Cyber Security August 2018

This posting is here to collect security alert news in August 2018.

I post links to security vulnerability news to comments of this article.

 

428 Comments

  1. Tomi Engdahl says:

    It Takes 5 Minutes for a Hacker to Physically Install Malicious Firmware Right into Your Laptop
    https://vpn.review/hacker-firmware-laptop/

    Anti-virus software, firewalls, encryption, along with some personal awareness and vigilance go a long way in protecting against common threats and hacks and maintaining one’s digital security and privacy. But all of these practices could be in vain if a hacker has physical access to your device.

    A researcher from a security firm called Eclypsium recently posted a video in which he breaks open a laptop, installs a device loaded with malicious software, and puts it back together in mere minutes.

    This type of ‘physical’ attack, so to speak, is known as an evil maid attack

    Physical attacks are very dangerous. Firstly, they are hard to defend against. Secondly, there is not enough awareness around them; most people don’t do anything to defend against them. Thirdly, and most concerning, is that they are not very hard to execute

    The device used in the demonstration can be purchased for less than three hundred dollars. The malicious software – a generic proof-of-concept backdoor – can be downloaded from GitHub for free.

    Of course, different devices would require a different setup

    So make sure that you don’t leave your devices unattended in public gatherings – conferences and such

  2. Tomi Engdahl says:

    Reddit breach exposes non-critical user data
    https://techcrunch.com/2018/08/01/reddit-breach-exposes-user-data-but-not-much/

    Reddit announced today that it suffered a security breach in June that exposed some of its internal systems to the attackers, although what was accessed was not particularly sensitive. Notably the hack was accomplished by circumventing the two-factor authentication Reddit had in place via SMS interception — which should be a wake-up call to any who haven’t moved on from that method.

    Said access was gated behind two-factor authentication systems, but unfortunately they were of the type that occasionally or optionally allow SMS to be used instead of an authenticator app or token. SMS has some major inherent security flaws, and this method was declared unacceptable by NIST back in 2016. But it is far from eliminated, and many services still use it as a main or backup 2FA method.

  3. Tomi Engdahl says:

    Hackers used conventional techniques, such as phishing emails and watering-hole attacks.

    Russian Hackers Slip into US Electricity Companies, Could Have Caused Blackouts
    https://vpn.review/russia-hack-us-electricity-blackouts/

The Wall Street Journal recently reported that hackers believed to be working with Russia had gained access to the control rooms of US electric utilities last year. The group of hackers, which was previously identified as Dragonfly or Energetic Bear, had broken into networks belonging to third-party vendors that had relationships with the power companies. The hacks gave the group the power to cause blackouts.

  4. Tomi Engdahl says:

    How US Military Hackers Prepared to Hack the Islamic State
    https://motherboard.vice.com/en_us/article/ne5d5g/how-us-military-cybercom-hackers-hacked-islamic-state-documents

    Documents obtained by Motherboard give insight into how hackers at CYBERCOM prepare before launching offensive cyber operations, including figuring out how likely an attack will be attributed back to them.

    In 2016, US Cyber Command (CYBERCOM), a part of the military tasked with conducting offensive cyber operations, hacked internet infrastructure used by the so-called Islamic State. Now, redacted versions of formerly Top Secret and other classified documents obtained by Motherboard lay out the contours of how CYBERCOM planned that operation, taking into account political fallout, the chance of the attack being attributed back to the US government, and other potential consequences.

  5. Tomi Engdahl says:

    Hackers find creative way to steal $7.7 million without being detected
    https://arstechnica.com/information-technology/2018/07/hackers-find-creative-way-to-steal-7-7-million-without-being-detected/

    Thieves obtain platform’s private key, use it to destroy coins, then create new ones.

    Hackers managed to steal $7.7 million dollars’ worth of cryptocurrency from the platform known as KICKICO by using a novel technique—destroying existing coins and then creating new ones totaling the same amount and putting them in hacker-controlled addresses, KICKICO officials said.

    The technique evaded KICKICO’s security measures because it didn’t change the number of KICK tokens issued on the network. Such security measures are generally designed to spot thefts and other malicious actions by detecting sudden shifts in total cryptocurrency funds available on the market. The unknown attackers were able to destroy the existing coins and create new ones by first obtaining the secret cryptographic key controlling the KICKICO smart contract.

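The KICKICO item above describes a control that only watched total supply, which a burn-and-mint of equal size passes untouched. As an added example (not KICKICO's code or real chain data), here is a small Python audit over constructed ERC-20-style Transfer events: mints are transfers from the zero address, burns are transfers to it. It shows that a supply-only check returns zero for the attack window, and that two cheap extra checks (mint to a recipient outside an allowlist, and a mint matched by burns of at least the same amount within a block window) flag it anyway. Addresses and amounts are invented.

```python
ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"

# Constructed Transfer events, not real chain data. from == ZERO_ADDRESS is a mint,
# to == ZERO_ADDRESS is a burn. Blocks 100-101 model a burn-then-reissue; block 200 is a normal mint.
SAMPLE_EVENTS = [
    {"block": 100, "from": "0xholderA", "to": ZERO_ADDRESS, "value": 40},
    {"block": 100, "from": "0xholderB", "to": ZERO_ADDRESS, "value": 30},
    {"block": 101, "from": ZERO_ADDRESS, "to": "0xnewaddr", "value": 70},
    {"block": 105, "from": "0xholderA", "to": "0xholderC", "value": 5},
    {"block": 200, "from": ZERO_ADDRESS, "to": "0xtreasury", "value": 10},
]


def supply_change(events, start_block, end_block):
    """Net change in circulating supply over [start_block, end_block]: the supply-only check."""
    delta = 0
    for e in events:
        if not start_block <= e["block"] <= end_block:
            continue
        if e["from"] == ZERO_ADDRESS:
            delta += e["value"]
        elif e["to"] == ZERO_ADDRESS:
            delta -= e["value"]
    return delta


def audit_mints(events, trusted_recipients, window_blocks=10):
    """Flag mints that a supply-only monitor would miss.

    untrusted_mint: newly created tokens landed outside the allowlisted addresses.
    supply_neutral_reissue: burns within the preceding window cover the minted amount,
    i.e. supply is unchanged but ownership has moved.
    """
    alerts = []
    burns = [e for e in events if e["to"] == ZERO_ADDRESS]
    for e in events:
        if e["from"] != ZERO_ADDRESS:
            continue
        if e["to"] not in trusted_recipients:
            alerts.append({"kind": "untrusted_mint", "block": e["block"],
                           "to": e["to"], "value": e["value"]})
        burned = sum(b["value"] for b in burns
                     if e["block"] - window_blocks <= b["block"] <= e["block"])
        if burned and burned >= e["value"]:
            alerts.append({"kind": "supply_neutral_reissue", "block": e["block"],
                           "to": e["to"], "value": e["value"], "burned_in_window": burned})
    return alerts


if __name__ == "__main__":
    print("supply change over attack window:", supply_change(SAMPLE_EVENTS, 100, 101))
    for a in audit_mints(SAMPLE_EVENTS, {"0xtreasury"}):
        print(a)
```

The allowlist is the important control: once the minting key is compromised, any rule that trusts the key's own signature is moot, so the monitor has to key on where tokens go and on burn/mint correlation rather than on who signed.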
  6. Tomi Engdahl says:

    Dixons Carphone Breach: Much Larger Than First Thought
    https://www.securityweek.com/dixons-carphone-breach-much-larger-first-thought

    A data breach at Dixons Carphone that was made public last month resulted in 10 million records being accessed by unknown actors, the consumer UK electronics retailer announced Tuesday.

    The company initially said that only 1.2 million records containing personal data of its customers, such as name, address or email address, were accessed during the intrusion.

    Although it initially said that the attackers were attempting to access 5.9 million cards and that 105,000 non-EU issued payment cards were indeed compromised, the company now says that the impacted records did not contain payment card details.

  7. Tomi Engdahl says:

    Yale University Discloses Decade-Old Data Breach
    https://www.securityweek.com/yale-university-discloses-decade-old-data-breach

    Yale University revealed that hackers accessed one of its databases between 2008 and 2009 and accessed the personal information of 119,000 people.

    The data breach was discovered on June 16, 2018, during a security review. The attackers extracted names, Social Security numbers, and, in almost all cases, dates of birth. In many cases, Yale email addresses were also extracted, and in some cases the physical addresses of individuals associated with the university were compromised as well.

  8. Tomi Engdahl says:

    Trump Criticized for Not Leading Effort to Secure Elections
    https://www.securityweek.com/trump-criticized-not-leading-effort-secure-elections

    WASHINGTON (AP) — As alarms blare about Russian interference in U.S. elections, the Trump administration is facing criticism that it has no clear national strategy to protect the country during the upcoming midterms and beyond.

    Both Republicans and Democrats have criticized the administration’s response as fragmented, without enough coordination across federal agencies. And with the midterms just three months away, critics are calling on President Donald Trump to take a stronger stand on an issue critical to American democracy.

  9. Tomi Engdahl says:

    “Because European citizens’ data is presumably affected by the breach, and the incident occurred in June, it’s likely that GDPR regulators will get involved. There will be question marks for starters over the length of time it took to notify customers and the decision to force users to proactively check their emails to see if they were affected by the more recent breach” – writes Phil Muncaster for Infosecurity Magazine

    https://www.infosecurity-magazine.com/news/reddit-breached-after-sms-2fa-fail/

  10. Tomi Engdahl says:

    Tara Seals for Threatpost:

    “Kenin added that while cryptomining is the primary goal of this wave of attacks, the script has persistence and the flexibility to change and add new features, exacerbating the threat.”

    https://threatpost.com/huge-cryptomining-attack-on-isp-grade-routers-spreads-globally/134667/

  11. Tomi Engdahl says:

    Millions of U.S. Voter Records Exposed on Robocall Company RoboCent’s Poorly Configured AWS Cloud Storage
    https://spectrum.ieee.org/tech-talk/telecom/security/millions-of-us-voter-records-exposed-by-political-robocall-company-robotcent-on-aws

    A political robocalling company called RoboCent exposed 4,500 client files to the open Internet by failing to properly configure its cloud storage on Amazon Web Services (AWS).

    Those files, which were uploaded to the company’s AWS portal by campaign staffers working on behalf of political candidates across the United States, contained millions of records about individual U.S. voters.

    Some of the files, which were primarily Excel spreadsheets, contained details about specific voters that went far beyond information that is publicly available through voter rolls compiled by state governments, which often include name, address, phone number, and party affiliation.

    The exposed files were being stored in the cloud and were publicly accessible, no password required, for an unknown period of time.

    Misconfigured cloud storage has led to the exposure of a staggering number of sensitive records in recent years. One report found that 102,431,953 files were mistakenly exposed on Amazon Simple Storage Service in just the first three months of 2018.

  12. Tomi Engdahl says:

    #TheRegister

    “However, iCliniq stored these private medical documents in a public AWS S3 bucket. This bucket, according to Gliwka, contained about 20,000 medical documents (such as information on blood screens and HIV tests).
    Gliwka was able to establish a connection between the icliniq.com website and the S3 bucket. Test files he uploaded through the website appeared in the same cloud-based system.”

    https://www.theregister.co.uk/2018/08/03/icliniq_cloud_breach/

  13. Tomi Engdahl says:

    Amazon’s answer to all those leaky AWS S3 buckets: A dashboard warning light
    Look out for that orange alert
    https://www.theregister.co.uk/2017/11/07/amazon_aws_s3_alert/

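The RoboCent, iCliniq and "orange alert" items above all come down to one condition: a bucket whose ACL or policy grants access to everyone. As an added example (not code from AWS, IEEE Spectrum or The Register), here is a Python check over the two JSON shapes that S3's GetBucketAcl and GetBucketPolicy calls return, run here on constructed sample documents rather than a live account: it reports ACL grants to the AllUsers or AuthenticatedUsers groups and policy Allow statements with a wildcard Principal, which is essentially what the dashboard warning light reacts to. Bucket name, account id and role name are placeholders.

```python
import json

# Group URIs S3 uses for "everyone" and "any AWS account" in ACL grants.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

# Constructed GetBucketAcl-style response: owner has full control, plus a world-readable grant.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed bucket policy (the Policy field of GetBucketPolicy is a JSON string).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-placeholder"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# The corrected policy: same document with the wildcard statement removed.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [json.loads(SAMPLE_POLICY)["Statement"][1]],
})


def acl_public_grants(acl):
    """Return (group, permission) for every ACL grant to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json):
    """Return Allow statements with a wildcard Principal; 'conditional' marks ones with a Condition block."""
    hits = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        hits.append({"sid": stmt.get("Sid", "<no sid>"),
                     "actions": [actions] if isinstance(actions, str) else list(actions),
                     "conditional": bool(stmt.get("Condition"))})
    return hits


def bucket_exposure(acl, policy_json):
    """Human-readable findings; an empty list means neither the ACL nor the policy opens the bucket."""
    findings = [f"ACL grants {perm} to {group}" for group, perm in acl_public_grants(acl)]
    for s in policy_public_statements(policy_json):
        scope = "conditional" if s["conditional"] else "unconditional"
        findings.append(f"policy statement {s['sid']} allows {', '.join(s['actions'])} to * ({scope})")
    return findings


if __name__ == "__main__":
    for line in bucket_exposure(SAMPLE_ACL, SAMPLE_POLICY) or ["no public access found"]:
        print(line)
```

A conditional wildcard statement still deserves review rather than a pass: conditions such as a source-IP range narrow it, but a condition on something a caller controls does not. In a real account the same functions can be fed the output of boto3's `get_bucket_acl` and `get_bucket_policy`, and the durable fix is to remove the offending grant and turn on the account-level Block Public Access setting so it cannot come back.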
  14. Tomi Engdahl says:

    #EntrustDatacardBlog

    “The moral of the story is simple: hackers get smarter every day and find new ways to circumvent standard security measures. Those of us responsible for defending against cybercrime need to evolve at least as fast — and preferably faster — than the bad guys. And that’s the very nature of an adaptive authentication platform like IntelliTrust™. It’s built to learn and become smarter and more efficacious over time. So next time, instead of being congratulated for catching a hack in less than two weeks, an IT team can be appreciated for not making the news at all.”

    https://www.entrustdatacard.com/blog/2018/august/singapore-healthcare

  15. Tomi Engdahl says:

    Venezuela President Maduro ‘survives drone attack’
    https://www.bbc.com/news/world-latin-america-45073385

    Venezuelan President Nicolás Maduro says he has survived an assassination attempt involving explosive drones.

Mr Maduro was speaking at a military event in Caracas when the alleged attack occurred.

    Live footage of Mr Maduro’s speech shows the president suddenly looking upwards – startled – and dozens of soldiers running away.

    Mr Maduro has blamed Colombia for the attack

    Mr Maduro later said in a national address: “A flying object exploded near me, a big explosion. Seconds later there was a second explosion.”

  16. Tomi Engdahl says:

    US names arrested Fin7 cyber-gang suspects
    https://www.bbc.com/news/technology-45029638

    Three Ukrainian citizens suspected of being part of a “prolific hacking group” have been arrested, the US Department of Justice has announced.

    The three men are accused of using malware to attack more than 120 US companies, including the restaurant chains Chipotle and Arby’s.

    Firms in the UK, France and Australia were also said to have been targeted.

    The gang involved has been called several names including Fin7, Carbanak and JokerStash.

    Its activities had been widely tracked in the cyber-security press.

    The Department of Justice (DoJ) said that the group had hijacked more than 15 million payment card details from more than 6,500 payment check-out points in the US alone.

The information was then sold via the “dark net”.

    The resulting losses are believed to have run into the tens of millions of dollars.

    The group is understood to still be active.

    “The clever techniques it used to infiltrate companies demonstrates that it is impossible to guarantee that systems processing card numbers will be protected from all attacks.

    “For this reason, payment systems are gradually being changed to reduce the value of card numbers to criminals, such as by creating card numbers which can only be used once, or confirming transactions by sending a text message to the customer.”

  17. Tomi Engdahl says:

    Phishing Campaign Targets 400 Industrial Organizations
    https://www.securityweek.com/phishing-campaign-targets-400-industrial-organizations

    A new wave of spear-phishing emails masquerading as legitimate procurement and accounting letters have hit over 400 industrial organizations, according to Kaspersky Lab.

    Data collected by Kaspersky showed that the malware associated with the campaign attacked nearly 800 company PCs across various industries. The attacks, which are ongoing, attempt to steal money and confidential data from the targeted organizations, which include oil and gas to metallurgy, energy, construction and logistics.

  18. Tomi Engdahl says:

    MikroTik Routers Exploited in Massive Crypto-Mining Campaign
    https://www.securityweek.com/mikrotik-routers-exploited-massive-crypto-mining-campaign

    Attackers managed to infect tens of thousands of MikroTik network routers in Brazil with code that injects the CoinHive in-browser crypto-mining script into web traffic.

    The attack emerged on July 31, when more than 70,000 MikroTik devices in the country started displaying the same behavior. With all using the same CoinHive site-key, it became apparent that a single actor was behind the attack.

    No zero-day was used in this massive attack, as MikroTik, a Latvian router manufacturer, patched the targeted vulnerability back in April 2018. The issue, however, is that the vulnerable devices haven’t been updated in a timely manner.

    At the moment, there are “hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,”

    ability to read files from a vulnerable MikroTik router and get unauthenticated remote admin access to the device

  19. Tomi Engdahl says:

TSMC chip fab tools hit by virus, payment biz BGP hijacked, CCleaner gets weird – and more
What else is going on in infosec this week…
    https://www.theregister.co.uk/2018/08/04/security_roundup/

    TSMC chip assembly line computers infected

    Chipmaker TSMC – which supplies components for Apple, AMD, Nvidia, Qualcomm, Broadcom, and others – said its semiconductor fab tools were downed by a virus.

    The malware hit the Taiwanese manufacturing giant’s systems on Friday night, and some plants remain infected at time of writing while others have been restored to operation. It is not believed to be the result of an intrusion by one or more hackers – it sounds as though a staffer accidentally ran some kind of software nasty, and pwned computers on the network.

    “Certain factories returned to normal in a short period of time, and we expect the others will return to normal in one day,” the biz told the media on Saturday.

    Linux’s leaky timer bug: Countdown to patching

    A researcher has detailed a bug in the Linux kernel that can be exploited to leak sensitive data – such as cryptographic keys and passwords – from protected kernel memory, much in the same way as the Spectre and Meltdown processor design vulnerabilities. Interestingly, it took months for the fix to wind its way into Linux distributions, if at all.

Andrey Konovalov spelled out the situation to the Full Disclosure list this week: the programming blunder (CVE-2017-18344) was introduced way back in kernel version 3.10, and is due to a buggy show_timer() function. This code can be potentially abused by a malicious application to read memory it should not be able to snoop on.

    Essentially, although the vulnerability has been known about for eight months, a CVE was only assigned late last month, and some Linux distributions are still shipping vulnerable kernels.

    “This gives some insight into how much time it usually takes for a fix to travel from upstream through stable into a distro kernel when there’s no CVE. Compared to the 14 days that distros are usually given to fix a security bug reported through linux-distros@, that seems rather long.”

  20. Tomi Engdahl says:

    Drones, facial recognition and a social credit system: 10 ways China watches its citizens
    https://m.scmp.com/news/china/society/article/2157883/drones-facial-recognition-and-social-credit-system-10-ways-china

    From tracking the activity of mobile app users to setting up a social credit scorecard, the world’s most populated country is taking surveillance technology to new heights

  21. Tomi Engdahl says:

    Debby Wu / Bloomberg:
TSMC says a virus infected its fabrication tools on Friday night and shut down several factories, some of which won’t restart at least until Sunday — Some factories back to normal, rest in another day, TSMC says — Virus that struck Friday night ‘was not caused by hacker’
    http://www.bloomberg.com/news/articles/2018-08-04/tsmc-takes-emergency-steps-as-operations-hit-by-computer-virus

  22. Tomi Engdahl says:

    TSMC is a critical partner for the launch of the new iPhone

    Virus shuts down factories of major iPhone component manufacturer TSMC
    https://techcrunch.com/2018/08/04/virus-shuts-down-factories-of-major-iphone-component-manufacturer-tsmc/?utm_source=tcfbpage&sr_share=facebook

Danny Crichton (@dannycrichton)
    Apple touts the cybersecurity of its iPhone, but less can be said for the exclusive manufacturer who makes the processor for the iPhone.

    Semiconductor foundry TSMC, or Taiwan Semiconductor Manufacturing Company, was hit by a virus late Friday night, which forced it to shut down several factories according to Debbie Wu at Bloomberg. The virus and the shutdown were confirmed by TSMC representatives.

    It is not clear at this time which factories were hit, or whether those factories were producing the iPhone’s main processor. Apple is expected to unveil new iPhones this fall

  23. Tomi Engdahl says:

    Cisco to buy cyber-security company Duo for $2.35 billion
    https://www.moneycontrol.com/news/world/cisco-to-buy-cyber-security-company-duo-for-2-35-billion-2799571.html

    The deal is the biggest acquisition for Cisco since its $3.7-billion purchase of business performance monitoring software company AppDynamics last year, and its largest in the cyber security sector since its $2.7-billion takeover of Sourcefire in 2013.

  24. Tomi Engdahl says:

    Security Researchers Express Concerns Over Mozilla’s New DNS Resolution For Firefox
    https://yro.slashdot.org/story/18/08/05/2353249/security-researchers-express-concerns-over-mozillas-new-dns-resolution-for-firefox?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    With their next patch Mozilla will introduce two new features to their Firefox browser they call “DNS over HTTPs” (DoH) and Trusted Recursive Resolver (TRR). Mozilla says this is an additional feature which enables security. Researchers think otherwise.

    Mozilla’s new DNS resolution is dangerous
    All your DNS traffic will be sent to Cloudflare
    https://blog.ungleich.ch/en-us/cms/blog/2018/08/04/mozillas-new-dns-resolution-is-dangerous/

    With their next patch Mozilla will introduce two new features to their Firefox browser they call “DNS over HTTPs” (DoH) and Trusted Recursive Resolver (TRR). In this article we want to talk especially about the TRR. They advertise it as an additional feature which enables security. We think quite the opposite: we think it’s dangerous, and here’s why.

    Why would you replace your ISP’s DNS server with another one?

    There are a variety of problems with the DNS protocol (“the language of DNS”). DNS requests are usually sent unencrypted and potentially everyone between you and the DNS server can read your DNS requests. Mozilla is using a new technique to transport requests over https, which encrypts the data. That is generally speaking a good thing. However usually the DNS servers that you use are local DNS servers (from your ISP) and thus the attack vector (i.e. who can spy on you) is local.

    Mozilla wants to override any configured DNS server with Cloudflare

  25. Tomi Engdahl says:

    Vint Cerf on Differential Traceability on the Internet
    https://yro.slashdot.org/story/18/08/05/2329251/vint-cerf-on-differential-traceability-on-the-internet?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

Addressing the bad behaviors on the Internet, which range from social network bullying and misinformation to email spam, distributed denial of service attacks, direct cyberattacks against infrastructure, malware propagation, identity theft, and a host of other ills, requires a wide range of technical and legal considerations, says Vint Cerf, even as he steers clear that he supports encryption. But is there a way to bring more accountability and traceability on our actions on the internet without compromising our privacy? He has a proposition:

    https://cacm.acm.org/magazines/2018/8/229771-traceability/fulltext

  26. Tomi Engdahl says:

    Security World Hits Las Vegas For a Week of Hacking, Cracking, Fun
    https://it.slashdot.org/story/18/08/05/2239243/security-world-hits-las-vegas-for-a-week-of-hacking-cracking-fun?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    About a quarter of a century ago, a handful of hackers decided to have a party in a cheap hotel, and had a whale of a time. Fast forward to 2018, and that get-together has grown into events that will see an estimated 30,000 people converge on Las Vegas for the biggest security shindig in the world — the combination of Black Hat USA, DEF CON and BSidesLV.

    https://www.theregister.co.uk/2018/08/04/black_hat_def_con_bsides_intro/

  27. Tomi Engdahl says:

    DNC warns candidates: Don’t use ZTE or Huawei phones
    https://money.cnn.com/2018/08/03/technology/democratic-national-committee-zte-huawei/index.html

    Democrats running in November’s midterms were warned Friday not to use devices produced by Chinese manufacturers ZTE and Huawei. The warning, which came from the Democratic National Committee, was sent out after the DNC learned that a Democratic organization was considering buying ZTE phones for its staff, a senior Democratic source told CNN.

    “It’s very important that party and campaign workers not use ZTE or Huawei devices, even if the price is low or free,” Bob Lord, the DNC’s chief security officer, wrote.

    He added, “please make sure that you are not using or purchasing ZTE or Huawei devices anywhere within your staff – for personal or work-related use.”

  28. Tomi Engdahl says:

    Symantec culling 8% of workforce to soak up slow enterprise sales
    Hundreds of jobs to go
    https://www.theregister.co.uk/2018/08/03/symantec_job_cuts/

    Symantec has announced plans to slash 8 per cent of its global workforce in response to disappointing sales.

    The security software maker revealed on Thursday that revenues for the quarter ended 29 June fell 1.6 per cent to $1.16bn from $1.18bn a year ago.

    Losses were pegged at $63m, an improvement on $133m in the same period last year.

    “Security segment, first quarter fiscal year 2019 enterprise implied billings were below expectations due to longer than expected sales cycles for large, multi-product platform sales,” said Greg Clark, Symantec’s chief exec. Clark added that the issue was largely restricted to its North American sales pipeline. Consumer security sales showed “strong revenue growth in the first quarter”.

    http://investor.symantec.com/About/Investors/press-releases/press-release-details/2018/Symantec-Reports-Fiscal-First-Quarter-2019-Results/default.aspx

  29. Tomi Engdahl says:

    The Explosive-Carrying Drones in Venezuela Won’t Be the Last
    https://www.wired.com/story/venezuela-drones-explosives-maduro-threat
    On Saturday, as Venezuelan President Nicolas Maduro gave a speech in Caracas before a large military assemblage, drones carrying explosives approached, officials there said, detonating near the stage. While Maduro was unharmed, Venezuelan information minister Jorge Rodriguez said that the attack injured seven soldiers. It’s a method of assault that only a few years ago felt unthinkable, but has quickly become inevitable.

    Details remain scarce about the exact nature of the attack, which Rodriguez characterized as an “assassination attempt,” including what type of drones were used and the nature of the explosives involved.

    As the hours passed, some reports disputed the drone attack narrative. The Associated Press reported that three unnamed firefighters say it was actually an apartment gas tank explosion. A military expert quoted in The Washington Post posited that the government lost control of its own drone, and had to take it down. But local witnesses later confirmed seeing a drone explode.

    Not long after the attack, Venezuelan authorities arrested six suspects

    Reverol also provided more details about the incident, alleging that the suspects used two DJI M600 drones, each loaded down with 1 kilogram of C-4 explosive, capable of creating a blast radius of 50 meters.

    “It’s clear that increasingly capable and hard-to-stop drones will become a key instrument of revolutionaries going forward,”

    While shocking, the drone attack at least has ample precedent. ISIS has consistently used quadcopters to drop grenades, dive-bomb targets, and more for years. And a 2016 report by the nonprofit group Open Briefing laid out the possibility of targeted drone strikes not unlike Saturday’s chaos. That concern has now manifested—and current defenses aren’t strong enough to keep it from happening again.

    “the technical competence of a 12-year-old can pull off an attempt like this,”

    “Today we are unable to effectively counter malicious use of drones.”

    That malicious use goes well beyond explosives; it includes drug smuggling, criminal surveillance, malware injection, and more. Limits are defined less by technology than by one’s imagination.

    Options for defense, meanwhile, remain slim. Chang and Glawe blame the current regulatory environment for that lack of preparedness.

    In truth, most good drone defenses come with drawbacks and caveats. You can switch on a super-powered radio-frequency jammer, but risk disrupting mobile communications. You can shoot a drone down, but risk collateral damage. You can force geofencing on manufacturers, creating certain no-fly zones—popular drone maker DJI already does this—but a savvy attacker can disable those protections with relative ease. Dutch police have tested training eagles to hunt down bad drones, but the impracticalities of that approach add up astonishingly fast.

    If the situation seems grim, there’s at least something like a silver lining. While drone attacks draw plenty of attention, they’re also relatively ineffective, especially for carrying out any sort of large-scale attack. The odds that a drone attack will injure you personally remain very small.

  30. Tomi Engdahl says:

    The Information War Is On. Are We Ready For It?
    https://www.wired.com/story/misinformation-disinformation-propaganda-war

    On August 1, 2018, the Senate Select Committee on Intelligence held a public hearing asking experts to testify on how foreign actors have used—and are using—social media to meddle in the American political process. The question of whether Russian entities interfered in American politics was not up for debate; that has already been firmly established. There was also no question about whether Russian influence operations are ongoing across social platforms: they are.

    Facebook announced it had found numerous fake Pages masquerading as left-wing activists.

    We all agreed: this is an information war. These operations are ongoing and the adversaries will evolve.

    there is both a short-term threat—the hijacking of narratives in the upcoming 2018 election—and significant long-term challenges. Crucially, that tech platforms and government alike need to decide how to respond to information operations while preserving our commitment to free speech and the free flow of ideas

    Right now, the responsibility for solving this problem falls to the private platforms that control our public squares. But that doesn’t appear to be working. Because, regardless of how you feel about the tech platforms, eradicating misinformation while preserving free speech is a monumental challenge.

    Senator Ron Wyden, one of the authors of Section 230 of the Communications Decency Act, the legislation that has protected internet companies from being liable for the information published on their platforms, was particularly forceful in the hearing as well, stating that “these pipes are no longer neutral”, and that 230 gave the platforms both “a shield and a sword”—and they’d ignored the sword.

    But, ultimately, what the government—and the general public—is realizing is that while disinformation, misinformation, and social media hoaxes have evolved from a nuisance into high-stakes information war, our frameworks for dealing with them have remained the same.

    We discuss counter-messaging, treating this as a problem of false stories rather than as an attack on our information ecosystem.

    Malign narratives have existed for a very long time, but today’s influence operations are materially different—the propaganda is shared by friends on popular social platforms. It’s efficiently amplified by algorithms, so campaigns achieve unprecedented scale. Adversaries leverage the entire ecosystem to manufacture the appearance of popular consensus. Content is created, tested, and hosted on platforms such as YouTube, Reddit, and Pinterest. It’s pushed to Twitter and Facebook, with standing audiences of hundreds of millions, and targeted at the most receptive. Trending algorithms are gamed to make content go viral—this often has the added benefit of mainstream media coverage on traditional channels including television.

    recommendation and search engines will continue to serve it up

    The Internet Research Agency, the Russian troll farm charged with interfering in the U.S. election, employed this playbook.

    This problem is one of the defining threats of our generation. Influence operations take advantage of our commitment to freedom of speech and the free flow of ideas.

    The IRA was not the only adversary to target American citizens online. The co-opting of social networks reached mainstream awareness in 2014 as ISIS established a virtual caliphate

    Social platforms have begun to take steps to reduce the spread of disinformation.

    Future campaigns will be compounded by the use of witting or unwitting people through whom state actors will filter their propaganda.

    Influence operations exploit divisions in our society using vulnerabilities in our information ecosystem.

    In the short term, our government, civil society, political organizations, and social platforms must prioritize immediate action to identify and eliminate influence campaigns, and to educate the public ahead of the 2018 elections. In the longer term, it’s time for an updated global Information Operations doctrine

    We should pursue the regulatory and oversight frameworks

    And we need structures for cooperation between the public and private sectors

    Finally, we should agree that deciding how to fight an information war should not be a partisan issue.

    Reply
  31. Tomi Engdahl says:

    Reuters:
    Sources: UK’s GCHQ questioned security of Huawei’s equipment in part because it uses US-based Wind River’s VxWorks OS, which will stop receiving patches in 2020

    Huawei in British spotlight over use of U.S. firm’s software
    https://www.reuters.com/article/us-huawei-security-britain-usa/huawei-in-british-spotlight-over-use-of-u-s-firms-software-idUSKBN1KQ001

    Huawei Technologies is facing increased scrutiny in Britain because it is using an aging software component sold by a firm based in the United States, one of the countries where lawmakers allege its equipment could facilitate Chinese spying, sources told Reuters.

    A report last month by a British government oversight board charged with analyzing Huawei equipment said it had found technical and supply chain “shortcomings” which exposed the country’s telecoms networks to new security risks.

    One of those is due to Huawei’s use of the VxWorks operating system, which is made by California-based Wind River Systems, said three people with knowledge of the matter.

    The sources said the version of VxWorks being used by Huawei will stop receiving security patches and updates from Wind River in 2020, even though some of the products it is embedded in will still be in service, potentially leaving British telecoms networks vulnerable to attack.

    “Third party software, including security critical components, on various component boards will come out of existing long-term support in 2020, even though the Huawei end of life date for the products containing this component is often longer,” the July report, which did not name VxWorks, said.

    U.S. and Australian lawmakers have said Huawei’s products can be used to facilitate Chinese espionage operations

    Reply
  32. Tomi Engdahl says:

    These companies are trying to win back your trust
    Wells Fargo says hundreds of customers lost homes after computer glitch
    https://money.cnn.com/2018/08/04/news/companies/wells-fargo-mortgage-modification/index.html

    By Jackie Wattles August 5, 2018: 10:06 AM ET
    Hundreds of people had their homes foreclosed on after software used by Wells Fargo incorrectly denied them mortgage modifications.

    The embattled bank revealed the issue in a regulatory filing this week and said it has set aside $8 million to compensate customers affected by the glitch.

    Reply
  33. Tomi Engdahl says:

    MikroTik routers enslaved in massive Coinhive cryptojacking campaign
    https://www.zdnet.com/article/mikrotik-routers-enslaved-in-massive-coinhive-cryptojacking-campaign/

    Hundreds of thousands of devices are mining cryptocurrency through power stolen from victims.

    A massive cryptojacking campaign has struck Brazil through the enslavement of MikroTik routers and networking devices.

    Latvia-based MikroTik provides network equipment for customers worldwide, and in this campaign, Brazil is the main country which has been targeted.

    Reply
  34. Tomi Engdahl says:

    Security
    ‘Unhackable’ Bitfi crypto-currency wallet maker will be shocked to find fingernails exist
    Backed by John McAfee so you know it’s going to be A+
    https://www.theregister.co.uk/2018/08/01/unhackable_bitfi_wallet/

    A crypto-currency wallet heavily promoted as “unhackable” – complete with endorsements from the security industry’s loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week.

    The $120 Wi-Fi-connected Bitfi wallet is a hardware device that stores your crypto-coins and assets, and requires a passphrase to access these goodies. The phrase is used to temporarily generate, for a few milliseconds, the private key needed to unlock the data, and is then discarded. So without the passphrase, you can’t get at the gizmo’s fun bux, allegedly.

    Having received acres of press coverage, the company then offered its own “bounty” of $250,000, presumably in an effort to sell more hardware. But then, of course, with glum inevitability, the whole thing has come crashing down.

    Reply
  35. Tomi Engdahl says:

    Salesforce cloud glitch blurted customer data at unauthorised users
    Put your minds at REST … there’s no ‘evidence of malicious behavior’
    https://www.theregister.co.uk/2018/08/06/salesforce_breach/

    Reply
  36. Tomi Engdahl says:

    Public Documents Reveal How the Branches of the US Military Are Instructed To Harness Internet Culture To Advance Their Own Messages
    https://yro.slashdot.org/story/18/08/06/1349232/public-documents-reveal-how-the-branches-of-the-us-military-are-instructed-to-harness-internet-culture-to-advance-their-own-messaging?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    An anonymous reader shares a report:
    It’s common practice for brands or government agencies to use social media marketing tactics — such as recognizing internet holidays like #WorldEmojiDay, #NationalDogDay, or #HumpDay using emojis, or generally speaking in a more conversational, down-to-earth tone — in order to spread their messaging and communicate with the public. However, the stakes behind military Twitter accounts are fundamentally different than that

    government organizations maintain social media handbooks to encourage curators to “create a voice and be authentic.” In the recent months, many branches of the military have been criticized for insensitive tweets.

    https://theoutline.com/post/5684/inside-bad-tweets-us-military-army-navy-air-force-marines-social-media?zd=1&zi=wifp7jru

    Reply
  37. Tomi Engdahl says:

    Chip flinger TSMC warns ‘WannaCry’ outbreak will sting biz for $250m
    But it could’ve been worse, shrugs Apple supplier
    https://www.theregister.co.uk/2018/08/06/tsmc_malware/

    Chipmaker TSMC has warned that a previously disclosed virus infection of its Taiwanese plant may cost it up to $250m.

    The malware struck on Friday, and affected a number of computer systems and fab tools over two days.

    “The degree of infection varied by fab,” the firm said in an update on Sunday. “TSMC contained the problem and found a solution. As of 14:00 Taiwan time, about 80 per cent of the company’s impacted tools have been recovered, and the company expects full recovery on August 6.”

    Although unnamed in its statement, TSMC execs reportedly blamed a variant of WannaCry, aka WannaCrypt, for the infection during the course of follow-up conference calls.

    TSMC warned that the incident is likely to “cause shipment delays and additional costs”.

    Reply
  38. Tomi Engdahl says:

    Facebook cracks open its bottle of Fizz – a carbonated TLS 1.3 lib
    Crypto-code unleashed to inflict security, performance and stability on devs
    https://www.theregister.co.uk/2018/08/06/facebook_tls_1_3_fizz/

    Looking for a TLS 1.3 library? Facebook has you covered. On Monday, the ads and data peddler plans to release Fizz, a TLS 1.3 library written in C++14, as an open source project.

    TLS 1.3 is the latest and greatest version of the Transport Layer Security protocol, the successor to Secure Sockets Layer or SSL, which encrypts network communication between clients and servers. Finalized as a specification in March, it features stronger security and more efficient networking than previous iterations.

    The protocol is still working its way into the wild.

    “It’s a drop-in replacement for TLS 1.2, uses the same keys and certificates, and clients and servers can automatically negotiate TLS 1.3 when they both support it,” he said. “There’s pretty good library support already, and Chrome and Firefox both have TLS 1.3 on by default.”

    That said, the rollout has had some rough spots.

    “Earlier draft versions did have some deployment challenges: a lot of middleboxes turned out to be broken in a way that caused failures with TLS 1.3,”

    https://github.com/facebookincubator/fizz

    Reply
  39. Tomi Engdahl says:

    Campaigns on Their Own as Cyber Threats Roil Midterms
    https://www.securityweek.com/campaigns-their-own-cyber-threats-roil-midterms

    NEW YORK (AP) — Kamala Harris has been the target of social media misinformation campaigns since she became a U.S. senator.

    Every month for the last 18 months, her office has discovered on average between three and five fake Facebook profiles pretending to be hers, according to a Harris aide. It’s unclear who creates the pages

    Such internet mischief has become commonplace in U.S. politics. Facebook announced earlier this week that it uncovered “sophisticated” efforts, possibly linked to Russia, to influence U.S. politics on its platforms. Senior intelligence officials declared Thursday that foreign adversaries continue waging a quiet war against U.S. campaigns and election systems.

    Still, one thing has become clear: With the midterm elections just three months away, campaigns are largely on their own in the increasingly challenging task of protecting sensitive information and countering false or misleading content on social media.

    Reply
  40. Tomi Engdahl says:

    Chip Giant TSMC Says WannaCry Behind Production Halt
    https://www.securityweek.com/chip-giant-tsmc-says-wannacry-behind-production-halt

    Chipmaker giant Taiwan Semiconductor Manufacturing Co (TSMC) said Monday the computer virus that brought its production to a halt for two days was a variant of the WannaCry ransomware that hit users all around the world.

    Reply
  41. Tomi Engdahl says:

    FCC admits it was never actually hacked
    https://techcrunch.com/2018/08/06/fcc-admits-it-was-never-actually-hacked/?utm_source=tcfbpage&sr_share=facebook

    The FCC has come clean on the fact that a purported hack of its comment system last year never actually took place, after a report from its inspector general found a lack of evidence supporting the idea. Chairman Ajit Pai blamed the former chief information officer and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.”

    The semi-apology and finger-pointing are a disappointing conclusion to the year-long web of obfuscation that the FCC has woven.

    Reply
  42. Tomi Engdahl says:

    Net neutrality activists, not hackers, crashed the FCC’s comment system
    https://techcrunch.com/2018/08/07/net-neutrality-activists-not-hackers-crashed-the-fccs-comment-system/?utm_source=tcfbpage&sr_share=facebook

    An unprecedented flood of citizens concerned about net neutrality is what took down the FCC’s comment system last May, not a coordinated attack, a report from the agency’s Office of the Inspector General concluded. The report unambiguously describes the “voluminous viral traffic” resulting from John Oliver’s Last Week Tonight segment on the topic, along with some poor site design, as the cause of the system’s collapse.

    FCC admits it was never actually hacked

    The FCC has come clean on the fact that a purported hack of its comment system last year never actually took place, after a report from its Inspector General found a lack of evidence supporting the idea.

    As the report notes, Bray shortly after the event issued a press release describing the system’s failure as “multiple distributed denial-of-service attacks.”

    However, internal email conversations and analysis of the traffic logs reveal that this characterization of the event was severely mistaken.

    Here it ought to be said that in the chaos of the moment and with incomplete time and information, an accurate diagnosis of a major systematic failure is generally going to be an educated guess at first — so we mustn’t judge Bray and his office too harshly for its mistake, at least in the immediate aftermath.

    But what becomes clear from the OIG’s investigation is that the DDoS narrative first advanced by Bray is not backed up by the evidence. Their own analysis of the logs clearly shows that the spikes in traffic correlate directly with activity from John Oliver’s Last Week Tonight.

    “The traffic observed during the incident was a combination of “flash crowd” activity and increased traffic volume resulting from [redacted] site design issues,” reads the report.

    It’s worth noting that this has already been looked at by federal prosecutors:

    “Because of the possible criminal ramifications associated with false statements to Congress, FCC OIG formally referred this matter to the Fraud and Public Corruption Section of the United States Attorney’s Office for the District of Columbia…On June 7, 2018, after reviewing additional information and interviews, USAO-DC declined prosecution.”

    What kind of operation is this? Why was FCC leadership not foaming at the mouth asking for better information?

    FCC says its cybersecurity measures to prevent DDoS attacks must remain secret

    The FCC has provided a few — very few — details of the steps it has taken to prevent attacks like the one that briefly took down its comment system in May.

    Pai denies that he or his office was aware of these shortcomings and opted not to rectify them because they were advantageous to his plan to reverse 2015’s net neutrality rules.

    The optics of a confusing and incomplete DDoS report aren’t good.

    What’s worse are the optics of a wave of public opposition to a controversial proposal, so strong that it literally took down the system created — and recently upgraded! — to handle that kind of feedback. This narrative, of a flood of pro-net-neutrality commenters so large that not only did it break the system, but many of their comments were arguably unable to be posted and (notionally) included in the FCC’s analysis — that, my friends, is a bad look.

    it seems unthinkable that the FCC and its current leadership can walk away from this unscathed. Ultimately this entire debacle took place under Ajit Pai’s watch, and his handling of it is at best dubious.

    Reply
