Sysadmins: while you’re busy getting ready for the GDPR-regulated world, don’t forget what your servers are storing in their logfiles.
That advice comes courtesy of a draft mulled by the Internet Engineering Task Force’s Internet Area Working Group (IETF’s INTAREA).
The document, here, offered a handy checklist as a set of updates to RFC6302, “Logging Recommendations for Internet-Facing Servers.”
The IETF suggests sysadmins adopt a data minimisation approach to configuring their server logs:
Full IP addresses should only be stored for as long as needed to provide a service;
Logs should otherwise only include the first two octets of IPv4 addresses, or first three octets of IPv6 addresses;
Inbound IP address logs shouldn’t last longer than three days;
Unnecessary identifiers should not be logged – these include source port number, timestamps, transport protocol numbers, and destination port numbers; and
Logs should be protected against unauthorised access.
Why three days, by the way? Because that lets logging cover a weekend before it’s flushed.
The draft also suggested that if service providers plan to, or think they need to, store more than the data listed, they would probably need users’ permission.
The advice stretches beyond the purely European providers, since anybody offering services to anyone in the EU needs to comply with GDPR.
A group of researchers has demonstrated that smartphone batteries can offer a side-channel attack vector by revealing what users do with their devices through analysis of power consumption.
Both snitching and exfiltration were described in this paper (PDF), accepted for July’s Privacy Enhancing Technologies Symposium.
Nobody needs to panic yet, because the attack isn’t yet more than a decently tested theory,
In his latest book, New York Times correspondent David Sanger describes how cybersecurity firm Mandiant hacked into the devices of Chinese cyberspies during its investigation into the threat group known as APT1.
Mandiant, now owned by FireEye, published its famous report on APT1 back in 2013 when it was led by CEO Kevin Mandia. The company at the time released information apparently showing that the Chinese military had been conducting sophisticated cyber-espionage operations.
In a statement published on Monday, FireEye admitted that Sanger was given access to the methods used by Mandiant to gather evidence of APT1’s ties to the Chinese military, but claims the reporter’s description “resulted in a serious mischaracterization of our investigative efforts.”
“We did not do this, nor have we ever done this,” FireEye said regarding claims that its employees activated the cameras on the hackers’ own laptops. “To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of our investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back.’”
“Hacking back,” the term used to describe a cyberattack victim – or someone hired by the victim – hacking into the systems of the attacker, is a controversial practice and only few cybersecurity firms have admitted doing it.
The cyber espionage group known as “Tick” has been targeting a secure USB drive built by a South Korean defense company, likely in an attempt to compromise air-gaped systems, Palo Alto Networks reports.
Also known as Bronze Butler, Tick is believed to be based in China and to have been active for at least a decade, although it was detailed for the first time only in April 2016. The group is mainly targeting Japan and South Korea, but variants of their malware were also observed in attacks on organizations in Russia, Singapore, and China.
A team of researchers has demonstrated that specially crafted batteries installed in a smartphone can allow malicious actors to harvest and exfiltrate sensitive information.
Researchers from Technion, UT Austin and Hebrew University showed that an attacker can use a malicious battery to obtain various types of information from a device by continuously monitoring power traces. Monitoring the GPU and DRAM can work, but the CPU and the touchscreen leak the most information, experts said.
A series of malicious Hangul Word Processor (HWP) documents used in recent attacks on cryptocurrency exchanges have been attributed to the North Korea-linked Lazarus group, AlienVault reports.
The attacks appear to include the recent assault on Bithumb, the largest virtual currency exchange in South Korea, with more than 1 million customers. As part of the incident, hackers managed to steal over $30 million worth of cryptocurrencies.
Lazarus, or BlueNoroff, is a state-sponsored hacking group believed to have launched the $81 million cyber heist from the Bangladesh Bank in 2016 and considered the most serious threat against banks. Earlier this year, the group was observed hitting an online casino in Central America and switching interest to crypto-currency.
Just before midnight last Sunday evening (June 17, 2018), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee “making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties.”
This was a mainstream malicious insider attack — but there may be more to it than meets the eye. The motive, according to Musk, was revenge: “he wanted a promotion that he did not receive.” But this incident goes way beyond simple revenge sabotage, and includes the theft of sensitive data and the export of that data to unknown outside parties.
The incident could have been triggered by revenge and aggravated by bribery; but until and unless those outside parties can be identified for certain, the true cause of the attack will remain speculative.
A security vulnerability patched by Microsoft earlier this month in its Edge browser could be exploited via malicious or compromised websites to read restricted data.
Tracked as CVE-2018-8235, the flaw occurs in how “Microsoft Edge improperly handles requests of different origins,” Microsoft explains in an advisory. The issue results in Edge bypassing Same-Origin Policy (SOP) restrictions and allows for requests that should otherwise be ignored.
A series of cyber-attacks targeting the Middle Eastern region use an encrypted downloader to deliver a Metasploit backdoor, AlienVault reports.
The attacks start with a malicious document containing parts of an article about the next Shanghai Cooperation Organization Summit, originally published at the end of May on a Middle Eastern news network.
The Red Alert 2.0 Android Trojan first detailed in September last year is currently available for rent on underground forums at $500 per month, Trustwave reports.
It is also capable of stealing information from the infected devices, including SMS messages and contact details, can block calls from banks, and can also keep in touch with bots via Twitter in the event its command and control (C&C) server is taken online.
When they detailed the threat in September last year, SfyLabs’ researchers said the malware included around 60 60 HTML overlays used to steal login credentials, but also revealed that the Trojan’s actor was constantly releasing updates for their malicious program.
The bugs impact multiple devices, including Nexus 3000 Series Switches to Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, Firepower 4100 and Firepower 9300 products, UCS 6100 to UCS 6300 Series Fabric Interconnects, and MDS 9000 Series Multilayer Switches.
Financial services have perhaps the largest cyber security budgets and are the best protected companies in the private sector. Since cyber criminals generally have little difficulty in obtaining a quick return on their effort, it would be unsurprising to find that financial services are less overtly targeted by average hackers than other, easier targets.
An analysis of this data showed that financial services displayed fewer criminal C&C communication behaviors than the overall industry average. This could be caused by the efficiency of large finserv budgets (Bank of America spends $600 million annually, with no upper limit, while JPMorgan Chase spends $500 million annually) warding off basic criminal activity.
Even the much smaller Equifax has a budget of $85 million. But Equifax, with its massive 2017 loss of 145.5 million social security numbers, around 17.6 million drivers’ license numbers, 20.3 million phone numbers, and 1.8 million email addresses, demonstrates that finserv is a target for, and can be successfully breached by, the more advanced hackers.
Google this week announced that it is adding a small amount of security metadata on top of APKs distributed by Google Play in order to verify their authenticity.
Initially announced in December 2017, the new change is designed to verify product authenticity from Google Play and is accompanied by an adjusted Google Play maximum APK size to take into account the small metadata addition.
Microsoft this week announced the public preview of new Azure tools designed help its customers eliminate easily guessable passwords from their environments.
Following a flurry of data breaches in recent years, it has become clear that many users continue to protect their accounts with weak passwords that are easy to guess or brute force. Many people also tend to reuse the same password across multiple services.
Attackers continually use leaked passwords in live attacks, Verizon’s 2017 Data Breach Investigations Report (DBIR) revealed, and Microsoft banned commonly used passwords in Azure AD a couple of years ago.
At a recent industry conference I heard some commentary about the “disappearance” of ransomware, but I’m here to assure you that that isn’t the case. It’s true that some criminal gangs have switched to distributing cryptocurrency miners instead of ransomware (for now, I emphasize), as such mining is currently more difficult for many security systems to detect, and it’s proving extremely profitable to the criminals, which is all that matters.
A May survey showed phishing has surpassed ransomware as a concern for IT security managers, and for understandable reasons—the number of phishing emails reaching users keeps rising, and phishing is the top source of breaches at companies.
But don’t think ransomware is going to go quietly or go away at all. The narrative of the decline of ransomware is being driven in part by the decrease in mass, botnet-driven mailings sent in the tens of millions, which are spectacular and generate headlines. But it’s important to balance that narrative, focused on the decline in the sheer volume of ransomware distributions, with the understanding that during this past year there has also been an increase in the overall number of ransomware variants in circulation and more varied distribution methods in use, with each campaign typically targeting smaller audiences in the tens of thousands.
