A new program aims to provide white hat hackers and companies running bug bounty and vulnerability disclosure programs with open source legal guidelines to avoid issues sometimes associated with security research.
Launched jointly on Thursday by Bugcrowd and Amit Elazari, a University of California Berkeley doctoral candidate, Disclose.io can be adopted by any organization running a bug bounty or disclosure program. The initiative offers boilerplate language that a company can use as terms between it and security researchers who want to disclose a bug.
Bugcrowd asserts that current laws, such as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) have a chilling effect on security research. Research conducted in order to find software vulnerabilities is often perceived as malicious hacking
. “Standardization is the best way to negate any legal or reputational blowback, while still attracting the best hunters to your program.”
Thursday was the official start of the 26th annual DEF CON hacker convention, this year spread out between Caesars Palace and The Flamingo.
the hacking villages where people practice remotely hijacking cars and breaking into voting machines are still getting set up
But DEF CON is so much more than the official talks and villages. Indeed, a huge draw of the annual cybersecurity pilgrimage is getting the chance to meet up with your brethren from around the world who just so happen to share a likeminded inclination to see what they can get away with.
According to a newly released State Department cable, the attack was part of a Russian campaign to sow disinformation about NATO. It came as Russia allegedly was stealing Democrats’ emails.
The cable is the first confirmation that Russia was suspected in the March 2016 attacks in Sweden, which came as the Swedish government was debating whether to approve a cooperation treaty with NATO.
“Russia has focused significant resources on specific Partners, like Sweden and Finland,” the cable notes in a section marked SBU — sensitive but unclassified. “Russian actors are suspected of being behind recent efforts to infiltrate Sweden with distorted and false information about NATO in the Swedish press, at think tank events, and on social media.”
It adds, “Russia is also suspected of carrying out cyberattacks against Swedish media outlets in March 2016.”
Trend Micro researchers have discovered a malware listing on Dark Web marketplace that lets attackers steal from Bitcoin ATMs. They can easily rake in cryptocurrency worth 6,750 in Euros, Pounds or Dollars by attacking the ATMs.
It’s not just inciting violence, threats and hate speech that will get Facebook to remove posts by you or your least favorite troll. Endangering someone financially, not just physically, or tricking them to earn a profit are now also strictly prohibited.
As a relentless swarm of successful cyber attacks severely disrupt companies in every industry and require enormous expenditures to repair the damage, what typically gets lost in the shuffle is that some industries are victimized more than others — sometimes far more. The corporate victim that almost always grabs this dubious spotlight is the healthcare industry — the second-largest industry in the U.S. and one in which hacker meddling of operations not only costs lots of time, money and operational downtime, but threatens lives.
The healthcare industry itself is partly responsible. In a seemingly admirable quest to maximize the quality of patient care, tunnel vision gives short shrift to other priorities, specifically cybersecurity.
In aggregate, healthcare organizations on average spend only half as much on cybersecurity as other industries.
Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU, security researcher Christopher Domas told the Black Hat conference here Thursday (Aug. 9).
The command — “.byte 0x0f, 0x3f” in Linux — “isn’t supposed to exist, doesn’t have a name, and gives you root right away,” Domas said, adding that he calls it “God Mode.”
The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces (“userland”) run in ring 3
“We have direct ring 3 to ring 0 hardware privilege escalation,” Domas said. “This has never been done.”
That’s because of the hidden RISC chip, which lives so far down on the bare metal that Domas half-joked that it ought to be thought of as a new, deeper ring of privilege
“These black boxes that we’re trusting are things that we have no way to look into,” he said. “These backdoors probably exist elsewhere.”
Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents.
We’ve got bad news for all those who use their web browser’s private browsing mode – such as Chrome’s Incognito Mode – in order to covertly Google their poop-related medical questions, search for other jobs while at work, or, as is most likely the case – look at porn.
Firstly, none of the private modes offered by the major browsers can protect your online history from being viewed by Internet service providers or government agencies, block third-party groups from tracking your activity or determining your geographical location, nor prevent viruses and malware from infecting your computer. Instead, the modes are designed to simply stop cookies and autofill details from being saved on the user’s local device.
At DEF CON, one of the world’s largest hacking conferences, hackers clad in black hoodies made headlines last year when they exposed an array of structural vulnerabilities in voting technology, successfully hacking into every voting machine they attempted to breach.
Children as young as 5 will compete to hack election results websites, and DEF CON has partnered with children’s hacking organization r00tz Asylum to award prizes to the first and youngest kids to breach the sites and hack equipment.
Jake Braun, a former White House liaison for the U.S. Department of Homeland Security, told ABC News that the conference decided to invite young hackers because it would be a “waste of time” to demonstrate that cybersecurity experts can hack election results reporting sites.
“These websites are so easy to hack we couldn’t give them to adult hackers — they’d be laughed off the stage,”
Bianca Lewis, 11, has many hobbies. She likes Barbie, video games, fencing, singing… and hacking the infrastructure behind the world’s most powerful democracy.
“I’m going to try and change the votes for Donald Trump,” she tells me.
“I’m going to try to give him less votes. Maybe even delete him off of the whole thing.”
Fortunately for the President, Bianca is attacking a replica website, not the real deal.
She’s taking part in a competition organised by R00tz Asylum, a non-profit organisation that promotes “hacking for good”.
Project Zero researcher highlights stubborn iOS bugs as an example of why Apple and the rest of the industry needs to take a fresh approach to securing systems.
Beer said he doesn’t blame individual security researchers. Instead, he saved his criticism toward organizations with security leads that have an academic background versus an exploit background.
“Undeniably these people have really strong engineering security skillsets. But, they don’t have an exploitation background… Their focus is on the design of the system and not on exploitation,” he said. “Please, we need to stop just spot-fixing bugs and learn from them, and act on that.”
Beer said each bug needs to be a lesson where a security lead needs to ask: “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could of found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”
According to a newly released State Department cable, the attack was part of a Russian campaign to sow disinformation about NATO. It came as Russia allegedly was stealing Democrats’ emails.
A publicly accessible Amazon S3 bucket was found storing documents apparently detailing GoDaddy infrastructure running in the Amazon AWS cloud, UpGuard reveals.
GoDaddy is considered the world’s largest domain name registrar and, as of this year, is also the largest web hosting provider by market share. It is also one of the largest SSL certificate providers. The company has over 17 million customers and handles more than 76 million domain names.
The improperly secured Amazon S3 bucket, which was discovered in June, included documents revealing “high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios,” UpGuard says.
Named abbottgodaddy, the S3 bucket included iterations of an Excel spreadsheet, the last of which was 17MB in size and included multiple sheets and tens of thousands of rows.
Oracle informed customers late on Friday that its Database product is affected by a critical vulnerability. Patches have been released and users have been advised to install them as soon as possible.
