Foeke Postma / bellingcat:
Analysis: fitness tracking website Polar Flow exposed info like names and home addresses of ~6500 military, FBI, NSA, and other staffers at 200+ sensitive sites
Polar, a fitness app, is revealing the homes and lives of people exercising in secretive locations, such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world, a joint investigation of Bellingcat and Dutch journalism platform De Correspondent reveals.
In January Nathan Ruser discovered that the fitness app Strava revealed sensitive locations throughout the world as it tracked and published the exercises of individuals, including soldiers at secret (or, “secret”) military outposts. The discovery of those military sites made headlines globally, but Polar, which can feed into the Strava app, is revealing even more.
The manufacturing company known for making the world’s first wireless heart-rate monitor uses its site ‘Polar Flow’ as a social platform where users can share their runs.
By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised.
Users often use their full names in their profiles, accompanied by a profile picture — even if they did not connect their Facebook profile to their Polar account.
Polar is not the only app doing this, but the difference between it and other popular fitness platforms, such as Strava or Garmin, is that these other sites require you to navigate to a specific person to view separate instances of his or her sessions
You only need to navigate to an interesting site, select one of the profiles exercising there, and you can get a full history of that individual.
With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning
We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity.
We were able to scrape Polar’s site (another security flaw) for individuals exercising at 200+ of such sensitive sites, and we gathered a list of nearly 6,500 unique users.
Polar’s open data set also poses a risk to civilians.
On registering your account, Polar asks you to provide a name, location, height, weight, date of birth, gender and the amount of training per week.
As with most open sources, Polar’s platform has its limitations. The Polar data relies on GPS, which can be inaccurate and spoofed.
The data tends to be accurate enough to tell when users are on the street, or on the property of a particular house.
The U.S. military has already reviewed its rules for fitness trackers, and it is likely other countries will have done so too.
Fitness devices and apps are just one more area where people need to be aware of what kind of data they are sharing, particularly as they strongly rely on sensitive data such as location and health-metrics.
DomainFactory, a Germany-based web hosting services provider of GoDaddy-owned Host Europe Group, informed customers late last week that their personal and financial information was exposed after a hacker gained access to some of its systems.
According to DomainFactory, one of the largest hosting firms in Germany, the breach occurred in late January, but the company only learned of the incident on July 3 after the hacker started disclosing samples of the stolen information on the DomainFactory forum.
The hack is still being investigated, but the attacker appears to have gained access to data such as customer name, company name, customer number, address, email address, phone number, DomainFactory phone password, date of birth, and bank name and account number.
The company says it has secured the point of entry used by the hacker, but has warned customers that the compromised information may be misused for financial fraud and other types of attacks.
Timehop informed users late last week that hackers gained unauthorized access to some of its systems as part of an attack that impacts roughly 21 million accounts.
New York-based Timehop has created an application that shows users the photos, videos and posts they shared on the current day in previous years on Facebook, Instagram, Twitter and other websites. The app also allows users to share these memories with their friends.
According to Timehop, the attacker accessed a database storing usernames, phone numbers, email addresses and social media access tokens.
Mobile fitness app Polar has suspended its location tracking feature after security researchers found it had revealed sensitive data on military and intelligence personnel from 69 countries.
A cyber-espionage group is abusing code-signing certificates stolen from Taiwan-based companies for the distribution of their backdoor, ESET reports.
The group, referred to as BlackTech, appears highly skilled and focused on the East Asia region, particularly Taiwan. The certificates, stolen from D-Link and security company Changing Information Technology Inc., have been used to sign the Plead backdoor, ESET’s security researchers say.
Evidence of the fact that the D-Link certificate was stolen comes from the fact that it was used to sign non-malicious D-Link software, not only the Plead malware, ESET explains.
After being informed on the misuse of its certificate, D-Link revoked it, along with a second certificate, on July 3. In an advisory, the company said that most of its customers should not be affected by the revocation.
“D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong,” the company said.
D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan
Two more individuals, a hedge fund manager and a securities trader, have been convicted by a U.S. court for their role in a $30 million scheme that involved hacking major newswire companies.
The scheme involved Ukraine-based hackers breaking into the systems of Marketwired, PR Newswire and Business Wire between February 2010 and August 2015, and stealing as many as 150,000 press releases. The hackers sent the stolen press releases containing nonpublic financial information to several traders who quickly monetized it.
Korchevsky and Khalupsky are said to have traded based on nonpublic press releases issued by hundreds of companies, including Align Technology, CA Technologies, Caterpillar, HP, Home Depot, Panera Bread, and Verisign.
According to authorities, Korchevsky made more than $15 million over the course of the scheme
Nine individuals are accused of making $30 million through the newswire hacking scheme.
A botnet discovered at the start of the year and named Hide ‘N Seek (HNS) has expanded from infecting Internet of Things (IoT) devices and is now also targeting cross-platform database solutions as well.
This is an important development in the botnet’s evolution, which also passed a significant milestone in May when it became the first IoT malware that was capable of surviving device reboots.
Recently, researchers have uncovered new attacks against the Long-Term Evolution (LTE) network protocol. LTE, a type of 4G network, is a mobile communications standard used by billions of devices around the world.
Security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi discovered three new attacks against LTE technology. The first two are passive attacks — identity mapping and website fingerprinting. These allow the attacker to listen in on not only the destinations that are visited from the target’s mobile device, but also on what data is passing over the network. The third is an active domain name system (DNS) redirect attack, referred to as “aLTEr” by the research team.
How does the attack work?
This attack works by taking advantage of a design flaw within the LTE network — the data link layer (or layer 2) of the LTE network is encrypted with AES-CTR but it is not integrity-protected. This means an attacker can modify the bits even within an encrypted data packet, which later decrypts to a related plaintext. To carry this out, the attacker poses as a cell tower to the victim, while pretending to be a subscriber to the real network.
These types of attacks are not limited to LTE networks. 5G networks may also be vulnerable to these attacks in the future.
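The malleability the passage describes, shown as an added example that is not from the research team or the original article: a counter-mode keystream built from HMAC-SHA256 (a standard-library stand-in for AES-CTR, which has the same XOR structure) encrypts a constructed packet, a bit-flip in the ciphertext changes the decrypted destination address, and an encrypt-then-MAC tag, the integrity protection the passage says the layer lacks, rejects the modified packet. The key, nonce, addresses and packet layout are all constructed for the demo.

```python
import hashlib
import hmac
import struct
from typing import Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a stdlib PRF: HMAC-SHA256(key, nonce || counter).

    Stand-in for AES-CTR in this example. Both ciphers XOR a keystream into the
    plaintext, so the malleability demonstrated below is the same property."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def build_packet(dst_ip_str: str) -> bytes:
    """Constructed layer-2 payload: a bare IPv4/UDP header whose destination
    field (bytes 16..19) holds the subscriber's DNS resolver address.
    The header checksum is left zero; it is not part of what this demo shows."""
    hdr = bytearray(20)
    hdr[0] = 0x45                      # version 4, 20-byte header
    hdr[8], hdr[9] = 64, 17            # TTL 64, protocol UDP
    hdr[12:16] = bytes([10, 0, 0, 2])  # constructed source address
    hdr[16:20] = bytes(int(o) for o in dst_ip_str.split("."))
    return bytes(hdr) + b"dns query"


def dst_ip(packet: bytes) -> str:
    return ".".join(str(b) for b in packet[16:20])


def xor_mask(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flip_in_transit(ciphertext: bytes, offset: int, mask: bytes) -> bytes:
    """Relay-side modification that needs no key: XOR a mask into the ciphertext.
    Any stream cipher then decrypts those bytes to plaintext XOR mask."""
    out = bytearray(ciphertext)
    for i, m in enumerate(mask):
        out[offset + i] ^= m
    return bytes(out)


KEY = b"constructed demo key, not an LTE key"   # constructed, not a real key
NONCE = b"\x00" * 8


def without_integrity(original_dst: str, substituted_dst: str) -> str:
    """Channel as the passage describes it: encrypted, not integrity-protected.
    Returns the destination the receiver decrypts after the ciphertext was
    modified in transit by the XOR difference of the two addresses."""
    ciphertext = ctr_xor(KEY, NONCE, build_packet(original_dst))
    mask = xor_mask(build_packet(original_dst)[16:20],
                    build_packet(substituted_dst)[16:20])
    modified = flip_in_transit(ciphertext, 16, mask)
    return dst_ip(ctr_xor(KEY, NONCE, modified))


def receive_with_integrity(original_dst: str, substituted_dst: Optional[str] = None) -> bool:
    """Same channel with an encrypt-then-MAC tag, i.e. the integrity protection
    the passage says the LTE data link layer lacks. Returns True if the
    receiver accepts the packet; a modified ciphertext fails tag verification."""
    mac_key = hashlib.sha256(KEY + b"|mac").digest()
    ciphertext = ctr_xor(KEY, NONCE, build_packet(original_dst))
    tag = hmac.new(mac_key, NONCE + ciphertext, hashlib.sha256).digest()
    if substituted_dst is not None:
        mask = xor_mask(build_packet(original_dst)[16:20],
                        build_packet(substituted_dst)[16:20])
        ciphertext = flip_in_transit(ciphertext, 16, mask)
    expected = hmac.new(mac_key, NONCE + ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    print("no integrity, receiver decrypts dst:", without_integrity("8.8.8.8", "192.0.2.53"))
    print("with tag, untouched packet accepted:", receive_with_integrity("8.8.8.8"))
    print("with tag, modified packet accepted:", receive_with_integrity("8.8.8.8", "192.0.2.53"))
```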
How can you protect against these types of attacks?
The best way to protect against DNS spoofing attacks is to encrypt DNS queries, and only use trusted DNS resolvers.
The Cisco Security Connector app protects users from connecting to malicious destinations in the first place. It leverages security intelligence to first classify the requested domain, and then determines if the request should be allowed — for safe destinations, or blocked — for malicious destinations.
“Autoruns conveniently includes a non-interactive command line utility. This code generates a CSV of Autoruns entries, converts them to JSON, and finally inserts them into a custom Windows Event Log. By doing this, we can take advantage of our existing WEF infrastructure to get these entries into our SIEM and start looking for signs of malicious persistence on endpoints and servers.”
Details and public exploit code have been published online for a severe vulnerability affecting Hewlett Packard Integrated Lights-Out 4 (HP iLO 4) servers.
HP iLO devices are extremely popular among small and large enterprises alike. iLO cards can be embedded in regular computers. They have a separate Ethernet network connection and run a proprietary embedded server management technology that provides out-of-band management features, allowing sysadmins to manage computers from afar.
iLO cards allow sysadmins to install firmware remotely, reset servers, provide access to a remote console, read logs, and more.
A vulnerability in iLO cards can be used to break into many companies’ networks and possibly gain access to highly sensitive or proprietary information.
Stupid-simple exploit found in HP iLO4 servers
The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware.
Vulnerability patched last year
But iLO server owners don’t need to panic. The security research team discovered this vulnerability way back in February 2017 and notified HP with the help of the CERT division at Airbus.
HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54. System administrators who are in the habit of regularly patching servers have most likely been protected against this bug for months.
PoCs available online
In the past few months, the research team has been presenting their findings at security conferences, such as ReCon Brussels and SSTIC 2018.
The SSTIC 2018 talk is available here, although the team presented their findings in French. Slides and an in-depth research paper —in English— are also available.
The attack, called “Thermanator”, could use your body heat against you in order to steal your credentials or any other short string of text that you have typed on a computer keyboard
A team of academics from the University of California, Irvine (UCI), have presented a type of attack that could enable a malefactor to retrieve sensitive information you entered via your keyboard – possibly up to a minute after you typed it.
The researchers had 30 users enter 10 different passwords, both strong and weak, on four common external keyboards. Using a thermal imaging camera, the researchers then scanned the residual heat left on the recently-pressed keys. In the second stage, they enlisted the help of eight non-experts in the field who, acting as “adversaries”, were asked to derive the set of pressed keys from the thermal imaging data – which they reliably did.
Long story short, the subjects successfully retrieved entire sets of key-presses that were captured by the camera as late as 30 seconds after the first key was entered. In addition, recovery of a partial set of key-presses was possible one minute after the first key was pressed.
“If you type your password and walk or step away, someone can learn a lot about it after-the-fact,” said one of the paper’s authors, Gene Tsudik.
A study back in 2011 showed that PIN codes entered on cash machines can also be recovered by analyzing the residual heat left behind on the keypads.
Earlier this week, Israeli security agencies announced that the Hamas terrorist organization had installed spyware on Israeli soldiers’ smartphones in its latest attempt to collect information on its long-time enemy. About 100 people fell victim to the attack, which came in the form of fake World Cup and online dating apps that had been uploaded to the Google Play Store, the official app store of Google.
A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.
The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.
Google this week released its July 2018 set of Android patches to address tens of vulnerabilities in the mobile operating system, including several rated as Critical.
The Internet giant addressed 11 vulnerabilities as part of the 2018-07-01 security patch level, including three rated Critical and eight rated High risk. The issues impact the framework, media framework, and system components.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in an advisory.
Affected operating system versions include Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.
A total of 32 flaws were addressed as part of the 2018-07-05 security patch level, 8 rated Critical severity and 24 considered High risk.
On Monday July 2, Jackie Doyle-Price, the parliamentary under-secretary of state for health, delivered a written statement to the UK parliament. It explained that 150,000 NHS patients who had specifically opted out of the NHS patient data-sharing regime were in fact not opted out.
“As a result,” says the statement, “these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients.”
NHS Digital is the national information and technology partner to the health and social care system.
On the same day, NHS Digital released its own statement. “We apologize unreservedly for this issue, which has been caused by a coding error by a GP system supplier (TPP) and means that some people’s data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data.”
Cryptocurrency theft and its use to launder other illegal activity is booming. This has prompted the evolution of a related industry that sits on the borderline of legality (barely legal in some jurisdictions, illegal in others): cryptocurrency money laundering. The laundering of illegally-obtained money may be illegal, but the process used may not be.
Menlo Park, Calif. startup CipherTrace is a firm founded on the need for cryptocurrency anti-money laundering (AML), blockchain forensics and enforcement solutions. It aids law enforcement and financial regulators in their investigations, helps enterprises to deploy real-world cryptocurrency transactional systems within regulations, and offers a bitcoin scam and theft asset recovery service.
The unique features of your face can allow you to unlock your new iPhone, access your bank account or even “smile to pay” for some goods and services.
The same technology, using algorithms generated by a facial scan, can allow law enforcement to find a wanted person in a crowd or match the image of someone in police custody to a database of known offenders.
Facial recognition came into play last month when a suspect arrested for a shooting at a newsroom in Annapolis, Maryland, refused to cooperate with police and could not immediately be identified using fingerprints.
A long established ransomware family recently added the ability to deploy a cryptocurrency miner instead of file encryptor, based on the victim machine’s configuration.
The malware, which Kaspersky Lab detects as Rakhni, was first discovered in 2013 and has received numerous updates ever since. The latest feature added to the threat, however, makes it stand out from the crowd: the malware’s downloader checks the victim system and decides whether to infect it with a cryptor or a miner.
Mainly affecting users in Russia but spread worldwide, the Trojan is being distributed via spam emails with a malicious Word document attached. The file has an embedded PDF document that, once opened, launches a malicious downloader and also displays a fake error message to the victim.
Going over my WebLogic honeypot, I am used to seeing a lot of crypto miners. The honeypot is vulnerable to CVE-2017-10271. I have written before about the various crypto miners.
But this weekend, I finally spotted something a bit different. The attacker installed a backdoor which so far is not recognized by any antivirus tool according to VirusTotal.
This binary establishes a connection to the attacker for remote control protected by a trivial default password. Note to the attacker: If the password is “replace with your password”, do it!
The malicious file was uploaded and executed via a well known WebLogic vulnerability.
Two insurance companies are suing a cyber-security firm to recover insurance fees paid to a customer after the security firm failed to detect malware on the client’s network for months, an issue that led to one of the biggest security breaches of the 2000s. The security firm says the lawsuit is meritless.
The two insurance firms are Lexington Insurance Company and Beazley Insurance Company, and both insured Heartland Payment Systems, a leading payment processing company.
Lawsuit related to 2009 Heartland mega breach
In January 2009, Heartland announced a major security breach of its network, following which an attacker stole details for over 100 million payment cards stored on its systems by over 650 of Heartland’s customers.
Following this devastating hack, one of the biggest of the 2000s, Heartland paid over $148 million in settlement fees for various lawsuits, plus other remediation costs and expenses Heartland owed its customers.
Lawsuit claims Trustwave failed to detect intrusion
The two insurance firms claim that Chicago-based Trustwave Holdings, Inc. —the security firm— had failed to detect that an attacker used an SQL injection attack to breach Heartland’s systems on July 24, 2007.
Furthermore, the two say Trustwave also failed to detect that attackers installed malware on the payments processor’s servers on May 14, 2008, and did not raise a sign of alarm about the event.
The lawsuit also mentions that in the aftermath of the hack, Visa conducted a review of Heartland’s servers and found that Trustwave incorrectly certified Heartland as PCI DSS compliant.
The lawsuit claims that Visa discovered that Trustwave ignored the fact that Heartland didn’t run a firewall, was using vendor-supplied passwords, didn’t have sufficient protection for the storage system used for card data, failed to assign unique identification to each person accessing its system, and had failed to monitor servers and cardholder data at regular intervals.
All of these are PCI DSS compliance rules, and Visa said that despite all the problems on Heartland’s network, Trustwave provided PCI DSS attestation.
Trustwave denies fault, says it’s an old story
But in a statement to Bleeping Computer, Trustwave says the lawsuit is meritless.
This is the third time Trustwave is on the receiving end of such a lawsuit.
A German web-hosting firm has suffered a severe data breach because one of its customers reportedly owed money to the attacker. The company only learned of the breach when the hacker announced it himself, on its support forum.
On Jan. 29, the attacker compromised customer names, company names, various addresses, telephone numbers, DomainFactory passwords, dates of birth, bank names and account numbers, and Schufa scores (German credit score).
However, the company and its customers only learned of the breach six months later, on July 3.
The reason behind the attack, according to German news outlet Heise Online, was to obtain the credentials of a customer who owed the attacker money. When he noticed that DomainFactory was reluctant to acknowledge the breach, he decided to make it public.
DomainFactory’s explanation, however, differs a bit.
Chipzilla preps for quarterly public patch updates
Exclusive: Intel will today emit a dozen security alerts for its products – including details of another data-leaking vulnerability within the family of Spectre CPU flaws.
Rather than drop surprise alerts onto its security advisory page at irregular intervals, Intel hopes to gradually adopt a routine similar to Microsoft’s monthly Patch Tuesday, albeit once every three months.
Urgent security updates will be pushed out in between these quarterly batches.
From what we understand, Intel hopes to give folks – from IT administrators to ordinary netizens – time and notice to plan for installing security updates at regular-ish intervals, rather than relying on them to look out for sporadic patches.
Speculative execution continues to haunt
The new Spectre-class side-channel vulnerability in Intel’s processors, to be disclosed today, can be exploited in a bounds-check bypass store attack.
Function pointers and return addresses are overwritten in the attack, allowing the malicious code to change the CPU’s course and infer the contents of memory that should be out of reach.
The good news is that software mitigations available today for Spectre variant 1 will thwart bounds-check bypass store attacks. Thus, web browsers and other applications employing anti-Spectre mechanisms should be safe.
For programmers and compiler writers, this means slipping LFENCE instructions into code before it reads from memory.
The other good news is that there is little or no malware known to be circulating in the wild exploiting Spectre vulnerabilities.
Instead, Spectre, for now, remains a fascinating insight into the world of CPU design, where engineers across the industry trade off a little security for a little more performance.
A chain of California shopping centers is sharing its license plate reader data with a well-known U.S. Immigration and Customs Enforcement (ICE) contractor, giving that agency the ability to track license plate numbers it captures in near real-time.
For every real criminal out there, there will always be a phony riding on the coattails of his success.
A number of people have already been bombarded with fake threat emails demanding an amount in Bitcoin and threatening grave consequences if it is not paid. The racketeers take blackmail letter examples from the internet and modify them before sending them to you.
These racketeers are banking on panic and rash decision-making to keep their businesses thriving and Bitcoin flowing.
The fake threat emails are poorly written and sent en masse.
Fake ransomware racketeering is on the rise.
The emails demanding Bitcoin are usually authored in poor English and often contain threats to leak private information if the Bitcoin ransom is not paid.
You never quite know what you’ll find on the dark web. In June, a threat intelligence team known as Insikt Group at security research firm Recorded Future discovered the sale of sensitive U.S. military information in the course of monitoring criminal activity on dark web marketplaces.
An English-speaking hacker purported to have documentation on the MQ-9 Reaper unmanned aerial vehicle.
Another set of documents appears to have been stolen from a U.S. Army official or from the Pentagon.
In the course of its investigation, Insikt Group determined that the hacker obtained the documents by accessing a Netgear router with misconfigured FTP login credentials. When the team corresponded with the hacker to confirm the source of hacked drone documents, the attacker disclosed that he also had access to footage from a MQ-1 Predator drone.
Here’s how he did it
Insikt Group notes that it is “incredibly rare” for hackers to sell military secrets on open marketplaces.
A few folks have reported a new ransomware technique that preys upon corporate inability to keep passwords safe. The notes – which are usually aimed at instilling fear – are simple: the hacker says “I know that your password is X. Give me a bitcoin and I won’t blackmail you.”
This is cool. A Bitcoin ransom using what I think are passwords from a big leak. Pretty neat, since people would be legit scared when they see their password. The concealed part is actually an old password.
To be clear there is very little possibility that anyone has video of you cranking it unless, of course, you video yourself cranking it. Further, this is almost always a scam. That said, the fact that the hackers are able to supply your real passwords – most probably gleaned from the multiple corporate break-ins that have happened over the past few years – is a clever change to the traditional cyber-blackmail methodology.
Luckily, the hackers don’t have current passwords.
The Ukrainian Secret Service (SBU) said today it stopped a cyber-attack with the VPNFilter malware on a chlorine distillation plant in the village of Aulska, in the Dnipropetrovsk region.
As Mister Trump and his wife greeted the Queen of England, a reporter on a hot mic broke the embargo that the U.S. is indicting 12 Russian military officers with attacks on the 2016 U.S. Presidential elections, and that Guccifer 2.0 and DC LEAKS were Russian intelligence missions.
“Both were created and controlled by Russia’s GRU,”
Related comments from page:
Aric Toler (@AricToler):
Most of the breaking news breathlessly reported in the U.S. press on Russian hacking or troll factory activities were uncovered years ago by independent Russian journalists; reading their work is like having spoilers for American news months in advance
Washington (CNN) The Justice Department announced indictments against 12 Russian nationals as part of special counsel Robert Mueller’s investigation of Russian interference in the 2016 election, accusing them of engaging in a “sustained effort” to hack Democrats’ emails and computer networks.
The revelations provide more detail on the sophisticated assault on the US election in 2016, including the release of emails designed to damage Democratic presidential candidate Hillary Clinton.
Trump is due to meet Russian President Vladimir Putin — who has denied election meddling — in Helsinki on Monday.
The Justice Department says the hacking targeted Clinton’s campaign, Democratic National Committee and the Democratic Congressional Campaign Committee, with the intention to “release that information on the internet under the names DCLeaks and Guccifer 2.0 and through another entity.”
“The Russians are nailed. No Americans are involved. Time for Mueller to end this pursuit of the President and say President Trump is completely innocent,”
In a paper entitled Internet Filtering and Adolescent Exposure to Online Sexual Material, Oxford Internet Institute researchers Victoria Nash and Andrew Przybylski found that Internet filters rarely work to keep adolescents away from online porn.
“It’s important to consider the efficacy of Internet filtering,” said Dr. Nash. “Internet filtering tools are expensive to develop and maintain, and can easily ‘underblock’ due to the constant development of new ways of sharing content. Additionally, there are concerns about human rights violations – filtering can lead to ‘overblocking’, where young people are not able to access legitimate health and relationship information.”
This research follows the controversial news that the UK government was exploring a country-wide porn filter.
The study’s most interesting finding was that between 17 and 77 households “would need to use Internet filtering tools in order to prevent a single young person from accessing sexual content” and even then a filter “showed no statistically or practically significant protective effects.”
The alleged hackers paid for their nefarious deeds with bitcoin and other cryptocurrencies.
It is perhaps the most popular and realistic argument against cryptocurrency that it enables anonymous transactions globally and at scale, no exception made for Russian intelligence or ISIS. So the news that a prominent and controversial technology was used to fund state-sponsored cyber attacks will not be passed over by its critics.
You can expect bluster on cable news and some sharp words from lawmakers, who will also probably issue some kind of public denouncement of cryptocurrencies and call for more stringent regulation. It’s only natural: their constituencies will hear that Russians are using bitcoin to hack the election systems and take it at face value. They have to say something.
But this knee-jerk criticism is misguided and hypocritical for several reasons.
The process of laundering, after all, becomes rather difficult when there is an immutable, peer-maintained record of every penny being pushed around.
So although bitcoin has its shady side, it’s far from perfect secrecy.
It doesn’t provide much in the way of new capabilities for those who wish to keep their activities online secret.
“This is definitely not something you want to discover on a Russian underground RDP shop,” warn researchers.
Cyber criminals are offering remote access to IT systems for just $10 via a dark web hacking store — potentially enabling attackers to steal information, disrupt systems, deploy ransomware and more.
The sale of backdoor access to compromised systems was uncovered by researchers at security company McAfee Labs looking into the sale of remote desktop protocol (RDP) access to hacked machines on underground forums — some of which are selling access to tens of thousands of compromised systems.
Systems advertised for sale on the forum range from Windows XP through to Windows 10, with access to Windows 2008 and 2012 Server most common. The store owners also offer tips for how those using the illicit logins can remain undetected.
Technology companies have a privacy problem. They’re terribly good at invading ours and terribly negligent at protecting their own.
And with the push by technologists to map, identify and index our physical as well as virtual presence with biometrics like face and fingerprint scanning, the increasing digital surveillance of our physical world is causing some of the companies that stand to benefit the most to call out to government to provide some guidelines on how they can use the incredibly powerful tools they’ve created.
IoT devices frequently have little or no protection. Even if they are quite uninteresting for attack scenarios such as ransomware, the security issues in connection with smart devices remain an explosive topic. The devices are relatively easy to manipulate so that users can be spied on or information stolen.
So how big is the IoT security market really? According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year. By 2021, compliance is to become the most important factor influencing the growth of IoT security. Cyberattacks on the Internet of Things (IoT) are already a reality.
Gartner predicts that global spending on IoT security will amount to $1.5 billion in 2018. This would mean a growth of 28 percent compared to 2017 ($1.2 billion).
Internet filtering tools, like parental controls, are largely unsuccessful in preventing young people from watching porn online, according to new research from the Oxford Internet Institute.
It comes after the UK government announced earlier this year they were exploring options to filter and block online porn, joining a handful of countries around the world who censor certain online material. Nash says filtering can “overblock” young people who might be trying to access health and relationship information, leading to concerns about human rights violations.
from nearly 20,000 boys and girls aged 11 to 16 who were asked whether they had looked at porn on their home computers. Almost half of the participants had some sort of filter applied at home, but still saw about the same amount of porn as those who didn’t. Furthermore, “filtering tools are ineffective and in most cases were an insignificant factor in whether young people had seen explicit sexual content.”
filter “showed no statistically or practically significant protective effects.”
If a kid is going to look at porn, they’re going to find a way around parental controls, which the researchers note are also expensive.
resources would be better spent trying to “develop the resilience of teenagers to such experiences.”
“We hope this leads to a re-think in effectiveness targets for new technologies, before they are rolled out to the population,”
Russia hosted the World Cup from 14 June to 15 July 2018.
President Putin confirmed 25 million cyber-attacks during the World Cup.
There is no lead as to where these cyber attacks came from.
About 25 million cyber attacks and other criminal influences on Russian information related in one way or another to the FIFA World Cup were neutralized during the tournament, said Putin.
Putin proposes a joint cybersecurity group with the US to investigate Russian election meddling
Taylor Hatmaker (@tayhatmaker)
President Trump And President Putin Hold A Joint Press Conference After Summit
Over the course of Monday’s controversial Helsinki summit, Russian President Vladimir Putin pushed an agenda that would ostensibly see the U.S. and Russia working side by side as allies. The two countries make stranger bedfellows than ever as just days prior, Trump’s own Department of Justice indicted 12 Russian intelligence officials for the infamous 2016 Democratic National Committee hack.
Nonetheless, the Russian president revived talks of a joint group between the U.S. and Russia dedicated to cybersecurity matters. For anyone with the security interests of the U.S. at heart, such a proposal, which Trump endorsed in a tweet one year ago, would truly be a worst-case scenario outcome of the puzzlingly cozy relationship between the two world leaders.
The porn extortion scam works like this: you get an email from a stranger claiming that he hacked your computer and recorded video of you masturbating to pornography, which he’ll release unless you send him some cryptocurrency.
It’s not a very convincing pitch, lacking any evidence that the scammer is telling the truth.
But thanks to the massive databases of leaked passwords circulating online after massive, multi-million-user breaches, the extortionists behind these scams have an extremely effective convincer: your passwords.
The new version of this scam, first spotted in the wild last week, has your stolen username and password (from some breached service) in the subject line and opens with this: “It seems that, (password), is your password. You may not know me and you are probably wondering why you are getting this e mail, right?”
In the week since this tactic was first observed, the scammer who pioneered it has made $50,000.
Speaking at the Aspen Security Forum today, Microsoft said it already blocked the first attempts of a Russian threat actor at hacking into the campaigns of three congressional candidates participating in the 2018 midterm elections.
“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,”
“We took down that domain,”
Hacking scale not comparable to 2016 elections
“I would say that the consensus of the threat intelligence community right now is [that] we’re not seeing the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when looking back on the 2016 elections,”
A vacuum vulnerability could mean your Roomba knockoff is hoovering up surveillance
Taylor Hatmaker (@tayhatmaker)
Yet again we are reminded that the mild conveniences of the smart home are all well and good, right up until someone decides to turn one of those Wi-Fi-connected things you invited in against you.
But you probably didn’t think it was going to be the vacuum, did you?
Two researchers with enterprise security company Positive Technologies discovered vulnerabilities affecting the Dongguan Diqee 360 line of robotic vacuum cleaners and have shared details of the security flaw. The vacuum cleaners, manufactured by Chinese smart home manufacturer Diqee, are equipped with Wi-Fi and a 360-degree camera for a mode known as “dynamic monitoring” that turns the machine into a home surveillance device. The camera is probably what you need to be worried about.
The remote code execution vulnerability, tracked as CVE-2018-10987, can give an attacker who obtains the device’s MAC address system admin privileges.
UK government panel issues inconclusive Huawei security report
Brian Heater (@bheater)
Huawei’s had a rough go of it here in the States, after concerns around ties to the Chinese government have left the company scrambling to gain a commercial toehold. Over the past several years, top U.K. security officials have also put the company under the microscope over potential security concerns.
A new report issued by a government panel with the straightforward name “Huawei Cyber Security Evaluation Centre” this week presents some fairly inconclusive findings.
“Identification of shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management,” the report notes.
Each record contains a voter’s name, address, and “calculated” political affiliation.
Another cache of US voter data has leaked.
A Virginia-based political campaign and robocalling company, which claims it can “reach thousands of voters instantly,” left a huge batch of files containing hundreds of thousands of voter records on a public and exposed Amazon S3 bucket that anyone could access without a password.
The bucket contained close to 2,600 files, including spreadsheets and audio recordings, for several US political campaigns.
194 Comments
Tomi Engdahl says:
Foeke Postma / bellingcat:
Analysis: fitness tracking website Polar Flow exposed info like names and home addresses of ~6500 military, FBI, NSA, and other staffers at 200+ sensitive sites
After Strava, Polar is Revealing the Homes of Soldiers and Spies
https://www.bellingcat.com/resources/articles/2018/07/08/strava-polar-revealing-homes-soldiers-spies/
Polar, a fitness app, is revealing the homes and lives of people exercising in secretive locations, such as intelligence agencies, military bases and airfields, nuclear weapons storage sites, and embassies around the world, a joint investigation of Bellingcat and Dutch journalism platform De Correspondent reveals.
In January Nathan Ruser discovered that the fitness app Strava revealed sensitive locations throughout the world as it tracked and published the exercises of individuals, including soldiers at secret (or, “secret”) military outposts. The discovery of those military sites made headlines globally, but Polar, which can feed into the Strava app, is revealing even more.
The manufacturing company known for making the world’s first wireless heart-rate monitor uses its site ‘Polar Flow’ as a social platform where users can share their runs.
By showing all the sessions of an individual combined onto a single map, Polar is not only revealing the heart rates, routes, dates, time, duration, and pace of exercises carried out by individuals at military sites, but also revealing the same information from what are likely their homes as well. Tracing all of this information is very simple through the site: find a military base, select an exercise published there to identify the attached profile, and see where else this person has exercised.
Users often use their full names in their profiles, accompanied by a profile picture — even if they did not connect their Facebook profile to their Polar account.
Polar is not the only app doing this, but the difference between it and other popular fitness platforms, such as Strava or Garmin, is that these other sites require you to navigate to a specific person to view separate instances of his or her sessions
you only need to navigate to an interesting site, select one of the profiles exercising there, and you can get a full history of that individual.
With only a few clicks, a high-ranking officer of an airbase known to host nuclear weapons can be found jogging across the compound in the morning.
We can find Western military personnel in Afghanistan through the Polar site. Cross-checking one name and profile picture with social media confirmed one soldier or officer’s identity.
We were able to scrape Polar’s site (another security flaw) for individuals exercising at 200+ of such sensitive sites, and we gathered a list of nearly 6,500 unique users.
The risk from Polar’s open data set also poses a risk to civilians
On registering your account, Polar asks you to provide a name, location, height, weight, date of birth, gender and the amount of training per week.
As with most open sources, Polar’s platform has its limitations. The Polar data relies on GPS, which can be inaccurate and spoofed.
The data tends to be accurate enough to tell when users are on the street, or on the property of a particular house.
The U.S. military has already reviewed its rules for fitness trackers, and it is likely other countries will have done so too.
Fitness devices and apps are just one more area where people need to be aware of what kind of data they are sharing, particularly as they strongly rely on sensitive data such as location and health-metrics.
Tomi Engdahl says:
German Hosting Firm DomainFactory Hacked
https://www.securityweek.com/german-hosting-firm-domainfactory-hacked
DomainFactory, a Germany-based web hosting services provider of GoDaddy-owned Host Europe Group, informed customers late last week that their personal and financial information was exposed after a hacker gained access to some of its systems.
According to DomainFactory, one of the largest hosting firms in Germany, the breach occurred in late January, but the company only learned of the incident on July 3 after the hacker started disclosing samples of the stolen information on the DomainFactory forum.
The hack is still being investigated, but the attacker appears to have gained access to data such as customer name, company name, customer number, address, email address, phone number, DomainFactory phone password, date of birth, and bank name and account number.
The company says it has secured the point of entry used by the hacker, but has warned customers that the compromised information may be misused for financial fraud and other types of attacks.
Tomi Engdahl says:
Timehop Data Breach Hits 21 Million Users
https://www.securityweek.com/timehop-data-breach-hits-21-million-users
Timehop informed users late last week that hackers gained unauthorized access to some of its systems as part of an attack that impacts roughly 21 million accounts.
New York-based Timehop has created an application that shows users the photos, videos and posts they shared on the current day in previous years on Facebook, Instagram, Twitter and other websites. The app also allows users to share these memories with their friends.
According to Timehop, the attacker accessed a database storing usernames, phone numbers, email addresses and social media access tokens.
Tomi Engdahl says:
Fitness App Revealed Data on Military, Intelligence Personnel
https://www.securityweek.com/fitness-app-revealed-data-military-intelligence-personnel
Mobile fitness app Polar has suspended its location tracking feature after security researchers found it had revealed sensitive data on military and intelligence personnel from 69 countries.
Tomi Engdahl says:
Hackers Using Stolen D-Link Certificates for Malware Signing
https://www.securityweek.com/hackers-using-stolen-d-link-certificates-malware-signing
A cyber-espionage group is abusing code-signing certificates stolen from Taiwan-based companies for the distribution of their backdoor, ESET reports.
The group, referred to as BlackTech, appears highly skilled and focused on the East Asia region, particularly Taiwan. The certificates, stolen from D-Link and security company Changing Information Technology Inc., have been used to sign the Plead backdoor, ESET’s security researchers say.
Evidence of the fact that the D-Link certificate was stolen comes from the fact that it was used to sign non-malicious D-Link software, not only the Plead malware, ESET explains.
After being informed on the misuse of its certificate, D-Link revoked it, along with a second certificate, on July 3. In an advisory, the company said that most of its customers should not be affected by the revocation.
“D-Link was victimized by a highly active cyber espionage group which has been using PLEAD Malware to steal confidential information from companies and organizations based in East Asia, particularly in Taiwan, Japan, and Hong Kong,” the company said.
Certificates stolen from Taiwanese tech-companies misused in Plead malware campaign
https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/
D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan
Tomi Engdahl says:
Two More Traders Convicted in Newswire Hacking Scheme
https://www.securityweek.com/two-more-traders-convicted-newswire-hacking-scheme
Two more individuals, a hedge fund manager and a securities trader, have been convicted by a U.S. court for their role in a $30 million scheme that involved hacking major newswire companies.
The scheme involved Ukraine-based hackers breaking into the systems of Marketwired, PR Newswire and Business Wire between February 2010 and August 2015, and stealing as many as 150,000 press releases. The hackers sent the stolen press releases containing nonpublic financial information to several traders who quickly monetized it.
Korchevsky and Khalupsky are said to have traded based on nonpublic press releases issued by hundreds of companies, including Align Technology, CA Technologies, Caterpillar, HP, Home Depot, Panera Bread, and Verisign.
According to authorities, Korchevsky made more than $15 million over the course of the scheme
nine individuals accused of making $30 million through the newswire hacking scheme
Tomi Engdahl says:
https://www.uusiteknologia.fi/2018/07/10/liikuteltavat-virve-tukiasemat-apuun-putin-ja-trump-tulevat/
Tomi Engdahl says:
HNS Evolves From IoT to Cross-Platform Botnet
https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/
A botnet discovered at the start of the year and named Hide ‘N Seek (HNS) has expanded from infecting Internet of Things (IoT) devices and is now also targeting cross-platform database solutions as well.
This is an important development in the botnet’s evolution, which also passed a significant milestone in May when it became the first IoT malware that was capable of surviving device reboots.
Tomi Engdahl says:
Protecting against the latest LTE network attacks
https://blogs.cisco.com/security/protecting-against-the-latest-lte-network-attacks
Recently, researchers have uncovered new attacks against the Long-Term Evolution (LTE) network protocol. LTE, a type of 4G network, is a mobile communications standard used by billions of devices around the world.
Security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi discovered three new attacks against LTE technology. The first two are passive attacks — identity mapping and website fingerprinting. These allow the attacker to listen in on not only the destinations that are visited from the target’s mobile device, but also on what data is passing over the network. The third is an active domain name system (DNS) redirect attack, referred to as “aLTEr” by the research team.
How does the attack work?
This attack works by taking advantage of a design flaw within the LTE network — the data link layer (or layer 2) of the LTE network is encrypted with AES-CTR but it is not integrity-protected. This means an attacker can modify the bits even within an encrypted data packet, which later decrypts to a related plaintext. As a result, the attacker is posing as a cell tower to the victim, while pretending to be a subscriber to the real network.
These types of attacks are not only limited to LTE networks. 5G networks may also be vulnerable to these attacks in the future
How can you protect against these types of attacks?
The best way to protect against DNS spoofing attacks is to encrypt DNS queries, and only use trusted DNS resolvers.
The Cisco Security Connector app protects users from connecting to malicious destinations in the first place. It leverages security intelligence to first classify the requested domain, and then determines if the request should be allowed — for safe destinations, or blocked — for malicious destinations.
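The design flaw the Cisco post describes (layer-2 data encrypted with AES-CTR but not integrity-protected) is easy to demonstrate. The block below is an added example, not code from the post or from the aLTEr researchers. It builds a CTR keystream from HMAC-SHA256 as a stand-in for AES (the malleability comes from CTR mode itself, where ciphertext is plaintext XOR keystream, so the block function does not matter for the point), constructs a toy packet with a destination-address field, shows that the field can be rewritten in the ciphertext without the key, and then shows the same modification being rejected once an encrypt-then-MAC tag is added. The packet layout, the field names and the addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import os


# CTR mode built on HMAC-SHA256 as the keystream block function. This stands in
# for AES-CTR (AES is not in the standard library); the property shown below
# belongs to CTR mode, not to the block cipher, so the stand-in is faithful.
def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypts and decrypts: XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, ctr_keystream(key, nonce, len(data))))


def xor_at(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability of unauthenticated CTR: XORing the ciphertext with
    old ^ new at a known offset makes that plaintext span decrypt to `new`.
    No key material is involved."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


# Constructed stand-in for a user-plane packet: a fixed prefix, a 4-byte
# destination-address field (the DNS resolver in the aLTEr scenario), then data.
PREFIX = b"dst="
RESOLVER = bytes([8, 8, 8, 8])
ROGUE = bytes([10, 0, 0, 1])          # constructed address of a hostile resolver
PACKET = PREFIX + RESOLVER + b" dns-query: example.com"
OFFSET = len(PREFIX)


def demo_unprotected() -> bytes:
    """Encrypt without integrity protection, modify the destination field in
    the ciphertext, decrypt: the receiver sees the redirected address."""
    key, nonce = os.urandom(32), os.urandom(16)
    ct = ctr_xor(key, nonce, PACKET)
    tampered = xor_at(ct, OFFSET, RESOLVER, ROGUE)
    return ctr_xor(key, nonce, tampered)


def seal(key_enc: bytes, key_mac: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the integrity protection the layer-2 design lacks."""
    ct = ctr_xor(key_enc, nonce, plaintext)
    tag = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def unseal(key_enc: bytes, key_mac: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    expected = hmac.new(key_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: ciphertext was modified")
    return ctr_xor(key_enc, nonce, ct)


def demo_protected() -> bool:
    """Same modification against the authenticated packet; True if rejected."""
    key_enc, key_mac, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    ct, tag = seal(key_enc, key_mac, nonce, PACKET)
    tampered = xor_at(ct, OFFSET, RESOLVER, ROGUE)
    try:
        unseal(key_enc, key_mac, nonce, tampered, tag)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unprotected, after tampering:", demo_unprotected())
    print("tampering detected with MAC:", demo_protected())
```

The point a practitioner should take from this is that confidentiality alone does not stop an on-path party from steering traffic; a MAC or an AEAD mode over the packet (and, at the application layer, encrypted DNS to a resolver you trust, as the post recommends) is what turns the bit flip into a dropped packet instead of a redirect.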
Tomi Engdahl says:
Using AutorunsToWinEventLog
https://isc.sans.edu/diary/rss/23840
“Autoruns conveniently includes a non-interactive command line utility. This code generates a CSV of Autoruns entries, converts them to JSON, and finally inserts them into a custom Windows Event Log. By doing this, we can take advantage of our existing WEF infrastructure to get these entries into our SIEM and start looking for signs of malicious persistence on endpoints and servers.”
https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog
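As an added illustration of the CSV-to-JSON step described in the quote above (this is not the Palantir project's own code, which is a PowerShell tool; it is a stand-alone Python sketch written for this page), the block below parses a constructed sample in the layout of Autoruns' CSV export, turns each entry into a JSON event of the kind a log shipper would forward to a SIEM, and attaches the flags a hunter looks at first when searching for persistence: an unverified signer, an image launched from a user-writable directory, and missing publisher metadata. The column names follow Autoruns' CSV export as I know it and the three sample rows are constructed; treat both as assumptions to check against your own export.

```python
import csv
import io
import json

# Constructed sample in the layout of Autoruns' CSV export. The header is an
# assumption based on the tool's "-c" output; verify against your version.
SAMPLE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
2018-07-10 08:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.17134.1,%windir%\system32\SecurityHealthSystray.exe
2018-07-10 08:00,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,HOST\alice,,(Not verified) Example Corp,,c:\users\alice\appdata\roaming\updater.exe,,C:\Users\alice\AppData\Roaming\updater.exe -silent
2018-07-10 08:00,Task Scheduler,\Maintenance\Sync,enabled,Scheduled Tasks,System-wide,,,,c:\programdata\sync\sync.exe,,c:\programdata\sync\sync.exe
"""

# Directory fragments an ordinary user can write to. Persistence that launches
# an image from one of these is not necessarily malicious, but it is where
# dropped binaries usually live, so it is flagged for review.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def autoruns_csv_to_records(text: str) -> list:
    """Parse the CSV export into one dict per autorun entry (header -> value)."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text))]


def suspicious_reasons(rec: dict) -> list:
    """Return the review reasons that apply to one entry (empty list = clean)."""
    reasons = []
    # Autoruns prefixes a validated Authenticode signature with "(Verified)".
    if not rec.get("Signer", "").startswith("(Verified)"):
        reasons.append("signer not verified")
    path = rec.get("Image Path", "").lower()
    if any(frag in path for frag in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if not rec.get("Description") and not rec.get("Company"):
        reasons.append("no description or company metadata")
    return reasons


def to_json_events(text: str) -> list:
    """One JSON document per entry, with a Flags list, ready for an event-log
    or SIEM shipper that accepts a JSON payload."""
    events = []
    for rec in autoruns_csv_to_records(text):
        rec["Flags"] = suspicious_reasons(rec)
        events.append(json.dumps(rec, sort_keys=True))
    return events


def flagged_entries(text: str) -> list:
    """Entry names that carry at least one review flag."""
    return [json.loads(e)["Entry"] for e in to_json_events(text) if json.loads(e)["Flags"]]


if __name__ == "__main__":
    for event in to_json_events(SAMPLE_CSV):
        print(event)
    print("needs review:", flagged_entries(SAMPLE_CSV))
```

The flags are deliberately coarse: on a real fleet the useful signal comes from diffing these events against the previous run per host and from prevalence across hosts (an unsigned Run key present on one machine out of a thousand is worth a ticket), which is exactly what shipping the entries into the SIEM makes possible.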
Tomi Engdahl says:
You Can Bypass Authentication on HPE iLO4 Servers With 29 “A” Characters
https://www.bleepingcomputer.com/news/security/you-can-bypass-authentication-on-hpe-ilo4-servers-with-29-a-characters/
Details and public exploit code have been published online for a severe vulnerability affecting Hewlett Packard Integrated Lights-Out 4 (HP iLO 4) servers.
HP iLO devices are extremely popular among small and large enterprises alike. iLO cards can be embedded in regular computers. They have a separate Ethernet network connection and run a proprietary embedded server management technology that provides out-of-band management features, allowing sysadmins to manage computers from afar.
iLO cards allow sysadmins to install firmware remotely, reset servers, provide access to a remote console, read logs, and more.
A vulnerability in iLO cards can be used to break into many companies’ networks and possibly gain access to highly sensitive or proprietary information.
Stupid-simple exploit found in HP iLO4 servers
The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware.
Vulnerability patched last year
But iLO server owners don’t need to panic. The security research team discovered this vulnerability way back in February 2017 and notified HP with the help of the CERT division at Airbus.
HP released patches for CVE-2017-12542 in August last year, in iLO 4 firmware version 2.54. System administrators who are in the habit of regularly patching servers have most likely been protected against this bug for months.
PoCs available online
In the past few months, the research team has been presenting their findings at security conferences, such as ReCon Brussels and SSTIC 2018.
The SSTIC 2018 talk is available here, although the team presented their findings in French. Slides and an in-depth research paper (in English) are also available.
Backdooring your server through its BMC: the HPE iLO4 case — Alexandre Gazet, Fabien Perigaud, Joffrey Czarny
https://www.sstic.org/2018/presentation/backdooring_your_server_through_its_bmc_the_hpe_ilo4_case/
Tomi Engdahl says:
Attackers could use heat traces left on keyboard to steal passwords
https://www.welivesecurity.com/2018/07/06/thermanator-attackers-heat-keyboard-password/
The attack, called “Thermanator”, could use your body heat against you in order to steal your credentials or any other short string of text that you have typed on a computer keyboard.
A team of academics from the University of California, Irvine (UCI), have presented a type of attack that could enable a malefactor to retrieve sensitive information you entered via your keyboard – possibly up to a minute after you typed it.
The researchers had 30 users enter 10 different passwords, both strong and weak, on four common external keyboards. Using a thermal imaging camera, the researchers then scanned the residual heat left on the recently-pressed keys. In the second stage, they enlisted the help of eight non-experts in the field who, acting as “adversaries”, were asked to derive the set of pressed keys from the thermal imaging data – which they reliably did.
Long story short, the subjects successfully retrieved entire sets of key-presses that were captured by the camera as late as 30 seconds after the first key was entered. In addition, recovery of a partial set of key-presses was possible one minute after the first key was pressed.
“If you type your password and walk or step away, someone can learn a lot about it after-the-fact,” said one of the paper’s authors, Gene Tsudik.
A study back in 2011 showed that PIN codes entered on cash machines can also be recovered by analyzing the residual heat left behind on the keypads.
ICS Researchers Introduce Thermanator, Revealing a New Threat to Using Keyboards to Enter Passwords and Other Sensitive Information
https://www.cs.uci.edu/ics-researchers-introduce-thermanator-revealing-a-new-threat-to-using-keyboards-to-enter-passwords-and-other-sensitive-information/
Tomi Engdahl says:
An Invasive Spyware Attack on Military Mobile Devices
https://blog.checkpoint.com/2018/07/05/an-invasive-spyware-attack-on-military-mobile-devices/
Earlier this week, Israeli security agencies announced that the Hamas terrorist organization had installed spyware on Israeli soldiers’ smartphones in its latest attempt to collect information on its long time enemy. About 100 people fell victim to the attack that came in the form of fake World Cup and online dating apps that had been uploaded to the Google Play Store, the official app store of Google.
Tomi Engdahl says:
https://www.longplay.fi/sivu%C3%A4%C3%A4net/suomalainen-fitness-sovellus-paljastanut-satojen-sotilaiden-liikkeita
Tomi Engdahl says:
After Strava, Polar is Revealing the Homes of Soldiers and Spies
https://www.bellingcat.com/resources/articles/2018/07/08/strava-polar-revealing-homes-soldiers-spies/
Tomi Engdahl says:
New Smoke Loader Attack Targets Multiple Credentials
https://www.securityweek.com/new-smoke-loader-attack-targets-multiple-credentials
A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.
The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.
Tomi Engdahl says:
Google Fixes Critical Android Vulnerabilities
https://www.securityweek.com/google-fixes-critical-android-vulnerabilities
Google this week released its July 2018 set of Android patches to address tens of vulnerabilities in the mobile operating system, including several rated as Critical.
The Internet giant addressed 11 vulnerabilities as part of the 2018-07-01 security patch level, including three rated Critical and eight rated High risk. The issues impact framework, media framework, and system.
“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in an advisory.
Affected operating system versions include Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.
A total of 32 flaws were addressed as part of the 2018-07-05 security patch level, 8 rated Critical severity and 24 considered High risk.
Android Security Bulletin—July 2018
https://source.android.com/security/bulletin/2018-07-01
Tomi Engdahl says:
NHS Digital Erroneously Reveals Data of 150,000 Patients
https://www.securityweek.com/nhs-digital-erroneously-reveals-data-150000-patients
On Monday July 2, Jackie Doyle-Price, the parliamentary under-secretary of state for health, delivered a written statement to the UK parliament. It explained that 150,000 NHS patients who had specifically opted out of the NHS patient data-sharing regime were in fact not opted out.
“As a result,” says the statement, “these objections were not upheld by NHS Digital in its data disseminations between April 2016, when the NHS Digital process for enabling them to be upheld was introduced, and 26 June 2018. This means that data for these patients has been used in clinical audit and research that helps drive improvements in outcomes for patients.”
NHS Digital is the national information and technology partner to the health and social care system.
On the same day, NHS Digital released its own statement. “We apologize unreservedly for this issue, which has been caused by a coding error by a GP system supplier (TPP) and means that some people’s data preferences have not been upheld when we have disseminated data. The TPP coding error meant that we did not receive these preferences and so have not been able to apply them to our data.”
NHS Digital and TPP statement about type 2 objections error
https://digital.nhs.uk/news-and-events/latest-news/statement-on-type-2-opt-out-error
Tomi Engdahl says:
CipherTrace Unveils Crypto-Currency Anti-Money Laundering Solution
https://www.securityweek.com/ciphertrace-unveils-crypto-currency-anti-money-laundering-solution
Cryptocurrency theft and its use to launder other illegal activity is booming. This has prompted the evolution of a related industry that sits on the borderline of legality (barely legal in some jurisdictions, illegal in others): cryptocurrency money laundering. The laundering of illegally-obtained money may be illegal, but the process used may not be.
Menlo Park, Calif. startup CipherTrace is a firm founded on the need for cryptocurrency anti-money laundering (AML), blockchain forensics and enforcement solutions. It aids law enforcement and financial regulators in their investigations, helps enterprises to deploy real-world cryptocurrency transactional systems within regulations, and offers a bitcoin scam and theft asset recovery service.
https://ciphertrace.com/
Tomi Engdahl says:
As Facial Recognition Use Grows, So Do Privacy Fears
https://www.securityweek.com/facial-recognition-use-grows-so-do-privacy-fears
The unique features of your face can allow you to unlock your new iPhone, access your bank account or even “smile to pay” for some goods and services.
The same technology, using algorithms generated by a facial scan, can allow law enforcement to find a wanted person in a crowd or match the image of someone in police custody to a database of known offenders.
Facial recognition came into play last month when a suspect arrested for a shooting at a newsroom in Annapolis, Maryland, refused to cooperate with police and could not immediately be identified using fingerprints.
Tomi Engdahl says:
Trojan Either Encrypts Files or Mines for Cryptocurrency
https://www.securityweek.com/trojan-either-encrypts-files-or-mines-cryptocurrency
A long established ransomware family recently added the ability to deploy a cryptocurrency miner instead of file encryptor, based on the victim machine’s configuration.
The malware, which Kaspersky Lab detects as Rakhni, was first discovered in 2013 and has received numerous updates ever since. The latest feature added to the threat, however, makes it stand out from the crowd: the malware’s downloader checks the victim system and decides whether to infect it with a cryptor or a miner.
Mainly affecting users in Russia but spread worldwide, the Trojan is being distributed via spam emails with a malicious Word document attached. The file has an embedded PDF document that, once opened, launches a malicious downloader and also displays a fake error message to the victim.
Tomi Engdahl says:
Criminals Don’t Read Instructions or Use Strong Passwords
https://isc.sans.edu/diary/rss/23850
Going over my WebLogic honeypot, I am used to seeing a lot of crypto miners. The honeypot is vulnerable to CVE-2017-10271. I have written before about the various crypto miners.
But this weekend, I finally spotted something a bit different. The attacker installed a backdoor which so far is not recognized by any antivirus tool according to VirusTotal.
This binary establishes a connection to the attacker for remote control protected by a trivial default password. Note to the attacker: if the password is “replace with your password”, do it!
The malicious file was uploaded and executed via a well known WebLogic vulnerability.
Tomi Engdahl says:
Security Firm Sued for Failing to Detect Malware That Caused a 2009 Breach
https://www.bleepingcomputer.com/news/security/security-firm-sued-for-failing-to-detect-malware-that-caused-a-2009-breach/
Two insurance companies are suing a cyber-security firm to recover insurance fees paid to a customer after the security firm failed to detect malware on the client’s network for months, an issue that led to one of the biggest security breaches of the 2000s. The security firm says the lawsuit is meritless.
The two insurance firms are Lexington Insurance Company and Beazley Insurance Company, and both insured Heartland Payment Systems, a leading payment processing company.
Lawsuit related to 2009 Heartland mega breach
In January 2009, Heartland announced a major security breach of its network, following which an attacker stole details for over 100 million payment cards stored on its systems by over 650 of Heartland’s customers.
Following this devastating hack and one of the biggest of the 2000s, Heartland paid over $148 million in settlement fees for various lawsuits, and other remediation costs and expenses Heartland owed its customers.
Lawsuit claims Trustwave failed to detect intrusion
The two insurance firms claim that Chicago-based Trustwave Holdings, Inc. —the security firm— had failed to detect that an attacker used an SQL injection attack to breach Heartland’s systems on July 24, 2007.
Furthermore, the two say Trustwave also failed to detect that attackers installed malware on the payments processor’s servers on May 14, 2008, and did not raise a sign of alarm about the event.
The lawsuit also mentions that in the aftermath of the hack, Visa conducted a review of Heartland’s servers and found that Trustwave incorrectly certified Heartland as PCI DSS compliant.
The lawsuit claims that Visa discovered that Trustwave ignored the fact that Heartland didn’t run a firewall, was using vendor-supplied passwords, didn’t have sufficient protection for the storage system used for card data, failed to assign unique identification to each person accessing its system, and had failed to monitor servers and cardholder data at regular intervals.
All of these are PCI DSS compliance rules, and Visa said that despite all the problems on Heartland’s network, Trustwave provided PCI DSS attestation.
Trustwave denies fault, says it’s an old story
But in a statement to Bleeping Computer, Trustwave says the lawsuit is meritless.
This is the third time Trustwave is on the receiving end of such a lawsuit.
Tomi Engdahl says:
Vengeful hacker exposes DomainFactory customer banking data and passwords
https://hotforsecurity.bitdefender.com/blog/vengeful-hacker-exposes-domainfactory-customer-banking-data-and-passwords-20094.html
A German web-hosting firm has suffered a severe data breach because one of its customers reportedly owed money to the attacker. The company only learned of the breach when the hacker announced it himself, on its support forum.
On Jan. 29, the attacker compromised customer names, company names, various addresses, telephone numbers, DomainFactory passwords, dates of birth, bank names and account numbers, and Schufa scores (German credit score).
However, the company and its customers only learned of the breach six months later, on July 3.
The reason behind the attack, according to German news outlet Heise Online, was to obtain the credentials of a customer who owed the attacker money. When he noticed that DomainFactory was reluctant to acknowledge the breach, he decided to make it public.
DomainFactory’s explanation, however, differs a bit.
Tomi Engdahl says:
https://www.tivi.fi/CIO/suuryritysten-toimitusjohtajat-vakavina-kyberiskut-eivat-ole-enaa-jos-vaan-kun-6732070?utm_source=Facebook&utm_medium=Social&utm_campaign=TV_NA_07&utm_content=Ad+-+Post%3A+%2FTivi%2Fposts%2F10155596690642267
Tomi Engdahl says:
Another data-leaking Spectre CPU flaw among Intel’s dirty dozen of security bug alerts today
https://www.theregister.co.uk/2018/07/10/intel_security_spectre_advisories/
Chipzilla preps for quarterly public patch updates
Exclusive: Intel will today emit a dozen security alerts for its products – including details of another data-leaking vulnerability within the family of Spectre CPU flaws.
Rather than drop surprise alerts onto its security advisory page at irregular intervals, Intel hopes to gradually adopt a routine similar to Microsoft’s monthly Patch Tuesday, albeit once every three months.
Urgent security updates will be pushed out in between these quarterly batches.
From what we understand, Intel hopes to give folks – from IT administrators to ordinary netizens – time and notice to plan for installing security updates at regular-ish intervals, rather than relying on them to look out for sporadic patches.
Speculative execution continues to haunt
The new Spectre-class side-channel vulnerability in Intel’s processors, to be disclosed today, can be exploited in a bounds-check bypass store attack.
Function pointers and return addresses are overwritten in the attack, allowing the malicious code to change the CPU’s course and infer the contents of memory that should be out of reach.
The good news is that software mitigations available today for Spectre variant 1 will thwart bounds-check bypass store attacks. Thus, web browsers and other applications employing anti-Spectre mechanisms should be safe.
For programmers and compiler writers, this means slipping LFENCE instructions into code, before it reads from memory,
The other good news is that there is little or no malware known to be circulating in the wild exploiting Spectre vulnerabilities.
Instead, Spectre, for now, remains a fascinating insight into the world of CPU design, where engineers across the industry trade off a little security for a little more performance.
Tomi Engdahl says:
California malls are sharing license plate tracking data with ICE
https://techcrunch.com/2018/07/10/alpr-license-plate-recognition-ice-irvine-company/?sr_share=facebook&utm_source=tcfbpage
A chain of California shopping centers is sharing its license plate reader data with a well-known U.S. Immigration and Customs Enforcement (ICE) contractor, giving that agency the ability to track license plate numbers it captures in near real-time.
Tomi Engdahl says:
Racketeers Sending Fake Blackmail Emails Demanding Bitcoin Ransom
https://darkwebnews.com/bitcoin/fake-email-bitcoin-ransom/
For every real criminal out there, there will always be a phony riding on the coattails of his success.
A number of people have already been bombarded with fake threat emails demanding an amount in Bitcoin, failing which, they are told, there will be grave consequences. The racketeers take blackmail letter examples from the internet and modify them before sending them out.
These racketeers are banking on panic and rash decision-making to keep their businesses thriving and Bitcoin flowing.
The fake threat emails are poorly written and sent en masse
Fake ransomware racketeering is on the rise.
The emails demanding Bitcoin are usually authored in poor English and often contain threats to leak private information if the Bitcoin ransom is not paid.
Tomi Engdahl says:
US Air Force drone documents found for sale on the dark web for $200
https://techcrunch.com/2018/07/11/reaper-drone-dark-web-air-force-hack/?utm_source=tcfbpage&sr_share=facebook
You never quite know what you’ll find on the dark web. In June, a threat intelligence team known as Insikt Group at security research firm Recorded Future discovered the sale of sensitive U.S. military information in the course of monitoring criminal activity on dark web marketplaces.
An English-speaking hacker purported to have documentation on the MQ-9 Reaper unmanned aerial vehicle.
Another set of documents appears to have been stolen from a U.S. Army official or from the Pentagon.
In the course of its investigation, Insikt Group determined that the hacker obtained the documents by accessing a Netgear router with misconfigured FTP login credentials. When the team corresponded with the hacker to confirm the source of the hacked drone documents, the attacker disclosed that he also had access to footage from an MQ-1 Predator drone.
Here’s how he did it
Insikt Group notes that it is “incredibly rare” for hackers to sell military secrets on open marketplaces.
Tomi Engdahl says:
Ransomware technique uses your real passwords to trick you
https://techcrunch.com/2018/07/12/ransomware-technique-uses-your-real-passwords-to-trick-you/?sr_share=facebook&utm_source=tcfbpage
A few folks have reported a new ransomware technique that preys upon corporate inability to keep passwords safe. The notes – which are usually aimed at instilling fear – are simple: the hacker says “I know that your password is X. Give me a bitcoin and I won’t blackmail you.”
This is cool. A Bitcoin ransom using what I think are passwords from a big leak. Pretty neat, since people would be legit scared when they see their password. The concealed part is actually an old password.
To be clear there is very little possibility that anyone has video of you cranking it unless, of course, you video yourself cranking it. Further, this is almost always a scam. That said, the fact that the hackers are able to supply your real passwords – most probably gleaned from the multiple corporate break-ins that have happened over the past few years – is a clever change to the traditional cyber-blackmail methodology.
Luckily, the hackers don’t have current passwords.
Tomi Engdahl says:
https://www.uusiteknologia.fi/2018/07/13/kyberhyokkaykset-pilvipalveluihin-lisaantyneet-katso-uusimmat-trendit/?utm_source=dlvr.it&utm_medium=facebook
Tomi Engdahl says:
Senators Fear Meltdown and Spectre Disclosure Gave China an Edge
https://www.wired.com/story/meltdown-and-spectre-intel-china-disclosure/
Tomi Engdahl says:
Here’s Why You Should Probably Wrap Your Car Keys In Tin Foil
http://www.iflscience.com/technology/heres-why-you-should-probably-wrap-your-car-keys-in-tin-foil/
Tomi Engdahl says:
Ukraine Says It Stopped a VPNFilter Attack on a Chlorine Distillation Station
https://www.bleepingcomputer.com/news/security/ukraine-says-it-stopped-a-vpnfilter-attack-on-a-chlorine-distillation-station/
The Ukrainian Secret Service (SBU) said today it stopped a cyber-attack with the VPNFilter malware on a chlorine distillation plant in the village of Aulska, in the Dnipropetrovsk region.
Tomi Engdahl says:
Mueller indicts 12 Russian military officers for election hacking, says DCLeaks & Guccifer 2.0 were Russia intel
https://boingboing.net/2018/07/13/indictment-friday.html
As Mister Trump and his wife greeted the Queen of England, a reporter on a hot mic broke the embargo that the U.S. is indicting 12 Russian military officers with attacks on the 2016 U.S. Presidential elections, and that Guccifer 2.0 and DC LEAKS were Russian intelligence missions.
“Both were created and controlled by Russia’s GRU,”
Related comment from the page:
Aric Toler (@AricToler):
Most of the breaking news breathlessly reported in the U.S. press on Russian hacking or troll factory activities were uncovered years ago by independent Russian journalists; reading their work is like having spoilers for American news months in advance
Tomi Engdahl says:
12 Russians indicted in Mueller investigation
https://edition.cnn.com/2018/07/13/politics/russia-investigation-indictments/index.html
Washington (CNN): The Justice Department announced indictments against 12 Russian nationals as part of special counsel Robert Mueller’s investigation of Russian interference in the 2016 election, accusing them of engaging in a “sustained effort” to hack Democrats’ emails and computer networks.
The revelations provide more detail on the sophisticated assault on the US election in 2016, including the release of emails designed to damage Democratic presidential candidate Hillary Clinton.
Trump is due to meet Russian President Vladimir Putin — who has denied election meddling — in Helsinki on Monday
The Justice Department says the hacking targeted Clinton’s campaign, Democratic National Committee and the Democratic Congressional Campaign Committee, with the intention to “release that information on the internet under the names DCLeaks and Guccifer 2.0 and through another entity.”
“The Russians are nailed. No Americans are involved. Time for Mueller to end this pursuit of the President and say President Trump is completely innocent,”
Tomi Engdahl says:
Researchers find that filters don’t prevent porn
https://techcrunch.com/2018/07/13/researchers-find-that-filters-dont-prevent-porn/?sr_share=facebook&utm_source=tcfbpage
In a paper entitled Internet Filtering and Adolescent Exposure to Online Sexual Material, Oxford Internet Institute researchers Victoria Nash and Andrew Przybylski found that Internet filters rarely work to keep adolescents away from online porn.
“It’s important to consider the efficacy of Internet filtering,” said Dr. Nash. “Internet filtering tools are expensive to develop and maintain, and can easily ‘underblock’ due to the constant development of new ways of sharing content. Additionally, there are concerns about human rights violations – filtering can lead to ‘overblocking’, where young people are not able to access legitimate health and relationship information.”
This research follows the controversial news that the UK government was exploring a country-wide porn filter
The study’s most interesting finding was that between 17 and 77 households “would need to use Internet filtering tools in order to prevent a single young person from accessing sexual content” and even then a filter “showed no statistically or practically significant protective effects.”
https://www.liebertpub.com/doi/full/10.1089/cyber.2017.0466
Tomi Engdahl says:
Russian hackers used bitcoin to fund election interference, so prepare for FUD
https://techcrunch.com/2018/07/13/russian-hackers-used-bitcoin-to-fund-election-interference-so-prepare-for-fud/?utm_source=tcfbpage&sr_share=facebook
The alleged hackers paid for their nefarious deeds with bitcoin and other cryptocurrencies.
It is perhaps the most popular and realistic argument against cryptocurrency that it enables anonymous transactions globally and at scale, no exception made for Russian intelligence or ISIS. So the news that a prominent and controversial technology was used to fund state-sponsored cyber attacks will not be passed over by its critics.
You can expect bluster on cable news and some sharp words from lawmakers, who will also probably issue some kind of public denouncement of cryptocurrencies and call for more stringent regulation. It’s only natural: their constituencies will hear that Russians are using bitcoin to hack the election systems and take it at face value. They have to say something.
But this knee-jerk criticism is misguided and hypocritical for several reasons.
The process of laundering, after all, becomes rather difficult when there is an immutable, peer-maintained record of every penny being pushed around.
So although bitcoin has its shady side, it’s far from perfect secrecy.
It doesn’t provide much in the way of new capabilities for those who wish to keep secret their activities online.
Tomi Engdahl says:
Hackers are selling backdoors into PCs for just $10
https://www.zdnet.com/article/hackers-are-selling-backdoors-into-pcs-for-just-10/
“This is definitely not something you want to discover on a Russian underground RDP shop,” warn researchers.
Cyber criminals are offering remote access to IT systems for just $10 via a dark web hacking store — potentially enabling attackers to steal information, disrupt systems, deploy ransomware and more.
The sale of backdoor access to compromised systems was uncovered by researchers at security company McAfee Labs looking into the sale of remote desktop protocol (RDP) access to hacked machines on underground forums — some of which are selling access to tens of thousands of compromised systems.
Systems advertised for sale on the forum range from Windows XP through to Windows 10, with access to Windows 2008 and 2012 Server most common. The store owners also offer tips for how those using the illicit logins can remain undetected.
Tomi Engdahl says:
As facial recognition technology becomes pervasive, Microsoft (yes, Microsoft) issues a call for regulation
https://techcrunch.com/2018/07/13/as-facial-recognition-technology-becomes-pervasive-microsoft-yes-microsoft-issues-a-call-for-regulation/?utm_source=tcfbpage&sr_share=facebook
Technology companies have a privacy problem. They’re terribly good at invading ours and terribly negligent at protecting their own.
And with the push by technologists to map, identify and index our physical as well as virtual presence with biometrics like face and fingerprint scanning, the increasing digital surveillance of our physical world is causing some of the companies that stand to benefit the most to call out to government to provide some guidelines on how they can use the incredibly powerful tools they’ve created.
Tomi Engdahl says:
The 1.5 Billion Dollar Market: IoT Security
https://blog.paessler.com/investments-in-iot-security-are-set-to-increase-rapidly-in-2018?utm_source=facebook&utm_medium=cpc&utm_campaign=Burda-Blog-Global&utm_content=1%2C5IOTSecurity&hsa_grp=23842989932620129&hsa_cam=23842989931580129&hsa_net=facebook&hsa_ver=3&hsa_ad=23842989933220129&hsa_src=fb&hsa_acc=2004489912909367
IoT devices are frequently left without any protection at all. Even if they are fairly uninteresting for attack scenarios such as ransomware, the security issues around smart devices remain an explosive topic. The devices are relatively easy to manipulate so that users can be spied on or information stolen.
So how big is the IoT security market really? According to Gartner’s market researchers, global spending on IoT security will increase to $1.5 billion this year. By 2021, compliance is to become the most important factor influencing the growth of IoT security. Cyberattacks on the Internet of Things (IoT) are already a reality
Gartner predicts that global spending on IoT security will amount to $1.5 billion in 2018. This would mean a growth of 28 percent compared to 2017 ($1.2 billion).
Tomi Engdahl says:
We Have Some Bad News For You About Porn
http://www.iflscience.com/technology/the-prevailing-power-of-porn-study-finds-even-our-best-efforts-cant-stop-kids-from-viewing-it/
Internet filtering tools, like parental controls, are largely unsuccessful in preventing young people from watching porn online, according to new research from the Oxford Internet Institute.
It comes after the UK government announced earlier this year they were exploring options to filter and block online porn, joining a handful of countries around the world who censor certain online material. Nash says filtering can “overblock” young people who might be trying to access health and relationship information, leading to concerns about human rights violations.
The findings come from nearly 20,000 boys and girls aged 11 to 16 who were asked whether they had looked at porn on their home computers. Almost half of the participants had some sort of filter applied at home, but still saw about the same amount of porn as those who didn’t. Furthermore, “filtering tools are ineffective and in most cases were an insignificant factor in whether young people had seen explicit sexual content.”
Filters “showed no statistically or practically significant protective effects.”
If a kid is going to look at porn, they’re going to find a way around parental controls, which the researchers note are also expensive.
Resources would be better spent trying to “develop the resilience of teenagers to such experiences.”
“We hope this leads to a re-think in effectiveness targets for new technologies, before they are rolled out to the population,”
Tomi Engdahl says:
Cyber Attack, July 16, 2018
25 Million Cyber Attacks On Russia During FIFA World Cup
https://hackersonlineclub.com/25-million-cyber-attacks-on-russia-during-fifa-world-cup/
Russia hosted the World Cup from 14 June to 15 July 2018.
President Putin confirmed 25 million cyber attacks during the World Cup.
There is no lead on where these cyber attacks came from.
About 25 million cyber attacks and other criminal influences on Russian information resources related in one way or another to the FIFA World Cup were neutralized during the tournament, said Putin.
Tomi Engdahl says:
Putin proposes a joint cybersecurity group with the US to investigate Russian election meddling
https://techcrunch.com/2018/07/16/trump-putin-joint-cybersecurity-group/?sr_share=facebook&utm_source=tcfbpage
Taylor Hatmaker (@tayhatmaker)
Over the course of Monday’s controversial Helsinki summit, Russian President Vladimir Putin pushed an agenda that would ostensibly see the U.S. and Russia working side by side as allies. The two countries make stranger bedfellows than ever as just days prior, Trump’s own Department of Justice indicted 12 Russian intelligence officials for the infamous 2016 Democratic National Committee hack.
Nonetheless, the Russian president revived talks of a joint group between the U.S. and Russia dedicated to cybersecurity matters. For anyone with the security interests of the U.S. at heart, such a proposal, which Trump endorsed in a tweet one year ago, would truly be a worst-case scenario outcome of the puzzlingly cozy relationship between the two world leaders.
Tomi Engdahl says:
Porn blackmailers supercharge their scam with password dumps, make bank
https://boingboing.net/2018/07/19/oily-rags-r-us.html
The porn extortion scam works like this: you get an email from a stranger claiming that he hacked your computer and recorded video of you masturbating to pornography, which he’ll release unless you send him some cryptocurrency.
It’s not a very convincing pitch, lacking any evidence that the scammer is telling the truth.
But thanks to the massive databases of leaked passwords circulating online after massive, multi-million-user breaches, the extortionists behind these scams have an extremely effective convincer: your passwords.
The new version of this scam, first spotted in the wild last week, has your stolen username and password (from some breached service) in the subject line and opens with this: “It seems that, (password), is your password. You may not know me and you are probably wondering why you are getting this e-mail, right?”
In the week since this tactic was first observed, the scammer who pioneered it has made $50,000
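Both this item and the TechCrunch piece earlier on the same scam turn on one check a recipient (or a mail-security team) wants to make: is the quoted password a recycled breach credential, or evidence of something worse? The following is an added example, not code from Boing Boing, TechCrunch or the scammers: a Python triage routine that pulls the quoted password out of such a message and checks it against breach data using the Pwned Passwords k-anonymity range scheme (SHA-1 of the password, only the first five hex characters leave the host, suffixes are compared locally). The network call is replaced by a constructed stand-in, `fake_fetch_range`, with constructed counts; the sample e-mail is constructed; the names `triage`, `breach_count` and `extract_claimed_password` are this example's own.

```python
import hashlib
import re
from typing import Callable, Dict, Optional

# Shape of the opener quoted in the post: "It seems that, (password), is your password."
CLAIM_RE = re.compile(
    r"It seems that,?\s*(?P<pw>.+?),?\s*is your password", re.IGNORECASE
)


def extract_claimed_password(message: str) -> Optional[str]:
    """Pull the password the scammer quotes, or None if the mail has no such claim."""
    m = CLAIM_RE.search(message)
    return m["pw"].strip() if m else None


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 are sent out.

    fetch_range(prefix) must return the text of a Pwned Passwords range
    response, one 'SUFFIX:COUNT' pair per line. The live endpoint is
    https://api.pwnedpasswords.com/range/<prefix>; it is not called here.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand.upper() == suffix:
            return int(count or 0)
    return 0


def triage(message: str, fetch_range: Callable[[str], str]) -> Dict[str, object]:
    """Classify one extortion mail by where its 'proof' password came from."""
    pw = extract_claimed_password(message)
    if pw is None:
        return {"claimed_password": None, "breach_count": 0,
                "verdict": "no password claim found; ordinary spam"}
    n = breach_count(pw, fetch_range)
    if n:
        verdict = ("claimed password is in public breach data: the sender recycled "
                   "a leaked credential, not evidence of access to this machine")
    else:
        verdict = ("claimed password not in breach data: source unknown, rotate it "
                   "anywhere it is still in use")
    return {"claimed_password": pw, "breach_count": n, "verdict": verdict}


# ---- constructed offline stand-in for the range API (counts are made up) ----
_CONSTRUCTED_DUMP = {"password": 3730471, "letmein": 236597}


def fake_fetch_range(prefix: str) -> str:
    """Mimic one range response: suffixes of dump entries sharing the prefix."""
    lines = [f"{sha1_upper(pw)[5:]}:{cnt}"
             for pw, cnt in _CONSTRUCTED_DUMP.items()
             if sha1_upper(pw).startswith(prefix)]
    lines.append("0" * 34 + "A:1")  # an unrelated suffix, as real responses contain many
    return "\r\n".join(lines)


# Constructed sample, following the opener quoted in the post.
CONSTRUCTED_EMAIL = (
    "Subject: password\n\n"
    "It seems that, password, is your password. You may not know me and you are "
    "probably wondering why you are getting this e-mail, right?"
)


if __name__ == "__main__":
    print(triage(CONSTRUCTED_EMAIL, fake_fetch_range))
```

To use it against the real service, `fetch_range` would be a function that issues the HTTPS GET for the prefix and returns the response body; the password itself never leaves the machine in either form. A hit confirms the page's point (the "proof" is an old leaked credential) and the only action needed is to retire that password wherever it is still reused.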
Tomi Engdahl says:
Microsoft Says It Blocked Attempts at Hacking Midterm Campaigns
https://www.bleepingcomputer.com/news/government/microsoft-says-it-blocked-attempts-at-hacking-midterm-campaigns/
Speaking at the Aspen Security Forum today, Microsoft said it already blocked the first attempts of a Russian threat actor at hacking into the campaigns of three congressional candidates participating in the 2018 midterm elections.
“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,”
“We took down that domain,”
Hacking scale not comparable to 2016 elections
“I would say that the consensus of the threat intelligence community right now is [that] we’re not seeing the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when looking back on the 2016 elections,”
Tomi Engdahl says:
A vacuum vulnerability could mean your Roomba knockoff is hoovering up surveillance
https://techcrunch.com/2018/07/19/vacuum-vulnerability-hack-diqee-positive-technologies/?utm_source=tcfbpage&sr_share=facebook
Taylor Hatmaker (@tayhatmaker)
Yet again we are reminded that the mild conveniences of the smart home are all well and good, right up until someone decides to turn one of those Wi-Fi-connected things you invited in against you.
But you probably didn’t think it was going to be the vacuum, did you?
Two researchers with enterprise security company Positive Technologies discovered vulnerabilities affecting the Dongguan Diqee 360 line of robotic vacuum cleaners and have shared details of the security flaw. The vacuum cleaners, manufactured by Chinese smart home manufacturer Diqee, are equipped with Wi-Fi and a 360-degree camera for a mode known as “dynamic monitoring” that turns the machine into a home surveillance device. The camera is probably what you need to be worried about.
The remote code execution vulnerability, known as CVE-2018-10987, can give an attacker who obtains the device’s MAC address system admin privileges.
Tomi Engdahl says:
UK government panel issues inconclusive Huawei security report
https://techcrunch.com/2018/07/19/uk-government-panel-issues-inconclusive-huawei-security-report/?sr_share=facebook&utm_source=tcfbpage
Brian Heater (@bheater)
Huawei’s had a rough go of it here in the States, after concerns around ties to the Chinese government have left the company scrambling to gain a commercial toehold. Over the past several years, top U.K. security officials have also put the company under the microscope over potential security concerns.
A new report issued by a government panel with the straightforward name “Huawei Cyber Security Evaluation Centre” this week presents some fairly inconclusive findings.
“Identification of shortcomings in Huawei’s engineering processes have exposed new risks in the UK telecommunication networks and long-term challenges in mitigation and management,” the report notes
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/727415/20180717_HCSEC_Oversight_Board_Report_2018_-_FINAL.pdf
Tomi Engdahl says:
Thousands of US voters’ data exposed by robocall firm
https://www.zdnet.com/article/us-voter-data-exposed-by-robocall-firm/
Each record contains a voter’s name, address, and “calculated” political affiliation.
Another cache of US voter data has leaked.
A Virginia-based political campaign and robocalling company, which claims it can “reach thousands of voters instantly,” left a huge batch of files containing hundreds of thousands of voter records on a public and exposed Amazon S3 bucket that anyone could access without a password.
The bucket contained close to 2,600 files, including spreadsheets and audio recordings, for several US political campaigns.
https://www.linkedin.com/pulse/hundreds-thousands-us-voter-data-appeared-online-again-bob-diachenko/?published=t
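An added example, not code from the ZDNet or LinkedIn write-ups: a Python check for the two settings that make an S3 bucket readable without a password, the bucket ACL and the bucket policy, evaluated on data in the shape that boto3's `get_bucket_acl()` and `get_bucket_policy()['Policy']` return. The ACL, the policy and the bucket name below are constructed; the function names are this example's own.

```python
import json
from typing import Any, Dict, List

# Group grantee URIs that make an ACL grant public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (no credentials needed)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Grants in a get_bucket_acl() result that go to one of the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GRANTEE_URIS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and label:
            findings.append(f"ACL grants {grant.get('Permission')} to {label}")
    return findings


def _principal_is_anyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> List[Dict[str, str]]:
    """Allow statements whose Principal is anyone.

    A statement with a Condition (for example aws:SourceIp) is reported as
    'conditional public' for manual review rather than asserted public.
    """
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "kind": "conditional public" if st.get("Condition") else "public",
            "actions": ", ".join(actions),
        })
    return findings


def assess_bucket(name: str, acl: Dict[str, Any], policy_json: str) -> Dict[str, Any]:
    """Combine both checks; 'public' is True only for unconditional exposure."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_json)
    return {
        "bucket": name,
        "public": bool(acl_hits) or any(h["kind"] == "public" for h in policy_hits),
        "acl_findings": acl_hits,
        "policy_findings": policy_hits,
    }


# ---- constructed inputs, in the shape boto3 returns them ----
CONSTRUCTED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
CONSTRUCTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-robocall-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-robocall-bucket",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-robocall-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-robocall-bucket", CONSTRUCTED_ACL, CONSTRUCTED_POLICY), indent=2))
```

Object-level ACLs can open individual files even when the bucket ACL and policy are clean, so a full audit walks `get_object_acl()` as well; and accounts that have S3 Block Public Access enabled override both of the settings checked here, which is the control that would have prevented this kind of leak.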
Tomi Engdahl says:
Senate wants emergency alerts to go out through Netflix, Spotify, etc.
https://techcrunch.com/2018/07/18/senate-wants-emergency-alerts-to-go-out-through-netflix-spotify-etc/?utm_source=tcfbpage&sr_share=facebook