Network attacks exploiting a recently patched Drupal vulnerability are attempting to drop Monero mining malware onto vulnerable systems, Trend Micro reports.
Tracked as CVE-2018-7602 and considered a highly critical issue that could result in remote code execution, the vulnerability impacts Drupal’s versions 7 and 8 and was addressed in April this year.
The flaw is dubbed Drupalgeddon3 and the patch for it only works if the fix for the original Drupalgeddon2 vulnerability (CVE-2018-7600) has been applied.
Last month, hackers were observed targeting both security vulnerabilities to deliver a variety of threats, including cryptocurrency miners, remote administration tools (RATs) and tech support scams.
Trend Micro now says they noticed network attacks exploiting CVE-2018-7602 to turn affected systems into Monero-mining bots.
The Intercept:
Documents and sources detail how the NSA taps into the data between AT&T, its partners, and customers, making the telco essential to US surveillance efforts — The secrets are hidden behind fortified walls in cities across the United States, inside towering, windowless skyscrapers …
Julie Creswell / New York Times:
Amid growing outcry from civil liberties groups, Orlando has ended its pilot project for police to use Amazon’s Rekognition facial recognition software for now — Amid a growing outcry about privacy concerns by civil liberties groups, officials in Orlando, Fla., said Monday …
Brian Brackeen / TechCrunch:
Brian Brackeen, CEO of facial recognition firm Kairos, on why the tech, given its abuse potential and bias against people of color, shouldn’t be used by police — Recent news of Amazon’s engagement with law enforcement to provide facial recognition surveillance (branded “Rekognition”) …
To be truly effective, the algorithms powering facial recognition software require a massive amount of information. The more images of people of color it sees, the more likely it is to properly identify them. The problem is, existing software has not been exposed to enough images of people of color to be confidently relied upon to identify them.
And misidentification could lead to wrongful conviction, or far worse.
There is no place in America for facial recognition that supports false arrests and murder.
In a social climate wracked with protests and angst around disproportionate prison populations and police misconduct, engaging software that is clearly not ready for civil use in law enforcement activities does not serve citizens, and will only lead to further unrest.
Whether or not you believe government surveillance is okay, using commercial facial recognition in law enforcement is irresponsible and dangerous.
Wall Street Journal:
Out of about 350 sampled public sector entities and municipalities, report says 38% will suffer ransomware attacks this year, up from 31% last year
Jacob Kastrenakes / The Verge:
Wi-Fi Alliance begins certifying products that support WPA3, the successor to the WPA2 security protocol that provides additional protections against attacks
Wi-Fi devices have been using the same security protocol for over a decade. But today, that’ll begin to change: the Wi-Fi Alliance, which oversees adoption of the Wi-Fi standard, is beginning to certify products that support WPA3, the successor to the WPA2 security protocol that’s been in use since 2004.
The new protocol provides a number of additional protections for devices connected over Wi-Fi. One big improvement makes it harder for hackers to crack your password by guessing it over and over again, and another limits what data hackers can see even once they’ve uncovered the passcode. Nothing will change as far as users see it; you’ll still just type in your password and connect to the network.
WPA3 protections won’t just flip on overnight — in fact, it’s going to be a many-years-long process.
The Wi-Fi Alliance expects WPA3 rollout to ramp up over the next year. For now, it won’t be mandatory in new products. But the next generation of Wi-Fi itself — 802.11ax — is also starting to come out and is expected to hit mass adoption in late 2019; as those devices become available, the Alliance expects the pace of WPA3 adoption to pick up.
Troy Hunt:
Have I Been Pwned breach data search now integrated in 1Password via Watchtower, will be trialed in Firefox via a new Firefox Monitor tool starting next week
New York Times:
Sources: top tech companies met intelligence officials to discuss midterm elections but neither the FBI nor DHS was willing to share specific threat information — SAN FRANCISCO — Eight of the tech industry’s most influential companies, in anticipation of a repeat of the Russian meddling …
Eight of the tech industry’s most influential companies, in anticipation of a repeat of the Russian meddling that occurred during the 2016 presidential campaign, met with United States intelligence officials last month to discuss preparations for this year’s midterm elections.
The meeting, which took place May 23 at Facebook’s headquarters in Menlo Park, Calif., was also attended by representatives from Amazon, Apple, Google, Microsoft, Oath, Snap and Twitter, according to three attendees of the meeting who spoke on condition of anonymity because of its sensitive nature.
The company officials met with Christopher Krebs, an under secretary for the Department of Homeland Security, as well as a representative of the Federal Bureau of Investigation’s newly formed “foreign influence” task force.
Neither the Department of Homeland Security nor the F.B.I. responded to a request for comment.
Tom Warren / The Verge:
Microsoft is integrating Adblock Plus into its Edge browser on iOS and Android, letting users enable it in settings, rolling out to beta testers now
Ava Kofman / The Intercept:
Interpol rolls out new international voice ID database, four years in the making, with 192 law enforcement agencies participating in audio clip sharing
Last week, Interpol held a final project review of its speaker identification system, a four-year, 10 million euro project that has recently come to completion. The Speaker Identification Integrated Project, what they call SiiP, marks a major development in the international expansion of voice biometrics for law enforcement uses — and raises red flags when it comes to privacy.
Speaker identification works by taking samples of a known voice, capturing its unique and behavioral features, and then turning these features into an algorithmic template that’s known as a voice print or voice model.
SiiP will join Interpol’s existing fingerprint and face databases, and its key advantage will be to facilitate a quick identification process — say, of a kidnapper making a phone call — even in the absence of other identifiers.
SiiP’s database will include samples from YouTube, Facebook, publicly recorded conversations, and other sources where individuals might not realize that their voices are being turned into biometric voice prints.
Tick is a cyberespionage group primarily targeting organizations in Japan and the Republic of Korea. The group is known to conduct attack campaigns with various custom malware such as Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader. Unit 42 last wrote about the Tick group in July 2017.
Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company. The USB drive and its management system have various features to follow security guidelines in South Korea.
The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet. In addition, our research shows that the malware used in these attacks will only try to infect systems running Microsoft Windows XP or Windows Server 2003. This is despite the fact that the malware appears to have been created when newer versions of Windows software were available. This would seem to indicate an intentional targeting of older, out-of-support versions of Microsoft Windows installed on systems with no internet connectivity. Air-gapped systems are common practice in many countries for government, military, and defense contractors, as well as other industry verticals.
Intel has, for now, no plans to specifically address a side-channel vulnerability in its processors that can be potentially exploited by malware to extract encryption keys and other sensitive info from applications.
A team of researchers at the Systems and Network Security Group at Vrije Universiteit Amsterdam, in the Netherlands, say they were able to leverage the security weakness to extract crypto keys from another running program in 99.8 of tests on an Intel Skylake Core i7-6700K desktop CPU; 98.2 percent of tests on an Intel Broadwell Xeon E5-2620 v4 server CPU; and 99.8 per cent of tests on a Coffeelake part.
Their code was able to lift a secret 256-bit key, used to cryptographically sign data, from another program while it performed a signing operation with libgcrypt’s Curve 25519 EdDSA implementation. It took roughly 17 seconds to determine each of the keys using machine-learning software and some brute force, according to a paper detailing the attack, seen by The Register this week.
“The end-to-end attack time is composed of: 2ms of capture time; 17 seconds of signals analysis with the trained classifier; and a variable amount of brute-force guessing with a median work factor of 213, taking a fraction of a second,” the team – Ben Gras, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida – stated in their paper.
he extraction technique is not reliant on speculative execution, and thus is unrelated to Spectre and Meltdown. Instead, it builds upon the exploitation of Intel’s Hyper-Threading technology and the processor caches to leak data
Cisco has informed users that a recently patched vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software has been exploited in denial-of-service (DoS) attacks.
The vulnerability, tracked as CVE-2018-0296 and classified “high severity,” was addressed with the patches released by Cisco in early June.
A new report quantifies what every manager instinctively knows: private messaging within collaboration tools can hide worrying content sent between employees. This can include confidential and sensitive data inappropriately shared, password sharing, and even toxic sentiment that could harm workplace productivity or highlight a nascent insider threat.
Wiretap, a firm that provides monitoring for collaboration tools such as Slack, Microsoft Teams, Yammer, Workplace by Facebook and Skype for Business, has analyzed (PDF) more than a million enterprise collaboration messages from tens of thousands of authors. The premise of the study is that without knowledge of the risks hidden in collaboration tools, organizations could become victims of their own staff, or possibly worse, eschew the undoubted benefits of collaboration tools altogether.