The security hole, tracked as CVE-2018-3110 with a CVSS score of 9.9, affects Oracle Database 11.2.0.4 and 12.2.0.1 on Windows. Version 12.1.0.2 on Windows and Database running on Unix or Linux are also impacted, but patches for these versions were included in Oracle’s July 2018 CPU.
The vulnerability, present in the Java VM component of Oracle Database Server, can be exploited to take complete control of the product and obtain shell access to the underlying server.
However, the vendor noted that the weakness cannot be exploited remotely without authentication
A researcher has discovered that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems.
Back in 2014, IOActive Principal Security Consultant Ruben Santamarta published a research paper describing theoretical attack scenarios on satellite communications. The expert resumed his research in November 2017, after taking a look at the in-flight entertainment system during a Norwegian flight.
After passively collecting traffic from the airplane’s Wi-Fi network, Santamarta noticed that several commonly used services, such as Telnet, HTTP and FTP, were available for certain IP addresses, and some interfaces associated with the plane’s on-board satellite communications (satcom) modems were accessible without authentication.
Further research into satcom systems revealed the existence of various types of vulnerabilities, including insecure protocols, backdoors, and improper configuration that could allow attackers to take control of affected devices. The expert disclosed his findings this week at the Black Hat security conference in Las Vegas.
Researchers have disclosed the details of two serious vulnerabilities affecting ATM currency dispensers made by NCR. The flaws have been patched, but they could have been exploited to install outdated firmware and get ATMs to dispense cash.
Positive Technologies experts Vladimir Kononovich and Alexey Stennikov have conducted a successful black box attack against the NCR S1 and S2 cash dispenser controllers.
A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repositories (repos).
Around since 2009, Homebrew is a free and open-source software package management system that is integrated with command line and which allows for simple installation of software on macOS machines.
Researchers have demonstrated that brand new Mac computers used in enterprise environments can be hacked by sophisticated threat actors on the first boot through Apple’s mobile device management (MDM) protocol.
MDM is designed to allow system administrators to send management commands to managed macOS and iOS devices, including to install or remove applications, monitor compliance with corporate policies, and securely erase or lock a device.
Security Teams Can Shift the Risk/Reward Ratio and Make ERP Applications Less Attractive Targets
A confluence of factors is putting hundreds of thousands of implementations of Enterprise Resource Planning (ERP) applications at risk of cyber attacks. These factors include the following:
● Cyber attackers can focus their efforts. The vast majority of large organizations have implemented ERP applications from one of two market leaders – SAP and Oracle. This means that attackers can concentrate on understanding and finding weaknesses within just one or both applications.
● The rewards are big. The largest organizations in the world support their most critical business processes and house their most sensitive information in these systems.
● They can leverage known vulnerabilities. ERP customers struggle to stay up to date with security vulnerabilities, secure configurations and security patches for a variety of reasons, including: complex system architecture, a high number of interfaces and integrations, customized functionality and little tolerance for system downtime. As a result, many organizations are implementing and running insecure ERP applications.
● The attack surface is expanding. Due to cloud, mobile and digital transformation projects, thousands of these applications are directly connected to the Internet and can increase an organization’s exposure to risk when security measures aren’t implemented correctly.
● Information is being leaked. Third parties and employees are exposing internal ERP applications unintentionally by using insecure file repositories over the Internet and sharing ERP login credentials in public forums.
The bottom line is that the risk/reward ratio is attractive. As a result, nation-state actors, cybercriminals and hacktivist groups are attacking these applications for the purposes of cyber espionage, sabotage, business disruption, data theft and even cryptocurrency mining.
The following four recommendations can help to improve the cyber security posture of your organization’s ERP applications, whether deployed on premise or in public, private and hybrid cloud environments:
1. Identify and mitigate ERP application-layer vulnerabilities, insecure configurations and excessive user privileges. This includes aligning with your vendor’s security patching cadence (monthly for SAP and quarterly for Oracle), strengthening weak/default passwords, and reviewing user privileges for administrators and developers as well as those used for batch jobs and interfaces with other applications.
2. Identify and remove dangerous interfaces and APIs between the different ERP applications in the organization, especially those with third parties and Internet-facing.
3. Monitor and respond to sensitive ERP user activity and ERP-specific indicators of compromise.
4. Monitor for leaked ERP data and user credentials.
Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with
a denial-of-service attack on networking kit.
The bug, which has the identifier CVE-2018-5390, has been dubbed ‘SegmentSmack’ by Red Hat.
“In a worst-case scenario, an attacker can stall an affected host or device with less than 2kpps [2,000 packets per second] of an attack
traffic,” explains the software company.
It has confirmed that Red Hat systems affected include those running RHEL 6 and 7, RHEL 7 for Real Time, RHEL 7 for ARM64 systems, RHEL 7
Linux kernel versions are affected.
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7 for Real Time
Red Hat Enterprise Linux 7 for ARM64
Red Hat Enterprise Linux 7 for Power
Red Hat Enterprise Linux Atomic Host
No effective workaround/mitigation besides a fixed kernel is known at this time. Red Hat is tracking fixes via Bugzilla ticket 1601704. Red
Hat Enterprise Linux kernel updates will be released as they become available.
US government employees, contractors and agencies might have to ditch most of their Huawei and ZTE tech. The President has signed the Defense Authorization Act into law, and part of it is a ban on devices and equipment used to route or view user data made by the two companies and some other Chinese manufacturers. Government contractors can still use components that don’t handle user data in any way. But since they still have to get rid of existing parts and devices that do, the law includes a directive for agencies to prioritize funding for businesses that have to replace their equipment.
The US government considers Huawei and ZTE as security threats and has been seeing them as such for a long time.
SAN FRANCISCO (AP) — Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.
An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so.
Computer-science researchers at Princeton confirmed these findings at the AP’s request.
For the most part, Google is upfront about asking permission to use your location information.
Storing your minute-by-minute travels carries privacy risks and has been used by police to determine the location of suspects
Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”
That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it .)
For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are.
Kun palvelut keskittyvät, verkkohyökkäykset saavat aikaan yhä laajempaa tuhoa – Sunnuntain isku kaatoi monta kansalaisille tärkeää palvelua tunneiksi https://www.hs.fi/kotimaa/art-2000005789547.html
Palvelunestohyökkäykset internetissä viettivät viime vuonna 20-vuotisjuhliaan: syyskuussa 1996 syn-tulvahyökkäys aiheutti New Yorkin kaupungin ensimmäiselle internetoperaattorille useiden päivien palvelukatkon.
Some of the most popular Android applications installed on your phone may be vulnerable to a new type of attack named “Man-in-the-Disk” that can grant a third-party app the ability to crash them and/or run malicious code.
