Cyber Security August 2018

This posting is here to collect security alert news in August 2018.

I post links to security vulnerability news to comments of this article.


428 Comments

  1. Tomi Engdahl says:

    Botnet of Smart Heaters, ACs Can Cause Power Disruptions: Researchers
    https://www.securityweek.com/botnet-smart-heaters-acs-can-cause-power-disruptions-researchers

    A research paper published this week at the 27th USENIX Security Symposium describes a new type of attack that could cause energy grid disruptions. The method involves a botnet powered by tens of thousands of compromised high-wattage IoT devices such as heaters and air conditioners.

    Wi-Fi enabled air conditioners, ovens, water heaters and space heaters that can be controlled remotely over the Internet are increasingly popular. The power usage of these devices ranges between 1,000 and 5,000 watts.

    Researchers from the Department of Electrical Engineering at Princeton University claim that these types of high-wattage IoT devices can be exploited in what they call “Manipulation of demand via IoT” (MadIoT) attacks to cause local power outages and even large-scale blackouts.

    In a MadIoT attack, a threat actor takes control of smart high-wattage devices in order to manipulate (i.e. increase or decrease) power consumption.

    The experts tested their theory using state-of-the-art simulators of real-world power grid models.

    One attack scenario involves frequency instability.

    Using a simulator based on the power grid model of the Western Electricity Coordinating Council (WECC), which is responsible for compliance monitoring and enforcement in the Western part of the United States and Canada, researchers calculated that a 30 percent increase in power demand would lead to all generators tripping.

    In order to launch such an attack, experts determined that an attacker would need a botnet of 90,000 air conditioners and 18,000 electric water heaters within the targeted geographical area.

    A botnet of roughly 100,000 IoT systems may not seem like an impossible task considering that the Mirai botnet, at its peak, infected over 600,000 devices. However, those devices were distributed across more than 160 countries and they included low-wattage devices such as cameras. In the case of a MadIoT botnet, the bots would need to be concentrated in the region of the targeted power grid and they would need to be high-wattage devices for the attack to have an impact.

    If the attack leads to a blackout, the grid operator will need to perform what is known as a black start in order to get the power back on. During this process, power is restored in one area at a time to avoid frequency instability. The attacker can use the botnet to suddenly increase demand once power is restored in one area, which can cause the grid to shut down once again.

    Reply
  2. Tomi Engdahl says:

    Documents Reveal Successful Cyberattack in California Congressional Race
    https://www.rollingstone.com/politics/politics-news/california-election-hacking-711202/

    The FBI investigated hacking attempts targeting a Democrat who ran against “Putin’s favorite congressman”

    FBI agents in California and Washington, D.C., have investigated a series of cyberattacks over the past year that targeted a Democratic opponent of Rep. Dana Rohrabacher (R-CA). Rohrabacher is a 15-term incumbent who is widely seen as the most pro-Russia and pro-Putin member of Congress and is a staunch supporter of President Trump.

    The hacking attempts and the FBI’s involvement are described in dozens of emails and forensic records obtained by Rolling Stone.

    Cybersecurity experts say that it’s nearly impossible to identify who was behind the hacks without the help of law enforcement or high-priced private cybersecurity firms that collect their own threat data. These experts speculate that the hackers could have been one of many actors: a nation-state (such as Russia), organized crime, so-called e-crime or a hacktivist with a specific agenda. The FBI declined to comment.

    The timing of the attacks is significant.

    The executive declined to name those candidates, but the Daily Beast reported that the Russian intelligence agency responsible for the cyberattacks in 2016 had attempted to hack the office of Sen. Claire McCaskill (D-MO), who is running for reelection this year. (A Microsoft spokesperson declined to say if Keirstead was one of three people targeted by hackers, citing “customer privacy.”)

    In December, the cyberattacks on Keirstead took a different form: a sophisticated and sustained effort to hack into the campaign’s website and hosting service.

    In January, according to the campaign’s digital consultant, there were also several attempts to access the campaign’s Twitter account by unknown users. And later that same month, Keirstead’s company was briefly hacked again, according to campaign emails and interviews.

    He says the accounts he’s heard from fellow political operatives about cyberattacks and other suspicious online activity grow more common by the day. “The targets aren’t just high-profile statewide candidates or elected officials,” he says. “Individual congressional campaigns are being targeted on a regular basis.”

    Reply
  3. Tomi Engdahl says:

    Teen pleads guilty to hacking Apple’s computer system
    https://www.cultofmac.com/570743/teen-pleads-guilty-to-hacking-apples-computer-system/

    An Australian teenager who repeatedly broke into Apple’s computer system is facing criminal charges after Apple contacted the FBI.

    The teenager, who hasn’t been named for legal reasons, reportedly downloaded 90GB of secure files and accessed customer accounts. The information was uncovered in a raid on his family home in Melbourne, found in a computer folder called “Hacky hack hack.”

    The court was told that the hacker managed to use security keys which “worked flawlessly” to access Apple’s information. Unsurprisingly, details about exactly what that information entailed have not been shared publicly. The Crown prosecutor said that Apple is, “very sensitive about publicity.”

    Melbourne teen hacked into Apple’s secure computer network, court told
    https://www.theage.com.au/national/victoria/melbourne-teen-hacked-into-apple-s-secure-computer-network-court-told-20180816-p4zxwu.html

    Reply
  4. Tomi Engdahl says:

    Melbourne teen hacked into Apple’s secure computer network, court told
    https://thehackernews.com/2018/08/google-chrome-vulnerability.html

    With the release of Chrome 68, Google prominently marks all non-HTTPS websites as ‘Not Secure’ on its browser to make the web a more secure place for Internet users.

    If you haven’t yet, there is another significant reason to immediately switch to the latest version of the Chrome web browser.

    Ron Masas, a security researcher from Imperva, has discovered a vulnerability in web browsers that could allow attackers to find everything other web platforms, like Facebook and Google, know about you—and all they need is to trick you into visiting a website.

    The vulnerability, identified as CVE-2018-6177, takes advantage of a weakness in audio/video HTML tags and affects all web browsers powered by “Blink Engine,” including Google Chrome.

    To demonstrate the vulnerability, the researcher created multiple Facebook posts with different combinations of the restricted audiences to categorize victims according to their age, location, interest or gender.

    Now, if a website embeds all these Facebook posts on a web page, it will load and display only a few specific posts at the visitors’ end based on individuals’ profile data on Facebook that matches restricted audience settings.

    Thanks to Cross-Origin Resource Sharing (CORS)—a browser security mechanism that prevents a website from reading the content of other sites without their explicit permission.

    However, the Imperva researcher found that since audio and video HTML tags don’t validate the content type of fetched resources or reject responses with invalid MIME types, an attacker can use multiple hidden video or audio tags on a website to request Facebook posts.

    Reply
  5. Tomi Engdahl says:

    Adobe fixes critical code execution flaws in latest patch update
    https://www.zdnet.com/article/adobe-fixes-critical-code-execution-flaws-in-latest-patch-update/

    Two vulnerabilities in Acrobat and Reader are considered critical.

    Reply
  6. Tomi Engdahl says:

    Rootstealer – X11 Trick To Inject Commands On Root Terminal
    https://www.kitploit.com/2018/08/rootstealer-x11-trick-to-inject.html?m=1

    This is a simple example of a new attack using X11. The program detects when a Linux user opens a terminal as root and injects intrusive commands into that terminal using the X11 library.

    Mitigation
    Don’t trust anyone. https://www.esecurityplanet.com/views/article.php/3908881/9-Best-Defenses-Against-Social-Engineering-Attacks.htm
    Whenever you log in as the root user, change the window title.

    Reply
  7. Tomi Engdahl says:

    Polymorph – A Real-Time Network Packet Manipulation Framework With Support For Almost All Existing Protocols
    https://www.kitploit.com/2018/08/polymorph-real-time-network-packet.html?m=1

    Reply
  8. Tomi Engdahl says:

    How US Military Hackers Prepared to Hack the Islamic State
    https://motherboard.vice.com/en_us/article/ne5d5g/how-us-military-cybercom-hackers-hacked-islamic-state-documents

    Documents obtained by Motherboard give insight into how hackers at CYBERCOM prepare before launching offensive cyber operations, including figuring out how likely an attack will be attributed back to them.

    Reply
  9. Tomi Engdahl says:

    Adam Segal / Foreign Affairs:
    How President Xi Jinping plans to turn China into a “cyber-superpower” that will dominate the web through domestic regulations, innovation, and foreign policy — For almost five decades, the United States has guided the growth of the Internet. From its origins as a small Pentagon program …

    When China Rules the Web
    Technology in Service of the State
    https://www.foreignaffairs.com/articles/china/2018-08-13/when-china-rules-web

    For almost five decades, the United States has guided the growth of the Internet. From its origins as a small Pentagon program to its status as a global platform that connects more than half of the world’s population and tens of billions of devices, the Internet has long been an American project. Yet today, the United States has ceded leadership in cyberspace to China. Chinese President Xi Jinping has outlined his plans to turn China into a “cyber-superpower.” Already, more people in China have access to the Internet than in any other country, but Xi has grander plans. Through domestic regulations, technological innovation, and foreign policy, China aims to build an “impregnable” cyberdefense system, give itself a greater voice in Internet governance, foster more world-class companies, and lead the globe in advanced technologies.

    China’s continued rise as a cyber-superpower is not guaranteed. Top-down, state-led efforts at innovation in artificial intelligence, quantum computing, robotics, and other ambitious technologies may well fail. Chinese technology companies will face economic and political pressures as they globalize. Chinese citizens, although they appear to have little expectation of privacy from their government, may demand more from private firms. The United States may reenergize its own digital diplomacy, and the U.S. economy may rediscover the dynamism that allowed it to create so much of the modern world’s technology.

    XI’S VISION

    Almost from the moment he took power in 2012, Xi made it clear just how big a role the Internet played in his vision for China.

    First, Chinese leaders want to ensure a harmonious Internet.

    Second, China wants to reduce its dependence on foreign suppliers of digital and communications equipment. It hopes to eventually lead the world in advanced technologies such as artificial intelligence, quantum computing, and robotics.

    Third, Chinese policymakers, like their counterparts around the world, are increasingly wary of the risk of cyberattacks on governmental and private networks that could disrupt critical services, hurt economic growth, and even cause physical destruction.

    Finally, China has promoted “cyber-sovereignty” as an organizing principle of Internet governance, in direct opposition to U.S. support for a global, open Internet. In Xi’s words, cyber-sovereignty represents “the right of individual countries to independently choose their own path of cyber development, model of cyber regulation and Internet public policies, and participate in international cyberspace governance on an equal footing.” China envisions a world of national Internets, with government control justified by the sovereign rights of states. It also wants to weaken the bottom-up, private-sector-led model of Internet governance championed by the United States and its allies.

    THE END OF THE OPEN INTERNET

    The Xi era will be remembered for putting an end to the West’s naive optimism about the liberalizing potential of the Internet. Over the last five years, Beijing has significantly tightened controls on websites and social media.

    MADE IN CHINA

    Chinese policymakers believe that to be truly secure, China must achieve technological self-sufficiency. Small wonder, then, that support for science and technology is front and center in the country’s most recent five-year plan, which began in 2016. China’s investment in research and development has grown by an average of 20 percent a year since 1999. It now stands at approximately $233 billion, or 20 percent of total world R & D spending.

    Reply
  10. Tomi Engdahl says:

    ‘Hacky Hack Hack’: Australia Teen Breaches Apple’s Secure Network
    https://www.securityweek.com/hacky-hack-hack-australia-teen-breaches-apples-secure-network

    A schoolboy who “dreamed” of working for Apple hacked the firm’s computer systems, Australian media has reported, although the tech giant said Friday no customer data was compromised.

    The Children’s Court of Victoria was told the teenager broke into Apple’s mainframe — a large, powerful data processing system — from his home in the suburbs of Melbourne and downloaded 90GB of secure files, The Age reported late Thursday.

    The boy, then aged 16, accessed the system multiple times over a year as he was a fan of Apple and had “dreamed of” working for the US firm, the newspaper said, citing his lawyer.

    Apple said in a statement Friday that its teams “discovered the unauthorised access, contained it, and reported the incident to law enforcement”.

    The firm, which earlier this month became the first private-sector company to surpass US$1 trillion in market value, said it wanted “to assure our customers that at no point during this incident was their personal data compromised”.

    An international investigation was launched after the discovery involving the FBI and the Australian Federal Police, The Age reported.

    The Age said police raided the boy’s home last year and found hacking files and instructions saved in a folder called “hacky hack hack”.

    Reply
  11. Tomi Engdahl says:

    China Believes Its Cyber Capabilities Lag Behind US: Pentagon
    https://www.securityweek.com/china-believes-its-cyber-capabilities-lag-behind-us-pentagon

    China believes its cyberwarfare capabilities lag behind the United States, but it’s working on closing the gap, according to the U.S. Department of Defense (DOD).

    In its annual report to Congress, the Pentagon describes the cyber capabilities and cyber operations of the People’s Liberation Army (PLA), and warns that China continues to launch cyberattacks against organizations around the world, including in the United States.

    The PLA sees cyberspace as one of the four critical security domains and it has taken steps to make improvements in this area, the report says.

    “China believes its cyber capabilities and personnel lag behind the United States and is working to improve training and bolster domestic innovation to overcome these perceived deficiencies and advance cyberspace operations,” the Pentagon noted.

    One of the steps taken by the PLA in an effort to improve its cyber capabilities is the creation of the Strategic Support Force (SSF). Believed to have been established in 2015, the SSF’s role is to centralize the military’s space, cyber and electronic warfare missions.

    Reply
  12. Tomi Engdahl says:

    How to Protect Yourself Against a SIM Swap Attack
    https://www.wired.com/story/sim-swap-attack-defend-phone/

    A spate of hacked Instagram accounts. A $220 million lawsuit against AT&T. A bustling underground crime ring. They all have roots in an old problem that has lately found new urgency: SIM card swaps, a scam in which hackers steal your mobile identity—and use it to upend your life.

    At its most basic level, a SIM swap is when someone convinces your carrier to switch your phone number over to a SIM card they own. They’re not doing it for prank call cover, or to rack up long-distance charges. By diverting your incoming messages, scammers can easily complete the text-based two-factor authentication checks that protect your most sensitive accounts. Or, if you don’t have two-factor set up in the first place, they can use your phone number to trick services into coughing up your passwords.

    SIM attacks appear to be behind a recent string of Instagram takeovers, as well as the very unfortunate, not great time a hacker posted Justin Bieber nudes from Selena Gomez’s account last year. But they can impact other corners of your life as well. A cryptocurrency investor this week claimed that a SIM swap resulted in the theft of $23.8 million-worth of tokens; he’s suing his carrier, AT&T, for 10 times that amount.

    ‘I Lived a Nightmare:’ SIM Hijacking Victims Share Their Stories
    Nine victims of SIM hijacking—an increasingly popular scam—share their stories.
    https://motherboard.vice.com/en_us/article/j5bpg7/sim-hijacking-t-mobile-stories

    Reply
  13. Tomi Engdahl says:

    Flaws in Smart Irrigation Systems Expose Water Utilities to Botnet-Grade Attacks
    https://www.bleepingcomputer.com/news/security/flaws-in-smart-irrigation-systems-expose-water-utilities-to-botnet-grade-attacks/

    Smart water irrigation systems deployed across a city, region, or even a country, can be hijacked by nefarious threat actors who could cause a mass water crisis by forcing these systems to consume more water than usual.

    This is the conclusion and warning of recent research presented by a team of Israeli academics at a security conference in the US.

    The research team argues that threat actors could identify vulnerabilities in popular smart water irrigation systems left connected to the Internet and use them to assemble botnets that exploit these flaws.

    Researchers argue that threat actors could synchronize these irrigation systems to start at the same time and trigger a mass consumption of local water resources.

    Such attacks, they say, could lead to the emptying of local emergency water reservoirs, and even to water utility companies shutting down water supply in extreme cases.

    IoT DDoS botnets can help attackers

    Furthermore, Nassi told us that an attacker doesn’t necessarily have to infect devices in the first place, as he could simply rent one of the many DDoS-for-hire botnets and use the bots that are part of that botnet to scan for smart irrigation systems on local networks. Malicious ads (malvertising) on popular sites could also help attackers relay malicious code to internal LANs.

    Nassi and his colleagues have even calculated how large the botnet needs to be for certain attacks.

    “A standard water tower can be emptied in an hour using a botnet of 1,355 sprinklers,” Nassi et al. wrote in their whitepaper. “A flood water reservoir can be emptied overnight using a botnet of 23,866 sprinklers.”

    Reply
  14. Tomi Engdahl says:

    Web cache poisoning just got real: How to fling evil code at victims
    Cache me outside, how ’bout dah?
    https://www.theregister.co.uk/2018/08/17/web_cache_poisoning/

    BSides Manchester Websites can be hijacked to turn their caches into exploit delivery systems.

    James Kettle of Portswigger, the biz behind Burp Suite, has developed techniques to go beyond previous cache poisoning.

    Caching speeds up webpage loads by reducing latency while also reducing the load on application server. Some organizations host their own cache using software like Varnish, and others opt to rely on a Content Delivery Network such as Cloudflare, with caches scattered across geographical locations. Also, some popular web applications and frameworks like Drupal – a popular content management system – have a built-in cache.

    Web cache poisoning is geared towards sending a request that causes a harmful response that then gets saved in the cache and served to other users.

    Kettle’s research focused on looking at how it might be possible to poison caches using unkeyed inputs such as HTTP headers.

    Cache poisoning isn’t an end in itself but rather a way to open the door towards the exploitation of secondary vulnerabilities such as XSS (cross-site scripting) in the unkeyed input. Done correctly, this creates a mechanism to cause a response that will execute arbitrary JavaScript against whomever attempts to view a particular resource on a targeted website through its cache.

    Mr Robot

    The researcher said he was able to compromise Mozilla’s infrastructure and partially hijack a notorious Firefox feature, related to a badly thought-through add-on designed to promote hacking-themed show Mr Robot. The approach theoretically would have allowed Kettle to co-opt millions of Firefox browsers as a low-fat botnet.

    Reply
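The mechanism Kettle's talk describes, as an added example that is not part of the original post or of Portswigger's tooling: a simulated cache in front of a small application. The cache keys entries by path only, while the application builds a script URL from the `X-Forwarded-Host` header, so that header is an unkeyed input. One request with an unusual header value then decides what every later visitor of that path receives. The origin functions, the cache class and the header value are all constructed for the demonstration; `probe_unkeyed_reflection` is the kind of check a site owner can run against their own origin, and the two fixes shown are the ones the article implies (include the input in the cache key, or stop the application from trusting it).

```python
"""Simulated web cache with an unkeyed header reaching the response body.

Added example, constructed for illustration; not code from the original
post, from Kettle/Portswigger, or from any real cache or CDN."""

from typing import Callable, Dict, Iterable, Tuple

Request = Dict[str, str]   # "path" plus any header names, all constructed
Response = str


class Cache:
    """Keys entries by path plus an optional list of headers, like a CDN
    whose default cache key is just the URL."""

    def __init__(self, origin: Callable[[Request], Response],
                 key_headers: Iterable[str] = ()):
        self.origin = origin
        self.key_headers = tuple(key_headers)
        self.store: Dict[Tuple[str, ...], Response] = {}
        self.origin_hits = 0   # how often the cache had to ask the origin

    def key(self, req: Request) -> Tuple[str, ...]:
        return (req["path"],) + tuple(req.get(h, "") for h in self.key_headers)

    def get(self, req: Request) -> Response:
        k = self.key(req)
        if k not in self.store:
            self.origin_hits += 1
            self.store[k] = self.origin(req)
        return self.store[k]


CANONICAL_HOST = "example.com"   # assumed configured site host


def vulnerable_origin(req: Request) -> Response:
    """Builds an absolute script URL from X-Forwarded-Host (a common bug)."""
    host = req.get("X-Forwarded-Host", CANONICAL_HOST)
    return f'<script src="https://{host}/static/app.js"></script>'


def hardened_origin(req: Request) -> Response:
    """Ignores the request-supplied host and uses the configured one."""
    return f'<script src="https://{CANONICAL_HOST}/static/app.js"></script>'


def probe_unkeyed_reflection(origin: Callable[[Request], Response],
                             header: str,
                             marker: str = "cache-probe-12345.invalid") -> bool:
    """Owner-side check: does a header that is not in the cache key change
    the response body? If so, the path is poisonable through that header."""
    base = origin({"path": "/"})
    probed = origin({"path": "/", header: marker})
    return marker in probed and probed != base


def scenario(origin: Callable[[Request], Response],
             key_headers: Iterable[str] = ()) -> Tuple[Response, Response]:
    """One visitor sends an odd header value; a normal visitor follows.
    Returns what each of them received from the cache."""
    cache = Cache(origin, key_headers)
    odd_visitor = cache.get({"path": "/",
                             "X-Forwarded-Host": "attacker-controlled.invalid"})
    normal_visitor = cache.get({"path": "/"})
    return odd_visitor, normal_visitor


if __name__ == "__main__":
    print("unkeyed header, trusting origin :", scenario(vulnerable_origin)[1])
    print("header added to cache key       :",
          scenario(vulnerable_origin, ["X-Forwarded-Host"])[1])
    print("origin ignores header           :", scenario(hardened_origin)[1])
    print("origin reflects unkeyed header? :",
          probe_unkeyed_reflection(vulnerable_origin, "X-Forwarded-Host"))
```

In the first scenario the normal visitor gets the script tag built from the odd visitor's header, because the cache cannot tell the two requests apart. Adding the header to the key stops the cross-user effect but still lets the odd visitor poison their own entry, which is why removing the reflection at the origin is the stronger fix.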
  15. Tomi Engdahl says:

    Necurs Botnet Pushing New Marap Malware
    https://www.bleepingcomputer.com/news/security/necurs-botnet-pushing-new-marap-malware/

    Security researchers from Proofpoint have discovered a new malware strain that they named Marap and which is currently distributed via massive waves of spam emails carrying malicious attachments (malspam).

    The malware is neither a banking trojan, a remote access trojan (RAT), nor ransomware, but a malware downloader (also referred to as a malware loader or malware dropper).

    Marap is a slim malware strain that infects victims, fingerprints their systems, and sends this information back to a central command & control (C&C) server.

    Based on the victim’s profile, Marap will later download specific modules based on the instructions it receives from the C&C server and the malware’s authors.

    Reply
  16. Tomi Engdahl says:

    New Trickbot Variant Touts Stealthy Code-Injection Trick
    https://threatpost.com/new-trickbot-variant-touts-stealthy-code-injection-trick/136606/

    Trickbot is back, this time with a stealthy code injection trick.

    Trickbot has been around since 2016 – but a new variant of the infamous financial trojan has caught the eyes of researchers with a stealthy code-injection technique.

    Researchers at Cyberbit this week said that they have found a new Trickbot iteration that features a sneaky method of performing process-hollowing using direct system calls, anti-analysis techniques and the disabling of security tools.

    “Trickbot is constantly evolving, adopting new tricks and becoming stealthier,” said Cyberbit malware analyst Hod Gavriel in a blog post. “It still has some way to go since it didn’t implement all its process-hollowing function calls via direct system calls. To avoid being analyzed, it added some very simple and ineffective techniques such as sleep (for a long/short time) and useless function calls. To avoid detection, it disabled and deleted the Windows Defender service.”

    Reply
  17. Tomi Engdahl says:

    Exclusive: FBI probing cyber attack on congressional campaign in California – sources
    https://www.reuters.com/article/us-usa-election-hacking-exclusive/exclusive-fbi-probing-cyber-attack-on-congressional-campaign-in-california-sources-idUSKBN1L22BZ

    The U.S. Federal Bureau of Investigation is investigating a cyber attack on the congressional campaign of a Democratic candidate in California, according to three people close to the campaign.

    The hackers successfully infiltrated the election campaign computer of David Min, a Democratic candidate for the House of Representatives who was later defeated in the June primary for California’s 45th Congressional district.

    The incident, which has not been previously reported, follows an article in Rolling Stone earlier this week that the FBI has also been investigating a cyber attack against Hans Keirstead, a California Democrat.

    Reply
  18. Tomi Engdahl says:

    How risky is the Internet? Researchers say 42%
    https://www.kaspersky.com/blog/risky-websites-42/23502/

    When you visit a website, you can open your computer to a lot more danger than you might think. All sites load their own content, some load ads served by an ad network, some load content served by other sites, and some load services hosted by other sites. Often, you’re receiving a pretty motley assortment of visible and invisible code.

    Sounds like something you need to worry about only on shady or small sites, right? Wrong: A recent analysis by Menlo Security of the world’s most-visited websites shows nearly half still leave visitors open to vulnerable software, too much active content, and large amounts of code execution — in other words, a lot of potential danger. Ultimately, the researchers deemed 42% of the Alexa Top 100,000 “risky.”

    Sites trusting other sites

    The reasons also included a bunch of things users can’t control at all — unpatched server software, previous known malware infestation, a past security breach, and the like. Beyond the visited site, the findings revealed that each site calls an average of 25 background sites to fetch various types of content.

    That means that when you’re visiting a website you presumably trust, you’re actually dealing with dozens of sites, most of which you never even heard of.

    Vulnerable Web software

    The report also states that many of the world’s most popular websites don’t have to worry about their partners letting them down; they take care of that part just fine — by using outdated servers. Some hadn’t been updated in years or even decades. Such sites are extremely vulnerable to malware and breaches, which in turn puts their visitors at risk.

    Reply
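The "each site calls an average of 25 background sites" finding above is easy to measure for a single page. The following is an added example, not part of the original post or of Menlo Security's study: it parses a page's HTML with the standard library, resolves every script, stylesheet, image, frame and media URL against the page URL, and splits the hosts into first-party and third-party by comparing the last two labels of the hostname (a crude approximation of a registrable domain; a public-suffix list would be more accurate). The HTML document and all host names in it are constructed.

```python
"""Count the third-party origins a page pulls content from.

Added example with a constructed HTML document; not code from the
original post or from Menlo Security. Registrable-domain comparison is
approximated by the last two host labels (an assumption; real deployments
should use the public suffix list)."""

from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that names a fetched resource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "video": "src", "audio": "src", "source": "src",
                  "link": "href"}
# <link> relations that cause a fetch during page load.
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
                 "dns-prefetch"}


class ResourceCollector(HTMLParser):
    """Collects URLs of resources a browser would fetch for this page."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() not in FETCHING_RELS:
            return   # icons, canonical links etc. are not load-time fetches
        url = a.get(attr)
        if url:
            self.urls.append(url)


def registrable(host: str) -> str:
    """Crude registrable-domain approximation: last two labels."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_report(page_url: str, html: str) -> Dict[str, object]:
    """Resolve every resource URL and classify its host relative to the page."""
    parser = ResourceCollector()
    parser.feed(html)
    site = registrable(urlsplit(page_url).hostname or "")
    first: Set[str] = set()
    third: Set[str] = set()
    for url in parser.urls:
        host = urlsplit(urljoin(page_url, url)).hostname
        if not host:
            continue
        (first if registrable(host) == site else third).add(host)
    return {"requests": len(parser.urls),
            "first_party_hosts": first,
            "third_party_hosts": third}


# Constructed page: two first-party hosts, three third-party ones.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="icon" href="/favicon.ico">
<script src="https://www.example.com/js/app.js"></script>
<script src="//cdn.tracker-net.invalid/pixel.js"></script>
<script src="https://ads.adnetwork.invalid/serve.js"></script>
</head><body>
<img src="https://img.example.com/logo.png">
<iframe src="https://widgets.social.invalid/like"></iframe>
<img src="https://ads.adnetwork.invalid/banner.png">
</body></html>"""

if __name__ == "__main__":
    report = third_party_report("https://www.example.com/", SAMPLE_HTML)
    print(report["requests"], "resource requests")
    print("first party:", sorted(report["first_party_hosts"]))
    print("third party:", sorted(report["third_party_hosts"]))
```

The third-party set is what the page's author does not control: each host in it is a separate origin whose patch state, ad inventory and script content decide part of the visitor's exposure, which is the point the article makes.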
  19. Tomi Engdahl says:

    Security
    ‘Oh sh..’ – the moment an infosec bod realized he was tracking a cop car’s movements by its leaky cellular gateway
    Internet boxes blab coordinates on login pages
    https://www.theregister.co.uk/2018/08/18/cellular_gateway_snafu/

    Black Hat If you want to avoid the cops, or watch deliveries and call-outs by trucks and other vehicles in real time, well, there’s potentially not a lot stopping you.

    Security researchers have found more than 100,000 internet-facing cellular gateways, some of which broadcast their exact whereabouts to the world. These particular devices, fitted to fleet vehicles, police cars, ambulances, and so on, blab their coordinates on webpages served by their built-in web servers from their public IP addresses. Thus, they and their vehicles can be found, inspected, and stalked using port scans and search engines, such as Shodan.io.

    This security blunder was found by accident after an investigation by F5 Labs into Linux malware took an interesting turn, leading the team to stumble across the gossiping gateways. Since then more than 13,500 warning notes have been sent out to people making and operating exposed equipment, we’re told, with two replies received – one of which was from Sierra Wireless, the manufacturer of most of the discovered gateways.

    The location information is leaked from misconfigured cellular gateways that are used to connect equipment in a vehicle to the internet via a cellphone network, or provide Wi-Fi that routes connections out to the outside world via a cellular connection.

    Gateways from Sierra Wireless, Cradlepoint, Moxa, and Digi have been found on the public internet poorly secured by their owners, according to F5. They display the unit’s physical location in a device status box on the administrator login page, and possibly still use the username and password defaults of user/12345 on Sierra kit.

    Reply
  20. Tomi Engdahl says:

    Zero-Day In Microsoft’s VBScript Engine Used By Darkhotel APT
    https://www.bleepingcomputer.com/news/security/zero-day-in-microsofts-vbscript-engine-used-by-darkhotel-apt/

    A vulnerability in the VBScript engine has been used by hackers working for North Korea to compromise systems targeted by the Darkhotel operation.

    VBScript is available in the latest versions of Windows and in Internet Explorer 11. In recent versions of Windows, though, Microsoft disabled execution of VBScript in the default configuration of its browser, making it immune to the vulnerability.

    There are other methods to load scripts, though. For instance, applications in the Office suite rely on the IE engine to load and render web content.

    Reply
  21. Tomi Engdahl says:

    SentinelOne makes YouTube delete Bsides vid ‘cuz it didn’t like the way bugs were reported
    Research silenced amid copyright, trademark claim
    https://www.theregister.co.uk/2018/08/18/sentinelone_bsides_copyright_takedown/

    If you were at BSides Manchester in England this week, you hopefully caught James Williams’ presentation on the shortcomings of some commercial antivirus tools.

    If not, and you hoped to watch it on YouTube, you may be out of luck for a while.

    That’s because one of the vendors mentioned – SentinelOne – is rather upset with the talk, funnily enough titled “Next-gen AV vs my shitty code.” To stop people seeing it, the Silicon Valley biz filed a copyright-infringement complaint to make YouTube remove a recording of the presentation from the BSides Manchester channel.

    Reply
  22. Tomi Engdahl says:

    HackNotice Alerts You When a Site is Hacked or Your Info is Leaked
    https://www.bleepingcomputer.com/news/security/hacknotice-alerts-you-when-a-site-is-hacked-or-your-info-is-leaked/

    HackNotice is a service that went live in July and is designed to alert you when your information has been disclosed in leaked data breaches from hacked sites. HackNotice does this by collecting leaked information from data breaches and compiling it into a database that can be used to determine if information related to your monitored email addresses have been leaked.

    To use the service, users need to register a free account on the HackNotice site. They can then create watchlists for email addresses and web sites that they wish to monitor for detection in leaks or for when new hacks occur.

    https://www.hacknotice.com/

    Reply
  23. Tomi Engdahl says:

    VORACLE Attack Can Recover HTTP Data From VPN Connections
    https://www.bleepingcomputer.com/news/security/voracle-attack-can-recover-http-data-from-vpn-connections/

    A new attack named VORACLE can recover HTTP traffic sent via encrypted VPN connections under certain conditions.

    The attack was discovered by security researcher Ahamed Nafeez, who presented his findings at the Black Hat and DEF CON security conferences held last week in Las Vegas.

    VORACLE = CRIME for VPNs

    VORACLE is not a new attack per se, but a variation and mix of older cryptographic attacks such as CRIME, TIME, and BREACH.

    In those previous attacks, researchers discovered that they could recover data from TLS-encrypted connections if the data was compressed before it was encrypted.

    Fixes for those attacks were deployed in 2012 and 2013, respectively, and HTTPS connections have been safe ever since.

    But Nafeez discovered that the theoretical points of those attacks were still valid when it came to some type of VPN traffic.

    Nafeez says that VPN services/clients that compress HTTP web traffic before encrypting it as part of the VPN connection are still vulnerable to those older attacks.

    “VORACLE allows an attacker to decrypt secrets from HTTP traffic sent through a VPN,” Nafeez told Bleeping Computer in a private conversation today.

    “The aim of the attack is to leak interesting secrets. This can be any cookies, pages with sensitive information, etc.,” he added.

    Reply
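The precondition the comment above describes (HTTP compressed before it is encrypted inside the tunnel) can be checked on your own traffic shape before it ever touches a network. The following is an added example, not code from the article or from the researcher: it builds a constructed HTTP request in which an attacker-influenced query string and the browser's own secret cookie share one stream, and compares the length that would be observable on the wire with compression on and off. Encryption preserves length, so the compressed length is what a passive observer of the VPN tunnel sees. The cookie value, hostname and URL are all made up for the example.

```python
import zlib

# Constructed sample data (not from the article): a session cookie that a VPN
# client would tunnel together with request content influenced by a web page.
SECRET_COOKIE = "session=7f3a9c21"


def build_request(page_controlled: str, secret: str = SECRET_COOKIE) -> bytes:
    """Plaintext as a compress-then-encrypt tunnel would see it: the query string
    (which a malicious page can choose) and the secret cookie (which the browser
    attaches on its own) end up in the same compression window."""
    return (
        f"GET /search?q={page_controlled} HTTP/1.1\r\n"
        f"Host: example.test\r\n"
        f"Cookie: {secret}\r\n\r\n"
    ).encode()


def wire_length(plaintext: bytes, compress: bool) -> int:
    """Length observable on the wire. Stream and block ciphers do not hide
    length, so with compression enabled the ciphertext length tracks
    len(compress(plaintext)); with compression disabled it tracks len(plaintext)."""
    return len(zlib.compress(plaintext, 9)) if compress else len(plaintext)


def length_leak(correct_guess: str, wrong_guess: str, compress: bool) -> int:
    """Observable length difference between a request whose page-controlled part
    is a wrong guess and one whose page-controlled part equals the secret.
    A positive value means the matching guess was deduplicated by the compressor,
    i.e. the tunnel reveals whether page content matched the secret cookie.
    Zero means the observer learns nothing from length."""
    return (wire_length(build_request(wrong_guess), compress)
            - wire_length(build_request(correct_guess), compress))


if __name__ == "__main__":
    wrong = "no-match-here-xx"          # same length as the secret, no overlap
    for compress in (True, False):
        print(f"compression={compress}: leak of "
              f"{length_leak(SECRET_COOKIE, wrong, compress)} bytes")
```

With compression on, the request that repeats the cookie value compresses measurably shorter than the one that does not, which is the CRIME/BREACH signal the article says VORACLE reuses; with compression off the two requests have identical lengths. The defensive conclusion is the same one the fixes of 2012 and 2013 reached for TLS: do not compress data that mixes secrets with content an outside party can influence, which for a VPN client means turning off HTTP-level compression inside the tunnel.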
  24. Tomi Engdahl says:

    President Trump relaxes US cyber-attacks rules
    https://www.bbc.com/news/technology-45208776

    President Trump has signed an order relaxing rules around the use of cyber-weapons, the Wall Street Journal reports.

    It is a reversal of guidelines, drawn up under President Obama, which required a large number of federal agencies to be involved in any decision to launch a cyber-attack.

    Specific details of what the new rules will be are classified information.

    One official said the US was taking “an offensive step forward”.

    The US administration is under pressure to deal with cyber-threats, amid growing concerns that state-sponsored hacks could hit critical infrastructure.

    Reply
  25. Tomi Engdahl says:

    Botched CIA Communications System Helped Blow Cover of Chinese Agents
    The number of informants executed in the debacle is higher than initially thought.
    https://foreignpolicy.com/2018/08/15/botched-cia-communications-system-helped-blow-cover-chinese-agents-intelligence/

    It was considered one of the CIA’s worst failures in decades: Over a two-year period starting in late 2010, Chinese authorities systematically dismantled the agency’s network of agents across the country, executing dozens of suspected U.S. spies. But since then, a question has loomed over the entire debacle.

    How were the Chinese able to roll up the network?

    Now, nearly eight years later, it appears that the agency botched the communication system it used to interact with its sources, according to five current and former intelligence officials. The CIA had imported the system from its Middle East operations, where the online environment was considerably less hazardous, and apparently underestimated China’s ability to penetrate it.

    “The attitude was that we’ve got this, we’re untouchable,” said one of the officials who, like the others, declined to be named discussing sensitive information. The former official described the attitude of those in the agency who worked on China at the time as “invincible.”

    Reply
  26. Tomi Engdahl says:

    Hijacking online accounts through voicemail
    August 17, 2018
    https://www.kaspersky.com/blog/hacking-online-accounts-via-voice-mail/23499/

    Who uses voicemail these days? “No one” is probably the first response on most people’s lips. That answer is both right and wrong. True, not many people use voicemail now, yet many mobile subscribers have the service — and it’s still in good working order, even if somewhat neglected.

    Reply
  27. Tomi Engdahl says:

    Mehreen Khan / Financial Times:
    Source: EU is drafting regulations to impose fines on social media platforms if they do not remove material flagged as terrorist content within an hour

    Brussels to act against tech groups over terror content
    Threat of fines after commission sees insufficient progress on voluntary action
    https://www.ft.com/content/a4068e88-a22a-11e8-85da-eeb7a9ce36e4

    Brussels plans to force companies including Facebook, YouTube and Twitter to identify and delete online terrorist propaganda and extremist violence or face the threat of fines.

    The European Commission has decided to abandon a voluntary approach to get big internet platforms to remove terror-related videos, posts and audio clips from their websites, in favour of tougher draft regulation due to be published next month.

    Julian King, the EU’s commissioner for security, told the Financial Times that Brussels had “not seen enough progress” on the removal of terrorist material from technology companies and would “take stronger action in order to better protect our citizens”.

    “We cannot afford to relax or become complacent in the face of such a shadowy and destructive phenomenon,” said Mr King.

    Reply
  28. Tomi Engdahl says:

    New York Times:
    Microsoft says hackers linked to the Russian military intelligence agency formerly known as the GRU targeted conservative US think tanks that challenge Moscow

    New Russian Hacking Targeted Republican Groups, Microsoft Says
    https://www.nytimes.com/2018/08/21/us/politics/russia-cyber-hack.html

    Microsoft said it had seized fake websites, linked to a Russian military intelligence unit, meant to trick people into thinking they were sites for Republican-leaning think tanks that have criticized President Vladimir V. Putin of Russia.

    The Russian military intelligence unit that sought to influence the 2016 election appears to have a new target: conservative American think tanks that have broken with President Trump and are seeking continued sanctions against Moscow, exposing oligarchs or pressing for human rights.

    In a report scheduled for release on Tuesday, Microsoft Corporation said that it detected and seized websites that were created in recent weeks by hackers linked to the Russian unit formerly known as the G.R.U. The sites appeared meant to trick people into thinking they were clicking through links managed by the Hudson Institute and the International Republican Institute, but were secretly redirected to web pages created by the hackers to steal passwords and other credentials.

    Reply
  29. Tomi Engdahl says:

    What is Momo? Parents warned over sick WhatsApp ‘suicide’ game that could be next Blue Whale
    https://www.mirror.co.uk/news/world-news/what-momo-parents-warned-over-13018367

    Police in Argentina are investigating if the suicide of a 12-year-old girl in Buenos Aires is linked to Momo

    Parents warned over sick Whatsapp ‘suicide’ game Momo which uses the work of a Japanese artist as the avatar

    Parents are being warned that ‘Momo’ could be the next Blue Whale – a vile and dangerous social media game linked to at least 130 teen deaths across Russia.

    Reply
  30. Tomi Engdahl says:

    YouTube accused of promoting videos and phone numbers for terrifying ‘Momo suicide challenge’
    https://www.telegraph.co.uk/technology/2018/08/20/youtube-accused-promoting-videos-phone-numbers-terrifying-momo/

    Dozens of disturbing videos promoting an online game that encourages children to commit suicide have been found on YouTube.

    The craze, named the “Momo Challenge”, requires children to message a fictional horror character named Momo by calling or sending texts to strangers’ phone numbers they find on the Internet. Some of these can be found on YouTube.

    The anonymous person will then instruct children to engage in dares or challenges. These can range from relatively innocent activities like watching a horror film or staying up late, through to self-harm and suicide. Children are told to film themselves and send the clips to Momo, who responds…

    Reply
  31. Tomi Engdahl says:

    IoT botnet of heaters & ovens can cause massive widespread power outages
    https://www.hackread.com/iot-botnet-heaters-ovens-cause-widespread-power-outages/

    Reply
  32. Tomi Engdahl says:

    Booz Allen Hamilton wins $1 billion US cybersecurity contract
    https://www.zdnet.com/article/booz-allen-hamilton-wins-1-billion-us-cybersecurity-contract/

    The contractor is now responsible for securing nearly 80 percent of the .gov enterprise.

    The US Department of Homeland Security (DHS) is handing over a $1 billion contract to Booz Allen Hamilton to boost cybersecurity across six federal agencies. With this deal — Booz Allen’s second-largest cybersecurity task order ever — the contractor is now responsible for securing nearly 80 percent of the .gov enterprise.

    More specifically, Booz Allen has been selected as the prime contractor for the government-wide Continuous Diagnostics and Mitigation (CDM) Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) Program. DHS established the CDM program in 2012 to provide federal agencies with tools to enhance the visibility of risks and maintain an active defense against cyber threats.

    In May, the DHS and Office of Management and Budget released a report stating that 71 of 96 agencies have cybersecurity programs that they labeled as either “at risk” or “high risk.”

    “OMB and DHS also found that Federal agencies are not equipped to determine how threat actors seek to gain access to their information,” the report said.

    Reply
  33. Tomi Engdahl says:

    Meet ‘Intrusion Truth,’ the Mysterious Group Doxing Chinese Intel Hackers
    https://motherboard.vice.com/en_us/article/wjka84/intrusion-truth-group-doxing-hackers-chinese-intelligence

    Since April last year, a group calling itself ‘Intrusion Truth’ has trickled out the real names of hackers working for Chinese intelligence. Recently the group has ramped up its efforts against a Chinese operation targeting governments and businesses.

    Since the end of July, Intrusion Truth has steadily published a stream of alleged names of individual APT10 hackers, a bold and unusual move in the world of cyber-espionage, where operators typically remain anonymous, and cybersecurity companies only publish descriptions of victims in broad strokes.

    Intrusion Truth and its controversial approach bring up questions of the ethics of unmasking government-backed hackers, and whether such moves may act as some sort of deterrent, or at least retribution, against state-sponsored cyber-espionage.

    China has hacked its way to other nations’ manufacturing secrets for years, ransacking military fighter jet schematics and information on solar power, among other industrial treasures.

    This is the sort of wide-spanning industrial espionage that Intrusion Truth is particularly motivated against.

    “Intellectual property theft is a global confrontation fought between the West and its online adversaries, mainly China.

    Multiple cybersecurity firms have linked APT10 to hacks against victims in the US, UK, India, and elsewhere.

    Intrusion Truth has published the names of three alleged APT10 hackers.

    Cybersecurity companies publishing reports on government hacking groups may provide the real names of hackers to their clients, but usually don’t release them publicly.

    “There’s no upside,” Barysevich said. Several other cybersecurity researchers felt the same.

    Intrusion Truth, awarded the protection of anonymity and free from commercial liability, is taking another approach.

    There may be merit to naming and shaming. In 2014, the Justice Department indicted five Chinese military hackers for conducting cyber-espionage against several US targets.

    One cybersecurity source with knowledge of Chinese APTs said that generally speaking the Chinese are not concerned with being caught; they only care about being successful.

    Segal said naming and shaming would have to be married with other actions to have consequences.

    Nation-state hackers work within the laws of their own countries while breaking legislation in others. “Only time can tell if naming individual operators will impact recruiting and retention for those missions.”

    It is not clear who is behind Intrusion Truth.

    Reply
  34. Tomi Engdahl says:

    Thieves use $2.3M in counterfeit money to shake down cryptocurrency millionaire
    Fake €500 bills were created using Photoshop
    https://thenextweb.com/hardfork/2018/08/20/counterfeit-money-cryptocurrency/

    Another Bitcoin millionaire has been caught in an elaborate cryptocurrency plot. A South Korean businessman has exchanged $2.3M worth of Bitcoin for cash – only to find the banknotes were cheap, poorly printed fakes.

    The setting was the glitzy French Riviera, the sunny coastal town of Nice. The target – a South Korean businessman, owner of a successful cryptocurrency business in Singapore. A Serbian man and his accomplice are alleged to have convinced the businessman to part with his Bitcoin fortune, armed with €2 million ($2.3M) in counterfeit notes.

    Reply
  35. Tomi Engdahl says:

    US tech circles wagons as India reviews data protection proposals
    Ex-Cisco CEO-chaired lobby leading the charge
    https://www.theregister.co.uk/2018/08/21/us_tech_circles_wagons_in_the_face_of_indias_data_protection_laws/

    Reply
  36. Tomi Engdahl says:

    London’s Gatwick Airport flies back to the future as screens fail
    Staff forced to whiteboard in terminals as cloud connection goes TITSUP*
    https://www.theregister.co.uk/2018/08/20/gatwick_fail/

    London Gatwick Airport’s shiny new cloud-based flight information display system had a hard landing this morning as its vision of the future was brought down to earth with a bump.

    While collecting the Cloud Project of the Year award at the Real IT awards in May, the airport proclaimed its new screens were “an innovative, cost effective system that are easily scalable, more flexible and resilient, and require considerably less infrastructure and maintenance”.

    Oh dear.

    Passengers at “London”** Gatwick Airport, the UK’s second largest, found themselves faced with blank information screens, and staff hurriedly wheeling out whiteboards and felt-tip pens to show flight status.

    The Flight Information Display System (FIDS) at Gatwick Airport was the result of a project that kicked off back in 2015 to replace legacy systems that required a separate PC running behind the majority of the airport’s screens. The new system features 1,200 cloud-based screens requiring only 3Mbps of bandwidth and made an appearance in December 2017.

    Reply
  37. Tomi Engdahl says:

    NCC Group Releases Open Source DNS Rebinding Attack Tool
    https://www.securityweek.com/ncc-group-releases-open-source-dns-rebinding-attack-tool

    Cyber security and risk mitigation company NCC Group has released a new open source tool designed to make it easier for penetration testers and others to perform DNS rebinding attacks.

    DNS rebinding, an attack method that has been known for more than a decade, can allow a remote hacker to abuse a targeted entity’s web browser to directly communicate with devices on the local network. DNS rebinding can be leveraged to exploit vulnerabilities in services the targeted machine has access to.

    Getting the target to access a malicious page or view a malicious ad is often enough to conduct an attack that can lead to theft of sensitive information or taking control of vulnerable systems.

    NCC Group on Friday announced the availability of Singularity of Origin, an open source tool designed for conducting DNS rebinding attacks.

    Singularity of Origin: A DNS Rebinding Attack Framework
    https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/august/singularity-of-origin-a-dns-rebinding-attack-framework/
    https://github.com/nccgroup/singularity

    Reply
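The comment above explains what DNS rebinding lets a remote page do: after the attacker's DNS name is re-pointed at a local address, the victim's browser sends requests to a local service while still using the attacker's hostname in the Host header. That detail is also the standard mitigation, so here is an added example (not code from NCC Group, the tool or the article) of a local service that refuses any request whose Host header does not name the service itself. The allowed names, the listen port and the handler are assumptions made for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, Optional

# Assumed for the example: the names and addresses this service expects to be
# reached as. A rebinding page cannot make the browser send one of these as Host,
# because the browser fills Host from the URL the page itself navigated to.
ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1", "device.local"})


def host_is_allowed(host_header: Optional[str],
                    allowed: Iterable[str] = ALLOWED_HOSTS) -> bool:
    """True only if the Host header (port stripped) is one of our own names.
    An unknown Host means the request came via a DNS name we do not own, which is
    exactly what a rebinding attack looks like from the server's side."""
    if not host_header:
        return False
    hostname = host_header.strip().lower()
    if hostname.startswith("["):                # bracketed IPv6 literal, e.g. [::1]:8080
        end = hostname.find("]")
        if end == -1:
            return False
        hostname = hostname[1:end]
    elif hostname.count(":") == 1:              # name:port or v4:port
        hostname = hostname.split(":", 1)[0]
    return hostname in set(allowed)


class LocalServiceHandler(BaseHTTPRequestHandler):
    """Minimal local HTTP service that performs the Host check before anything else."""

    def do_GET(self):
        if not host_is_allowed(self.headers.get("Host")):
            # Reject early; do not serve the sensitive response to a rebound origin.
            self.send_error(403, "Unexpected Host header")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"hello from the local service\n")


if __name__ == "__main__":
    # Bind to loopback only; the Host check still matters because a rebound
    # browser on this machine reaches loopback too.
    HTTPServer(("127.0.0.1", 8080), LocalServiceHandler).serve_forever()
```

Host validation stops the request even though the DNS answer now resolves to the local address, because the rebinding page can only change where the name resolves, not which name the browser puts in the header. Services that also accept raw IP access should list those addresses explicitly, as the example does, rather than skipping the check for IP literals.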
  38. Tomi Engdahl says:

    Code of App Security Tool Posted to GitHub
    https://www.securityweek.com/code-app-security-tool-posted-github

    Code of DexGuard, software designed to secure Android applications and software development kits (SDKs), was removed from GitHub last week, after being illegally posted on the platform.

    The tool is developed by Guardsquare, a company that specializes in hardening Android and iOS applications against both on-device and off-device attacks, and is designed to protect Android applications and SDKs against reverse engineering and hacking.

    The DexGuard software is built on top of ProGuard, a popular optimizer for Java and Android that Guardsquare distributes under the terms of the GNU General Public License (GPL), version 2. Unlike ProGuard, however, DexGuard is being distributed under a commercial license.

    In the DMCA takedown notice published on GitHub, Guardsquare reveals that the DexGuard code posted on the Microsoft-owned code platform was illegally obtained from one of their customers.

    The leaked code was quickly removed from the open-source hosting platform, but it did not take long for it to appear on other repositories as well. In fact, Guardsquare said it discovered nearly 200 forks of the infringing repository and demanded that all be taken down.

    HackedTeam, the account that first published the stolen code, also maintains repositories of open-source malware suite RCSAndroid (Remote Control System Android).

    Reply
  39. Tomi Engdahl says:

    Flaws in Emerson Workstations Allow Lateral Movement
    https://www.securityweek.com/flaws-emerson-workstations-allow-lateral-movement

    Researchers working for two industrial cybersecurity firms have discovered several critical and high severity vulnerabilities in Emerson DeltaV DCS Workstations. The vendor has released patches that should resolve the flaws.

    Emerson DeltaV Workstations are purpose-built computers specifically designed to run DeltaV applications. According to ICS-CERT, these systems are used worldwide, mainly in the chemical and energy sectors.

    An advisory published last week by ICS-CERT reveals that DeltaV DCS Workstation versions 11.3.1, 12.3.1, 13.3.0, 13.3.1 and R5 are impacted by four serious vulnerabilities.

    Reply
  40. Tomi Engdahl says:

    North Korean Hackers Exploit Recently Patched Zero-Day
    https://www.securityweek.com/north-korean-hackers-exploit-recently-patched-zero-day

    North Korean hackers are exploiting a recently patched vulnerability in Microsoft’s VBScript engine in live attacks, security researchers say.

    Tracked as CVE-2018-8373, the bug was identified as a memory corruption issue that would result in remote code execution in the context of the current user. The flaw resides in the manner in which the VBScript scripting engine handles objects in memory in Internet Explorer.

    “[A]n attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine,” Microsoft said.

    CVE-2018-8373 | Scripting Engine Memory Corruption Vulnerability
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8373

    Reply
  41. Tomi Engdahl says:

    Anonymous Hackers Target Spain Sites in Catalonia Protest
    https://www.securityweek.com/anonymous-hackers-target-spain-sites-catalonia-protest

    Hackers from the Anonymous collective claimed responsibility for bringing down government websites in Spain on Monday in a protest against Madrid’s efforts to block Catalonia’s separatist drive.

    The sites, which included the official websites of the Constitutional Court and the economy and foreign ministries, went offline on Monday and could still not be accessed by early evening.

    Anonymous, a loosely knit group that has attacked financial and government websites around the world, said it orchestrated the shutdowns.

    Reply
  42. Tomi Engdahl says:

    Vulnerability in IP Relay Service Impacts Major Canadian ISPs
    https://www.securityweek.com/vulnerability-ip-relay-service-impacts-major-canadian-isps

    A recently addressed local file disclosure vulnerability in the SOLEO IP Relay service impacted nearly all major Internet service providers (ISPs) in Canada, a security researcher has discovered.

    Also known as telecommunications relay services (TRSs), the IP relays developed by Soleo Communications are available through all major ISPs in Canada.

    The cloud-based IP Relay service was launched over half a decade ago to allow hearing-impaired individuals and those with speech disorders to place calls through a TTY (text terminal) or other assistive telephone device.

    Because of improper input sanitization, these services exposed sensitive user information, Project Insecurity researcher Dominik Penner discovered.

    https://insecurity.sh/assets/reports/soleo.pdf

    Reply
  43. Tomi Engdahl says:

    Prince of Persia: The Sands of Foudre
    https://www.intezer.com/prince-of-persia-the-sands-of-foudre/

    In the past couple years, Palo Alto Networks reported on the “Prince of Persia” malware campaign which is believed to be of Iranian origin and ongoing for more than 10 years

    Reply