The Wiretap findings are categorized in three areas: sentiment, toxicity and insider threats.
Sentiment covers employees’ moods and feelings towards the company and its leadership.
“With an understanding of employee opinion, leaders can better determine where to invest in company culture, development, and workplace conditions,”
Toxicity covers behavior including sexual harassment, racism and bullying. “Toxic employees have a way of spreading their behavior to others around them, similar to a nasty virus; crippling others’ morale, performance, and productivity,”
Insider threats come from naive users, malicious users, and even whistleblowers (whose motives may be subject to interpretation). They “are one of the most prevalent threats in an enterprise environment,” says the report, “and are difficult to mitigate.”
A cyber espionage group that has remained undetected until recently, has been targeting South East Asia with two previously unknown malware families, according to Palo Alto Networks.
The group, referred to as RANCOR, has been targeting political entities in Singapore, Cambodia, and Thailand, but might have hit targets in other countries as well.
The Electronic Frontier Foundation (EFF) this week announced STARTTLS Everywhere, a new project aimed at improving the security of email delivery.
The EFF is already involved in initiatives aimed at encrypting the web, such as the Let’s Encrypt Certificate Authority, and is now determined to advance email encryption in a manner similar to that of browsing.
Designed for mailserver admins, STARTTLS Everywhere provides the software that allows email servers to automatically get a valid certificate from Let’s Encrypt. It also allows admins to configure their email server software to use STARTTLS, and presents the valid certificate to other email servers.
Researchers discovered several vulnerabilities in Sophos SafeGuard full-disk and file encryption products. The flaws allow an attacker to escalate privileges on a compromised device and execute arbitrary code with SYSTEM permissions.
Quantum Xchange Raises $10 Million, Launches Quantum Key Distribution Service
Bethesda, MD-based start-up Quantum Xchange has announced $10 Million Series A funding from New Technology Ventures, and the launch of the first commercial quantum key distribution (QKD) service in the U.S. The funding will support the deployment of a fiber network serving the Northeast Corridor from Washington D.C. to Boston, connecting the financial markets on Wall Street with back office operations in New Jersey.
The business premise is simple. The budding arrival of quantum computers will make current strong public key encryption immensely weak. Where current computing power would take too long or too many computers to make factoring large numbers feasible, one quantum computer could factor current public key lengths in a matter of minutes. Public key encryption will not provide security against quantum computers.
Malicious bots that abuse stolen credentials remain one of the biggest threats to online businesses.
This is according to a new report by Akamai, based on the analysis of almost 112 billion bot requests and 3.9 billion malicious login attempts targeting travel and hospitality industries.
Almost 40 per cent of the traffic across hotel and travel sites is labelled as “impersonators of known browsers”, which is a known vector for fraud.
These attacks originate mostly from Russia, China and Indonesia, it was said, with roughly half of all traffic coming from these countries.
“These countries have historically been large centres for cyberattacks, but the attractiveness of the hospitality industry appears to have made it a significant target for hackers to carry out bot-driven fraud,”
Security researchers have uncovered a new highly-targeted cyber espionage campaign, which is believed to be associated with a hacking group behind KHRAT backdoor Trojan and has been targeting organizations in South East Asia.
According to researchers from Palo Alto, the hacking group, which they dubbed RANCOR, has been found using two new malware families—PLAINTEE and DDKONG—to target political entities primarily in Singapore and Cambodia.
Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called “Firefox Monitor”.
This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream. You can read Mozilla’s announcement of the new feature and how they plan to conduct the testing and rollout.
1Password
My relationship with 1Password stretches all the way back to 2011 when I came to the realisation that the only secure password is the one you can’t remember.
Microsoft will soon enable multi-factor authentication (MFA) for all high-privileged Azure AD accounts, the company said on Friday.
The MFA feature will be part of Microsoft Azure AD’s “baseline policy,” a set of security features that are enabled for accounts to support a minimum of security measures.
YOU’VE PROBABLY NEVER heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there’s also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look.
Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn’t clear—and the leak doesn’t seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person’s children.
“It seems like this is a database with pretty much every US citizen in it,”
In the Open
While it’s far from clear if any criminal or malicious hackers have accessed the database, Troia says it would have been easy enough for them to find. Troia himself spotted the database while using the search tool Shoda
So he simply used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. That returned about 7,000 results.
“I’m not the first person to think of scraping ElasticSearch servers,” he says. “I’d be surprised if someone else didn’t already have this.”
Troia contacted both Exactis and the FBI about his discovery last week, and he says the company has since protected the data so that it’s no longer accessible.
Troia contacted both Exactis and the FBI about his discovery last week, and he says the company has since protected the data so that it’s no longer accessible.
While the lack of financial information or Social Security numbers means the database isn’t a straightforward tool for identity theft, the depth of personal info nonetheless could help scammers with other forms of social engineering
A Database Dilemma
Massive leaks of user databases that are accidentally left accessible on the public internet have nearly reached epidemic status, affecting everything from health information to password caches stored by software firms. One particularly prolific researcher, security firm UpGuard’s Chris Vickery, has discovered those database leaks again and again, from 93 million Mexican citizens’ voter registration records to a list of 2.2 million “high-risk” people suspected of crime or terrorism, known as the World Check Risk Screening database.
But if the Exactis leak does in fact include 230 million people’s information, that would make it one of the largest in years, bigger even than 2017′s Equifax breach of 145.5 million people’s data, though smaller than the Yahoo hack that affected 3 billion accounts
Hackers from Russia are infecting Ukrainian companies with malicious software to create “back doors” for a large, coordinated attack, Ukraine’s cyber police chief told Reuters on Tuesday.
The hackers are targeting companies, including banks and energy infrastructure firms
UK customers of Ticketmaster have been warned they could be at risk of fraud or identity theft after the global ticketing group revealed a major data breach that has affected tens of thousands of people.
The company could face questions over whether there was a delay in disclosing the breach after it emerged that some UK banks have known about the incident since early April.
The Guardian understands that a number of Ticketmaster customers have already had fraudulent transactions debited from their accounts,
The company said less than 5% of its global customer base had been caught up in the breach, and indicated the number directly affected was fewer than 40,000. However, Ticketmaster claims to serve more than 230 million customers a year globally.
“If you are concerned or notice any suspicious activity on your account, you should contact your bank(s) and any credit card companies.”
The malware has reached Ticketmaster data – the company invites its customers to change the password and observe account transactions
Ticketmaster says it has found a malware on its international website that uses Inbenta system.
Event tickets selling Ticketmaster says some of its customers’ personal and placing the payment information fall into the hands of an unknown third party.
Behind the data leak is a malicious program that Ticketmaster says has found in Inbenta Technologies’s customer support system. This is a third party application provider used by Ticketmaster.
The Inbenta system is used on Ticketmaster’s international website.
Ticketmaster invites all of its customers to change their Ticketmaster Account password as the pre-requisite for the next login.
In addition, Ticketmaster recommends that customers monitor their account transactions for misuse or identity theft. Customers should contact their bank or credit card company if they notice any deviations from their usual account.
Finnish Ticketmaster does not comment on a break-in
The security team and technical experts will investigate how the information has affected the customer data.
Ticketmaster reports that they have blocked Inbenta products that have been targeted by malware on all Ticketmaster websites immediately after detection of malware.
Ticketmaster has admitted that it has suffered a security breach, which the BBC understands has affected up to 40,000 UK customers.
Malicious software on third-party customer support product Inbenta Technologies caused the hack, the firm said on Twitter.
“Some personal or payment information may have been accessed by an unknown third party”, it added.
All affected customers have been contacted.
In the email to those customers, Ticketmaster said it had set up a website to answer any questions and advised them to reset their passwords. It also offered them a free 12-month identity monitoring service.
The UK’s National Cyber Security Centre – a division of GCHQ – said it was monitoring the situation.
Adults today have witnessed video stores becoming streaming services, book stores vanishing into cyberspace. Traditional, even beloved, consumer brands are being supplanted by digital replacements. Even interpersonal relationships now occur largely online.
Digital transformation is not only making the anonymous personal. It is significantly affecting all industries and sectors — oil and gas, power and utilities, insurance, banking and securities, the public sector, real estate, the media and telecommunications.
With each entity, process or service that moves from the physical world into cyberspace, there is a corresponding transformation to the threat landscape. Digital transformation doesn’t just change the business model or the supply chain dynamic. It also introduces significant new threats that go beyond monitoring web traffic and securing networks.