Discovered by the Check Point team, the Man-in-the-Disk (MitD) attack scenario revolves around an app’s ability to use “External Storage,” one of the two types of data storage methods supported by the Android OS.
Internal Storage, also known as System Memory, is a section of an Android’s phone’s built-in storage space that stores the operating system itself, system apps, drivers, and selected data of user-installed apps.
Each installed app can allocate itself “internal storage” space that is protected by a sandboxed environment, meaning it can’t be accessed by any other app.
External Storage is a common storage space, usually made up with what’s left of the phone’s built-in hard drive and any additional SD cards or USB storage devices connected to the phone.
How the Man-in-the-Disk attack works
The Man-in-the-Disk attack works because of two reasons. First, any app can tamper with another app’s External Storage data. Second, because almost all apps ask for this permission, users are generally willing to give it and unaware of any security risks.
DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren’t great.
For instance, one 11-year-old apparently managed to hack and alter a simulated Secretary of State election results webpage in 10 minutes.
All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites.
(Various folks, including ex-NSA and Immunity Inc founder Dave Aitel, have argued the simulation was likely not particularly realistic.)
On the adult side, Premier/Diebold’s* TSX voting machines were found to be using SSL certificates that were five years old, and one person managed to, with physical access, upload a Linux operating system to the device and use it to play music, although that hack took a little more time than you’d get while voting.
Diebold’s Express Poll 5000 machines were even easier to crack, thanks to having an easily accessible memory card, which you could swap out while voting, containing supervisor passwords in plain text. An attacker could physically access and tamper with these cards, which also hold the unencoded personal records for all voters including the last four digits of their social security numbers, addresses, and driver’s license numbers.
Hackers thus found that by inserting specially programmed memory cards when no election official is looking, they could change voting tallies and voter registration information. And take a guess what the root password was? Yes, “Password” – again stored in plain text.
More bizarrely, voting machine manufacturer WinVote’s VoteActive device was found to contain pop music. The machine, which was running Windows XP, could be hacked wirelessly in seconds, and had a music player and CD ripper program built in.
DEF CON Rob Joyce, the former head of the NSA’s Tailored Access Operations hacking team, has spilled the beans on which nations are getting up to mischief online.
Joyce gave one of the first talks at the DEF CON hacking conference in Las Vegas and interest was intense – the lines to get in stretched around the hall. Joyce congratulated the crowd on their work in hacking systems to make them safer but warned tougher times were to come.
Nation state hacking is nothing new, but Joyce warned that the practice is increasingly being weaponized so as to cause maximum disruption. Everyone is going to have to be a lot more careful in the future to avoid chaos, he said.
Investigations into possible Russian hacking of the 2016 US election and the UK’s Brexit vote are still ongoing but that wasn’t the half of it, Joyce said. Russian hackers are constantly trying to penetrate key US networks, he claimed, adding that it is a constant struggle to keep them out as they are very persistent and motivated.
Hacking by China used to be more common, he said, but had a different focus. Middle Kingdom meddlers were more interested in harvesting American intellectual property to kickstart their own industries. This activity has dropped off recently, he said, but he predicted they may restart if Sino-US relationships worsen.
Iran, the third big player, has also slackened off its attacks on the US recently, said Joyce.
The final player is North Korea, which remains very backward but has a high degree of hacking skill
A committee of MPs has expressed concerns that foreign hackers might have had a hand in crashing the UK’s voter registration website last year shortly before the Brexit referendum.
The Public Administration Committee concluded that a foreign cyber attack remains a potential reason that the “register to vote” site crashed on 7 June last year, shortly after a televised debate and hours before a (subsequently extended) registration deadline.
The Australian government is still committed to ‘no backdoors’, publishing draft legislation that will force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.
Draft legislation intended to give cops and spooks access to encrypted communications should keep encryption strong. But the powers it proposes aren’t just about fighting paedophiles, terrorists, and organised criminals.
LAS VEGAS – In recent years there has been more attention paid to the security of medical devices; however, there has been little security research done on the unique protocols used by these devices. Many of the insulin pumps, heart monitors and other gadgets found in hospital rooms use aging protocol to communicate with nurses’ stations and doctors; and as such, can be easily subverted.
Case in point is the RWHAT protocol, one of the networking protocols used by medical devices to monitor a patient’s condition and vital signs. Doug McKee, senior security researcher at McAfee’s Advanced Threat Research team, has discovered a weakness that allows data on the patient’s condition to be modified by an attacker in real-time, to provide false information to medical personnel.
How to Train Your Employees for Latest Cyberattacks through Next Generation Awareness Training
Companies belonging to any industry have now shunned traditional manual processes and have moved towards automation. All this data processing and storage requires IT infrastructure. However, as the world is becoming more and more digitalized, criminals have also moved towards IT to carry out sophisticated attacks on businesses.
Why is Next Generation Computer Security Awareness Needed?
Last year, a research indicated that almost 90 percent of all cyber-attacks were made possible due to human errors.
Hackers gathered here for the annual Black Hat and DefCon conferences, among others, are sounding privacy alarms as hotel security personnel along the Las Vegas Strip demand access to their rooms.
More than two dozen hackers and security experts attending security events this week privately reported to The Parallax or publicly reported on Twitter that people identifying themselves as security personnel at the Mandalay Bay, Luxor, Caesars Palace, Flamingo, Aria, Cromwell, Tuscany, Linq, Planet Hollywood, or Mirage hotels had entered their rooms.
As Broome explained to The Parallax during a phone call Saturday afternoon, security personnel are authorized to check on guest rooms as frequently as once a day.
When I asked what they would be looking for, Cynthia replied, “WMDs—that sort of thing.”
Google security engineer Maddie Stone tweeted that a man wearing a light-blue shirt and a walkie-talkie entered her Caesars Palace room with a key, but without knocking
Stone tweeted that she left DefCon early because of the incident.
“These changes represent the new reality that all hotels have to face in their work to keep guests safe,” he said at the conference’s closing ceremony Sunday. Caesars is “working closely with DefCon management to figure out the best way forward for next year.”
John McAfee’s ‘unhackable’ cryptocurrency wallet – the one with a $250,000 bug bounty on it – has been cracked to run the iconic game DOOM, courtesy of a teenage security researcher.
Video of the old-school first-person shooter has surfaced on Twitter. Self-described adversarial thinker Saleem Rashid is credited with hijacking it – a hacking prodigy just 15-years old.
Keep in mind, Bitfi’s wallet is meant be the world’s first ‘unhackable’ device, supposedly doubling as a secure cryptocurrency storage solution. But as we already know, this is hardly the case.
free tool called DepShield that offers a basic level of protection for GitHub developers.
The product is actually two parts. For starters, Sonatype has a database of open source dependency vulnerabilities called OSS Index.
