Cyber Security August 2018

This posting is here to collect security alert news in August 2018.

I post links to security vulnerability news to comments of this article.


428 Comments

  1. Tomi Engdahl says:

    Pentagon Restricts Use of Fitness Trackers, Other Devices
    By Associated Press on August 07, 2018
    https://www.securityweek.com/pentagon-restricts-use-fitness-trackers-other-devices

    WASHINGTON (AP) — Military troops and other defense personnel at sensitive bases or certain high-risk warzone areas won’t be allowed to use fitness-tracker or cellphone applications that can reveal their location, according to a new Pentagon order.

    Reply
  2. Tomi Engdahl says:

    New Method Discovered for Cracking WPA2 Wi-Fi Passwords
    By Eduard Kovacs on August 07, 2018
    https://www.securityweek.com/new-method-discovered-cracking-wpa2-wi-fi-passwords

    Developers of the popular password cracking tool Hashcat have identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.

    Jens ‘Atom’ Steube, the lead developer of Hashcat, revealed that the new attack method was discovered by accident during an analysis of the recently launched WPA3 security standard.

    According to Steube, the main difference between the new and older attacks is that the new method does not require capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), which is a network port authentication protocol. Instead, the attack targets the Robust Secure Network Information Element (RSN IE).

    RSN is a protocol designed for establishing secure communications over an 802.11 wireless network and is part of the 802.11i (WPA) standard.

    An attacker can use the hcxdumptool tool to request the PMKID from the targeted access point and dump the received frame to a file. Hcxdumptool can then be used to obtain a hash of the password that Hashcat can crack.

    Some members of the industry pointed out that while this new method can make the attack easier to conduct, brute-forcing is still involved.

    Reply
  3. Tomi Engdahl says:

    Let’s Encrypt Now Trusted by All Major Root Programs
    https://www.securityweek.com/lets-encrypt-now-trusted-all-major-root-programs

    Let’s Encrypt root, ISRG Root X1, is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry.

    Let’s Encrypt is a free, automated, and open Certificate Authority (CA) backed by the Linux Foundation that provides website owners with free digital certificates for their sites and handles the certificate management process for them.

    Launched by the Internet Security Research Group (ISRG) as an effort to drive HTTPS adoption

    Reply
  4. Tomi Engdahl says:

    Snapchat Source Code Leaked and Posted to GitHub
    https://motherboard.vice.com/en_us/article/ywkqew/snapchat-code-leaked-online-github-removed

    Snap confirmed to Motherboard that an iOS update recently exposed some of the company’s source code.

    “An iOS update in May exposed a small amount of our source code and we were able to identify the mistake and rectify it immediately,” a Snap spokesperson told Motherboard in an email. “We discovered that some of this code had been posted online and it has been subsequently removed. This did not compromise our application and had no impact on our community.”

    Reply
  5. Tomi Engdahl says:

    Justin Lynch / Fifth Domain:
    DHS official says at BlackHat that DHS-funded researchers found major vulnerabilities in phones sold by all four major US carriers, doesn’t list manufacturers — Research funded by the Department of Homeland Security has found a “slew” of vulnerabilities in mobile devices offered …

    New bugs leave millions of phones vulnerable to hackers
    https://www.fifthdomain.com/show-reporters/black-hat/2018/08/07/manufacturing-bugs-allow-millions-of-phones-to-be-taken-over-dhs-project-to-announce/

    Research funded by the Department of Homeland Security has found a “slew” of vulnerabilities in mobile devices offered by the four major U.S. cell phone carriers, including loopholes that may allow a hacker to gain access to a user’s data, emails, text messages without the owner’s knowledge.

    The flaws allow a user “to escalate privileges and take over the device,” Vincent Sritapan, a program manager at the Department of Homeland Security’s Science and Technology Directorate told Fifth Domain during the Black Hat conference in Las Vegas.

    The vulnerabilities are built into devices before a customer purchases the phone. Researchers said it is not clear if hackers have exploited the loophole yet.

    Millions of users in the U.S. are likely at risk.

    Researchers are expected to announce more details about the flaws later in the week.

    Sritapan said the vulnerabilities have been found in devices used by the four major carriers, which include Verizon, AT&T, T-Mobile, and Sprint. Other carriers are using the flawed devices as well, he said.

    Stavrou said that manufacturers were notified of the flaws as early as February.

    The research was spurred by vulnerabilities Kryptowire discovered in the Blu phone company. There, sensitive data was collected and transmitted to a third party without users’ knowledge.
    https://www.kryptowire.com/adups_security_analysis.html

    Reply
  6. Tomi Engdahl says:

    European workers hit by “security fatigue”
    https://www.itproportal.com/news/european-workers-hit-by-security-fatigue/
    Employees in Europe have been inundated with security messaging through their organisations, as well as the media. Clearly giving further warnings and adding procedures isn’t having the desired effect. If employees understand the risks, but aren’t acting on it, the answer is not to provide yet more training, but to bring in enhanced technology that can provide the assistance and the protection workers need to do their jobs.

    Reply
  7. Tomi Engdahl says:

    Consumer Reports now evaluates products’ security and privacy
    https://boingboing.net/2018/08/06/graceful-failure.html

    Consumer Reports is arguably America’s most trusted source of product reviews — published by Consumers Union, a venerable nonprofit with a deserved reputation for scrupulous care and neutrality — and for years it has been wrestling with how to address privacy and cybersecurity in modern products (disclosure: I have advised them some on this).

    In 2016, the magazine published a blockbuster security analysis of a horribly leaky pregnancy-tracking app; they hired a director of tech policy later that year; then they published a dire warning about crypto backdoors within a year; and were early doomsayers about SIM Swap scamming.

    Now they’ve gone all in: according to Geoffrey MacDougall, Consumer Reports’ head of partnership and strategy, they’ve broken new ground by explicitly factoring privacy and security into a product category roundup

    https://twitter.com/taliesan/status/1026469679659995136

    Big day for consumers and privacy advocates! First time privacy and security have factored directly into a Consumer Reports rating. Hopefully the start of something big and meaningful. Thanks to everyone who helped us get here!

    Reply
  8. Tomi Engdahl says:

    Telegram traffic from around the world took a detour through Iran
    https://www.cyberscoop.com/telegram-iran-bgp-hijacking/

    Data from the popular encrypted messenger app Telegram was hijacked by Iran’s state-owned telecommunications giant on Monday, a day before proposed protests over the country’s economic crisis.

    The move looks to be a BGP hijack, a practice where an intermediary illegitimately takes over groups of IP addresses so data originally destined for one place can be forcefully sent to another.

    Monday’s attacks were widely detected as they happened by Oracle’s InternetIntelligence and Cisco’s BGPMon.

    “Once a valid BGP hijack occurs, the hijacker can perform [man-in-the-middle] attacks, eavesdropping, etc.,” said Nico Waisman, a cybersecurity researcher at Cyxtera.

    Woodward added that organizations “whose traffic is hijacked currently have no effective technical means to prevent such attacks.”

    Iran’s minister of Information and Communications Technology confirmed the reports in a Tweet on Monday night, saying that “in the event of an error, whether inadvertent or intentional, the Telecommunication Company of Iran will be severely penalized.” An investigation is underway.

    Hijacking BGP is a common tactic used by both cybercriminals and nation-states for financial gain, surveillance and censorship. It’s happened everywhere from Italy to Russia to the United States.

    Reply
  9. Tomi Engdahl says:

    Health care cyber experts tout progress in vulnerability disclosure at BSides Vegas
    https://www.cyberscoop.com/health-care-cybersecurity-vulnerability-disclosure-bsides-las-vegas/

    The delicate process for disclosing software and hardware bugs in medical devices has made important strides in recent years, according to experts, as big manufacturers have set up disclosure programs and the threat of lawsuits against security researchers has receded. Health care cybersecurity hands are now looking to capitalize on what they say is growing trust between manufacturers and researchers to strengthen vulnerability disclosure in the industry.

    “There’s still a lot of work to be done to make it better, but man, has it come a far way,” Jay Radcliffe, a cybersecurity researcher at medical device manufacturer Boston Scientific, said at the BSides Las Vegas conference Tuesday. “And as a researcher, that makes me a lot more comfortable doing my disclosures and doing my research.”

    Radcliffe, who is diabetic, told the story of a presentation he gave at Black Hat in 2011 on hacking insulin pumps.

    “At that time, the state of disclosure was pretty chaotic,” he said. “I didn’t feel comfortable enough going to the manufacturer to disclose that before my talk” out of fear of getting sued.

    The Digital Millennium Copyright Act, for example, could have been used to prosecute researchers for accessing copyrighted data on a device. But a three-year exemption to that DMCA provision for “good faith” research, instituted in October 2015, has helped lift the specter of lawsuits.

    Reply
  10. Tomi Engdahl says:

    Health Care Data of 2 Million People in Mexico Exposed Online
    https://www.bleepingcomputer.com/news/security/health-care-data-of-2-million-people-in-mexico-exposed-online/

    A MongoDB database was exposed online that contained health care information for 2 million patients in Mexico. This data included information such as the person’s full name, gender, date of birth, insurance information, disability status, and home address.

    The database was discovered by security researcher Bob Diachenko via Shodan, which is a search engine for all Internet connected devices and not just web servers. When discovered, this database was fully exposed to the Internet and could be accessed and edited by anyone without a password.

    Hovahealth.com belonged to Hova Health, a technology company based out of Mexico that services the health care sector. It is not as clear who the efimed.care domain belongs to, but may be a government health service.

    Exposed MongoDB databases are nothing new, and with ransomware and other malware developers actively targeting the health care sector, it is important that administrators follow best practices when securing their databases.

    “Issues with MongoDB have been known since at least March of 2013 and have been widely reported since,”

    Telemedicine company exposed data of more than 2 million patients in Mexico
    https://www.linkedin.com/pulse/draft/AgF9Ma3EceoC2AAAAWUOuL48hIy2sW_c_L-Ul4I3UC26TKyeMXuq2VKLRNhlqJ3It9pngg8

    On August 3rd, I discovered that personal information of 2,373,764 patients from Mexico is publicly available through a misconfigured MongoDB instance. Data included such fields as:

    Full name and gender;
    CURP number (i.e. Personal ID Code Number, a unique identity code for both citizens and residents of Mexico);
    Insurance policy number and its expiration date;
    Date of birth;
    Home address;
    ‘Disability’ and ‘migrant’ flags

    Reply
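    Added here to illustrate the misconfiguration behind this kind of exposure (example code written for this page, not the researcher's or Hova Health's): a small checker that flags a mongod.conf which listens on all interfaces without authorization enabled. The two sample configs are constructed, and the parser is a hypothetical helper that only understands the two-level layout mongod.conf uses.

```python
"""Audit a mongod.conf for the two settings that make an instance world-readable:
listening on every interface and running with authorization disabled."""

# Constructed example of the kind of config behind an exposed instance
# (not the real configuration from the incident).
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# The same instance hardened: local-only bind plus mandatory authentication.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Hypothetical minimal parser for the 'section:\\n  key: value' layout of
    mongod.conf. Not a general YAML parser: comments and blank lines are
    skipped, and only one level of nesting is understood."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indented = line.startswith((" ", "\t"))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not indented:
            section = key
            conf[section] = value if value else {}
        elif section is not None and isinstance(conf[section], dict):
            conf[section][key] = value
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means no exposure detected."""
    conf = parse_simple_yaml(text)
    net = conf.get("net")
    if not isinstance(net, dict):
        net = {}
    security = conf.get("security")
    if not isinstance(security, dict):
        security = {}

    findings = []
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif "bindIp" not in net:
        # mongod 3.6+ defaults to localhost; older builds default to all interfaces
        findings.append("net.bindIp not set: builds before 3.6 default to all interfaces")
    else:
        addrs = [a.strip() for a in net["bindIp"].split(",")]
        if any(a in ("0.0.0.0", "::") for a in addrs):
            findings.append("net.bindIp includes a wildcard address: reachable "
                            "from the Internet unless firewalled")

    # Authorization is off by default: anyone who can connect can read and edit
    # every database, which is exactly what the researcher observed.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: no password required")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no exposure detected"])
```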
  11. Tomi Engdahl says:

    Research reveals de-identified patient data can be re-identified
    http://newsroom.melbourne.edu/news/research-reveals-de-identified-patient-data-can-be-re-identified

    University of Melbourne researchers have found that confidential patient data can be re-identified, without decryption, prompting calls for improved and strengthened algorithms for protecting individuals’ online privacy.

    Reply
  12. Tomi Engdahl says:

    ‘Data is a fingerprint’: why you aren’t as anonymous as you think online
    https://www.theguardian.com/world/2018/jul/13/anonymous-browsing-data-medical-records-identity-privacy

    So-called ‘anonymous’ data can be easily used to identify everything from our medical records to purchase histories

    Reply
  13. Tomi Engdahl says:

    Reporting Malicious Websites in 2018
    https://isc.sans.edu/diary/rss/23892

    Takedown Requests

    For takedown, contacting the abuse contact for the domain is a good first step. Especially if it’s an instance of a compromised site hosting malicious code. If you think the host was set up in bad faith, contacting the hoster’s abuse contact and the domain registrar is where you would want to go. Despite GDPR, abuse contact email addresses should still appear in the public records. Nowadays, cloud is more likely to be involved so here are the abuse reporting pages for the big ones:

    Amazon AWS: https://aws.amazon.com/forms/report-abuse
    Microsoft Azure: https://portal.msrc.microsoft.com/en-us/engage/cars
    Google Cloud: https://support.google.com/code/contact/cloud_platform_report?hl=en
    Salesforce: https://www.salesforce.com/company/abuse/
    Tencent: has an acceptable use policy – https://cloud.tencent.com/document/product/301/9245

    You may also run into something hosted on a Content Delivery Network.

    Cloudflare: https://www.cloudflare.com/abuse/
    Akamai: [email protected]

    Generally for takedown requests it’s best to stick to just the facts, and perhaps cite the terms of service and leave it at that. Threats of legal action or law enforcement just route your request over to the company’s legal team and your request doesn’t get worked. Should you not get the response that you were hoping for, it’s time to move on to phase two…

    Protecting Others

    Participate in improving herd immunity by reporting the malicious URL to various protection mechanisms. These break down into the following classes:

    Search Engines
    Browsers
    Browser Plugins
    AV and Proxy services
    DNS services

    Flagging a site in a search engine will help keep future folks from stumbling on the site.

    Google Safe Browsing: http://www.google.com/safebrowsing/report_badware/
    Bing is integrated with Internet Explorer; you can submit a URL under Tools / SmartScreen Filter / Report Unsafe Website

    Reply
  14. Tomi Engdahl says:

    Cyber incidents increased by 32% in the first quarter of 2018, compared with Q1 of 2017, according to Positive Technologies. The use of malware in cyberattacks rose 75% from a year earlier, while malware was involved in 63% of all attacks. The cybersecurity threatscape is seeing hackers go after account credentials and other personal data. Another leading concern is data theft, which was up 13% from 2017.

    https://www.ptsecurity.com/ww-en/about/news/293941/

    Reply
  15. Tomi Engdahl says:

    How hackers exploit critical infrastructure
    https://www.helpnetsecurity.com/2018/07/19/hackers-exploit-critical-infrastructure/

    The traditional focus of most hackers has been on software, but the historical focus of crime is on anything of value. It should come as no surprise, therefore, that as operational technology (OT) and industrial control system (ICS) infrastructure have become much more prominent components of national critical infrastructure, that malicious hacking activity would be increasingly targeted in this direction.

    It also stands to reason that the salient aspects of hacking – namely, remote access, automated tools, and weak attribution – would extend naturally to malicious targeting of critical OT/ICS infrastructure. These attributes are particularly attractive in this context, because criminals interested in disrupting factories, production systems, and other tangible infrastructure, previously had to establish physical presence or compromise some group with local access.

    The new approach to OT/ICS hacking involves a combination of traditional techniques with domain expertise of the systems being targeted – although little expertise might be required to trigger damage to an ICS/OT system.

    Reply
  16. Tomi Engdahl says:

    What Do I Need To Know about “SegmentSmack”
    https://isc.sans.edu/diary.html
    https://isc.sans.edu/forums/diary/What+Do+I+Need+To+Know+about+SegmentSmack/23964/

    “SegmentSmack” is yet another branded vulnerability, also known as CVE-2018-5390. It hit the “news” yesterday. Successful exploitation may lead to a denial of service against a targeted system. At this point, not a lot is known about this vulnerability. But here are some highlights:

    Linux Kernel 4.9 is vulnerable. Older versions are not vulnerable. However, some Linux distributions like RedHat ES 6 and 7 include the vulnerable code as they backported some of the 4.9 networking code into their kernels.
    An attacker should not be able to exploit this vulnerability using a spoofed IP address. The attacker needs to first establish a TCP connection, which is very difficult with a spoofed address.
    It is not known how much traffic the attacker will have to send. But likely not more than a user would send in a normal TCP connection.
    The attack can be launched against any exposed TCP service (Web, Mail, DNS…).
    The vulnerable functions, tcp_collapse_ofo_queue() and tcp_prune_ofo_queue(), are used to deal with reassembling TCP segments. This likely implies that an exploit would use many out of order or otherwise abnormal packets. But this is just a guess at this point.
    If you are vulnerable, your best bet is to update. There is likely not much else you can do (e.g. firewall rules).

    Reply
  17. Tomi Engdahl says:

    Has YOUR password been sold on the Dark Web? Security app becomes the first to monitor for leaked details on the murky side of the internet
    http://www.dailymail.co.uk/sciencetech/article-5999319/Dashlane-6-adds-dark-web-monitoring-password-manager.html

    Password manager Dashlane provides an overview of its users’ online security
    The latest update informs users about data breaches on the Dark Web
    Criminals use the Dark Web to sell login details, including emails and passwords
    Dashlane alerts users to accounts that need changes to ensure they are secure

    A computer security firm has released a new app that monitors the murky depths of the internet for leaked personal details (pictured). The software flags up specific website data breaches and the number of other online accounts affected.

    New York based firm Dashlane, best known for its password management software, this week launched Dashlane 6, the latest version of its flagship product.

    Password managers allow users to generate unique passwords for each of their online accounts. These login details are stored by the software, which also monitors for any data breaches and duplicate passwords across users’ accounts.

    Dashlane 6 includes the ability to monitor up to five email addresses for breaches on the dark web.

    Reply
  18. Tomi Engdahl says:

    Vulnerability research and responsible disclosure: Advice from an industry veteran
    https://www.helpnetsecurity.com/2018/07/23/vulnerability-research-responsible-disclosure/

    “Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look on their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab.

    At the beginning of every year, he puts forth a few topics that are currently relevant or may become relevant in the near future. But, also, things happen when they happen – they often stumble upon things during research and customer related consulting work, and they decide to deepen the research.

    One of the things he learned in his many years in the security field is that the more organizations spend on security from the very beginning, long before writing a single line of code, the more money they’ll save in the end.

    “Unfortunately, you can wave your security budget bye-bye if marketing says a new product needs to launch yesterday, even if that might introduce a ‘slight’ security risk. In the end, business and convenience always trump security concerns,” he notes.

    That’s one of the reasons why he thinks vulnerability research will remain an exciting field of work and skilled consultants/researchers won’t have to worry about finding a decent job.

    Advice for aspiring vulnerability researchers

    His advice to security professionals who would like to specialize in vulnerability research is not to do it for fame or quick money. He’s not a proponent of bug bounties, but says they can be used by researchers as an inspiration or as a test to see whether they are up to the challenge.

    “Don’t forget: You might invest a considerable amount of time into a bug bounty but then someone beats you to it or you just don’t find anything. There is no guaranteed reward at the end,” he notes.

    “Security bounties aim for quick fixes, but not solving underlying issues, and vendors use it to avoid integrating security at a technological level. If you’re serious, an established security company might be the better choice for the long run. Being a security consultant also means to show how to fix it, and that requires a lot of expertise and training on the job.”

    Reply
  19. Tomi Engdahl says:

    Academics Announce New Protections Against Spectre and Rowhammer Attacks
    https://www.bleepingcomputer.com/news/security/academics-announce-new-protections-against-spectre-and-rowhammer-attacks/

    Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer.

    Both these fixes are at the software level, meaning they don’t require CPU or RAM vendors to alter products, and could, in theory, be applied as basic software patches.

    Spectre v1 fix for Linux

    The first of these new mitigation mechanisms was announced on Thursday, last week. A research team from Dartmouth College in New Hampshire says it created a fix for Spectre Variant 1 (CVE-2017-5753), a vulnerability discovered at the start of the year affecting modern CPUs.

    Their fix uses ELFbac, an in-house-developed Linux kernel patch that brings access control policies to runtime virtual memory accesses of Linux processes, at the level of ELF binary executables.

    “The solution developed at Dartmouth uses ELFbac to securely partition a program’s address space,” researchers said. “This approach ensures that all data and code – including user secrets – are isolated from each other.”

    “The ELFbac policy approach denies access to Spectre and results in processing that is generally more secure,” researchers added.

    Reply
  20. Tomi Engdahl says:

    Bank on it: It’s either legal to port-scan someone without consent or it’s not, fumes researcher
    One rule for banks, another for us, says white hat
    https://www.theregister.co.uk/2018/08/07/halifax_bank_ports_scans/

    Halifax Bank scans the machines of surfers that land on its login page whether or not they are customers, it has emerged.

    Security researcher Paul Moore has made his objection to this practice – in which the British bank is not alone – clear, even though it is done for good reasons. The researcher claimed that performing port scans on visitors without permission is a violation of the UK’s Computer Misuse Act (CMA).

    Halifax has disputed this, arguing that the port scans help it pick up evidence of malware infections on customers’ systems. The scans are legal, Halifax told Moore in response to a complaint he made on the topic last month.

    Moore said he wouldn’t have an issue if Halifax carried out the security checks on people’s computers after they had logged on. It’s the lack of consent and the scanning of any visitor that bothers him. “If they ran the script after you’ve logged in… they’d end up with the same end result, but they wouldn’t be scanning visitors, only customers,” Moore said.

    According to Moore, when he called Halifax to complain, a representative told him: “We have to port scan your machine for security reasons.”

    “If security researchers operate in a similar fashion, we almost always run into the Computer Misuse Act, even if their intent isn’t malicious. The CMA should be applied fairly…”

    Reply
  21. Tomi Engdahl says:

    Support Scams fifth most common threat in July
    https://www.gdatasoftware.com/blog/2018/08/30952-support-scams-fifth-most-common-threat-in-july

    Tech support scams from call centers in India have long been a nuisance to Windows users. The fraudsters are currently particularly active, as demonstrated by internal numbers from G DATA.

    Tech support scams are currently an active threat for Windows-users, statistical information gathered by G DATA clearly demonstrates. Users are led to believe that their computers have viruses or other security problems and that a costly clean-up is necessary.

    The figures from G DATA show that this scam is currently one of the most common threats. In July, several thousand attempted infections were detected and blocked on any given day by the G DATA protection solutions. This type of attempted fraud is currently at position #5 of the most common types of threat that were blocked by G DATA.

    Reply
  22. Tomi Engdahl says:

    Batten down the ports: Linux networking bug SegmentSmack could remotely crash systems
    Patches incoming for kernel versions 4.9 and up
    https://www.theregister.co.uk/2018/08/07/segmentsmack/

    A networking flaw has been discovered in the Linux kernel that could trigger a remote denial-of-service attack.

    Versions 4.9 and up are “vulnerable to denial-of-service conditions with low rates of specially crafted packets”, according to a US-CERT advisory this week. The bug is being tracked as SegmentSmack (CVE-2018-5390).

    The flaw could be worse – there’s no remote code execution – but it’s an issue because hackers may be able to remotely tie up or crash vulnerable systems provided they are configured with an open port. Firewalls are a sufficient defence here.

    Fortunately patches are already available to address the vulnerability from a long list of networking, security, storage and open-source OS vendors.

    Reply
  23. Tomi Engdahl says:

    Voice of concern: Smart assistants are creating new openings for hackers
    Let’s talk about the security of smart speakers.
    https://www.cnet.com/news/voice-of-concern-smart-assistants-are-creating-new-openings-for-hackers/

    It didn’t take Shulman’s students long to find alarming vulnerabilities with Cortana, which can be used in laptops, computers, watches and phones.

    Shulman’s college assignment, disclosed at the Black Hat cybersecurity conference in Las Vegas on Wednesday, underscores the growing risk voice assistants and smart speakers pose as they show up in more and more homes. In the first quarter of 2018 alone, 9.2 million smart speakers shipped, with the majority of them featuring Amazon’s Alexa or Google Assistant. The market is growing smartly and researchers expect 55 percent of US households to have a digital voice assistant by 2022.

    Davis says the proliferation of voice assistants raises the likelihood they will be used in attacks in the future.

    Microsoft quickly fixed the vulnerabilities that both Shulman and McAfee discovered by disabling the ability to activate Cortana on locked devices.

    Reply
  24. Tomi Engdahl says:

    How insecure is your router?
    https://opensource.com/article/18/5/how-insecure-your-router?sc_cid=7016000000127ECAAY

    Your router is your first point of contact with the internet. How much is it increasing your risk?

    Reply
  25. Tomi Engdahl says:

    Facebook open sources library to enhance latest Transport Layer Security protocol
    https://techcrunch.com/2018/08/06/facebook-open-sources-library-to-speed-up-latest-transport-layer-security-protocol/?utm_source=tcfbpage&sr_share=facebook

    Facebook created an API library called Fizz to enhance the latest version, TLS 1.3, on Facebook’s networks. Today, it announced it’s open sourcing Fizz and placing it on GitHub for anyone to access and use.

    Reply
  26. Tomi Engdahl says:

    WhatsApp security snafu allows sneaky ‘message manipulation’
    You could put words in people’s mouths, claim researchers
    https://www.theregister.co.uk/2018/08/09/whatsapp_message_manipulation/

    Researchers claim to have uncovered weaknesses in WhatsApp that can be potentially exploited to manipulate messages in private and group conversations.

    With some social engineering trickery and custom extensions for popular network-packet-twiddling toolkit Burp Suite, they can apparently

    Essentially, you can potentially fake message content, quote it back, and sow the seeds of all sorts of confusion.

    Kevin Bocek, chief cybersecurity strategist at machine identity protection vendor Venafi, told us: “This was a serious flaw and it’s made possible thanks to machine identities – encryption keys and digital certificates that enable privacy and authentication between our devices, apps, and clouds.”

    https://research.checkpoint.com/fakesapp-a-vulnerability-in-whatsapp/

    Reply
  27. Tomi Engdahl says:

    Watch this 15-year-old hacker play DOOM on John McAfee’s ‘unhackable’ crypto-wallet
    https://thenextweb.com/hardfork/2018/08/09/hacker-doom-bitfi-cryptocurrency-wallet/

    John McAfee’s ‘unhackable’ cryptocurrency wallet – the one with a $250,000 bug bounty on it – has been cracked to run the iconic game DOOM, courtesy of a teenage security researcher.

    Keep in mind, Bitfi’s wallet is meant to be the world’s first ‘unhackable’ device, supposedly doubling as a secure cryptocurrency storage solution. But as we already know, this is hardly the case.

    John McAfee’s ‘unhackable’ Bitcoin wallet (allegedly) got hacked
    https://thenextweb.com/hardfork/2018/08/02/john-mcafees-unhackable-bitcoin-wallet-got-hacked/

    Reply
  28. Tomi Engdahl says:

    This Russian Spy Agency Is in the Middle of Everything
    https://www.thedailybeast.com/this-russian-spy-agency-is-in-the-middle-of-everything

    Only a few years ago, the GRU looked like it might be dissolved. But Putin found new uses for it: covert war in Ukraine and ‘active measures’ that helped Trump get elected.

    Robert Mueller indicted 12 GRU officers for hacking into computers of the Clinton campaign and the Democratic National Committee. The GRU allegedly was behind the recent poisonings of four people in Britain, including former GRU officer Sergei Skripal, who survived, and a woman accidentally exposed to the powerful nerve agent used, who died.

    The 2014 downing of Malaysia Airlines Flight 17 over Ukraine has been laid at the door of the GRU.

    Igor Korobov, the head of the GRU, was singled out personally for U.S. Treasury sanctions in March, along with his organization, even though he had already been sanctioned by the Obama administration in late 2016 for interference in our elections.

    “It was necessary to look each other in the eye and talk about issues that threaten us and the Americans.”
    — Russian intelligence veteran commenting on secret visit of Russian spy chiefs to Washington.

    “The chaos in Ukraine was a boon for the GRU.”
    — Mark Galeotti, War on the Rocks

    By one estimate, of the 7,000 GRU officers working in the Soviet era, only 2,000 remained. This included a 40-percent reduction among GRU staff at foreign embassies.

    As Galeotti pointed out: “The chaos in Ukraine was a boon for the GRU, which was one of the lead agencies both in the seizure of the Crimea in 2014 and the subsequent destabilization of the Donbas [Eastern Ukraine]. If the future means more ‘hybrid war’ operations, more interactions with warlords, gangsters, and insurgents, then this is much more the forte of the GRU than the SVR.”

    Although it is the job of the FSB, as a counterintelligence agency, to find spies and potential traitors within the military, there is some speculation that FSB officers passed information about the GRU’s hacking operations to American intelligence.

    Back in December 2016, by which time the GRU had been exposed, some high-level FSB officers in the FSB’s cybersecurity unit were arrested and charged with treason.

    Reply
  29. Tomi Engdahl says:

    Flaws in ATM Dispenser Controllers Allowed Hackers to Steal Cash
    https://www.securityweek.com/flaws-atm-dispenser-controllers-allowed-hackers-steal-cash

    Researchers have disclosed the details of two serious vulnerabilities affecting ATM currency dispensers made by NCR. The flaws have been patched, but they could have been exploited to install outdated firmware and get ATMs to dispense cash.

    Positive Technologies experts Vladimir Kononovich and Alexey Stennikov have conducted a successful black box attack against the NCR S1 and S2 cash dispenser controllers. In these types of attacks, the attacker only sees inputs and outputs, without having any knowledge of the system’s internal workings.

    The method, which the researchers described as a “logical attack,” requires physical access to the targeted device. In this particular case, an attacker could have leveraged the poor physical security of the targeted dispenser controller to connect to it, install vulnerable firmware, and issue commands that would instruct the machine to dispense cash.

    The experts disclosed their findings this week at the Black Hat security conference in Las Vegas.

    http://i.blackhat.com/us-18/Thu-August-9/us-18-Stennikov-Blackbox-is-dead–Long-live-Blackbox!.pdf

    Reply
  30. Tomi Engdahl says:

    A Guided Tour of the Asian Dark Web
    https://www.securityweek.com/guided-tour-asian-dark-web

    The Asian dark web is not well known. Most people just think of Russia when thinking about underground hacking forums. To gain a better understanding of Asian onion sites and black markets, researchers from IntSights embarked on a six-month long investigation and analysis.

    The results, published this week at Black Hat, show a diverse, culturally sensitive and wider than perhaps expected Asian dark web. Along with the report, IntSights’ director of threat research, Itay Kozuch, took SecurityWeek on a guided tour of the Asian dark web.

    Reply
  31. Tomi Engdahl says:

    New G Suite Alerts Provide Visibility Into Suspicious User Activity
    https://www.securityweek.com/new-g-suite-alerts-provide-visibility-suspicious-user-activity

    After bringing alerts on state-sponsored attacks to G Suite last week, Google is now also providing administrators with increased visibility into user behavior to help identify suspicious activity.

    Courtesy of newly introduced reports, G Suite administrators can keep an eye on account actions that seem suspicious and can also choose to receive alerts when critical actions are performed.

    Admins can set alerts for password changes, and can also receive warnings when users enable or disable two-step verification or when they change account recovery information such as phone number, security questions, and recovery email.

    Reply
  32. Tomi Engdahl says:

    Back to Basics: Retro Cybersecurity Lessons Still Matter
    https://www.securityweek.com/back-basics-retro-cybersecurity-lessons-still-matter

    We are all too familiar with the game of leapfrog being played between cybersecurity personnel and hackers as stories of data theft, identity theft and malware are reported daily. Luckily, technology is often on our side. Machine learning can now watch for strange and unexpected behaviors, alert artificial intelligence systems when an anomaly is spotted and trigger automated actions in the blink of an eye to quarantine an infected system or alert the security team to quickly act.

    So, it’s all good? Not so fast. People are becoming complacent and ignoring the basic lessons we learned decades ago. Technology has advanced immensely since 1990 when the term “cybersecurity” arrived on the scene.

    We need to remember best practices, personally and in business:

    ● Change your password regularly and follow complexity guidelines. Ideally, a password is no less than eight characters with a mix of letter case, numbers and symbols.

    ● Don’t reuse passwords. For business especially, identity and access management systems can ensure unique passwords and prevent reuse.

    ● Use two-factor authentication where possible, but remember two-factor authentication that’s backed by a weak password can still prove ineffective.

    Some key tips to keep in mind include:

    ● Always use the most recent anti-virus software available and ensure that it’s updated regularly for the latest signatures.

    ● Avoid disabling advanced features. When you keep your security products up to date, you can ensure that the best protection for your organization is always available. Current toolkits are cloud-enabled, so if a new threat is detected, you can make sure you are protected in real time.

    ● Ignore the old arguments that anti-virus “slows down my computer.” While this may have been true with the inefficient software of the 1990s, computers today are so powerful and have such well-managed software that antivirus won’t have more than a two percent impact on performance – a hardly noticeable amount.

    This is what we should be thinking about in 2018:

    ● Your network sees everything – every spreadsheet, every email, every anomaly. It’s like a digital heartbeat – it needs to be monitored for fluctuations.

    ● Leverage intelligence. Remember that not all devices have built-in security – like IoT sensors or industrial controls – and cannot self-protect. Network intelligence turns data and actionable insight into your security posture, which can be used to create dynamic policies for faster mitigation and remediation of threats.

    ● Security solutions must work together. It’s rare today for an organization to rely on a single vendor for all their cybersecurity needs – but it’s imperative that all solutions leverage the same intelligence, use the same policies and work cohesively.

    Reply
  33. Tomi Engdahl says:

    Flaw in BIND Security Feature Allows DoS Attacks
    https://www.securityweek.com/flaw-bind-security-feature-allows-dos-attacks

    The Internet Systems Consortium (ISC) revealed on Wednesday that the BIND DNS software is affected by a serious vulnerability that can be exploited for denial-of-service (DoS) attacks.

    The flaw, discovered by Tony Finch of the University of Cambridge and tracked as CVE-2018-5740, can be exploited remotely and it has been assigned a CVSS score of 7.5, which makes it “high severity.”

    However, the vulnerability only impacts servers on which a feature called “deny-answer-aliases” has been enabled. The feature is disabled by default.

    Reply
  34. Tomi Engdahl says:

    DarkHydrus Uses Open Source Phishery Tool in Middle-East Attacks
    https://www.securityweek.com/darkhydrus-uses-open-source-phishery-tool-middle-east-attacks

    The recently detailed DarkHydrus threat group is leveraging the open-source Phishery tool to create malicious documents used in attacks on government entities in the Middle East, Palo Alto Networks warns.

    Reply
  35. Tomi Engdahl says:

    Reconnaissance, Lateral Movement Soar in Manufacturing Industry
    https://www.securityweek.com/reconnaissance-lateral-movement-soar-manufacturing-industry

    An unusually high volume of malicious internal reconnaissance and lateral movement has been observed in the manufacturing industry, which experts believe is a result of the rapid convergence between IT and OT networks.

    The data comes from the 2018 Spotlight Report on Manufacturing released on Wednesday by threat detection company Vectra. The report is based on observations from another report released on Wednesday by the company, the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which shows attacker behavior and trends across nine industries.

    The Attacker Behavior Industry Report shows that Vectra has detected a significant number of threats in manufacturing companies. This industry has generated the third highest number of detections, after the education and energy sectors.

    Reply
  36. Tomi Engdahl says:

    DDoS Attacks Less Frequent But Pack More Punch: Report
    https://www.securityweek.com/ddos-attacks-less-frequent-pack-more-punch-report

    There were seven times more distributed denial-of-service (DDoS) attacks larger than 300 Gbps (gigabits per second) observed during the first six months of 2018 compared to the first half of 2017, NETSCOUT Arbor reveals.

    According to the security company’s latest threat intelligence report, the number of large DDoS attacks jumped from 7 to 47 year-over-year in the first half of 2018, and the average DDoS attack size grew 174% during that period. The overall frequency of attacks, however, went down 13%.

    The overall assault size was driven by novel techniques and has seen an increase of 37% since memcached appeared (memcached amplification fueled a 1.7 Tbps attack earlier this year). Between March and June 2018, the number of vulnerable (and accessible) memcached servers dropped from 17,000 to 550.

    Reply
  37. Tomi Engdahl says:

    Leaked GitHub API Token Exposed Homebrew Software Repositories
    https://www.securityweek.com/leaked-github-api-token-exposed-homebrew-software-repositories

    A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repositories (repos).

    Around since 2009, Homebrew is a free and open-source software package management system that is integrated with command line and which allows for simple installation of software on macOS machines.

    Reply
  38. Tomi Engdahl says:

    Researchers Find Flaws in WPA2′s 4-way Handshake Implementations
    https://www.securityweek.com/researchers-find-flaws-wpa2s-4-way-handshake-implementations

    Researchers have discovered several security vulnerabilities in implementations of Wi-Fi Protected Access two (WPA2)’s 4-way handshake, which is used by nearly all protected Wi-Fi networks.

    The discovery was the result of simulating cryptographic primitives during symbolic execution for the analysis of security protocol implementations, KU Leuven researchers Mathy Vanhoef and Frank Piessens explain in a recently published whitepaper (PDF).

    By applying the technique on three client-side implementations of WPA2’s 4-way handshake, the researchers discovered timing side-channels when verifying authentication tags, a denial-of-service attack, a stack-based buffer overflow, and a non-trivial decryption oracle.

    https://papers.mathyvanhoef.com/woot2018.pdf

    Reply
  39. Tomi Engdahl says:

    Google Hacker Asks Tim Cook to Donate $2.45 Million In Unpaid iPhone Bug Bounties
    https://motherboard.vice.com/en_us/article/7xqdxe/google-project-zero-hacker-iphone-bug-bounty

    A Google security researcher says that he’s found 30 vulnerabilities in iOS that have made Apple’s software more secure—and he wants the company to pay up.

    Reply
  40. Tomi Engdahl says:

    Free Facial Recognition Tool Can Track People Across Social Media Sites
    https://thehackernews.com/2018/08/social-mapper-osint.html

    Security researchers at Trustwave have released a new open-source tool that uses facial recognition technology to locate targets across numerous social media networks on a large scale.

    Dubbed Social Mapper, the facial recognition tool automatically searches for targets across eight social media platforms, including—Facebook, Instagram, Twitter, LinkedIn, Google+, the Russian social networking site VKontakte, and China’s Weibo and Douban—based on their names and pictures.

    The tool’s creators claim they developed the Social Mapper intelligence-gathering tool predominantly to help pen testers and red teamers with social engineering attacks.

    Mapping Social Media with Facial Recognition: A New Tool for Penetration Testers and Red Teamers
    https://www.trustwave.com/Resources/SpiderLabs-Blog/Mapping-Social-Media-with-Facial-Recognition–A-New-Tool-for-Penetration-Testers-and-Red-Teamers/

    Reply
  41. Tomi Engdahl says:

    Researchers Release Free TRITON/TRISIS Malware Detection Tools
    https://www.darkreading.com/threat-intelligence/researchers-release-free-triton-trisis-malware-detection-tools/d/d-id/1332520

    Team of experts re-creates the TRITON/TRISIS attack to better understand the epic hack of an energy plant that ultimately failed.

    Reply
  42. Tomi Engdahl says:

    Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families
    https://securingtomorrow.mcafee.com/mcafee-labs/examining-code-reuse-reveals-undiscovered-links-among-north-koreas-malware-families/

    This research is a joint effort by Jay Rosenberg, senior security researcher at Intezer, and Christiaan Beek, lead scientist and senior principal engineer at McAfee. Intezer has also posted this story.

    Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to have come from North Korea. But how can we know with certainty? And what connection does a DDoS and disk-wiping attack from July 4, 2009, have with WannaCry, one of the largest cyberattacks in the history of the cyber sphere?

    From the Mydoom variant Brambul to the more recent Fallchill, WannaCry, and the targeting of cryptocurrency exchanges, we see a distinct timeline of attacks beginning from the moment North Korea entered the world stage as a significant threat actor.

    https://www.intezer.com/examining-code-reuse-reveals-undiscovered-links-among-north-koreas-malware-families/

    Reply
  43. Tomi Engdahl says:

    If for some reason you’re still using TKIP crypto on your Wi-Fi, ditch it – Linux, Android world bug collides with it
    Patch wpa_supplicant and/or kill off key protocol, thanks
    https://www.theregister.co.uk/2018/08/09/wifi_eapol_oracle_attack/

    It’s been a mildly rough week for Wi-Fi security: hard on the heels of a WPA2 weakness comes a programming cockup in the wpa_supplicant configuration tool used on Linux, Android, and other operating systems.

    The flaw can potentially be exploited by nearby eavesdroppers to recover a crucial cryptographic key exchanged between a vulnerable device and its wireless access point – and decrypt and snoop on data sent over the air without having to know the Wi-Fi password. wpa_supplicant is used by Linux distributions and Android, and a few others, to configure the Wi-Fi for computers, gadgets, and handhelds.

    Reply
  44. Tomi Engdahl says:

    Accenture reveals all on today’s biggest cyberthreats
    By Anthony Spadafora, 2018-08-09T17:08:36Z
    https://www.itproportal.com/news/accenture-reveals-all-on-todays-biggest-cyberthreats/

    Accenture’s new report highlights the top five cyber threats to look out for during the second half of 2018.

    Reply
  45. Tomi Engdahl says:

    When Cameras and Routers attack Phones. Spike in CVE-2014-8361 Exploits Against Port 52869
    https://isc.sans.edu/forums/diary/When+Cameras+and+Routers+attack+Phones+Spike+in+CVE20148361+Exploits+Against+Port+52869/23942/

    Universal Plug and Play (UPnP) is the gift that keeps on giving. One interesting issue with UPnP (aside from the fact that it never ever should be exposed to the Internet, but often is), is the fact that it can be reached via various routes. One of the lesser used routes is SOAP requests via TCP port 52869.

    CVE-2014-8361 is one vulnerability that is affecting the Realtek implementation of this UPnP over SOAP protocol. Realtek distributes an SDK to make it easier to implement this protocol. As part of the SDK, it ships “miniigd”, which is Realtek’s daemon used to listen for and parse these SOAP requests. Over the years, researchers have found a couple of vulnerabilities in this service.

    https://nvd.nist.gov/vuln/detail/CVE-2014-8361

    Reply
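    A defender-side check for the exposure the diary describes, added here as an example and not code from the SANS diary: it scans firewall-style log lines for UPnP traffic on TCP/52869 (the SOAP route above) arriving from outside RFC1918 space, and also flags the standard SSDP discovery port UDP/1900, which the diary does not mention. The log format, addresses and function names are constructed for the example.

```python
"""Flag UPnP traffic (TCP/52869 SOAP, UDP/1900 SSDP) reaching a device from
outside the local network.  Added example; the log format below is a
constructed, simplified one and not any real vendor's."""
import ipaddress
import re
from collections import Counter

# Constructed log line shape:
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP) (?P<bytes>\d+)$"
)

# Ports where UPnP is reachable: Realtek miniigd SOAP (diary) and SSDP discovery.
UPNP_PORTS = {("TCP", 52869), ("UDP", 1900)}

# Address space we consider "inside"; anything else is treated as Internet-sourced.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample: one LAN-side request, three Internet-side ones, one unrelated, one junk.
SAMPLE_LOGS = """\
2018-08-09T10:00:01Z 192.168.1.20:51234 -> 192.168.1.1:52869 TCP 812
2018-08-09T10:00:02Z 203.0.113.7:44021 -> 198.51.100.9:52869 TCP 1460
2018-08-09T10:00:03Z 203.0.113.7:44022 -> 198.51.100.9:52869 TCP 1460
2018-08-09T10:00:04Z 203.0.113.8:60000 -> 198.51.100.9:1900 UDP 300
2018-08-09T10:00:05Z 192.168.1.21:50000 -> 192.168.1.1:80 TCP 500
garbage line that does not parse
"""


def is_external(ip: str) -> bool:
    """True when the address is outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_upnp(log_text: str):
    """Return (src_ip, dst_ip, proto, dport) for UPnP-port traffic from external sources."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        key = (m["proto"], int(m["dport"]))
        if key in UPNP_PORTS and is_external(m["src"]):
            hits.append((m["src"], m["dst"], m["proto"], int(m["dport"])))
    return hits


def summarize(hits):
    """Count hits per (source, destination port) so a spike like the diary's stands out."""
    return Counter((src, dport) for src, _dst, _proto, dport in hits)


if __name__ == "__main__":
    found = find_exposed_upnp(SAMPLE_LOGS)
    for src_dport, count in summarize(found).most_common():
        print(f"{src_dport[0]} -> port {src_dport[1]}: {count} external UPnP request(s)")
```

    Any non-zero result means the UPnP service answers on an Internet-facing interface, which is the condition the diary says should never hold.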
  46. Tomi Engdahl says:

    Industrial Sector Targeted in Highly Personalized Spear-Phishing Campaign
    https://www.darkreading.com/attacks-breaches/industrial-sector-targeted-in-highly-personalized-spear-phishing-campaign-/d/d-id/1332477

    At least 400 companies in Russia have been in the bullseye of new, sophisticated spear-phishing attacks, Kaspersky Lab says.

    Reply
  47. Tomi Engdahl says:

    “A Horrifically Bad Idea”: Smartphone Voting Is Coming, Just in Time for the Midterms
    https://www.vanityfair.com/news/2018/08/smartphone-voting-is-coming-just-in-time-for-midterms-voatz

    A Boston-based start-up promises to let West Virginians vote via app. Critics call it “the Theranos of voting.”

    Enter Voatz. With a name reminiscent of a plot device in Idiocracy, Voatz is a mobile election-voting-software start-up that wants to let you vote from your phone. In the upcoming midterm elections, West Virginians serving overseas will be the first in the U.S. to be able to vote via a smartphone app using Voatz technology, CNN reported Monday. The Boston-based company raised $2.2 million earlier this year, helped along by buzzwords such as “biometrics” and “blockchain,” which it claims allows it to secure the voting process. Its app reportedly requires voters to take and upload a picture of their government-issued I.D., along with a selfie-style video of their face, which facial-recognition technology then uses to ensure the person pictured in the I.D. and the person entering a vote are the same. The ballots are anonymized and recorded on the blockchain.

    Security experts, to put it mildly, are not impressed.

    Reply
  48. Tomi Engdahl says:

    FreeBSD has its own TCP-queue-of-death bug, easier to hose than Linux’s SegmentSmack
    Also: Juniper jumps on its stack
    https://www.theregister.co.uk/2018/08/08/freebsd_tcp_queue_vulnerability/

    Hard on the heels of the Linux kernel’s packets-of-death attack dubbed SegmentSmack, a similar vulnerability has been disclosed and fixed in FreeBSD.

    Attributed to SegmentSmack discoverer Juha-Matti Tilli of Aalto University in Finland, the FreeBSD TCP issue is related to how the operating system’s networking stack reassembles segmented packets. Much in the same way Linux kernel versions 4.9 and higher can be brought down by bad network traffic, a sequence of maliciously crafted packets can also crash FreeBSD machines.

    Reply
  49. Tomi Engdahl says:

    This Guy Hacked Hundreds Of Planes From The Ground
    https://www.forbes.com/sites/thomasbrewster/2018/08/09/this-guy-hacked-hundreds-of-planes-from-the-ground/#665cac546f2f

    Throughout November and December last year, Ruben Santamarta sat in front of his computer peeking inside the technical bowels of hundreds of aircraft flying thousands of meters above him. That included commercial aircraft operated by some of the biggest airlines in the world. He believes it may’ve been the first time anyone had hacked planes from the ground by taking advantage of weaknesses in satellite equipment.

    The cybersecurity researcher could, if he’d been so inclined to break the law, have hacked those onboard systems, snooped on the onboard Wi-Fi and carried out surveillance on all connected passenger devices. Fortunately, the safety systems on the planes were not at risk.

    All could be exploited remotely, without needing physical access to the hardware.

    Among the various airlines that had aircraft containing vulnerable kit were Southwest and Norwegian Airlines, according to the researcher.

    A Southwest spokesperson said it learned of the issues via the US-CERT

    Two of the manufacturers that produced and shipped the satellite and onboard Wi-Fi tech, Hughes and Global Eagle

    Uncloaking military bases

    The weaknesses in satcom kit also allowed Santamarta to spy on cargo ships and uncover supposedly hidden military bases.

    Rodriguez told Forbes it would be possible to gain a foothold on a plane’s in-flight network via Santamarta’s hacks from the ground, before exploiting the (now patched) WingOS vulnerability.

    told Forbes that not all the issues have been patched.

    “I think there are still [open] attack vectors,”

    Reply