Those threats take a variety of forms known as “CHEW”: criminal, hacktivism, espionage and (cyber) warfare.
As industrial IoT continues to grow in the years to come, the types of deployments will be divided into two major categories:
● Fixed-function devices – Connected devices that exist on the outer edge of the typical IT purview, such as building components (cameras, lighting, locks, etc.) and collaboration tools (video conferencing, smart TVs, etc.).
● Operational Technology (OT/IIoT) – Industrial and operations technologies such as Supervisory Control and Data Acquisition systems (SCADA) and Distributed Control Systems (DCS) that run the business behind the scenes.
The UK government’s Cabinet Office has published the first iteration of its Minimum Cyber Security Standard, which will be incorporated into the Government Functional Standard for Security. The standard is mandatory for all government departments (which includes ‘organizations, agencies, Arm’s Length Bodies and contractors’); but provides an excellent security checklist/framework for all commercial organizations.
It is a surprisingly short document (PDF); just seven pages comprising 10 sections under five categories: Identify, Protect, Detect, Respond and Recover.
Encrypted email provider ProtonMail was hit by a significant distributed denial-of-service (DDoS) attack that appears to have been carried out by a group linked to Russia.
ProtonMail informed customers on Wednesday morning that its network was targeted in a sustained attack. The organization said that while emails would be delayed, they were not lost as a result of the incident. Some users reported that the attack impacted the ProtonVPN VPN service as well.
DoublePulsar, one of the hacking tools the Shadow Brokers supposedly stole from the National Security Agency (NSA)-linked Equation Group, can now run on Windows Embedded devices.
The backdoor was released publicly in April last year along with a variety of Windows exploits that Microsoft had patched the month before. It is a sophisticated, multi-architecture SMB (Server Message Block) backdoor that can stay well hidden on infected machines.
In addition to SMB, it is also used as the primary payload in RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software (an exploitation framework that resembles Rapid7’s Metasploit).
Cisco’s Talos team this week announced the availability of a free decryption tool to help victims of the Thanatos ransomware recover their files without paying the ransom.
Lithuania’s proposal that the European Union create an international cyber-force has been endorsed, and the effort already has seven countries on board.
As well as Lithuania, which leads the project, participants currently include Croatia, Estonia, France, Finland, the Netherlands, Romania, and Spain. Belgium, Germany, Greece, and Slovenia are observers, and another four countries are expected to sign on by the end of the year.
Karoblis said to take part, countries will need an existing “standing cyber security unit” able to help investigate serious incidents.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
282 Comments
Tomi Engdahl says:
Katosiko kannettava pc? Sen löytämiseen on helppo keino
https://www.is.fi/digitoday/art-2000005729406.html?ref=rss
https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1529935729&rver=6.7.6643.0&wp=SAPI&wreply=https%3A%2F%2Faccount.microsoft.com%2Fauth%2Fcomplete-signin%3Fru%3Dhttps%253A%252F%252Faccount.microsoft.com%252Fdevices%253Frefd%253Dwww.is.fi&lc=1033&id=292666&lw=1&fl=easi2
Tomi Engdahl says:
IETF: GDPR compliance means caring about what’s in your logfiles
Don’t log too much, nor keep the files for too long, to stay on right side of Euro privacy rules
https://www.theregister.co.uk/2018/04/24/ietf_gdpr_compliance_advice/
Sysadmins: while you’re busy getting ready for the GDPR-regulated world, don’t forget what your servers are storing in their logfiles.
That advice comes courtesy of a draft mulled by the Internet Engineering Task Force’s Internet Area Working Group (IETF’s INTAREA).
The document, here, offered a handy checklist as a set of updates to RFC6302, “Logging Recommendations for Internet-Facing Servers.”
The IETF suggests sysadmins adopt a data minimisation approach to configuring their server logs:
Full IP addresses should only be stored for as long as needed to provide a service;
Logs should otherwise only include the first two octets of IPv4 addresses, or first three octets of IPv6 addresses;
Inbound IP address logs shouldn’t last longer than three days;
Unnecessary identifiers should not be logged – these include source port number, timestamps, transport protocol numbers, and destination port numbers; and
Logs should be protected against unauthorised access.
Why three days, by the way? Because that lets logging cover a weekend before it’s flushed.
The draft also suggested that if service providers plan to, or think they need to, store more than the data listed, they would probably need users’ permission.
The advice stretches beyond the purely European providers, since anybody offering services to anyone in the EU needs to comply with GDPR.
Tomi Engdahl says:
A volt out of the blue: Phone batteries reveal what you typed and read
Power trace sniffing, a badly-designed API and some cloudy AI spell potential trouble
https://www.theregister.co.uk/2018/06/25/the_battery_is_the_smartphones_ibesti_snitch_boffins/
A group of researchers has demonstrated that smartphone batteries can offer a side-channel attack vector by revealing what users do with their devices through analysis of power consumption.
Both snitching and exfiltration were described in this paper (PDF), accepted for July’s Privacy Enhancing Technologies Symposium.
Nobody needs to panic yet, because the attack isn’t yet more than a decently tested theory,
https://sites.google.com/site/silbersteinmark/Home/popets18power.pdf?attredirects=1
Tomi Engdahl says:
FireEye Denies Hacking Back Against Chinese Cyberspies
https://www.securityweek.com/fireeye-denies-hacking-back-against-chinese-cyberspies
In his latest book, New York Times correspondent David Sanger describes how cybersecurity firm Mandiant hacked into the devices of Chinese cyberspies during its investigation into the threat group known as APT1.
Mandiant, now owned by FireEye, published its famous report on APT1 back in 2013 when it was led by CEO Kevin Mandia. The company at the time released information apparently showing that the Chinese military had been conducting sophisticated cyber-espionage operations.
In a statement published on Monday, FireEye admitted that Sanger was given access to the methods used by Mandiant to gather evidence of APT1’s ties to the Chinese military, but claims the reporter’s description “resulted in a serious mischaracterization of our investigative efforts.”
“We did not do this, nor have we ever done this,” FireEye said regarding claims that its employees activated the cameras on the hackers’ own laptops. “To state this unequivocally, Mandiant did not employ ‘hack back’ techniques as part of our investigation of APT1, does not ‘hack back’ in our incident response practice, and does not endorse the practice of ‘hacking back.’”
“Hacking back,” the term used to describe a cyberattack victim – or someone hired by the victim – hacking into the systems of the attacker, is a controversial practice and only few cybersecurity firms have admitted doing it.
Tomi Engdahl says:
China-linked Hackers Targeting Air-Gapped Systems: Report
https://www.securityweek.com/china-linked-hackers-targeting-air-gapped-systems-report
The cyber espionage group known as “Tick” has been targeting a secure USB drive built by a South Korean defense company, likely in an attempt to compromise air-gaped systems, Palo Alto Networks reports.
Also known as Bronze Butler, Tick is believed to be based in China and to have been active for at least a decade, although it was detailed for the first time only in April 2016. The group is mainly targeting Japan and South Korea, but variants of their malware were also observed in attacks on organizations in Russia, Singapore, and China.
Tomi Engdahl says:
Mobile Devices Exposed to Spying via Malicious Batteries: Researchers
https://www.securityweek.com/mobile-devices-exposed-spying-malicious-batteries-researchers
A team of researchers has demonstrated that specially crafted batteries installed in a smartphone can allow malicious actors to harvest and exfiltrate sensitive information.
Researchers from Technion, UT Austin and Hebrew University showed that an attacker can use a malicious battery to obtain various types of information from a device by continuously monitoring power traces. Monitoring the GPU and DRAM can work, but the CPU and the touchscreen leak the most information, experts said.
Tomi Engdahl says:
North Korean Hackers Exploit HWP Docs in Recent Cyber Heists
https://www.securityweek.com/north-korean-hackers-exploit-hwp-docs-recent-cyber-heists
A series of malicious Hangul Word Processor (HWP) documents used in recent attacks on cryptocurrency exchanges have been attributed to the North Korea-linked Lazarus group, AlienVault reports.
The attacks appear to include the recent assault on Bithumb, the largest virtual currency exchange in South Korea, with more than 1 million customers. As part of the incident, hackers managed to steal over $30 million worth of cryptocurrencies.