After a developer installs DepShield, it checks a code commit in GitHub against the known vulnerabilities in the OSS Index with recommendations on how to proceed.
As for the differences between the commercial and free products, Jackson say it’s a matter of scale.
OSS Index is a free service used by developers to identify open source dependencies and determine if there are any known, publicly disclosed, vulnerabilities.
OSS Index is based on vulnerability data derived from public sources and does not include human curated intelligence nor expert remediation guidance.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
428 Comments
Tomi Engdahl says:
TECHNOLOGY
Open source project looks to give legal safe harbor for ethical hackers
https://www.cyberscoop.com/disclose-io-bug-bounty-safe-harbor/
A new program aims to provide white hat hackers and companies running bug bounty and vulnerability disclosure programs with open source legal guidelines to avoid issues sometimes associated with security research.
Launched jointly on Thursday by Bugcrowd and Amit Elazari, a University of California Berkeley doctoral candidate, Disclose.io can be adopted by any organization running a bug bounty or disclosure program. The initiative offers boilerplate language that a company can use as terms between it and security researchers who want to disclose a bug.
Bugcrowd asserts that current laws, such as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA) have a chilling effect on security research. Research conducted in order to find software vulnerabilities is often perceived as malicious hacking
. “Standardization is the best way to negate any legal or reputational blowback, while still attracting the best hunters to your program.”
The terms of Disclose.io are available on GitHub.
https://github.com/disclose/disclose/blob/master/terms/core.md
Tomi Engdahl says:
The hackers just arrived, and they’re already breaking Vegas
https://mashable.com/2018/08/09/def-con-hackers-break-las-vegas/?europe=true#XQ2Mrso58SqG
Thursday was the official start of the 26th annual DEF CON hacker convention, this year spread out between Caesars Palace and The Flamingo.
the hacking villages where people practice remotely hijacking cars and breaking into voting machines are still getting set up
But DEF CON is so much more than the official talks and villages. Indeed, a huge draw of the annual cybersecurity pilgrimage is getting the chance to meet up with your brethren from around the world who just so happen to share a likeminded inclination to see what they can get away with.
The answer? A lot.
Tomi Engdahl says:
Massive Attack On Swedish News Sites Was The Work Of Russia, US Told Its Ambassadors
https://www.buzzfeednews.com/article/kevincollier/2016-sweden-ddos-expressen-hack-russia-cables
According to a newly released State Department cable, the attack was part of a Russian campaign to sow disinformation about NATO. It came as Russia allegedly was stealing Democrats’ emails.
The cable is the first confirmation that Russia was suspected in the March 2016 attacks in Sweden, which came as the Swedish government was debating whether to approve a cooperation treaty with NATO.
“Russia has focused significant resources on specific Partners, like Sweden and Finland,” the cable notes in a section marked SBU — sensitive but unclassified. “Russian actors are suspected of being behind recent efforts to infiltrate Sweden with distorted and false information about NATO in the Swedish press, at think tank events, and on social media.”
It adds, “Russia is also suspected of carrying out cyberattacks against Swedish media outlets in March 2016.”
Tomi Engdahl says:
Cyber Criminals selling Bitcoin ATM Malware on Dark Web
https://www.hackread.com/sellers-demanding-25000-for-bitcoin-atm-malware-at-the-dark-web/
Trend Micro researchers have discovered a malware listing on Dark Web marketplace that lets attackers steal from Bitcoin ATMs. They can easily rake in cryptocurrency worth 6,750 in Euros, Pounds or Dollars by attacking the ATMs.
Tomi Engdahl says:
Microsoft threatened to drop hosting for Gab over hate speech posts
https://www.theverge.com/2018/8/9/17671188/microsoft-gab-hate-speech-hosting-ban-deplatform
Founder says ‘Gab will go down for weeks/months’ if dropped
Tomi Engdahl says:
Facebook now deletes posts that financially endanger/trick people
https://techcrunch.com/2018/08/09/facebook-financial-danger/?utm_source=tcfbpage&sr_share=facebook
It’s not just inciting violence, threats and hate speech that will get Facebook to remove posts by you or your least favorite troll. Endangering someone financially, not just physically, or tricking them to earn a profit are now also strictly prohibited.
Tomi Engdahl says:
The healthcare industry is in a world of cybersecurity hurt
https://techcrunch.com/2018/08/09/the-healthcare-industry-is-in-a-world-of-cybersecurity-hurt/?sr_share=facebook&utm_source=tcfbpage
As a relentless swarm of successful cyber attacks severely disrupt companies in every industry and require enormous expenditures to repair the damage, what typically gets lost in the shuffle is that some industries are victimized more than others — sometimes far more. The corporate victim that almost always grabs this dubious spotlight is the healthcare industry — the second-largest industry in the U.S. and one in which hacker meddling of operations not only costs lots of time, money and operational downtime, but threatens lives.
The healthcare industry itself is partly responsible. In a seemingly admirable quest to maximize the quality of patient care, tunnel vision gives short shrift to other priorities, specifically cybersecurity.
In aggregate, healthcare organizations on average spend only half as much on cybersecurity as other industries.
Tomi Engdahl says:
Hacker Finds Hidden ‘God Mode’ on Old x86 CPUs
https://www.tomshardware.com/news/x86-hidden-god-mode,37582.html
Some x86 CPUs have hidden backdoors that let you seize root by sending a command to an undocumented RISC core that manages the main CPU, security researcher Christopher Domas told the Black Hat conference here Thursday (Aug. 9).
The command — “.byte 0x0f, 0x3f” in Linux — “isn’t supposed to exist, doesn’t have a name, and gives you root right away,” Domas said, adding that he calls it “God Mode.”
The backdoor completely breaks the protection-ring model of operating-system security, in which the OS kernel runs in ring 0, device drivers run in rings 1 and 2, and user applications and interfaces (“userland”) run in ring 3
“We have direct ring 3 to ring 0 hardware privilege escalation,” Domas said. “This has never been done.”
That’s because of the hidden RISC chip, which lives so far down on the bare metal that Domas half-joked that it ought to be thought of as a new, deeper ring of privilege
“These black boxes that we’re trusting are things that we have no way to look into,” he said. “These backdoors probably exist elsewhere.”
Domas discovered the backdoor, which exists on VIA C3 Nehemiah chips made in 2003, by combing through filed patents.
Tomi Engdahl says:
https://www.infosecurity-magazine.com/news/smart-cities-at-risk-from-panic/
Tomi Engdahl says:
If You Use Your Web Browser’s Incognito Mode We’ve Got Bad News
http://www.iflscience.com/technology/if-you-use-your-web-browsers-incognito-mode-weve-got-bad-news-/
We’ve got bad news for all those who use their web browser’s private browsing mode – such as Chrome’s Incognito Mode – in order to covertly Google their poop-related medical questions, search for other jobs while at work, or, as is most likely the case – look at porn.
