’re probably hoping for is that the site can keep control of its users’ data. Unfortunately for customers of MyHeritage, a genealogy and DNA testing service, a researcher uncovered 92 million account details related to the company sitting on a server, according to an announcement from MyHeritage.

    The data relates to users who signed up to MyHeritage up to and including October 26, 2017—the date of the breach—the announcement adds.

    Users of the Israeli-based company can create family trees and search through historical records to try and uncover their ancestry. In January 2017, Israeli media reported the company has some 35 million family trees on its website.

    In all, the breach impacted 92,283,889 users, according to MyHeritage’s disclosure.

    The lesson: Although it appears that hackers have not accessed MyHeritage accounts themselves, as the company notes, this is still a good opportunity to remember not to use the same password on multiple sites and services.

    Reply
  41. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Homeland Security plans to test facial recognition for vehicles’ drivers crossing the border into Mexico this August, at the Anzalduas Port of Entry in Texas

    New Homeland Security system will bring facial recognition to land borders this summer
    https://www.theverge.com/2018/6/5/17427150/facial-recognition-vehicle-face-system-homeland-security-immigration-customs

    The Vehicle Face System is planned for testing in August at the Anzalduas Port of Entry in Texas

    Reply
  42. Tomi Engdahl says:

    Alfred Ng / CNET:
    Amazon stops selling CloudPets toys after researchers disclose new vulnerabilities, following Walmart and Target; CloudPets’ database had been hacked in 2017

    Amazon will stop selling connected toy filled with security issues
    Cybersecurity isn’t child’s play.
    https://www.cnet.com/news/amazon-will-stop-selling-connected-toy-cloud-pets-filled-with-security-issues/

    That soft teddy bear seems harmless — until hackers can use it to spy on your kids.

    Amazon said it has pulled CloudPets, a smart toy that researchers said was riddled with security flaws, from its online store. Last week, Walmart and Target stopped selling the toy. Amazon began removing CloudPets on Tuesday morning.

    The decision comes a day after Mozilla contacted Amazon with research showing new vulnerabilities on CloudPets.

    “In a world where data leaks are becoming more routine and products like CloudPets still sit on store shelves, I’m increasingly worried about my kids’ privacy and security,” Ashley Boyd, Mozilla’s vice president of advocacy, said in a statement.

    This isn’t the first time that Amazon has stopped selling products over privacy concerns. Last July, the online retailer giant suspended Blu phones — its top selling phone at the time — because researchers found spyware on the popular devices.

    Connected devices tend to be open to attacks for a multitude of reasons, whether it’s default passwords, developers who never send security updates or owners who never install them. The US Consumer Product Safety Commission opened an investigation into the dangers of connected gadgets, also known as the Internet of Things, in March, while lawmakers introduced a bill to regulate smart devices.

    CloudPets, made by Spiral Toys, is a talking toy that’s connected online, uses voice recordings and an online app through Bluetooth.

    But in 2017, hackers were able to access CloudPets’ database, containing email addresses, passwords and voice recordings from children, which cybercriminals held for ransom at least twice. The breach affected more than 800,000 people.

    CloudPets’ Bluetooth vulnerabilities first demonstrated more than a year ago are still open.

    The firm conducted its tests for vulnerabilities in March, and found that CloudPets did not meet security standards. Spiral Toys did not respond to a request for comment.

    “The company clearly does not care about their users’ security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users,” the researchers wrote in their report.

    The researchers also discovered that CloudPets’ mobile app refers users to a website called “mycloudpets.com/tour,” a domain that is currently for sale and can be redirected by potential criminals in online scams.

    CloudPets’ security issues calls into question what smart toys stores decide to stock their shelves with, as vulnerabilities continue to surface.

    Reply
  43. Tomi Engdahl says:

    Report: World’s largest Internet exchange sues German spy agency for tapping data center’s fiber-optic lines
    https://www.cablinginstall.com/articles/pt/2018/05/report-world-s-largest-internet-exchange-sues-german-spy-agency-for-tapping-data-center-s-fiber-opti.html?cmpid=enl_cim_cim_data_center_newsletter_2018-06-05&pwhid=6b9badc08db25d04d04ee00b499089ffc280910702f8ef99951bdbdad3175f54dcae8b7ad9fa2c1f5697ffa19d05535df56b8dc1e6f75b7b6f6f8c7461ce0b24&eid=289644432&bid=2127371

    The operator of the world’s largest Internet hub, the German Commercial Internet Exchange (DE-CIX), has taken the German government to court over mass surveillance.

    DE-CIX claims that since 2009 Germany’s foreign intelligence agency, the BND, has intercepted and copied all traffic going into its Frankfurt data center – including data on domestic citizens’ communications.

    World’s largest Internet exchange sues German spy agency for tapping data center
    http://www.datacenterdynamics.com/content-tracks/security-risk/worlds-largest-internet-exchange-sues-german-spy-agency-for-tapping-data-center/100204.article

    Reply
  44. Tomi Engdahl says:

    ‘Power event’ at AWS data center disrupts US-EAST-1
    http://www.datacenterdynamics.com/content-tracks/security-risk/power-event-at-aws-data-center-disrupts-us-east-1/100213.article

    The company says hardware was ruined, some instances might never recover

    Amazon Web Services suffered disruption to its operations in the US, with a “power event” affecting one of its cloud data centers in Northern Virginia, comprising the US-EAST-1 region.

    A single Availability Zone saw connectivity issues, impacting services like RDS, Redshift, WorkSpaces, EC2 and EBS for approximately 30 minutes.

    The issue was made worse by the fact that around the same time, customers were experiencing minor problems with US-EAST-2 region located in Ohio – affecting services including EC2 and EFS.

    Northern Virginia, where US-EAST-1 is located, is the largest data center market in the United States. It is home to hyperscale facilities by Google and Microsoft, and an upcoming $1 billion data center campus by Facebook.

    Reply
  45. Tomi Engdahl says:

    Understanding data security concerns in remote data centers
    https://www.cablinginstall.com/articles/print/volume-26/issue-5/features/data-center/understanding-data-security-concerns-in-remote-data-centers.html?cmpid=enl_cim_cim_data_center_newsletter_2018-06-05&pwhid=6b9badc08db25d04d04ee00b499089ffc280910702f8ef99951bdbdad3175f54dcae8b7ad9fa2c1f5697ffa19d05535df56b8dc1e6f75b7b6f6f8c7461ce0b24&eid=289644432&bid=2127371

    With security breaches on the rise, compliance with regulations keeps a tight leash on enterprises.

    In 2017, recorded U.S. data breaches hit a new all-time high of 1,579, up almost 50 percent over the previous year, according to the Identity Theft Resource Center. This should come as no surprise, considering that also last year, data has taken the place of oil as the world’s most valuable resource.

    For data centers, privacy and physical security of servers and switches have always been a critical priority, but increased migration toward remote edge compute sites and multitenant data centers (MTDC) has made remote management and access control of the data center cabinet more complex and challenging.

    Furthermore, growing data privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS), Federal Information Security Management Act (FISMA), and the upcoming General Data Protection Regulation (GDPR) are driving the need for more-stringent cybersecurity measures, including closely controlled access to cabinets where servers and switches reside.

    Regulations and physical security compliance

    Certain segments of the industry—particularly healthcare and financials—look at cabinet access control more strictly, requiring a detailed report of who, when and why the cabinet was accessed. Generally though, all regulations simply require physical access control measures to be in place, but it is up to enterprises to decide which specific method or technology to use.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*