Lazarus, or BlueNoroff, is a state-sponsored hacking group believed to have launched the $81 million cyber heist from the Bangladesh Bank in 2016 and considered the most serious threat against banks. Earlier this year, the group was observed hitting an online casino in Central America and switching interest to crypto-currency.
Tomi Engdahl says:
Tesla Breach: Malicious Insider Revenge or Whistleblowing?
https://www.securityweek.com/tesla-breach-malicious-insider-revenge-or-whistleblowing
Just before midnight last Sunday evening (June 17, 2018), Elon Musk sent an email to all staff. He was dismayed, he said, to learn about a Tesla employee “making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties.”
This was a mainstream malicious insider attack — but there may be more to it than meets the eye. The motive, according to Musk, was revenge: “he wanted a promotion that he did not receive.” But this incident goes way beyond simple revenge sabotage, and includes the theft of sensitive data and the export of that data to unknown outside parties.
The incident could have been triggered by revenge and aggravated by bribery; but until and unless those outside parties can be identified for certain, the true cause of the attack will remain speculative.
Tomi Engdahl says:
“Wavethrough” Bug in Microsoft Edge Leaks Sensitive Information
https://www.securityweek.com/wavethrough-bug-microsoft-edge-leaks-sensitive-information
A security vulnerability patched by Microsoft earlier this month in its Edge browser could be exploited via malicious or compromised websites to read restricted data.
Tracked as CVE-2018-8235, the flaw occurs in how “Microsoft Edge improperly handles requests of different origins,” Microsoft explains in an advisory. The issue results in Edge bypassing Same-Origin Policy (SOP) restrictions and allows for requests that should otherwise be ignored.
Tomi Engdahl says:
New Encrypted Downloader Delivers Metasploit Backdoor
https://www.securityweek.com/new-encrypted-downloader-delivers-metasploit-backdoor
A series of cyber-attacks targeting the Middle Eastern region use an encrypted downloader to deliver a Metasploit backdoor, AlienVault reports.
The attacks start with a malicious document containing parts of an article about the next Shanghai Cooperation Organization Summit, originally published at the end of May on a Middle Eastern news network.
Tomi Engdahl says:
Red Alert Android Trojan for Rent at $500 Per Month
https://www.securityweek.com/red-alert-android-trojan-rent-500-month
The Red Alert 2.0 Android Trojan first detailed in September last year is currently available for rent on underground forums at $500 per month, Trustwave reports.
It is also capable of stealing information from the infected devices, including SMS messages and contact details, can block calls from banks, and can also keep in touch with bots via Twitter in the event its command and control (C&C) server is taken online.
When they detailed the threat in September last year, SfyLabs’ researchers said the malware included around 60 60 HTML overlays used to steal login credentials, but also revealed that the Trojan’s actor was constantly releasing updates for their malicious program.
Tomi Engdahl says:
Cisco Patches Critical Flaws in NX-OS Software
https://www.securityweek.com/cisco-patches-critical-flaws-nx-os-software
The bugs impact multiple devices, including Nexus 3000 Series Switches to Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules, Firepower 4100 and Firepower 9300 products, UCS 6100 to UCS 6300 Series Fabric Interconnects, and MDS 9000 Series Multilayer Switches.
Tomi Engdahl says:
Hidden Tunnels: A Favored Tactic to Evade Strong Access Controls
https://www.securityweek.com/hidden-tunnels-favored-tactic-evade-strong-access-controls
Financial services have perhaps the largest cyber security budgets and are the best protected companies in the private sector. Since cyber criminals generally have little difficulty in obtaining a quick return on their effort, it would be unsurprising to find that financial services are less overtly targeted by average hackers than other, easier targets.
An analysis of this data showed that financial services displayed fewer criminal C&C communication behaviors than the overall industry average. This could be caused by the efficiency of large finserv budgets (Bank of America spends $600 million annually, with no upper limit, while JPMorgan Chase spends $500 million annually) warding off basic criminal activity.
Even the much smaller Equifax has a budget of $85 million. But Equifax, with its massive 2017 loss of 145.5 million social security numbers, around 17.6 million drivers’ license numbers, 20.3 million phone numbers, and 1.8 million email addresses, demonstrates that finserv is a target for, and can be successfully breached by, the more advanced hackers.
Could an Equifax-
sized data breach
happen again?
https://info.vectra.ai/hubfs/Vectra-Hidden-Tunnels-Report-052418.pdf
Tomi Engdahl says:
Google Marks APKs Distributed by Google Play
https://www.securityweek.com/google-marks-apks-distributed-google-play
Google this week announced that it is adding a small amount of security metadata on top of APKs distributed by Google Play in order to verify their authenticity.
Initially announced in December 2017, the new change is designed to verify product authenticity from Google Play and is accompanied by an adjusted Google Play maximum APK size to take into account the small metadata addition.
Tomi Engdahl says:
Microsoft Combats Bad Passwords With New Azure Tools
https://www.securityweek.com/microsoft-combats-bad-passwords-new-azure-tools
Microsoft this week announced the public preview of new Azure tools designed help its customers eliminate easily guessable passwords from their environments.
Following a flurry of data breaches in recent years, it has become clear that many users continue to protect their accounts with weak passwords that are easy to guess or brute force. Many people also tend to reuse the same password across multiple services.
Attackers continually use leaked passwords in live attacks, Verizon’s 2017 Data Breach Investigations Report (DBIR) revealed, and Microsoft banned commonly used passwords in Azure AD a couple of years ago.
Tomi Engdahl says:
Watch Out for Fileless Ransomware
https://www.securityweek.com/watch-out-fileless-ransomware
At a recent industry conference I heard some commentary about the “disappearance” of ransomware, but I’m here to assure you that that isn’t the case. It’s true that some criminal gangs have switched to distributing cryptocurrency miners instead of ransomware (for now, I emphasize), as such mining is currently more difficult for many security systems to detect, and it’s proving extremely profitable to the criminals, which is all that matters.
A May survey showed phishing has surpassed ransomware as a concern for IT security managers, and for understandable reasons—the number of phishing emails reaching users keeps rising, and phishing is the top source of breaches at companies.
But don’t think ransomware is going to go quietly or go away at all. The narrative of the decline of ransomware is being driven in part by the decrease in mass, botnet-driven mailings sent in the tens of millions, which are spectacular and generate headlines. But it’s important to balance that narrative, focused on the decline in the sheer volume of ransomware distributions, with the understanding that during this past year there has also been an increase in the overall number of ransomware variants in circulation and more varied distribution methods in use, with each campaign typically targeting smaller audiences in the tens of thousands.
Tomi Engdahl says:
Hackers Exploit Drupal Flaw for Monero Mining
https://www.securityweek.com/hackers-exploit-drupal-flaw-monero-mining
Network attacks exploiting a recently patched Drupal vulnerability are attempting to drop Monero mining malware onto vulnerable systems, Trend Micro reports.
Tracked as CVE-2018-7602 and considered a highly critical issue that could result in remote code execution, the vulnerability impacts Drupal’s versions 7 and 8 and was addressed in April this year.
The flaw is dubbed Drupalgeddon3 and the patch for it only works if the fix for the original Drupalgeddon2 vulnerability (CVE-2018-7600) has been applied.
Last month, hackers were observed targeting both security vulnerabilities to deliver a variety of threats, including cryptocurrency miners, remote administration tools (RATs) and tech support scams.
Trend Micro now says they noticed network attacks exploiting CVE-2018-7602 to turn affected systems into Monero-mining bots.
Tomi Engdahl says:
The Intercept:
Documents and sources detail how the NSA taps into the data between AT&T, its partners, and customers, making the telco essential to US surveillance efforts — The secrets are hidden behind fortified walls in cities across the United States, inside towering, windowless skyscrapers …
https://theintercept.com/2018/06/25/att-internet-nsa-spy-hubs/
Tomi Engdahl says:
Julie Creswell / New York Times:
Amid growing outcry from civil liberties groups, Orlando has ended its pilot project for police to use Amazon’s Rekognition facial recognition software for now — Amid a growing outcry about privacy concerns by civil liberties groups, officials in Orlando, Fla., said Monday …
Orlando Pulls the Plug on Its Amazon Facial Recognition Program
https://www.nytimes.com/2018/06/25/business/orlando-amazon-facial-recognition.html
Tomi Engdahl says:
Brian Brackeen / TechCrunch:
Brian Brackeen, CEO of facial recognition firm Kairos, on why the tech, given its abuse potential and bias against people of color, shouldn’t be used by police — Recent news of Amazon’s engagement with law enforcement to provide facial recognition surveillance (branded “Rekognition”) …
Facial recognition software is not ready for use by law enforcement
https://techcrunch.com/2018/06/25/facial-recognition-software-is-not-ready-for-use-by-law-enforcement/
To be truly effective, the algorithms powering facial recognition software require a massive amount of information. The more images of people of color it sees, the more likely it is to properly identify them. The problem is, existing software has not been exposed to enough images of people of color to be confidently relied upon to identify them.