Firstly, none of the private modes offered by the major browsers can protect your online history from being viewed by Internet service providers or government agencies, block third-party groups from tracking your activity or determining your geographical location, nor prevent viruses and malware from infecting your computer. Instead, the modes are designed to simply stop cookies and autofill details from being saved on the user’s local device.
Tomi Engdahl says:
Kids as young as 5 challenged to hack election results websites
https://abcnews.go.com/Politics/def-con-18-kids-young-challenged-hack-election/story?id=57122727
At DEF CON, one of the world’s largest hacking conferences, hackers clad in black hoodies made headlines last year when they exposed an array of structural vulnerabilities in voting technology, successfully hacking into every voting machine they attempted to breach.
Children as young as 5 will compete to hack election results websites, and DEF CON has partnered with children’s hacking organization r00tz Asylum to award prizes to the first and youngest kids to breach the sites and hack equipment.
Jake Braun, a former White House liaison for the U.S. Department of Homeland Security, told ABC News that the conference decided to invite young hackers because it would be a “waste of time” to demonstrate that cybersecurity experts can hack election results reporting sites.
“These websites are so easy to hack we couldn’t give them to adult hackers — they’d be laughed off the stage,”
Hacking the US mid-terms? It’s child’s play
https://www.bbc.com/news/technology-45154903
Bianca Lewis, 11, has many hobbies. She likes Barbie, video games, fencing, singing… and hacking the infrastructure behind the world’s most powerful democracy.
“I’m going to try and change the votes for Donald Trump,” she tells me.
“I’m going to try to give him less votes. Maybe even delete him off of the whole thing.”
Fortunately for the President, Bianca is attacking a replica website, not the real deal.
She’s taking part in a competition organised by R00tz Asylum, a non-profit organisation that promotes “hacking for good”.
Tomi Engdahl says:
Ship Tracker: A real-time map of ships that are broadcasting their location to the Internet.
https://shiptracker.shodan.io/
MarineTraffic App
https://www.marinetraffic.com/en/ais/home/centerx:-12.0/centery:25.0/zoom:4
Tomi Engdahl says:
https://yle.fi/uutiset/3-10348540?utm_source=facebook-share
Tomi Engdahl says:
DorkMe – Tool Designed With The Purpose Of Making Easier The Searching Of Vulnerabilities With Google Dorks
https://www.kitploit.com/2018/08/dorkme-tool-designed-with-purpose-of.html?m=1
Tomi Engdahl says:
Black Hat 2018: Google Bug Hunter Urges Apple to Change its iOS Security Culture
https://threatpost.com/google-bug-hunter-urges-apple-to-change-its-ios-security-culture/134842/
Project Zero researcher highlights stubborn iOS bugs as an example of why Apple and the rest of the industry needs to take a fresh approach to securing systems.
Beer said he doesn’t blame individual security researchers. Instead, he saved his criticism toward organizations with security leads that have an academic background versus an exploit background.
“Undeniably these people have really strong engineering security skillsets. But, they don’t have an exploitation background… Their focus is on the design of the system and not on exploitation,” he said. “Please, we need to stop just spot-fixing bugs and learn from them, and act on that.”
Beer said each bug needs to be a lesson where a security lead needs to ask: “Why is this bug here? How is it being used? How did we miss it earlier? What process problems need to be addressed so we could of found it earlier? Who had access to this code and reviewed it and why, for whatever reason, didn’t they report it?”
Tomi Engdahl says:
Denial of service attack against public services in Finland
https://yle.fi/uutiset/3-10349357
Tomi Engdahl says:
Russian Hackers Targeted Swedish News Sites In 2016, State Department Cable Says
https://www.buzzfeednews.com/article/kevincollier/2016-sweden-ddos-expressen-hack-russia-cables
According to a newly released State Department cable, the attack was part of a Russian campaign to sow disinformation about NATO. It came as Russia allegedly was stealing Democrats’ emails.
Tomi Engdahl says:
Amazon S3 Bucket Exposed GoDaddy Server Information
https://www.securityweek.com/amazon-s3-bucket-exposed-godaddy-server-information
A publicly accessible Amazon S3 bucket was found storing documents apparently detailing GoDaddy infrastructure running in the Amazon AWS cloud, UpGuard reveals.
GoDaddy is considered the world’s largest domain name registrar and, as of this year, is also the largest web hosting provider by market share. It is also one of the largest SSL certificate providers. The company has over 17 million customers and handles more than 76 million domain names.
The improperly secured Amazon S3 bucket, which was discovered in June, included documents revealing “high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios,” UpGuard says.
Named abbottgodaddy, the S3 bucket included iterations of an Excel spreadsheet, the last of which was 17MB in size and included multiple sheets and tens of thousands of rows.
Tomi Engdahl says:
Critical Vulnerability Patched in Oracle Database
https://www.securityweek.com/critical-vulnerability-patched-oracle-database
Oracle informed customers late on Friday that its Database product is affected by a critical vulnerability. Patches have been released and users have been advised to install them as soon as possible.
The security hole, tracked as CVE-2018-3110 with a CVSS score of 9.9, affects Oracle Database 11.2.0.4 and 12.2.0.1 on Windows. Version 12.1.0.2 on Windows and Database running on Unix or Linux are also impacted, but patches for these versions were included in Oracle’s July 2018 CPU.
The vulnerability, present in the Java VM component of Oracle Database Server, can be exploited to take complete control of the product and obtain shell access to the underlying server.
However, the vendor noted that the weakness cannot be exploited remotely without authentication
Tomi Engdahl says:
Researcher Finds Hundreds of Planes Exposed to Remote Attacks
https://www.securityweek.com/researcher-finds-hundreds-planes-exposed-remote-attacks
A researcher has discovered that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems.
Back in 2014, IOActive Principal Security Consultant Ruben Santamarta published a research paper describing theoretical attack scenarios on satellite communications. The expert resumed his research in November 2017, after taking a look at the in-flight entertainment system during a Norwegian flight.
After passively collecting traffic from the airplane’s Wi-Fi network, Santamarta noticed that several commonly used services, such as Telnet, HTTP and FTP, were available for certain IP addresses, and some interfaces associated with the plane’s on-board satellite communications (satcom) modems were accessible without authentication.
Further research into satcom systems revealed the existence of various types of vulnerabilities, including insecure protocols, backdoors, and improper configuration that could allow attackers to take control of affected devices. The expert disclosed his findings this week at the Black Hat security conference in Las Vegas.
