Cyber security June 2018

This posting is here to collect security alert news in June 2018.

I post links to security vulnerability news to comments of this article.

282 Comments

  1. Tomi Engdahl says:

Clipboard Hijacker Targeting Bitcoin & Ethereum Users Infects Over 300,000 PCs
    https://www.bleepingcomputer.com/news/security/clipboard-hijacker-targeting-bitcoin-and-ethereum-users-infects-over-300-0000-pcs/

    A malware campaign spreading a clipboard hijacker has infected over 300,000 computers, according to Chinese security firm Qihoo 360 Total Security.

    Malware replaces BTC & ETH addresses in the clipboard

    The malware’s purpose is to intercept content recorded in the Windows clipboard, look for strings resembling Bitcoin and Ethereum addresses, and replace them with ones owned by the malware’s authors.

    ClipboardWalletHijacker’s end-plan is to hijack BTC and ETH transactions, so victims unwittingly send funds to the malware’s authors.

    Other cryptocoin-related threats

    But this is not the only cryptocurrency-focused malware campaign discovered these past weeks by Qihoo researchers.

    They’ve also stumbled upon TaksHostMiner, a malware strain that infected over 10,000 computers in one day, and which mines cryptocurrency on infected hosts. This malware’s shtick is that it ceases operation when the user opens the Windows Task Manager.

    Researchers also uncovered WagonlitSwfMiner, a coin-mining malware strain distributed via drive-by downloads that exploit an Adobe Flash vulnerability (CVE-2018-4878) to automatically infect victims.

    Qihoo also discovered the Bondat IoT/Linux worm that spreads among web servers and IoT devices, infecting devices with a hidden cryptocurrency miner and also using infected devices to brute-force WordPress sites.

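The address-swapping logic described above, as an added example in Python that is not code from the original page or from Qihoo's report: it finds strings shaped like Bitcoin or Ethereum addresses in clipboard text, validates the legacy Bitcoin ones with the Base58Check checksum so that random lookalikes are not matched, simulates the malware's replacement, and shows the one check a wallet UI or user can run against it (the addresses about to be pasted must be the ones that were copied). All addresses are constructed in the block from fixed seeds and belong to no real wallet; bech32 addresses are matched by shape only, not checksum-validated.

```python
import hashlib
import re
from typing import List, Optional, Tuple

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of double-SHA256(payload)."""
    data = payload + _sha256d(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # every leading zero byte is encoded as a leading '1'
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_decode(s: str) -> Optional[bytes]:
    """Return the payload (version byte + hash160) or None on bad chars/checksum."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    data = b"\x00" * pad + raw
    if len(data) < 5 or _sha256d(data[:-4])[:4] != data[-4:]:
        return None
    return data[:-4]


# Shapes of the address strings a clipboard hijacker looks for.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[02-9ac-hj-np-z]{11,71}\b"),  # shape only
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def find_crypto_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (kind, address) pairs; legacy BTC strings must pass Base58Check."""
    found = []
    for kind, pat in ADDRESS_PATTERNS.items():
        for m in pat.finditer(text):
            addr = m.group(0)
            if kind == "btc_legacy":
                payload = base58check_decode(addr)
                # version 0x00 = P2PKH ('1...'), 0x05 = P2SH ('3...')
                if payload is None or payload[0] not in (0x00, 0x05):
                    continue
            found.append((kind, addr))
    return found


def hijack_clipboard(clip: str, attacker: dict) -> str:
    """What the malware does: swap every detected address for the attacker's."""
    for kind, addr in find_crypto_addresses(clip):
        family = "btc" if kind.startswith("btc") else "eth"
        clip = clip.replace(addr, attacker[family])
    return clip


def paste_matches_copy(copied: str, pasted: str) -> bool:
    """Defensive check: the addresses being pasted must be the ones copied."""
    return find_crypto_addresses(copied) == find_crypto_addresses(pasted)


def _btc(version: int, seed: bytes) -> str:
    # constructed sample address: hash160 stand-in derived from a fixed string
    return base58check_encode(bytes([version]) + hashlib.sha256(seed).digest()[:20])


VICTIM_BTC = _btc(0x00, b"victim")
ATTACKER_BTC = _btc(0x00, b"attacker")
VICTIM_ETH = "0x" + hashlib.sha256(b"victim-eth").hexdigest()[:40]  # constructed
ATTACKER_ETH = "0x" + hashlib.sha256(b"attacker-eth").hexdigest()[:40]  # constructed
ATTACKER = {"btc": ATTACKER_BTC, "eth": ATTACKER_ETH}

if __name__ == "__main__":
    clip = f"pay {VICTIM_BTC} or {VICTIM_ETH}"
    swapped = hijack_clipboard(clip, ATTACKER)
    print("copied :", clip)
    print("pasted :", swapped)
    print("safe to paste?", paste_matches_copy(clip, swapped))
```

The checksum step matters for detection as well as for the attacker: a hijacker that only pattern-matches will also rewrite transaction IDs and other base58 strings, which is noisy; validating the checksum keeps both the malware and a detector quiet on everything except real addresses.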
  2. Tomi Engdahl says:

    F-Secure Acquires MWR InfoSecurity for $106 Million
    https://www.securityweek.com/f-secure-acquires-mwr-infosecurity-%E2%82%AC91-million

    Finland-based F-Secure announced on Monday that it has entered an agreement to acquire cybersecurity consultancy MWR InfoSecurity for over €91.6 million ($106 million) in cash and the promise of a significant earn-out if business objectives are achieved until the end of 2019.

    Specifically, in addition to the €91.6 million ($106 million), which is subject to adjustments, F-Secure has agreed to pay up to €28.6 million ($33 million) if the agreed business target is achieved between July 1, 2018, and December 31, 2019.

    The acquisition is expected to be completed in early July. F-Secure is still evaluating the impact of the acquisition on the company’s financial outlook for 2018.

    MWR has nearly 400 employees across offices in the UK, the US, South Africa and Singapore. The company estimates that its revenue for the financial year ending on June 30 will be €31.1 million ($36 million).

  3. Tomi Engdahl says:

    China-Linked APT15 Develops New ‘MirageFox’ Malware
    https://www.securityweek.com/china-linked-apt15-develops-new-miragefox-malware

    A cyber-espionage group believed to be operating out of China has developed a new piece of malware that appears to be based on one of the first tools used by the threat actor.

    The actor is known as APT15, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon, and its tools are tracked by various cybersecurity companies as Mirage, BS2005, RoyalCLI, RoyalDNS, TidePool, BMW and MyWeb. The group has been known to target organizations in the defense, high tech, energy, government, aerospace, manufacturing and other sectors.

    One of APT15’s more recent attacks was uncovered last year when the hackers targeted a UK-based customer of NCC Group.

  4. Tomi Engdahl says:

    Trump-Kim Summit Attracts Wave of Cyber-Attacks on Singapore
    https://www.securityweek.com/trump-kim-summit-attracts-wave-cyber-attacks-singapore

    The number of cyber-attacks targeting Singapore skyrocketed from June 11 to June 12, during the meeting between U.S. President Donald Trump and North Korean President Kim Jong-un in a Singapore hotel, and most of these attacks originated from Russia, F5 Labs reports.

    “We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel. The attacks targeted VoIP phones and IoT devices, which appears to be more than a mere coincidence,” F5 says.

  5. Tomi Engdahl says:

    French Nationals Arrested for ‘Rex Mundi’ Hacks
    https://www.securityweek.com/french-nationals-arrested-rex-mundi-hacks

    Europol announced this week that several French nationals were arrested in the past year on suspicion of being involved with Rex Mundi, a group that hacked into the systems of several organizations and attempted to blackmail them.

  6. Tomi Engdahl says:

    Microsoft Patches Code Execution Vulnerability in wimgapi Library
    https://www.securityweek.com/microsoft-patches-code-execution-vulnerability-wimgapi-library

    Microsoft this week patched a remote code execution vulnerability affecting the wimgapi library, which is used to perform operations on Windows Imaging Format (WIM) files.

    Addressed as part of Microsoft’s June 2018 Patch Tuesday

  7. Tomi Engdahl says:

    Facebook Claims 99% of Extremist Content Removed Without Users’ Help
    https://www.securityweek.com/facebook-claims-99-extremist-content-removed-without-users-help

    At this week’s International Homeland Security Forum (IHSF) hosted in Jerusalem by Israel’s minister of public security, Gilad Erdan, Facebook claimed growing success in its battle to remove extremist content from the network.

  8. Tomi Engdahl says:

    Pwned with ’4 lines of code’: Researchers warn SCADA systems are still hopelessly insecure
    How Shamoon and Stuxnet et al ran riot
    https://www.theregister.co.uk/2018/06/18/physically_hacking_scada_infosec/

    Industrial control systems could be exposed not just to remote hackers, but to local attacks and physical manipulation as well.

    A presentation at last week’s BSides conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop processes or production lines.

    The talk – Hacking SCADA: How We Attacked a Company and Lost them £1.6M with Only 4 Lines of Code – reviewed 25 years of industrial control kit, going back to the days of proprietary equipment and X21 connections before discussing proof-of-concept attacks.

    Historically everything was “air-gapped” but this has changed as the equipment has been adapted to incorporate internet functionality. This facilitates remote monitoring

    Godfrey explained that security has never been a design criterion for industrial control kit and this hasn’t changed with the advent of IoT in the domain of SCADA systems. As a result, issues such as default hard-coded credentials and lack of encryption abound.

    Worse yet, most systems are running either old or hopelessly obsolete versions of Windows. Most terminals are running Windows 7 but some run Windows 98

    “Industrial control setups certainly don’t have the maturity of enterprise environments,”

    Industrial control systems run water supply, power grid and gas distribution systems as well as factories, building management systems and more.

    Denial-of-service in industrial control environments is easy and fuzzing (trying a range of inputs to see which causes an undesigned effect) also offers a straightforward way to uncover hacks.

    INSINIA has developed a device that automatically scans networks and shuts down components. The “weaponised” Arduino micro-controller looks like a regular programmable logic controller (PLC) to other devices on the network. If it is physically planted on a targeted environment, it can quickly enumerate networks before sending stop commands. It can “kill industrial processes with only four lines of code”, according to Godfrey.

    The wider security community has recognised the risk posed to industrial control systems from malware in the wake of high-profile attacks such as the Shamoon assault on Saudi Aramco and the BlackEnergy attacks on electricity distribution facilities in Ukraine.

    The famous Stuxnet attack on Iran’s uranium-enrichment facilities

    large number of industrial control systems exposed to the internet, which are easily found using Shodan, the search engine for the IoT.

  9. Tomi Engdahl says:

    Android emulator Andy OS seems to be secretly installing a Bitcoin miner
    https://betanews.com/2018/06/18/andy-os-bitcoin-miner/

    Cryptocurrency mining malware has become a serious problem recently, and it seems the latest people to fall victim to the threat are users of the Android emulator Andy OS — also referred to as AndY and Andyroid.

    The emulator makes it possible to run Android software within Windows or macOS, but it appears that the installation harbors a dark secret — a GPU miner trojan that secretly mines for Bitcoin. Over on Reddit there are large numbers of upset users trying to find out what’s going on.

    The issue was discovered over the weekend by Reddit user TopWire who became suspicious about GPU usage after installing Andy.

    Reporting the issue to the developers of the emulator resulted in a mixture of stories

    As Andy uses a third-party installer, there are suggestions that this is to blame for the miner rather than the emulator itself, but the concern is about the development team’s apparent lack of interest in — and transparency about — the matter.

    Andy OS Android Emulator Reportedly Installing a GPU Miner
    https://www.bleepingcomputer.com/news/security/andy-os-android-emulator-reportedly-installing-a-gpu-miner/

  10. Tomi Engdahl says:

    New Telegram-abusing Android RAT discovered in the wild
    Entirely new malware family discovered by ESET researchers
    https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/

  11. Tomi Engdahl says:

    Vendor Patches Seven Vulnerabilities Across 392 Camera Models
    https://www.bleepingcomputer.com/news/security/vendor-patches-seven-vulnerabilities-across-392-camera-models/

    Axis Communications AB, a Swedish manufacturer of network cameras for physical security and video surveillance, has patched seven security flaws across nearly 400 security camera models.

    The vulnerabilities came to light following an analysis of Axis firmware by VDOO, a cyber-security firm. VDOO experts analyzed the vendor’s firmware as part of an internal initiative focused on the security of IP cameras, named Project Vizavis.

    The vulnerabilities are not overly dangerous when taken one by one, but VDOO says that by chaining three of them —CVE-2018-10660, CVE-2018-10661, and CVE-2018-10662— an attacker would be able to take over vulnerable devices without knowing their credentials.

  12. Tomi Engdahl says:

    75% of Malware Uploaded on “No-Distribute” Scanners Is Unknown to Researchers
    https://www.bleepingcomputer.com/news/security/75-percent-of-malware-uploaded-on-no-distribute-scanners-is-unknown-to-researchers/

    Three-quarters of malware samples uploaded to “no-distribute scanners” are never shared on “multiscanners” like VirusTotal, and hence, they remain unknown to security firms and researchers for longer periods of time.

    Although some antivirus products will eventually detect this malware at runtime or at one point or another later in time, this leaves a gap in terms of operational insight for security firms hunting down up-and-coming malware campaigns.

  13. Tomi Engdahl says:

    DHS, FBI Share Details of North Korea’s ‘Typeframe’ Malware
    https://www.securityweek.com/dhs-fbi-share-details-north-koreas-typeframe-malware

    The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published another report on the US-CERT website detailing a piece of malware allegedly used by the North Korean government.

    A dozen reports have been published by the DHS and the FBI over the past year on the North Korea-linked threat group tracked by the U.S. government as Hidden Cobra. The list of tools detailed by the agencies includes Sharpknot, Hardrain, Badcall, Bankshot, Fallchil, Volgmer, and Delta Charlie.

  14. Tomi Engdahl says:

    Critical Flaws Expose 400 Axis Cameras to Remote Attacks
    https://www.securityweek.com/critical-flaws-expose-400-axis-cameras-remote-attacks

    Roughly 400 security cameras from Axis Communications are affected by several vulnerabilities, including critical flaws that can be chained to take complete control of a device and access its video stream.

    As part of its research into IoT devices, cybersecurity firm VDOO has uncovered a total of seven vulnerabilities in cameras made by Axis. The vendor has identified nearly 400 affected models and released patches for each of them.

  15. Tomi Engdahl says:

    Compromised GitHub Account Spreads Malicious Syscoin Installers
    https://www.securityweek.com/compromised-github-account-spreads-malicious-syscoin-installers

    Malware-laden Syscoin releases were up for download on an official GitHub repository after hackers managed to compromise an account and replace legitimate Windows installers.

    The malicious releases were posted on the Syscoin GitHub release page on June 9 and remained there until June 13. Only the Windows Syscoin 3.0.4.1 installers (syscoincore-3.0.4-win32-setup.exe and syscoincore-3.0.4-win64-setup.exe) were affected.

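The check a downloader would have wanted for the swapped Syscoin installers, as an added example that is not code from the original page or from the Syscoin project: a parser for the GNU sha256sum manifest format and a verifier that reports matching, mismatching, missing and unlisted release assets. The installer file names are the two named in the article; their bytes and the manifest are constructed here, since the real checksums are not on the page.

```python
import hashlib
from typing import Dict, List


def parse_sha256sums(manifest: str) -> Dict[str, str]:
    """Parse 'sha256sum' output: one '<64 hex digits>  <filename>' per line.

    A leading '*' on the filename (binary-mode marker) is accepted and dropped.
    A malformed line raises instead of being skipped, so a tampered manifest
    cannot silently hide an entry.
    """
    sums: Dict[str, str] = {}
    for lineno, line in enumerate(manifest.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {line!r}")
        digest, name = parts[0].lower(), parts[1].strip()
        if any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: digest is not hex")
        if name.startswith("*"):
            name = name[1:]
        sums[name] = digest
    return sums


def verify_release(assets: Dict[str, bytes], manifest: str) -> Dict[str, List[str]]:
    """Check downloaded assets against a manifest obtained out of band.

    ok        : hash matches
    mismatch  : same file name, different bytes (replaced or corrupted)
    missing   : listed in the manifest but not among the downloads
    unlisted  : downloaded but not in the manifest (e.g. an added file)
    """
    expected = parse_sha256sums(manifest)
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name in sorted(assets):
        if name not in expected:
            report["unlisted"].append(name)
        elif hashlib.sha256(assets[name]).hexdigest() == expected[name]:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    report["missing"] = sorted(set(expected) - set(assets))
    return report


# Constructed stand-ins for the installers named in the article; only the
# file names come from the page, the bytes are invented.
WIN32_NAME = "syscoincore-3.0.4-win32-setup.exe"
WIN64_NAME = "syscoincore-3.0.4-win64-setup.exe"
GENUINE_WIN32 = b"MZ\x90\x00 genuine 32-bit build (constructed)"
GENUINE_WIN64 = b"MZ\x90\x00 genuine 64-bit build (constructed)"
TROJANIZED_WIN64 = b"MZ\x90\x00 same name, different payload (constructed)"

# The manifest the maintainers would publish separately from the release
# assets, in sha256sum format (constructed from the genuine stand-ins).
MANIFEST = "\n".join(
    f"{hashlib.sha256(data).hexdigest()}  {name}"
    for name, data in ((WIN32_NAME, GENUINE_WIN32), (WIN64_NAME, GENUINE_WIN64))
)


def check_tampered_release() -> Dict[str, List[str]]:
    """A tampered download set: the 64-bit installer's bytes differ from the
    manifest and an extra file that the manifest never listed is present."""
    downloads = {
        WIN32_NAME: GENUINE_WIN32,
        WIN64_NAME: TROJANIZED_WIN64,
        "README.txt": b"(constructed)",
    }
    return verify_release(downloads, MANIFEST)


if __name__ == "__main__":
    for status, names in check_tampered_release().items():
        print(f"{status:9s} {names}")
```

The caveat is where the manifest comes from: an attacker who can replace installers on a release page can usually replace a checksum file sitting next to them too, so the manifest has to be fetched from a channel the same account cannot edit, or carry a signature verified against a key obtained earlier. Comparing against a manifest downloaded from the same page proves nothing.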
  16. Tomi Engdahl says:

    Google Increases Visibility Into Endpoints Accessing G Suite Data
    https://www.securityweek.com/google-increases-visibility-endpoints-accessing-g-suite-data

    A newly added “Endpoint Verification” feature in G Suite provides administrators with increased visibility into the computers that have access to corporate data.

    Released for ChromeOS, macOS, and Windows, the new feature requires a Chrome extension to be installed. On macOS and Windows, the feature also requires a native application that works with the extension.

    Users can install the extensions and the apps individually and admins can deploy them centrally, if needed, Google reveals.

    Once it has been set up on user devices, Endpoint Verification provides admins with access to an inventory of desktop and laptop devices within the enterprise environment that can access corporate data. Additionally, it offers information such as screen lock, disk encryption, and OS version.

    https://gsuiteupdates.googleblog.com/2018/06/new-desktop-device-reporting-in-admin.html

  17. Tomi Engdahl says:

    Multi-Layered Infection Attack Installs Betabot Malware
    https://www.securityweek.com/multi-layered-infection-attack-installs-betabot-malware

    The Betabot Trojan is being spread in a multi-stage attack that starts with malicious Office documents attempting to exploit a 17-year-old vulnerability.

  18. Tomi Engdahl says:

    Cyber Attack Aims to Manipulate Mexican Election
    https://www.securityweek.com/cyber-attack-aims-manipulate-mexican-election

    On Wednesday June 13, in the run-up to Mexico’s July 1 presidential election, a website operated by the rightist National Action Party (PAN) was taken off-line for several hours by a DDoS attack. The outage occurred at the time of a televised presidential debate, and just following a point at which the PAN candidate held up a placard with the website address claiming it held proof of potential corruption.

    The source of the DDoS attack is unknown and possibly unknowable — but it is a reminder of the extent to which the internet can be used to influence or even control public opinion.

    The accusations of Russian involvement in both the Trump election in the U.S. and the UK Brexit referendum are still fresh. Perhaps more directly relevant is the controversy over the DDoS attack on the FCC website just as it was gathering public comment on the (then) proposed elimination of the net neutrality rules.

  19. Tomi Engdahl says:

    Fraudster admits she was OPM dealer: Leaked US govt staff files used to bag cash, car loans
    https://www.theregister.co.uk/2018/06/19/opm_leak_fraudster_guilty/

    Woman cops to using stolen records to open bank accounts

    A woman has fessed up to using people’s personal information, leaked online from the US government’s Office of Personnel Management mega-hack, to take out loans and open bank accounts.

    Cross admitted to working with other fraudsters

  20. Tomi Engdahl says:

    Verizon stops selling customer location to two data brokers after one is caught leaking it
    https://techcrunch.com/2018/06/19/verizon-stops-selling-customer-location-to-two-data-brokers-after-one-is-caught-leaking-it/?utm_source=tcfbpage&sr_share=facebook

    Verizon is cutting off access to its mobile customers’ real-time locations to two third-party data brokers “to prevent misuse of that information going forward.”

    Verizon sold bulk access to its customers’ locations to the brokers in question, LocationSmart and Zumigo, which then turned around and resold that data to dozens of other companies. This isn’t necessarily bad

    it was found that LocationSmart had exposed an API that allowed anyone to request mobile locations freely and anonymously, and without collecting consent.

    “We conducted a comprehensive review of our location aggregator program,” wrote Verizon CTO Karen Zacharia. “As a result of this review, we are initiating a process to terminate our existing agreements for the location aggregator program.”

  21. Tomi Engdahl says:

    Caroline O’Donovan / BuzzFeed:
    Medium and GitHub scrub posts and database containing ICE employee LinkedIn data citing rules against doxxing; Twitter suspends bot tweeting info from database

    Medium Just Took Down A Post It Says Doxed ICE Employees
    https://www.buzzfeed.com/carolineodonovan/heres-why-medium-and-github-just-took-down-a-post

    Medium and GitHub say posting the LinkedIn data of a targeted group of employees constitutes doxing. The artist who made the database disagrees.

  22. Tomi Engdahl says:

    Wolfie Zhao / CoinDesk:
    Bithumb, one of South Korea’s largest cryptocurrency exchanges, suspends asset deposit and withdrawal services after ~$31M hack, promises full reimbursement

    Crypto Exchange Bithumb Halts Withdrawals Amid $31 Million Hack
    https://www.coindesk.com/crypto-exchange-bithumb-halts-services-amid-31-million-hack/

    Bithumb, one of the largest cryptocurrency exchanges in South Korea by trading volume, is halting asset deposit and withdrawal services after hackers stole 35 billion won (or $31 million) from the platform.

    The company said in an announcement today that the hack happened between late Tuesday night and early Wednesday morning Korean time. Though Bithumb has yet to disclose which cryptocurrency or in what amount had been damaged, it said in the announcement that the loss will be covered by the platform.

  23. Tomi Engdahl says:

    Frederic Lardinois / TechCrunch:
    VirusTotal launches Monitor aimed at helping developers mitigate false positives by letting them upload and scan new code against their 70+ antivirus partners

    VirusTotal now protects developers from becoming false positives
    https://techcrunch.com/2018/06/19/virustotal-now-protects-developers-from-becoming-false-positives/

    It’s been six years since Google acquired VirusTotal, a service that allows users to upload any file to check it for malware and viruses against the databases and algorithms of 70 antivirus and domain blacklisting services. Over the years, VirusTotal, which is now part of Alphabet’s Chronicle, has established itself as a neutral public service that has the trust of both users and developers, who can also access its service through an API.

    Today, the company is expanding on its core services by launching a new tool that allows developers to scan new code against the systems of its antivirus partners to help ensure that those partners don’t mistakenly identify their code as malware. These kinds of false positives are surprisingly common and can obviously create massive headaches for developers who aren’t in the malware business.

    Launching VirusTotal Monitor, a service to mitigate false positives
    http://blog.virustotal.com/2018/06/vtmonitor-to-mitigate-false-positives.html

    False positives impact antivirus vendors, software developers and end-users. For example, let us imagine a popular streaming service app that allows in-app digital content purchases. We will call it Filmorrific.

    Note that in this context, a software developer is not only a company creating an app or program distributed to thousands of machines and including some kind of monetisation strategy. Today, almost every organization builds internal tools that their finance, accounts payable, HR, etc. teams use. All of these tools are prone to false positives, and while this might not have a revenue impact, it certainly has a cost in terms of productivity hours lost because the workforce can’t access a given app.

    What if we could kill these three birds with the same stone? Enter VirusTotal Monitor. VirusTotal already runs a multi-antivirus service that aggregates the verdicts of over 70 antivirus engines to give users a second opinion about the maliciousness of the files that they check. Why not take advantage of this setup not only to try to detect badness, but also to flag mistaken detections of legit software?

    VirusTotal Monitor is a new service that allows software developers to upload their creations to a private cloud store in VirusTotal. Files in this private bucket are scanned with all 70+ antivirus vendors in VirusTotal on a daily basis, using the latest detection signature sets. Files also remain absolutely private, not shared with third-parties. It is only in the event of a detection that the file will be shared with the antivirus vendor producing the alert. As soon as the file is detected, both the software developer and the antivirus vendor are notified, the antivirus vendor then has access to the file and its metadata (company behind the file, software developer contact information, etc.) so that it can act on the detection and remediate it if it is indeed considered a false positive. The entire process is automatic.

    For antivirus vendors this is a big win, as they can now have context about a file: who is the company behind it? when was it released? in which software suites is it found?

    In particular, software vendors use a Google-drive like interface where they can upload their software collections and provide details about the files

    VirusTotal Monitor is not a free pass to get any file whitelisted, sometimes vendors will indeed decide to keep detections for certain software, however, by having contextual information about the author behind a given file, they can prioritize work and take better decisions, hopefully leading to a world with less false positives. The idea is to have a collection of known source software, then each antivirus can decide what kind of trust-based relationship they have with each software publisher.

    As Marc Andreessen once said, “software is eating the world”, however, there is not much it can eat unless it can actually execute — let’s make sure that legit software can run.

  24. Tomi Engdahl says:

    Joseph Menn / Reuters:
    Symantec: a hacking campaign launched from China, with the likely intention of espionage, breached satellite and defense companies in the US and Southeast Asia — SAN FRANCISCO (Reuters) – A sophisticated hacking campaign launched from computers in China burrowed deeply into satellite operators …

    China-based campaign breached satellite, defense companies: Symantec
    https://www.reuters.com/article/us-china-usa-cyber/china-based-campaign-breached-satellite-defense-companies-symantec-idUSKBN1JF2X0

  25. Tomi Engdahl says:

    HeroRat Controls Infected Android Devices via Telegram
    https://www.securityweek.com/herorat-controls-infected-android-devices-telegram

    A newly detailed Android remote access Trojan (RAT) is leveraging Telegram’s bot functionality to control infected devices, ESET reveals.

    Dubbed HeroRat, the malware has been spreading since at least August 2017. As of March 2018, the Trojan’s source code has been available for free on Telegram hacking channels, resulting in hundreds of variants emerging in attacks.

    New Telegram-abusing Android RAT discovered in the wild
    Entirely new malware family discovered by ESET researchers
    https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/

  26. Tomi Engdahl says:

    Inside the Legislative and Regulatory Minefield Confronting Cybersecurity Researchers
    https://www.securityweek.com/inside-legislative-and-regulatory-minefield-confronting-cybersecurity-researchers

    Legislation – especially complex legislation – often comes with unintended consequences. The EU’s General Data Protection Regulation (GDPR), which came into force May 25, 2018, is an example of complex legislation.

    GDPR, and other cybersecurity laws, are designed to protect privacy and property in the cyber domain. There is, however, concern that many of these laws have a common unintended consequence: in protecting people from cybercriminals, the laws also protect cybercriminals from security researchers.

    The question is whether security research is an unintended but inevitable collateral damage of cybersecurity legislation. While focusing on GDPR, this examination will also consider other legislation, such as the CLOUD Act, the Computer Fraud and Abuse Act (CFAA) and the Computer Misuse Act (CMA).

    The WHOIS issue

    One immediate example involves GDPR, the Internet Corporation for Assigned Names and Numbers (ICANN) and the WHOIS database/protocol. ICANN maintains a global database of internet domain registrations that has been readily available to security vendors and security researchers.

    Researchers with one known malicious domain have been able to cross-reference details via WHOIS to locate, at speed, potentially thousands of other malicious domains registered at the same time or by the same person or with the same contact details.

    However, registrant details of EU residents are now protected data under GDPR. ICANN can no longer share that data with third parties – effectively meaning that researchers can no longer access WHOIS data to discover potentially malicious domains and protect the public from spam or phishing campaigns involving those domains.

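The WHOIS pivot the article says researchers are losing, as an added example in Python that is not code from the original page or from any WHOIS tool: starting from one known-bad domain, it collects every domain that shares a registrant field with a domain already collected, following transitive links, and then repeats the pivot over the same records after the registrant fields have been replaced by a redaction placeholder, which is how the post-GDPR output shows up. The records, domains (reserved .test names) and registrants are constructed for the example; the placeholder text is an assumption, registrars use several wordings.

```python
from typing import Dict, List, Set, Tuple

REDACTED = "REDACTED FOR PRIVACY"  # assumed placeholder wording
PIVOT_FIELDS = ("registrant_email", "registrant_name", "registrant_phone")

# Constructed WHOIS-style records; no real domains or people.
RECORDS = [
    {"domain": "secure-bank-login.test", "registrant_email": "jdoe@mail.test",
     "registrant_name": "J. Doe", "registrant_phone": "+1.5550100", "created": "2018-05-30"},
    {"domain": "bank-login-verify.test", "registrant_email": "jdoe@mail.test",
     "registrant_name": "Jane Roe", "registrant_phone": "+1.5550199", "created": "2018-05-30"},
    {"domain": "account-update-now.test", "registrant_email": "other@mail.test",
     "registrant_name": "Jane Roe", "registrant_phone": "+1.5550199", "created": "2018-06-01"},
    {"domain": "flower-shop.test", "registrant_email": "florist@mail.test",
     "registrant_name": "Flower Shop", "registrant_phone": "+1.5550142", "created": "2016-02-11"},
]


def _usable(value: str) -> bool:
    """A field can be pivoted on only if it is present and not redacted."""
    return bool(value) and value.strip().upper() != REDACTED


def pivot_from(seed: str, records: List[Dict[str, str]],
               fields: Tuple[str, ...] = PIVOT_FIELDS) -> List[str]:
    """Breadth-first pivot from one known-bad domain.

    Any domain sharing a usable registrant field with a domain already in the
    result set is added, so A -> B (same e-mail) -> C (same phone) is found.
    """
    by_domain = {r["domain"]: r for r in records}
    if seed not in by_domain:
        raise KeyError(seed)
    # index (field, value) -> domains, skipping redacted or empty values
    index: Dict[Tuple[str, str], Set[str]] = {}
    for r in records:
        for f in fields:
            v = r.get(f, "")
            if _usable(v):
                index.setdefault((f, v.lower()), set()).add(r["domain"])
    seen, queue = {seed}, [seed]
    while queue:
        d = queue.pop(0)
        for f in fields:
            v = by_domain[d].get(f, "")
            if not _usable(v):
                continue
            for linked in index.get((f, v.lower()), ()):
                if linked not in seen:
                    seen.add(linked)
                    queue.append(linked)
    return sorted(seen)


def apply_gdpr_redaction(records: List[Dict[str, str]],
                         fields: Tuple[str, ...] = PIVOT_FIELDS) -> List[Dict[str, str]]:
    """Model the redacted WHOIS output: contact fields replaced by the
    placeholder, everything else (domain, creation date) left intact."""
    return [{**r, **{f: REDACTED for f in fields if f in r}} for r in records]


if __name__ == "__main__":
    seed = "secure-bank-login.test"
    print("before redaction:", pivot_from(seed, RECORDS))
    print("after redaction :", pivot_from(seed, apply_gdpr_redaction(RECORDS)))
```

With the contact fields intact the pivot grows one reported domain into three; with them redacted it returns only the seed. What survives redaction is the creation date, which is why "registered at the same time" is the weak signal researchers are left with, and it is far noisier than a shared e-mail address.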
  27. Tomi Engdahl says:

    Ex-CIA Employee Charged With Leaking Agency’s Hacking Tools
    https://www.securityweek.com/ex-cia-employee-charged-leaking-agencys-hacking-tools

    A former employee of the U.S. Central Intelligence Agency (CIA) has been charged with stealing classified national defense information from the agency and sharing it with WikiLeaks.

    The man reportedly became the main suspect for the Vault 7 leaks one week after WikiLeaks started releasing files. However, when investigators searched his apartment and devices, they uncovered a file sharing server hosting child pornography.

  28. Tomi Engdahl says:

    Winning the Cyber Arms Race with Machine Learning
    https://www.securityweek.com/winning-cyber-arms-race-machine-learning

    Despite advances in cybersecurity technology, the number of days to detect a breach has increased from an average of 201 days in 2016 to an average of 206 days just a year later, according to the 2017 Ponemon Cost of Data Breach Study. While organizations are getting increasingly better at discovering data breaches on their own, 53 percent of breaches were discovered by an external source in 2017, meaning organizations had no idea their data had been compromised. Part of the problem is that there is no easy way for many organizations to automatically correlate and analyze all of the data being collected by the various security solutions that have been deployed across the network. That problem is compounded by the fact that many of these tools operate in isolation. The result is that IT teams have to hand correlate data collected from different sources looking for a needle in the haystack. The opportunity for human error is high and log files simply scroll by too quickly for anyone to be able to gather actionable information from them.

  29. Tomi Engdahl says:

    ‘Olympic Destroyer’ Malware Spotted in New Attacks
    https://www.securityweek.com/olympic-destroyer-malware-spotted-new-attacks

    Olympic Destroyer, the malware involved in a campaign targeting this year’s Olympic Winter Games in Pyeongchang, South Korea, has been used recently in attacks aimed at organizations in Germany, France, the Netherlands, Russia, Switzerland and Ukraine.

    Olympic Destroyer is designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. The malware was used during the Olympics in an attack that disrupted IT systems, including the official event website, display monitors, and Wi-Fi connections.

  30. Tomi Engdahl says:

    Where There’s a Will, There’s a Way; Beyond Dark Web Marketplaces
    https://www.securityweek.com/where-theres-will-theres-way-beyond-dark-web-marketplaces

    Nearly a year has passed since the takedowns of AlphaBay and Hansa by law enforcement efforts that left many speculating about the future of dark web marketplaces. Expectations of an older, established market replacing AlphaBay, or the emergence of a new marketplace, have fallen short. Dream Market and Olympus are among those to have made a play, but no single marketplace has risen to the top, at least among the English-speaking community. And mistrust, fear and high barriers to entry are preventing new marketplaces from flourishing. But as the adage goes, “where there’s a will there’s a way.” So instead, we’re seeing cybercriminals rely on a patchwork of alternative solutions to conduct illegal, online trade.

    Users are retrenching to more specialized forums dedicated to hacking and security, which often act as a platform for trade. Sites like CrimeNet, HPC, and Exploit[.]in contain many examples of threat actors offering products such as ransomware variants, exploit kits, compromised accounts and payment card data.

    But here are five general tips that can help reduce the chances of your data falling into the wrong hands:

    1. Know where your most sensitive data resides, and then understand how a cybercriminal would monetize that data.

    2. Monitor the open, deep and dark web for mentions of your business, brand or personal information.

    3. Increase your monitoring to cover peer-to-peer platforms and messaging channels that are increasingly being used by cybercriminals.

    4. Use unique and strong passwords on your most sensitive or personal accounts and enable multifactor authentication to prevent account takeovers.

    5. Don’t forget about third parties. Contractors and suppliers with privileged access to your sensitive information are also a weak point. Monitor and secure your supply chain networks in the same way you would your own employees and assets.

  31. Tomi Engdahl says:

    ’90s hacker collective man turned infosec VIP: Internet security hasn’t improved in 20 years
    L0pht luminary Chris Wysopal talks to The Reg
    https://www.theregister.co.uk/2018/06/18/l0pht_chris_wysopal_interview/

    It has been 20 years since Chris Wysopal (AKA Weld Pond) and his colleagues at the Boston-based L0pht* hacker collective famously testified before the US Senate that the internet was hopelessly insecure.

    El Reg: I started writing about security around that time. L0pht had the slogan of making the theoretical possible.

    Wysopal: Microsoft were saying “this is a theoretical vulnerability” so what they were saying was you’re going to have to write an exploit or we’re not going to fix it.

    So we started to get notoriety for calling out big corporations like Microsoft, IBM [and] Oracle.

    He called the FBI and said: “I know there are some good hackers out there, they’re not all criminals, do you know of any good hackers?” And the FBI said: “You’ve got to go talk to the L0pht guys”.

    We were on their radar.

    We were vetted as good guys, so Richard Clarke felt comfortable coming from the National Security Council

    The manufacturers say: “This is just how software is, it’s vulnerable and… you’re always going to have bugs”… We were saying that that’s not the case. If we can find the bugs, then they can find the bugs and they can fix them before they ship the software.

    Wysopal: The main idea was there were two root causes of all these [cybersecurity] problems. One was software isn’t secure. The vulnerabilities in software are the root cause of most of the problems.

    Vendors have no liability, so they can ship vulnerable software with impunity. There’s no reason they can’t ship. And they can know about it.

    They can knowingly ship vulnerabilities. They’re like “we didn’t have time to fix that” so they can knowingly ship it.

    The internet wasn’t made for business
    That was one message. The other one was the foundations of the internet have big vulnerabilities. It was never designed [for business]. These are the systems we have.

    Wysopal: We talked about an attack that would make all the major network peering points send traffic to the wrong place. That would quickly saturate the network and it would fall apart. That has happened but people now are using it as more of a tactical attack.

    El Reg: What was the outcome from your testimony?

    Wysopal: I think we raised a lot of awareness. I think it did cause people to start to ask questions of their vendors.

    From what I hear one of the final straws that caused the Trustworthy Computing movement at Microsoft to start was the Air Force CIO saying: “I can’t just constantly be patching and fixing my systems, guys. You need to deliver something more secure or I’m going to go to Linux.”

    Wysopal: Space Rogue and I got together and we said 20 years later, it seems like enough time that we should get together and have a look back. We should do a formal look back and we should be doing it on Capitol Hill and not just be renting a hotel in Boston. We’re all distributed anyway.

    What we talked about was about how fundamentally not much has changed. On the internet side, the BGP protocol hasn’t been improved, there’s [just] more people watching. As opposed to having prevention with a secure protocol, it’s more a response where people are looking for these BGP changes and they’re hoping someone notices it if something looks wrong.

    This works if it’s an attack but it doesn’t work in a DDoS situation. In a DDoS situation it’d quickly cascade and the whole internet would be down.

    I don’t know enough about it to know how quickly they could recover. It could be down for 30 minutes. It could be down for an hour, but that would be really bad.

    El Reg: Is there a secure BGP protocol?

    Wysopal: There is a secure BGP protocol where the messages are signed and there’s a whole certificate infrastructure. It just hasn’t been implemented.

    There’s a secure DNS but that hasn’t been implemented. We still have the problem with fake certificates or people accepting certificates that they shouldn’t, like self-signed certificates.

    Wysopal: Essentially what we’re doing is we’re tolerating a certain amount of damage. We’re tolerating a certain amount as a society or as, you know, an economy or as a government – however you want to put it. We’re tolerating a certain amount of damage.

    Reply
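The “certificate infrastructure” Wysopal refers to is the RPKI; the check it enables on the routing side is origin validation (RFC 6811), which is what a BGP monitor runs over observed announcements to turn “hoping someone notices” into a definite alert. The following is an added example in Python, not code from The Register, L0pht or Veracode; the ROAs and announcements are constructed sample data using documentation prefixes and documentation AS numbers, not real registry contents.

```python
"""RPKI route origin validation (RFC 6811) over a constructed ROA set.

Added example; not code from The Register, L0pht or Veracode. The ROAs and
announcements are constructed sample data (documentation prefixes and
documentation AS numbers), not real registry contents.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: origin_as may announce `prefix` and any
    more-specific of it down to max_length."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    origin_as: int


def make_roa(prefix: str, max_length: int, origin_as: int) -> ROA:
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("maxLength must lie between prefix length and address width")
    return ROA(net, max_length, origin_as)


def validate_origin(announced_prefix: str, origin_as: int, roas) -> str:
    """RFC 6811 section 2 outcome for one announcement:
    'not-found' when no ROA covers the prefix, 'valid' when a covering ROA
    names this origin AS and its maxLength allows this prefix length,
    otherwise 'invalid'."""
    net = ipaddress.ip_network(announced_prefix, strict=True)
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def route_alerts(announcements, roas):
    """What a BGP monitor would raise: every announcement that is not 'valid'."""
    alerts = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        if state != "valid":
            alerts.append((prefix, asn, state))
    return alerts


# Constructed sample ROAs (documentation prefixes, documentation ASNs).
SAMPLE_ROAS = [
    make_roa("192.0.2.0/24", 24, 64496),
    make_roa("198.51.100.0/22", 24, 64497),
    make_roa("2001:db8::/32", 48, 64498),
]

# Constructed sample announcements as a monitor might observe them.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),      # valid: exact match
    ("192.0.2.0/24", 64499),      # invalid: wrong origin, the shape a hijack or leak takes
    ("198.51.100.0/23", 64497),   # valid: more specific, still within maxLength
    ("198.51.100.0/25", 64497),   # invalid: more specific than maxLength allows
    ("203.0.113.0/24", 64496),    # not-found: no ROA covers it
    ("2001:db8:1::/48", 64498),   # valid: IPv6 is handled the same way
]

if __name__ == "__main__":
    for prefix, asn, state in route_alerts(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(f"ALERT {prefix} origin AS{asn}: {state}")
```

Note the “not-found” state: with partial ROA coverage, an unregistered prefix cannot be distinguished from a legitimate one, which is why origin validation only pays off once operators actually publish ROAs for their space.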
  32. Tomi Engdahl says:

    7 open source VPN tools for businesses
    https://opensource.com/article/18/6/vpn-alternatives?sc_cid=7016000000127ECAAY

    Check out these enterprise-ready, open source VPN solutions to meet the needs of any corporation, large or small.

    Reply
  33. Tomi Engdahl says:

    Marketing ‘spyware’ caught in PC games but makers reject that label
    Ad campaign tracker Red Shell removed from about 20 games anyway
    https://www.polygon.com/2018/6/20/17485762/red-shell-spyware-pc-games-controversy-steam

    About 20 PC games — including The Elder Scrolls Online and Conan Exiles — have removed a piece of third-party spyware tracking users’ activity outside of the game, and dozens more are said to still have it more than a week after it came to light on Reddit and Steam forums.

    Called Red Shell (yes, it’s named for the Mario Kart item), the spyware sells itself as a means for video game makers to “uncover where their players come from through reliable attribution.” It “matches” whether players with Red Shell installed on their games visited a market’s campaign, whether Facebook and Twitter, YouTube, a web page or others.

    To do this, Red Shell has to follow what users are doing outside of the game. But the company said it does not collect any player’s personal information, and only collects information about their browsers and devices “for purposes of attribution.” No data is sold to a third party, Red Shell said.

    According to this list there are many more games using the tracker, some familiar, others obscure.

    https://redshell.io/home

    Reply
  34. Tomi Engdahl says:

    Two Critical U.S. Dams at High Risk From Insider Cyber Threats
    https://spectrum.ieee.org/riskfactor/computing/it/two-critical-us-dams-at-high-risk-from-insider-threats

    The U.S. Bureau of Reclamation, a part of the Interior Department, operates more than 600 of the some 100,000 dams in the United States, five of which are considered part of the national critical infrastructure. This means that the incapacitation or destruction of either the Glen Canyon Dam in Arizona, the Shasta or Folsom Dams in California, the Hoover Dam in Nevada, or the Grand Coulee Dam in Washington State would, in the Department of Homeland Security’s words, “have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

    Reply
  35. Tomi Engdahl says:

    https://www.securityfocus.com/archive/1/542094
    Package : libgcrypt20
    CVE ID : CVE-2018-0495

    It was discovered that Libgcrypt is prone to a local side-channel attack
    allowing recovery of ECDSA private keys.

    For the stable distribution (stretch), this problem has been fixed in
    version 1.7.6-2+deb9u3.

    Reply
  36. Tomi Engdahl says:

    Script kiddie goes from ‘Bitcoin Baron’ to ‘Lockup Lodger’ after DDoSing 911 systems
    US bloke gets 20 months for knackering city govt IT
    http://www.theregister.co.uk/2018/06/20/bitcoin_baron_gets_20_months/

    A 23-year-old Arizona man was thrown in the cooler this week after he admitted being the not-quite-infamous website-rattling “Bitcoin Baron”.

    Randall Charles Tucker was given a 20-month sentence Tuesday after pleading guilty earlier this year to one count of felony intentional damage to a protected computer.

    The man had been charged with running a March 2015 distributed denial-of-service (DDoS) attack that had rendered the US city of Madison, Wisconsin’s government networks inaccessible various times over a five-day period.

    “His DDoS attacks against the City of Madison seriously affected public safety, and his crime spree of computer attacks and extortion affected numerous victims,

    Reply
  37. Tomi Engdahl says:

    Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases
    Thursday, June 21, 2018
    https://thehackernews.com/2018/06/mobile-security-firebase-hosting.html?m=1

    Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions.
    Google’s Firebase service is one of the most popular back-end development platforms for mobile and web applications that offers developers a cloud-based database, which stores data in JSON format and syncs it in real time with all connected clients.

    Reply
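The databases described in the comment above are exposed because their Realtime Database security rules grant `.read` or `.write` without requiring an authenticated user. As an added example (not code from The Hacker News or from the researchers), here is a small Python linter over a rules document that flags such grants; the rules language is Firebase’s, but the three rule sets are constructed for illustration and the check is a heuristic, not a full rules evaluator.

```python
"""Lint Firebase Realtime Database security rules for unauthenticated access.

Added example, not code from The Hacker News or from the researchers; the rule
documents below are constructed. The heuristic is deliberately simple: a
.read/.write rule that is literally true, or an expression that never
consults `auth`, can be satisfied by anyone who knows the database URL.
"""
import json


def is_public(rule) -> bool:
    """True when a rule can be satisfied without an authenticated user."""
    if isinstance(rule, bool):
        return rule
    if isinstance(rule, str):
        expr = rule.strip()
        if expr == "false":
            return False
        if expr == "true":
            return True
        # e.g. "now < 1735689600000": time-limited, but open to everyone meanwhile.
        # Heuristic only: an expression mentioning `auth` is assumed to require it.
        return "auth" not in expr
    return False


def audit_rules(rules_text: str):
    """Return (path, op, rule) for every .read/.write that is public.
    In RTDB rules a grant cascades to all children, so a hit at '/' means the
    whole database is exposed."""
    doc = json.loads(rules_text)
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for op in (".read", ".write"):
            if op in node and is_public(node[op]):
                findings.append((path or "/", op, node[op]))
        for key, child in node.items():
            if not key.startswith("."):     # ".validate", ".indexOn" are not grants
                walk(child, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


# Constructed rule sets: the pattern behind an exposed database, a locked-down
# one, and a "temporary" open rule that is public until its timestamp passes.
WEAK_RULES = '{"rules": {".read": true, ".write": true}}'

HARDENED_RULES = """{
  "rules": {
    "users": {
      "$uid": {
        ".read":  "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}"""

TIME_LIMITED_RULES = """{
  "rules": {
    "posts": {".read": "now < 1735689600000", ".write": "auth != null"}
  }
}"""

if __name__ == "__main__":
    for name, text in [("weak", WEAK_RULES), ("hardened", HARDENED_RULES),
                       ("time-limited", TIME_LIMITED_RULES)]:
        print(name, audit_rules(text))
```

Because grants cascade downward, the first finding at `/` is the one that matters; anything below it is reachable regardless of tighter child rules.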
  38. Tomi Engdahl says:

    SNEAKY WEB TRACKING TECHNIQUE UNDER HEAVY SCRUTINY BY GDPR
    https://threatpost.com/sneaky-web-tracking-technique-under-heavy-scrutiny-by-gdpr/132995/

    What will new General Data Protection Regulation laws mean for websites that use sneaky web trackers such as browser fingerprinting to profile visitors? Privacy experts say the practice is likely illegal under the newly-enacted GDPR regulation. But they also say don’t expect the method of tracking users to disappear anytime soon, said the Electronic Frontier Foundation in a report issued Tuesday.

    Reply
  39. Tomi Engdahl says:

    Early Hackers Used Whistles From Cap’n Crunch Cereal Boxes
    You can draw a line from the tiny toys to Apple Inc.
    https://www.atlasobscura.com/articles/capn-crunch-whistle?utm_source=facebook.com&utm_medium=ieee

    Reply
  40. Tomi Engdahl says:

    Anomaly Detection & Threat Hunting with Anomalize
    https://isc.sans.edu/diary/rss/23772

    Matt specifically before shifting context: “Our client had a challenging problem: detecting anomalies in time series on daily or weekly data at scale. Anomalies indicate exceptional events, which could be increased web traffic in the marketing domain or a malfunctioning server in the IT domain. Regardless, it’s important to flag these unusual occurrences to ensure the business is running smoothly. One of the challenges was that the client deals with not one time series but thousands that need to be analyzed for these extreme events.”

    Reply
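The decompose-then-flag-the-remainder approach behind anomalize (trend and seasonal components removed, then IQR fences on what is left) can be shown without R. The following is an added example in pure Python, not code from the SANS ISC diary or the anomalize package; it assumes daily data with a 7-day cycle, uses a rolling median for the trend and a per-weekday median for the seasonal profile, and the event-count series it runs over is constructed, with one spike and one drop injected.

```python
"""Anomaly detection over a daily time series: decompose, then flag remainders
outside IQR fences (the same idea as anomalize's time_decompose() followed by
anomalize(method = "iqr")). Added example; not code from the SANS ISC diary or
from the anomalize package. The series below is constructed sample data."""
from statistics import median

SEASON = 7  # assumption: daily data with a weekly cycle


def rolling_median_trend(values, window=SEASON):
    """Centered rolling median over one full cycle. At the edges the window is
    shifted rather than truncated, so every window holds one whole cycle and
    the trend is not biased by a partial week."""
    n = len(values)
    if n < window:
        raise ValueError("series shorter than one seasonal window")
    half = window // 2
    trend = []
    for i in range(n):
        lo = min(max(i - half, 0), n - window)
        trend.append(median(values[lo:lo + window]))
    return trend


def decompose(values, season=SEASON):
    """Return (trend, seasonal, remainder) with values = trend + seasonal + remainder."""
    trend = rolling_median_trend(values, season)
    detrended = [v - t for v, t in zip(values, trend)]
    # Seasonal profile: median of the detrended values at each position in the cycle.
    profile = [median(detrended[k::season]) for k in range(season)]
    seasonal = [profile[i % season] for i in range(len(values))]
    remainder = [d - s for d, s in zip(detrended, seasonal)]
    return trend, seasonal, remainder


def quartiles(xs):
    s = sorted(xs)
    n = len(s)
    lower, upper = s[: n // 2], s[(n + 1) // 2:]
    return median(lower), median(upper)


def find_anomalies(values, season=SEASON, k=3.0):
    """Indices whose remainder lies outside [Q1 - k*IQR, Q3 + k*IQR].
    k=3 is a conservative Tukey fence (assumption; tune per data set)."""
    _, _, remainder = decompose(values, season)
    q1, q3 = quartiles(remainder)
    iqr = q3 - q1
    lo, hi = q1 - k * iqr, q3 + k * iqr
    return [i for i, r in enumerate(remainder) if r < lo or r > hi]


def constructed_series(weeks=8):
    """Constructed daily event counts: busier on weekdays, quiet at weekends,
    deterministic jitter, plus an injected spike (day 40) and drop (day 52)."""
    values = []
    for d in range(weeks * SEASON):
        base = 120 if d % SEASON < 5 else 70
        jitter = (d * 37) % 11 - 5          # deterministic, in [-5, 5]
        values.append(base + jitter)
    values[40] += 150   # e.g. a burst of failed logins on a Saturday
    values[52] -= 90    # e.g. a log source went quiet on a Thursday
    return values


if __name__ == "__main__":
    series = constructed_series()
    print("anomalous days:", find_anomalies(series))
```

The point of removing the weekly profile first is visible in the constructed data: the quiet weekends would trip a naive threshold on the raw counts, while the real outage on a weekday would sit inside the normal range of the raw series.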
  41. Tomi Engdahl says:

    ’90s hacker collective man turned infosec VIP: Internet security hasn’t improved in 20 years
    L0pht luminary Chris Wysopal talks to The Reg
    https://www.theregister.co.uk/2018/06/18/l0pht_chris_wysopal_interview/

    Reply
  42. Tomi Engdahl says:

    NKB Group Proposes Answer to DNS Hacking in Windows
    Cutting through the hype, NKB Group believes that blockchain technology could help combat the type of server-side DNS hacking that affected MyEtherWallet recently.

    Read more: https://cryptovest.com/news/nkb-group-proposes-answer-to-dns-hacking-in-windows/

    Reply
  43. Tomi Engdahl says:

    Nellie Bowles / New York Times:
    Experts say domestic abusers increasingly use connected home devices like smart locks, security cameras, and lighting to scare or spy on victims — SAN FRANCISCO — The people who called into the help hotlines and domestic violence shelters said they felt as if they were going crazy.

    Thermostats, Locks and Lights: Digital Tools of Domestic Abuse
    https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html

    In training sessions on domestic violence and technology, people have started asking about how to handle the use of connected home devices in abuse situations, said Erica Olsen, director of the Safety Net Project at the National Network to End Domestic Violence.

    Reply
  44. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer.com:
    Google says it is adding a file signature to the header of Android app metadata, helping users determine the authenticity of an app not from the Play Store

    Google Updates File Signature Checks for Android Apps
    https://www.bleepingcomputer.com/news/microsoft/google-updates-file-signature-checks-for-android-apps/

    Google is changing how the Play Store app is verifying the authenticity of Android apps before installation. The company plans to modify the header of APK (Android app) files to include a new metadata field that contains the app’s file signature.

    Apps previously didn’t include this field because they didn’t need it, as Google-approved apps could be installed only via the official Play Store app, which handled all these checks in the background, before the app’s installation.

    With the addition of an app file signature to the APK itself, Google is now allowing users to download official apps from the Play Store and distribute them via other channels, lest they not modify the apps in any way.

    Reply
  45. Tomi Engdahl says:

    Smartphone batteries can reveal what you typed and read
    Power trace sniffing, a badly-designed API and some cloudy AI spell potential trouble
    https://www.theregister.co.uk/2018/06/25/the_battery_is_the_smartphones_ibesti_snitch_boffins/

    A group of researchers has demonstrated that smartphone batteries can offer a side-channel attack vector by revealing what users do with their devices through analysis of power consumption.

    Both snitching and exfiltration were described in this paper (PDF), accepted for July’s Privacy Enhancing Technologies Symposium.

    Nobody needs to panic yet, because the attack isn’t yet more than a decently-tested theory and it would be hard to execute. But there’s also a real-world implication because the paper shows how a too-free API can help attackers in ways its designers never imagined.

    In their research, the boffins turned a battery into a snitch by implanting a microcontroller to sample power flowing in and out at a 1 kHz sample rate.

    The battery, they wrote, is a very attractive attack vector because “all the phone activity is exposed”. An attacker can correlate power flows with a keystroke, the context of the keystroke (is someone visiting a Website at the time?) and “the events that preceded or followed it”, such as taking a photo or making a phone call.

    https://sites.google.com/site/silbersteinmark/Home/popets18power.pdf?attredirects=1

    Reply
  46. Tomi Engdahl says:

    Software engineer fired, shut out of office for three weeks by machine
    HAL 9000 is here – and it’s plugged into your HR system
    https://www.theregister.co.uk/2018/06/22/software_engineer_fired_by_machine/

    It was only a matter of time before the machines started fighting back. And let’s be honest, we all knew the software engineers would be the first to fall.

    And so it was that Ibrahim Diallo, in California, USA, found himself fired from his job, had his network access and his entry card killed, and was unable to get himself reinstated despite his own manager, and even his manager’s boss, assuring him that he was still employed.

    Our plucky engineer was fired by an automated system and the humans were unable to do anything about it.

    Incredibly, it took three weeks for the issue to be resolved and for the not-fired Diallo to get back at his desk. Funnily enough, he decided at that point to quit, and take his expertise elsewhere. What the hell happened?

    Well, according to Diallo, in a blog post he put up this week, no one knew. All he knew was that one day his key card stopped working, leading to a series of embarrassing appeals to the security guy and a series of temporary passes.

    We’ve all been there. Except then he started getting calls from his recruiter asking why he’d been fired. He went to his manager who assured him he was still in a job – just eight months into his three-year contract – but slowly he was shut out of all the systems he needed to work on.

    The manager kept insisting he come in until one day – prompted by a stern email – security turned up and escorted him from the building.

    As it turned out, some time-saving sysadmin had written a script to automatically shut out an employee with the trigger being the official employee termination email.

    The automation extended to the point that the non-renewal of the contract – requiring human intervention – led to the termination email, which led to that employee’s key card being disabled, and their network access cut off on each system that they had privileges on.

    “What I called job security was only an illusion,” he writes nervously.

    The Machine Fired Me
    No human could do a thing about it!
    https://idiallo.com/blog/when-a-machine-fired-me

    Reply
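The failure in the story above is an automation that treats a termination e-mail as authority, acts irreversibly, and offers no human a way to stop it. As an added example (not the script from Diallo’s former employer, which is not public), here is how an offboarding handler can be built with the safeguards a defender would want: it checks the HR system of record, the effective date and a recorded human approval before revoking anything, and every revocation is a reversible disable rather than a deletion. `HRRecord`, `RecordingProvisioner` and the system names are invented for illustration.

```python
"""Offboarding automation with the safeguards missing from the story above.
Added example (not the employer's script, which is not public): before revoking
anything it checks the HR system of record, the effective date and a human
approval, and every action it takes is reversible. HRRecord,
RecordingProvisioner and the system names are invented for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class HRRecord:
    """Constructed stand-in for the HR system of record."""
    employee_id: str
    status: str                        # "active", "terminated" or "contract_ended"
    effective_date: Optional[date]     # when the separation takes effect
    approved_by: Optional[str] = None  # human who signed off the offboarding


@dataclass
class Decision:
    action: str                        # "disable" or "hold"
    reasons: List[str] = field(default_factory=list)


def decide(employee_id: str, record: Optional[HRRecord], today: date) -> Decision:
    """A termination e-mail is a hint, not an authority: revoke access only when
    the system of record agrees, the date has arrived and a human approved.
    Anything else is held for a person to look at."""
    reasons: List[str] = []
    if record is None or record.employee_id != employee_id:
        reasons.append("no matching HR record")
    else:
        if record.status == "active":
            reasons.append("HR shows employee as active")
        if record.effective_date is None or record.effective_date > today:
            reasons.append("separation not yet effective")
        if not record.approved_by:
            reasons.append("no human approval recorded")
    if reasons:
        return Decision("hold", reasons)
    return Decision("disable", ["HR record, effective date and approval agree"])


class RecordingProvisioner:
    """Fake provisioner: records disable/enable calls instead of touching systems."""
    def __init__(self):
        self.log: List[Tuple[str, str, str]] = []

    def disable(self, system: str, employee_id: str) -> None:
        self.log.append(("disable", system, employee_id))

    def enable(self, system: str, employee_id: str) -> None:
        self.log.append(("enable", system, employee_id))


SYSTEMS = ["badge", "sso", "vpn"]   # assumed systems; list order is revocation order


def apply_decision(decision: Decision, employee_id: str, prov) -> List[str]:
    """Disable (never delete) so a wrong decision can be undone; return what was touched."""
    if decision.action != "disable":
        return []
    for system in SYSTEMS:
        prov.disable(system, employee_id)
    return list(SYSTEMS)


def rollback(employee_id: str, prov, touched: List[str]) -> None:
    """Reverse a revocation in the opposite order it was applied."""
    for system in reversed(touched):
        prov.enable(system, employee_id)


if __name__ == "__main__":
    today = date(2018, 6, 22)  # constructed date
    print(decide("E100", HRRecord("E100", "active", None), today))
```

The non-renewal case in the story maps onto `status == "contract_ended"` with an `effective_date`: until a named person has approved it and the date has passed, the handler holds, which is exactly the step the manager and his boss had no way to perform.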
  47. Tomi Engdahl says:

    India tells its banks to get Windows XP off ATMs – in 2019!
    And do some pretty basic security hygiene before then
    https://www.theregister.co.uk/2018/06/25/indian_banks_on_notice_windows_xp_must_die/

    The Reserve Bank of India has given that country’s banking sector a hard deadline to get Windows XP out of its ATMs: June 2019.

    That’s more than five years beyond the May 2014 end of support for the OS.

    In a notice to the nation’s banks, issued on June 21st, 2018, the Reserve Bank makes it clear that XP “and other unsupported operating systems” have been on its mind since at least April 2017, when it issued a circular outlining its concerns.

    Reply