And misidentification could lead to wrongful conviction, or far worse.
There is no place in America for facial recognition that supports false arrests and murder.
In a social climate wracked with protests and angst around disproportionate prison populations and police misconduct, engaging software that is clearly not ready for civil use in law enforcement activities does not serve citizens, and will only lead to further unrest.
Whether or not you believe government surveillance is okay, using commercial facial recognition in law enforcement is irresponsible and dangerous.
Tomi Engdahl says:
Wall Street Journal:
Out of about 350 sampled public sector entities and municipalities, report says 38% will suffer ransomware attacks this year, up from 31% last year
Ransom Demands and Frozen Computers: Hackers Hit Towns Across the U.S.
Online extortionists search for vulnerabilities, offer instructions on how to pay in bitcoin
https://www.wsj.com/articles/ransom-demands-and-frozen-computers-hackers-hit-towns-across-the-u-s-1529838001
Tomi Engdahl says:
Jacob Kastrenakes / The Verge:
Wi-Fi Alliance begins certifying products that support WPA3, the successor to the WPA2 security protocol that provides additional protections against attacks
Wi-Fi security is starting to get its biggest upgrade in over a decade
WPA3 certification starts today
https://www.theverge.com/circuitbreaker/2018/6/26/17501594/wpa3-wifi-security-certification
Wi-Fi devices have been using the same security protocol for over a decade. But today, that’ll begin to change: the Wi-Fi Alliance, which oversees adoption of the Wi-Fi standard, is beginning to certify products that support WPA3, the successor to the WPA2 security protocol that’s been in use since 2004.
The new protocol provides a number of additional protections for devices connected over Wi-Fi. One big improvement makes it harder for hackers to crack your password by guessing it over and over again, and another limits what data hackers can see even once they’ve uncovered the passcode. Nothing will change as far as users see it; you’ll still just type in your password and connect to the network.
WPA3 protections won’t just flip on overnight — in fact, it’s going to be a many-years-long process.
The Wi-Fi Alliance expects WPA3 rollout to ramp up over the next year. For now, it won’t be mandatory in new products. But the next generation of Wi-Fi itself — 802.11ax — is also starting to come out and is expected to hit mass adoption in late 2019; as those devices become available, the Alliance expects the pace of WPA3 adoption to pick up.
You’ll start to see WPA3 a lot more in 2020
Tomi Engdahl says:
Troy Hunt:
Have I Been Pwned breach data search now integrated in 1Password via Watchtower, will be trialed in Firefox via a new Firefox Monitor tool starting next week
We’re Baking Have I Been Pwned into Firefox and 1Password
https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/
Tomi Engdahl says:
New York Times:
Sources: top tech companies met intelligence officials to discuss midterm elections but neither the FBI nor DHS was willing to share specific threat information — SAN FRANCISCO — Eight of the tech industry’s most influential companies, in anticipation of a repeat of the Russian meddling …
Top Tech Companies Met With Intelligence Officials to Discuss Midterms
https://www.nytimes.com/2018/06/25/technology/tech-meeting-midterm-elections.html
Eight of the tech industry’s most influential companies, in anticipation of a repeat of the Russian meddling that occurred during the 2016 presidential campaign, met with United States intelligence officials last month to discuss preparations for this year’s midterm elections.
The meeting, which took place May 23 at Facebook’s headquarters in Menlo Park, Calif., was also attended by representatives from Amazon, Apple, Google, Microsoft, Oath, Snap and Twitter, according to three attendees of the meeting who spoke on condition of anonymity because of its sensitive nature.
The company officials met with Christopher Krebs, an under secretary for the Department of Homeland Security, as well as a representative of the Federal Bureau of Investigation’s newly formed “foreign influence” task force.
Neither the Department of Homeland Security nor the F.B.I. responded to a request for comment.
Tomi Engdahl says:
Tom Warren / The Verge:
Microsoft is integrating Adblock Plus into its Edge browser on iOS and Android, letting users enable it in settings, rolling out to beta testers now
Microsoft Edge for iOS and Android now comes with a built-in ad blocker
Available in beta right now
https://www.theverge.com/2018/6/25/17500318/microsoft-edge-android-ad-blocker-built-in
Tomi Engdahl says:
Ava Kofman / The Intercept:
Interpol rolls out new international voice ID database, four years in the making, with 192 law enforcement agencies participating in audio clip sharing
Interpol Rolls Out International Voice Identification Database Using Samples From 192 Law Enforcement Agencies
https://theintercept.com/2018/06/25/interpol-voice-identification-database/
Last week, Interpol held a final project review of its speaker identification system, a four-year, 10 million euro project that has recently come to completion. The Speaker Identification Integrated Project, what they call SiiP, marks a major development in the international expansion of voice biometrics for law enforcement uses — and raises red flags when it comes to privacy.
Speaker identification works by taking samples of a known voice, capturing its unique and behavioral features, and then turning these features into an algorithmic template that’s known as a voice print or voice model.
SiiP will join Interpol’s existing fingerprint and face databases, and its key advantage will be to facilitate a quick identification process — say, of a kidnapper making a phone call — even in the absence of other identifiers.
SiiP’s database will include samples from YouTube, Facebook, publicly recorded conversations, and other sources where individuals might not realize that their voices are being turned into biometric voice prints.
Tomi Engdahl says:
Tick Group Weaponized Secure USB Drives to Target Air-Gapped Critical Systems
https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/
Tick is a cyberespionage group primarily targeting organizations in Japan and the Republic of Korea. The group is known to conduct attack campaigns with various custom malware such as Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader. Unit 42 last wrote about the Tick group in July 2017.
Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company. The USB drive and its management system have various features to follow security guidelines in South Korea.
The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet. In addition, our research shows that the malware used in these attacks will only try to infect systems running Microsoft Windows XP or Windows Server 2003. This is despite the fact that the malware appears to have been created when newer versions of Windows software were available. This would seem to indicate an intentional targeting of older, out-of-support versions of Microsoft Windows installed on systems with no internet connectivity. Air-gapped systems are common practice in many countries for government, military, and defense contractors, as well as other industry verticals.
Tomi Engdahl says:
Meet TLBleed: A crypto-key-leaking CPU attack that Intel reckons we shouldn’t worry about
How to extract 256-bit keys with 99.8% success
https://www.theregister.co.uk/2018/06/22/intel_tlbleed_key_data_leak/
Intel has, for now, no plans to specifically address a side-channel vulnerability in its processors that can be potentially exploited by malware to extract encryption keys and other sensitive info from applications.
A team of researchers at the Systems and Network Security Group at Vrije Universiteit Amsterdam, in the Netherlands, say they were able to leverage the security weakness to extract crypto keys from another running program in 99.8 of tests on an Intel Skylake Core i7-6700K desktop CPU; 98.2 percent of tests on an Intel Broadwell Xeon E5-2620 v4 server CPU; and 99.8 per cent of tests on a Coffeelake part.
Their code was able to lift a secret 256-bit key, used to cryptographically sign data, from another program while it performed a signing operation with libgcrypt’s Curve 25519 EdDSA implementation. It took roughly 17 seconds to determine each of the keys using machine-learning software and some brute force, according to a paper detailing the attack, seen by The Register this week.
“The end-to-end attack time is composed of: 2ms of capture time; 17 seconds of signals analysis with the trained classifier; and a variable amount of brute-force guessing with a median work factor of 213, taking a fraction of a second,” the team – Ben Gras, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida – stated in their paper.
he extraction technique is not reliant on speculative execution, and thus is unrelated to Spectre and Meltdown. Instead, it builds upon the exploitation of Intel’s Hyper-Threading technology and the processor caches to leak data
Intel SMT vulnerability ‘not critical’ – says Intel
Got to ‘own’ a machine to make use of it
https://www.theregister.co.uk/2005/05/16/intel_ht_vuln_fix_pledge/
Tomi Engdahl says:
Cisco ASA Flaw Exploited in DoS Attacks
https://www.securityweek.com/cisco-asa-flaw-exploited-dos-attacks
Cisco has informed users that a recently patched vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software has been exploited in denial-of-service (DoS) attacks.