Tomi Engdahl says:
Flaws in ATM Dispenser Controllers Allowed Hackers to Steal Cash
https://www.securityweek.com/flaws-atm-dispenser-controllers-allowed-hackers-steal-cash
Researchers have disclosed the details of two serious vulnerabilities affecting ATM currency dispensers made by NCR. The flaws have been patched, but they could have been exploited to install outdated firmware and get ATMs to dispense cash.
Positive Technologies experts Vladimir Kononovich and Alexey Stennikov have conducted a successful black box attack against the NCR S1 and S2 cash dispenser controllers.
Tomi Engdahl says:
Leaked GitHub API Token Exposed Homebrew Software Repositories
https://www.securityweek.com/leaked-github-api-token-exposed-homebrew-software-repositories
A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repositories (repos).
Around since 2009, Homebrew is a free and open-source software package management system that is integrated with command line and which allows for simple installation of software on macOS machines.
Macs in Enterprise Can Be Hacked on First Boot
https://www.securityweek.com/macs-enterprise-can-be-hacked-first-boot
Researchers have demonstrated that brand new Mac computers used in enterprise environments can be hacked by sophisticated threat actors on the first boot through Apple’s mobile device management (MDM) protocol.
MDM is designed to allow system administrators to send management commands to managed macOS and iOS devices, including to install or remove applications, monitor compliance with corporate policies, and securely erase or lock a device.
Tomi Engdahl says:
Four Ways to Mitigate Cyber Risks for ERP Applications
https://www.securityweek.com/four-ways-mitigate-cyber-risks-erp-applications
Security Teams Can Shift the Risk/Reward Ratio and Make ERP Applications Less Attractive Targets
A confluence of factors is putting hundreds of thousands of implementations of Enterprise Resource Planning (ERP) applications at risk of cyber attacks. These factors include the following:
● Cyber attackers can focus their efforts. The vast majority of large organizations have implemented ERP applications from one of two market leaders – SAP and Oracle. This means that attackers can concentrate on understanding and finding weaknesses within just one or both applications.
● The rewards are big. The largest organizations in the world support their most critical business processes and house their most sensitive information in these systems.
● They can leverage known vulnerabilities. ERP customers struggle to stay up to date with security vulnerabilities, secure configurations and security patches for a variety of reasons, including: complex system architecture, a high number of interfaces and integrations, customized functionality and little tolerance for system downtime. As a result, many organizations are implementing and running insecure ERP applications.
● The attack surface is expanding. Due to cloud, mobile and digital transformation projects, thousands of these applications are directly connected to the Internet and can increase an organization’s exposure to risk when security measures aren’t implemented correctly.
● Information is being leaked. Third parties and employees are exposing internal ERP applications unintentionally by using insecure file repositories over the Internet and sharing ERP login credentials in public forums.
The bottom line is that the risk/reward ratio is attractive. As a result, nation-state actors, cybercriminals and hacktivist groups are attacking these applications for the purposes of cyber espionage, sabotage, business disruption, data theft and even cryptocurrency mining.
The following four recommendations can help to improve the cyber security posture of your organization’s ERP applications, whether deployed on premise or in public, private and hybrid cloud environments:
1. Identify and mitigate ERP application-layer vulnerabilities, insecure configurations and excessive user privileges. This includes aligning with your vendor’s security patching cadence (monthly for SAP and quarterly for Oracle), strengthening weak/default passwords, and reviewing user privileges for administrators and developers as well as those used for batch jobs and interfaces with other applications.
2. Identify and remove dangerous interfaces and APIs between the different ERP applications in the organization, especially those with third parties and Internet-facing.
3. Monitor and respond to sensitive ERP user activity and ERP-specific indicators of compromise.
4. Monitor for leaked ERP data and user credentials.
Tomi Engdahl says:
Linux kernel bug: TCP flaw lets remote attackers stall devices with tiny DoS attack
https://www.zdnet.com/article/linux-kernel-bug-tcp-flaw-lets-remote-attackers-stall-devices-with-tiny-dos-attack/
‘SegmentSmack’ Linux bug gives a remote attacker the means to knock out a system with minimal traffic.
Because of this requirement, the attacks can’t be performed with spoofed IP addresses,
The bug, which has the identifier CVE-2018-5390, has been dubbed ‘SegmentSmack’ by Red Hat.
Tomi Engdahl says:
Netin pimeältä puolelta saa ostettua palvelunestohyökkäyksen pilkkahinnalla – Asiantuntija kertoo, kuinka helposti sivustoja voidaan kaataa
https://www.iltalehti.fi/digiuutiset/201808132201132978_dx.shtml
Tomi Engdahl says:
Linux kernel bug: TCP flaw lets remote attackers stall devices with tiny DoS attack
‘SegmentSmack’ Linux bug gives a remote attacker the means to knock out a system with minimal traffic.
https://www.zdnet.com/article/linux-kernel-bug-tcp-flaw-lets-remote-attackers-stall-devices-with-tiny-dos-attack/
Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with
a denial-of-service attack on networking kit.
The bug, which has the identifier CVE-2018-5390, has been dubbed ‘SegmentSmack’ by Red Hat.
“In a worst-case scenario, an attacker can stall an affected host or device with less than 2kpps [2,000 packets per second] of an attack
traffic,” explains the software company.
It has confirmed that Red Hat systems affected include those running RHEL 6 and 7, RHEL 7 for Real Time, RHEL 7 for ARM64 systems, RHEL 7
for IBM POWER systems, and RHEL Atomic Host.
https://access.redhat.com/articles/3553061#affected-products-2
SegmentSmack attack is possible due to the algorithms used in the Linux kernel network stack; all the Red Hat products with moderately new
Linux kernel versions are affected.
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7 for Real Time
Red Hat Enterprise Linux 7 for ARM64
Red Hat Enterprise Linux 7 for Power
Red Hat Enterprise Linux Atomic Host
No effective workaround/mitigation besides a fixed kernel is known at this time. Red Hat is tracking fixes via Bugzilla ticket 1601704. Red
Hat Enterprise Linux kernel updates will be released as they become available.
Tomi Engdahl says:
US bans government personnel from using Huawei and ZTE devices
It’s part of the Defense Authorization Act the President has just signed into law.
https://www.engadget.com/2018/08/14/us-defense-huawei-zte-ban/
US government employees, contractors and agencies might have to ditch most of their Huawei and ZTE tech. The President has signed the Defense Authorization Act into law, and part of it is a ban on devices and equipment used to route or view user data made by the two companies and some other Chinese manufacturers. Government contractors can still use components that don’t handle user data in any way. But since they still have to get rid of existing parts and devices that do, the law includes a directive for agencies to prioritize funding for businesses that have to replace their equipment.
The US government considers Huawei and ZTE as security threats and has been seeing them as such for a long time.
Tomi Engdahl says:
AP Exclusive: Google tracks your movements, like it or not
https://apnews.com/828aefab64d4411bac257a07c1af0ecb
SAN FRANCISCO (AP) — Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to.