The vulnerability, tracked as CVE-2018-0296 and classified “high severity,” was addressed with the patches released by Cisco in early June.
Tomi Engdahl says:
Toxic Content, Insider Threats Lurk in Business Collaboration Tools: Report
https://www.securityweek.com/toxic-content-insider-threats-lurk-business-collaboration-tools-report
A new report quantifies what every manager instinctively knows: private messaging within collaboration tools can hide worrying content sent between employees. This can include confidential and sensitive data inappropriately shared, password sharing, and even toxic sentiment that could harm workplace productivity or highlight a nascent insider threat.
Wiretap, a firm that provides monitoring for collaboration tools such as Slack, Microsoft Teams, Yammer, Workplace by Facebook and Skype for Business, has analyzed (PDF) more than a million enterprise collaboration messages from tens of thousands of authors. The premise of the study is that without knowledge of the risks hidden in collaboration tools, organizations could become victims of their own staff, or possibly worse, eschew the undoubted benefits of collaboration tools altogether.
The Wiretap findings are categorized in three areas: sentiment, toxicity and insider threats.
Sentiment covers employees’ moods and feelings towards the company and its leadership.
“With an understanding of employee opinion, leaders can better determine where to invest in company culture, development, and workplace conditions,”
Toxicity covers behavior including sexual harassment, racism and bullying. “Toxic employees have a way of spreading their behavior to others around them, similar to a nasty virus; crippling others’ morale, performance, and productivity,”
Insider threats come from naive users, malicious users, and even whistleblowers (whose motives may be subject to interpretation). They “are one of the most prevalent threats in an enterprise environment,” says the report, “and are difficult to mitigate.”
Tomi Engdahl says:
RANCOR Cyber Espionage Group Uncovered
https://www.securityweek.com/rancor-cyber-espionage-group-uncovered
A cyber espionage group that has remained undetected until recently, has been targeting South East Asia with two previously unknown malware families, according to Palo Alto Networks.
The group, referred to as RANCOR, has been targeting political entities in Singapore, Cambodia, and Thailand, but might have hit targets in other countries as well.
Tomi Engdahl says:
EFF Secures Email Delivery With STARTTLS Everywhere
https://www.securityweek.com/eff-secures-email-delivery-starttls-everywhere
The Electronic Frontier Foundation (EFF) this week announced STARTTLS Everywhere, a new project aimed at improving the security of email delivery.
The EFF is already involved in initiatives aimed at encrypting the web, such as the Let’s Encrypt Certificate Authority, and is now determined to advance email encryption in a manner similar to that of browsing.
Designed for mailserver admins, STARTTLS Everywhere provides the software that allows email servers to automatically get a valid certificate from Let’s Encrypt. It also allows admins to configure their email server software to use STARTTLS, and presents the valid certificate to other email servers.
Tomi Engdahl says:
Sophos Patches Privilege Escalation Flaws in SafeGuard Products
https://www.securityweek.com/sophos-patches-privilege-escalation-flaws-safeguard-products
Researchers discovered several vulnerabilities in Sophos SafeGuard full-disk and file encryption products. The flaws allow an attacker to escalate privileges on a compromised device and execute arbitrary code with SYSTEM permissions.
Tomi Engdahl says:
Security Startup Quantum Xchange Promises Unbreakable Quantum-Safe Encryption
https://www.securityweek.com/security-startup-quantum-xchange-promises-unbreakable-quantum-safe-encryption
Quantum Xchange Raises $10 Million, Launches Quantum Key Distribution Service
Bethesda, MD-based start-up Quantum Xchange has announced $10 Million Series A funding from New Technology Ventures, and the launch of the first commercial quantum key distribution (QKD) service in the U.S. The funding will support the deployment of a fiber network serving the Northeast Corridor from Washington D.C. to Boston, connecting the financial markets on Wall Street with back office operations in New Jersey.
The business premise is simple. The budding arrival of quantum computers will make current strong public key encryption immensely weak. Where current computing power would take too long or too many computers to make factoring large numbers feasible, one quantum computer could factor current public key lengths in a matter of minutes. Public key encryption will not provide security against quantum computers.
Tomi Engdahl says:
Advanced DDoS attacks becoming more common
https://www.itproportal.com/news/advanced-ddos-attacks-becoming-more-common/
Malicious bots that abuse stolen credentials remain one of the biggest threats to online businesses.
This is according to a new report by Akamai, based on the analysis of almost 112 billion bot requests and 3.9 billion malicious login attempts targeting travel and hospitality industries.
Almost 40 per cent of the traffic across hotel and travel sites is labelled as “impersonators of known browsers”, which is a known vector for fraud.
These attacks originate mostly from Russia, China and Indonesia, it was said, with roughly half of all traffic coming from these countries.
“These countries have historically been large centres for cyberattacks, but the attractiveness of the hospitality industry appears to have made it a significant target for hackers to carry out bot-driven fraud,”
Tomi Engdahl says:
New Malware Family Uses Custom UDP Protocol for C&C Communications
Tuesday, June 26, 2018 Wang Wei
https://thehackernews.com/2018/06/cyber-espionage-malware.html
Security researchers have uncovered a new highly-targeted cyber espionage campaign, which is believed to be associated with a hacking group behind KHRAT backdoor Trojan and has been targeting organizations in South East Asia.
According to researchers from Palo Alto, the hacking group, which they dubbed RANCOR, has been found using two new malware families—PLAINTEE and DDKONG—to target political entities primarily in Singapore and Cambodia.
Tomi Engdahl says:
We’re Baking Have I Been Pwned into Firefox and 1Password
https://www.troyhunt.com/were-baking-have-i-been-pwned-into-firefox-and-1password/
Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called “Firefox Monitor”.
This is major because Firefox has an install base of hundreds of millions of people which significantly expands the audience that can be reached once this feature rolls out to the mainstream. You can read Mozilla’s announcement of the new feature and how they plan to conduct the testing and rollout.
1Password
My relationship with 1Password stretches all the way back to 2011 when I came to the realisation that the only secure password is the one you can’t remember.
Tomi Engdahl says:
Microsoft Forcing Multi-Factor Authentication on Azure AD Admin Accounts
https://www.bleepingcomputer.com/news/security/microsoft-forcing-multi-factor-authentication-on-azure-ad-admin-accounts/
Microsoft will soon enable multi-factor authentication (MFA) for all high-privileged Azure AD accounts, the company said on Friday.
The MFA feature will be part of Microsoft Azure AD’s “baseline policy,” a set of security features that are enabled for accounts to support a minimum of security measures.
Tomi Engdahl says:
MARKETING FIRM EXACTIS LEAKED A PERSONAL INFO DATABASE WITH 340 MILLION RECORDS
https://www.wired.com/story/exactis-database-leak-340-million-records/
YOU’VE PROBABLY NEVER heard of the marketing and data aggregation firm Exactis. But it may well have heard of you. And now there’s also a good chance that whatever information the company has about you, it recently leaked onto the public internet, available to any hacker who simply knew where to look.
Earlier this month, security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server. The haul comprises close to 2 terabytes of data that appears to include personal information on hundreds of millions of American adults, as well as millions of businesses. While the precise number of individuals included in the data isn’t clear—and the leak doesn’t seem to contain credit card information or Social Security numbers—it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person’s children.
“It seems like this is a database with pretty much every US citizen in it,”
In the Open
While it’s far from clear if any criminal or malicious hackers have accessed the database, Troia says it would have been easy enough for them to find. Troia himself spotted the database while using the search tool Shoda
So he simply used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. That returned about 7,000 results.
“I’m not the first person to think of scraping ElasticSearch servers,” he says. “I’d be surprised if someone else didn’t already have this.”
Troia contacted both Exactis and the FBI about his discovery last week, and he says the company has since protected the data so that it’s no longer accessible.
Troia contacted both Exactis and the FBI about his discovery last week, and he says the company has since protected the data so that it’s no longer accessible.
While the lack of financial information or Social Security numbers means the database isn’t a straightforward tool for identity theft, the depth of personal info nonetheless could help scammers with other forms of social engineering
A Database Dilemma
Massive leaks of user databases that are accidentally left accessible on the public internet have nearly reached epidemic status, affecting everything from health information to password caches stored by software firms. One particularly prolific researcher, security firm UpGuard’s Chris Vickery, has discovered those database leaks again and again, from 93 million Mexican citizens’ voter registration records to a list of 2.2 million “high-risk” people suspected of crime or terrorism, known as the World Check Risk Screening database.
But if the Exactis leak does in fact include 230 million people’s information, that would make it one of the largest in years, bigger even than 2017′s Equifax breach of 145.5 million people’s data, though smaller than the Yahoo hack that affected 3 billion accounts
Tomi Engdahl says:
Exclusive: Ukraine says Russian hackers preparing massive strike
https://www.reuters.com/article/us-ukraine-cyber-exclusive/exclusive-ukraine-says-russian-hackers-preparing-massive-strike-idUSKBN1JM225
Hackers from Russia are infecting Ukrainian companies with malicious software to create “back doors” for a large, coordinated attack, Ukraine’s cyber police chief told Reuters on Tuesday.
The hackers are targeting companies, including banks and energy infrastructure firms
Tomi Engdahl says:
Identity theft warning after major data breach at Ticketmaster
People in UK who bought tickets since February told to be wary of suspicious activity
https://www.theguardian.com/money/2018/jun/27/identity-theft-warning-after-major-data-breach-at-ticketmaster
UK customers of Ticketmaster have been warned they could be at risk of fraud or identity theft after the global ticketing group revealed a major data breach that has affected tens of thousands of people.
The company could face questions over whether there was a delay in disclosing the breach after it emerged that some UK banks have known about the incident since early April.
The Guardian understands that a number of Ticketmaster customers have already had fraudulent transactions debited from their accounts,
The company said less than 5% of its global customer base had been caught up in the breach, and indicated the number directly affected was fewer than 40,000. However, Ticketmaster claims to serve more than 230 million customers a year globally.
“If you are concerned or notice any suspicious activity on your account, you should contact your bank(s) and any credit card companies.”
Applies also to Finland
https://www.iltalehti.fi/digiuutiset/201806282201041156_dx.shtml
https://ls24.fi/uutiset/ticketmaster-joutui-tietomurron-kohteeksi
Tomi Engdahl says:
The malware has reached Ticketmaster data – the company invites its customers to change the password and observe account transactions
Ticketmaster says it has found a malware on its international website that uses Inbenta system.
Event tickets selling Ticketmaster says some of its customers’ personal and placing the payment information fall into the hands of an unknown third party.
Behind the data leak is a malicious program that Ticketmaster says has found in Inbenta Technologies’s customer support system. This is a third party application provider used by Ticketmaster.
The Inbenta system is used on Ticketmaster’s international website.
Ticketmaster invites all of its customers to change their Ticketmaster Account password as the pre-requisite for the next login.
In addition, Ticketmaster recommends that customers monitor their account transactions for misuse or identity theft. Customers should contact their bank or credit card company if they notice any deviations from their usual account.
Finnish Ticketmaster does not comment on a break-in
The security team and technical experts will investigate how the information has affected the customer data.
Ticketmaster reports that they have blocked Inbenta products that have been targeted by malware on all Ticketmaster websites immediately after detection of malware.
Source: https://yle.fi/uutiset/3-10278123
Note from Ticketmaster:
https://tietoturva.ticketmaster.fi/
Tomi Engdahl says:
Ticketmaster admits personal data stolen in hack attack
https://www.bbc.co.uk/news/technology-44628874
Ticketmaster has admitted that it has suffered a security breach, which the BBC understands has affected up to 40,000 UK customers.
Malicious software on third-party customer support product Inbenta Technologies caused the hack, the firm said on Twitter.
“Some personal or payment information may have been accessed by an unknown third party”, it added.
All affected customers have been contacted.
In the email to those customers, Ticketmaster said it had set up a website to answer any questions and advised them to reset their passwords. It also offered them a free 12-month identity monitoring service.
The UK’s National Cyber Security Centre – a division of GCHQ – said it was monitoring the situation.
Tomi Engdahl says:
CHEW on This: How Our Digital Lives Create Real World Risks
https://www.securityweek.com/chew-how-our-digital-lives-create-real-world-risks
Adults today have witnessed video stores becoming streaming services, book stores vanishing into cyberspace. Traditional, even beloved, consumer brands are being supplanted by digital replacements. Even interpersonal relationships now occur largely online.
Digital transformation is not only making the anonymous personal. It is significantly affecting all industries and sectors — oil and gas, power and utilities, insurance, banking and securities, the public sector, real estate, the media and telecommunications.
With each entity, process or service that moves from the physical world into cyberspace, there is a corresponding transformation to the threat landscape. Digital transformation doesn’t just change the business model or the supply chain dynamic. It also introduces significant new threats that go beyond monitoring web traffic and securing networks.
Those threats take a variety of forms known as “CHEW”: criminal, hacktivism, espionage and (cyber) warfare.
Tomi Engdahl says:
Industrial IoT: Protecting the Physical World from Cyber Attacks
https://www.securityweek.com/industrial-iot-protecting-physical-world-cyber-attacks
As industrial IoT continues to grow in the years to come, the types of deployments will be divided into two major categories:
● Fixed-function devices – Connected devices that exist on the outer edge of the typical IT purview, such as building components (cameras, lighting, locks, etc.) and collaboration tools (video conferencing, smart TVs, etc.).
● Operational Technology (OT/IIoT) – Industrial and operations technologies such as Supervisory Control and Data Acquisition systems (SCADA) and Distributed Control Systems (DCS) that run the business behind the scenes.
Tomi Engdahl says:
UK Publishes Minimum Cyber Security Standard for Government Departments
https://www.securityweek.com/uk-publishes-minimum-cyber-security-standard-government-departments
The UK government’s Cabinet Office has published the first iteration of its Minimum Cyber Security Standard, which will be incorporated into the Government Functional Standard for Security. The standard is mandatory for all government departments (which includes ‘organizations, agencies, Arm’s Length Bodies and contractors’); but provides an excellent security checklist/framework for all commercial organizations.
It is a surprisingly short document (PDF); just seven pages comprising 10 sections under five categories: Identify, Protect, Detect, Respond and Recover.
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/719067/25062018_Minimum_Cyber_Security_Standard_gov.uk__3_.pdf
Tomi Engdahl says:
Significant DDoS Attack on ProtonMail Blamed on Russia-Linked Group
https://www.securityweek.com/significant-ddos-attack-protonmail-blamed-russia-linked-group
Encrypted email provider ProtonMail was hit by a significant distributed denial-of-service (DDoS) attack that appears to have been carried out by a group linked to Russia.
ProtonMail informed customers on Wednesday morning that its network was targeted in a sustained attack. The organization said that while emails would be delayed, they were not lost as a result of the incident. Some users reported that the attack impacted the ProtonVPN VPN service as well.
Tomi Engdahl says:
NSA-Linked Implant Patched to Work on Windows Embedded
https://www.securityweek.com/nsa-linked-implant-patched-work-windows-embedded
DoublePulsar, one of the hacking tools the Shadow Brokers supposedly stole from the National Security Agency (NSA)-linked Equation Group, can now run on Windows Embedded devices.
The backdoor was released publicly in April last year along with a variety of Windows exploits that Microsoft had patched the month before. It is a sophisticated, multi-architecture SMB (Server Message Block) backdoor that can stay well hidden on infected machines.
In addition to SMB, it is also used as the primary payload in RDP (Remote Desktop Protocol) exploits in the NSA’s FuzzBunch software (an exploitation framework that resembles Rapid7’s Metasploit).
Tomi Engdahl says:
Free Thanatos Ransomware Decryptor Released
https://www.securityweek.com/free-thanatos-ransomware-decryptor-released
Cisco’s Talos team this week announced the availability of a free decryption tool to help victims of the Thanatos ransomware recover their files without paying the ransom.
Tomi Engdahl says:
EU summons a CYBER FORCE into existence
Why cyber? Because CERT-EU was already taken
https://www.theregister.co.uk/2018/06/27/eu_cyber_force/
Lithuania’s proposal that the European Union create an international cyber-force has been endorsed, and the effort already has seven countries on board.
As well as Lithuania, which leads the project, participants currently include Croatia, Estonia, France, Finland, the Netherlands, Romania, and Spain. Belgium, Germany, Greece, and Slovenia are observers, and another four countries are expected to sign on by the end of the year.
Karoblis said to take part, countries will need an existing “standing cyber security unit” able to help investigate serious incidents.