An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you’ve used a privacy setting that says it will prevent Google from doing so.
Computer-science researchers at Princeton confirmed these findings at the AP’s request.
For the most part, Google is upfront about asking permission to use your location information.
Storing your minute-by-minute travels carries privacy risks and has been used by police to determine the location of suspects
Google says that will prevent the company from remembering where you’ve been. Google’s support page on the subject states: “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”
That isn’t true. Even with Location History paused, some Google apps automatically store time-stamped location data without asking. (It’s possible, although laborious, to delete it .)
For example, Google stores a snapshot of where you are when you merely open its Maps app. Automatic daily weather updates on Android phones pinpoint roughly where you are.
How to find and delete where Google knows you’ve been
https://www.apnews.com/b031ee35d4534f548e43b7575f4ab494/How-to-find-and-delete-where-Google-knows-you%27ve-been
Tomi Engdahl says:
Kun palvelut keskittyvät, verkkohyökkäykset saavat aikaan yhä laajempaa tuhoa – Sunnuntain isku kaatoi monta kansalaisille tärkeää palvelua tunneiksi
https://www.hs.fi/kotimaa/art-2000005789547.html
Tomi Engdahl says:
KRP:tä on pyydetty tutkimaan eilistä laajaa verkkohyökkäystä
https://www.is.fi/digitoday/art-2000005790005.html
Tomi Engdahl says:
“Harva raportoi palvelunestohyökkäyksestä” – sunnuntainen laaja isku ei voinut jäädä huomaamatta
https://www.tivi.fi/Kaikki_uutiset/harva-raportoi-palvelunestohyokkayksesta-sunnuntainen-laaja-isku-ei-voinut-jaada-huomaamatta-6736013
Voiko palvelunestohyökkäyksiltä oikeasti suojautua?
https://www.tivi.fi/Kaikki_uutiset/voiko-palvelunestohyokkayksilta-oikeasti-suojautua-6630287
Palvelunestohyökkäykset internetissä viettivät viime vuonna 20-vuotisjuhliaan: syyskuussa 1996 syn-tulvahyökkäys aiheutti New Yorkin kaupungin ensimmäiselle internetoperaattorille useiden päivien palvelukatkon.
Tomi Engdahl says:
Popular Android Apps Vulnerable to Man-in-the-Disk Attacks
https://www.bleepingcomputer.com/news/security/popular-android-apps-vulnerable-to-man-in-the-disk-attacks/
Some of the most popular Android applications installed on your phone may be vulnerable to a new type of attack named “Man-in-the-Disk” that can grant a third-party app the ability to crash them and/or run malicious code.
Discovered by the Check Point team, the Man-in-the-Disk (MitD) attack scenario revolves around an app’s ability to use “External Storage,” one of the two types of data storage methods supported by the Android OS.
Internal Storage, also known as System Memory, is a section of an Android’s phone’s built-in storage space that stores the operating system itself, system apps, drivers, and selected data of user-installed apps.
Each installed app can allocate itself “internal storage” space that is protected by a sandboxed environment, meaning it can’t be accessed by any other app.
External Storage is a common storage space, usually made up with what’s left of the phone’s built-in hard drive and any additional SD cards or USB storage devices connected to the phone.
How the Man-in-the-Disk attack works
The Man-in-the-Disk attack works because of two reasons. First, any app can tamper with another app’s External Storage data. Second, because almost all apps ask for this permission, users are generally willing to give it and unaware of any security risks.
Tomi Engdahl says:
US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old
Pen and paper is still king in America election security
https://www.theregister.co.uk/2018/08/13/defcon_election_vote_hacking/
DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren’t great.
For instance, one 11-year-old apparently managed to hack and alter a simulated Secretary of State election results webpage in 10 minutes.
All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites.
(Various folks, including ex-NSA and Immunity Inc founder Dave Aitel, have argued the simulation was likely not particularly realistic.)
On the adult side, Premier/Diebold’s* TSX voting machines were found to be using SSL certificates that were five years old, and one person managed to, with physical access, upload a Linux operating system to the device and use it to play music, although that hack took a little more time than you’d get while voting.
Diebold’s Express Poll 5000 machines were even easier to crack, thanks to having an easily accessible memory card, which you could swap out while voting, containing supervisor passwords in plain text. An attacker could physically access and tamper with these cards, which also hold the unencoded personal records for all voters including the last four digits of their social security numbers, addresses, and driver’s license numbers.
Hackers thus found that by inserting specially programmed memory cards when no election official is looking, they could change voting tallies and voter registration information. And take a guess what the root password was? Yes, “Password” – again stored in plain text.
Tomi Engdahl says:
More bizarrely, voting machine manufacturer WinVote’s VoteActive device was found to contain pop music. The machine, which was running Windows XP, could be hacked wirelessly in seconds, and had a music player and CD ripper program built in.
Source: https://www.theregister.co.uk/2018/08/13/defcon_election_vote_hacking/
Tomi Engdahl says:
Former NSA top hacker names the filthy four of nation-state hacking
Carefully omits to mention the Land of the Free
https://www.theregister.co.uk/2018/08/13/former_nsa_top_hacker_names_the_filthy_four_of_nationstate_hacking/
DEF CON Rob Joyce, the former head of the NSA’s Tailored Access Operations hacking team, has spilled the beans on which nations are getting up to mischief online.
Joyce gave one of the first talks at the DEF CON hacking conference in Las Vegas and interest was intense – the lines to get in stretched around the hall. Joyce congratulated the crowd on their work in hacking systems to make them safer but warned tougher times were to come.
Nation state hacking is nothing new, but Joyce warned that the practice is increasingly being weaponized so as to cause maximum disruption. Everyone is going to have to be a lot more careful in the future to avoid chaos, he said.
Investigations into possible Russian hacking of the 2016 US election and the UK’s Brexit vote are still ongoing but that wasn’t the half of it, Joyce said. Russian hackers are constantly trying to penetrate key US networks, he claimed, adding that it is a constant struggle to keep them out as they are very persistent and motivated.
Hacking by China used to be more common, he said, but had a different focus. Middle Kingdom meddlers were more interested in harvesting American intellectual property to kickstart their own industries. This activity has dropped off recently, he said, but he predicted they may restart if Sino-US relationships worsen.
Iran, the third big player, has also slackened off its attacks on the US recently, said Joyce.
The final player is North Korea, which remains very backward but has a high degree of hacking skill
Tomi Engdahl says:
MPs worried Brexit vote website wobble caused by foreign hackers
But Cabinet Office has ruled out interference from hostile powers
https://www.theregister.co.uk/2017/04/12/brexit_vote_website_wobble/
A committee of MPs has expressed concerns that foreign hackers might have had a hand in crashing the UK’s voter registration website last year shortly before the Brexit referendum.
The Public Administration Committee concluded that a foreign cyber attack remains a potential reason that the “register to vote” site crashed on 7 June last year, shortly after a televised debate and hours before a (subsequently extended) registration deadline.
Tomi Engdahl says:
Canberra gives ‘decryption’ another crack with draft legislation
https://www.zdnet.com/article/canberra-gives-decryption-another-crack-with-draft-legislation/
The Australian government is still committed to ‘no backdoors’, publishing draft legislation that will force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.
Tomi Engdahl says:
No backdoors for Australian encryption, just a riddling of ratholes
https://www.zdnet.com/article/no-backdoors-for-australian-encryption-just-a-riddling-of-ratholes/
Draft legislation intended to give cops and spooks access to encrypted communications should keep encryption strong. But the powers it proposes aren’t just about fighting paedophiles, terrorists, and organised criminals.
Tomi Engdahl says:
US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old
Pen and paper is still king in America election security
https://www.theregister.co.uk/2018/08/13/defcon_election_vote_hacking/
Tomi Engdahl says:
GOOGLE TRACKS YOU EVEN IF LOCATION HISTORY’S OFF. HERE’S HOW TO STOP IT
https://www.wired.com/story/google-location-tracking-turn-off/?mbid=social_fb
Tomi Engdahl says:
Butlin’s says guest records may have been hacked
https://www.bbc.co.uk/news/technology-45141880
Holiday camp firm Butlin’s says up to 34,000 guests at its resorts may have had their personal information stolen by hackers.
The company says the data in question included names, home addresses, contact details and holiday arrival dates.
Tomi Engdahl says:
DEF CON 2018: Hacking Medical Protocols to Change Vital Signs
https://threatpost.com/def-con-2018-hacking-medical-protocols-to-change-vital-signs/134967/
LAS VEGAS – In recent years there has been more attention paid to the security of medical devices; however, there has been little security research done on the unique protocols used by these devices. Many of the insulin pumps, heart monitors and other gadgets found in hospital rooms use aging protocol to communicate with nurses’ stations and doctors; and as such, can be easily subverted.
Case in point is the RWHAT protocol, one of the networking protocols used by medical devices to monitor a patient’s condition and vital signs. Doug McKee, senior security researcher at McAfee’s Advanced Threat Research team, has discovered a weakness that allows data on the patient’s condition to be modified by an attacker in real-time, to provide false information to medical personnel.
Tomi Engdahl says:
How to Train Your Employees for Latest Cyberattacks through Next Generation Awareness Training | By Yossi Barkalifa
https://eforensicsmag.com/how-to-train-your-employees-for-latest-cyberattacks-through-next-generation-awareness-training-by-yossi-barkalifa/
How to Train Your Employees for Latest Cyberattacks through Next Generation Awareness Training
Companies belonging to any industry have now shunned traditional manual processes and have moved towards automation. All this data processing and storage requires IT infrastructure. However, as the world is becoming more and more digitalized, criminals have also moved towards IT to carry out sophisticated attacks on businesses.
Why is Next Generation Computer Security Awareness Needed?
Last year, a research indicated that almost 90 percent of all cyber-attacks were made possible due to human errors.
Tomi Engdahl says:
“Tell me and I’ll forget; show me and I may remember; involve me and I’ll understand.” – A Chinese Proverb
Tomi Engdahl says:
Hack causes pacemakers to deliver life-threatening shocks
https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/
Researchers criticize device-maker Medtronic for slow response.
Tomi Engdahl says:
In post-massacre Vegas, security policies clash with privacy values
https://www.the-parallax.com/2018/08/12/vegas-hotel-room-security-privacy-defcon/
Hackers gathered here for the annual Black Hat and DefCon conferences, among others, are sounding privacy alarms as hotel security personnel along the Las Vegas Strip demand access to their rooms.
More than two dozen hackers and security experts attending security events this week privately reported to The Parallax or publicly reported on Twitter that people identifying themselves as security personnel at the Mandalay Bay, Luxor, Caesars Palace, Flamingo, Aria, Cromwell, Tuscany, Linq, Planet Hollywood, or Mirage hotels had entered their rooms.
As Broome explained to The Parallax during a phone call Saturday afternoon, security personnel are authorized to check on guest rooms as frequently as once a day.
When I asked what they would be looking for, Cynthia replied, “WMDs—that sort of thing.”
Google security engineer Maddie Stone tweeted that a man wearing a light-blue shirt and a walkie-talkie entered her Caesars Palace room with a key, but without knocking
Stone tweeted that she left DefCon early because of the incident.
“These changes represent the new reality that all hotels have to face in their work to keep guests safe,” he said at the conference’s closing ceremony Sunday. Caesars is “working closely with DefCon management to figure out the best way forward for next year.”
Tomi Engdahl says:
Watch this 15-year-old hacker play DOOM on John McAfee’s ‘unhackable’ crypto-wallet
https://thenextweb.com/hardfork/2018/08/09/hacker-doom-bitfi-cryptocurrency-wallet/
John McAfee’s ‘unhackable’ cryptocurrency wallet – the one with a $250,000 bug bounty on it – has been cracked to run the iconic game DOOM, courtesy of a teenage security researcher.
Video of the old-school first-person shooter has surfaced on Twitter. Self-described adversarial thinker Saleem Rashid is credited with hijacking it – a hacking prodigy just 15-years old.
Keep in mind, Bitfi’s wallet is meant be the world’s first ‘unhackable’ device, supposedly doubling as a secure cryptocurrency storage solution. But as we already know, this is hardly the case.
Tomi Engdahl says:
Google Chrome Now Marks HTTP Sites “Not Secure”
https://www.eff.org/deeplinks/2018/07/google-chrome-now-marks-http-sites-not-secure
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8271-android-sovelluksista-loytynyt-windows-viruksia
Tomi Engdahl says:
Sonatype offers developers free security scan tool on GitHub
https://techcrunch.com/2018/08/14/sonatype-now-offers-free-open-source-vulnerability-scans-to-github-users/?sr_share=facebook&utm_source=tcfbpage
free tool called DepShield that offers a basic level of protection for GitHub developers.
The product is actually two parts. For starters, Sonatype has a database of open source dependency vulnerabilities called OSS Index.
After a developer installs DepShield, it checks a code commit in GitHub against the known vulnerabilities in the OSS Index with recommendations on how to proceed.
As for the differences between the commercial and free products, Jackson say it’s a matter of scale.
https://ossindex.sonatype.org
OSS Index is a free service used by developers to identify open source dependencies and determine if there are any known, publicly disclosed, vulnerabilities.
OSS Index is based on vulnerability data derived from public sources and does not include human curated intelligence nor expert remediation guidance.