Every day, cyber threat intelligence firm RiskIQ hoovers up terabytes of internet data. It concentrates on the internet infrastructure and how it functions, gathering up domains, IP addresses, email addresses and web page materials. It does this on behalf of its customers. With booming cloud and social media, not only is there no longer a perimeter to defend, companies often don’t even know what they have to defend.
The attack surface is expanding, and attackers target company brands, suppliers and customers across the internet as well as companies’ own data centers. RiskIQ scans the internet to see what, where and how its customers might be vulnerable.
“We collect crawled web pages, mobile apps, social media profiles and more so that we can identify what our clients own online, so they in turn can identify any vulnerabilities or risks — down to, for example, criminal or malicious actors who may be attempting to masquerade as their business in an effort to go after their employees, or customers, and so on,” explained Brandon Dixon, RiskIQ VP of product.
The North Korea-linked hacking group Lazarus is said to have stolen $13.5 million in a recent cyber-attack targeting SWIFT/ATM infrastructure of Cosmos Bank.
The attackers likely gained access to the bank’s systems via spear phishing and/or remote administration/third-party interface and used multiple attack techniques to steal funds. The theft took place between August 10 and 13, 2018, according to researchers from Securonix.
Believed to be backed by the North Korean government, the Lazarus group was said last year to be the most serious threat to banks. This year, the hackers also focused heavily on crypto-currency exchanges and have been involved in numerous attacks against such organizations.
A recent report also revealed that most malware families originating from North Korea can be linked to Lazarus via code reuse.
The Russian hackers indicted by the U.S. special prosecutor last month have spent years trying to steal the private correspondence of some of the world’s most senior Orthodox Christian figures, The Associated Press has found, illustrating the high stakes as Kiev and Moscow wrestle over the religious future of Ukraine.
The targets included top aides to Ecumenical Patriarch Bartholomew I, who often is described as the first among equals of the world’s Eastern Orthodox Christian leaders.
The Istanbul-based patriarch is currently mulling whether to accept a Ukrainian bid to tear that country’s church from its association with Russia, a potential split fueled by the armed conflict between Ukrainian military forces and Russia-backed separatists in eastern Ukraine.
The AP’s evidence comes from a hit list of 4,700 email addresses supplied last year by Secureworks, a subsidiary of Dell Technologies.
Facebook has pulled one of its own products from Apple’s app store because it didn’t want to stop tracking what people were doing on their iPhones. Facebook also banned a quiz app from its social network for possible privacy intrusions on about 4 million users.
The social media company said late Wednesday that it took action against the myPersonality quiz app, saying that its creators refused an inspection. But even as Facebook did that, it found its own Onavo Protect security app at odds with Apple’s tighter rules for applications.
Onavo Protect is a virtual-private network service aimed at helping users secure their personal information over public Wi-Fi networks. The app also alerts users when other apps use too much data.
SecureWorks security researchers have discovered that a new, large phishing campaign targeting universities is similar to previous cyber operations by an actor associated with the Iranian government.
The campaign involved the use of sixteen domains that contained more than 300 spoofed websites and login pages for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.
Many of the spoofed domains, SecureWorks says, referenced the targeted universities’ online library systems, suggesting that the actors behind the campaign were interested in accessing those resources. Not all domains were accessible during analysis.
Victims who entered their login credentials into the fake login pages were redirected to the legitimate websites. Once there, they were either automatically logged into a valid session or asked for the login credentials again, SecureWorks explains.
Despite indictments in March 2018, the Iranian threat group is likely responsible for a large-scale campaign that targeted university credentials using the same spoofing tactics as previous attacks.
Exploit code for a Critical remote code execution vulnerability in Apache Struts 2 was published on GitHub within days after the bug was addressed last week.
Tracked as CVE-2018-11776, the security flaw was found to impact Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the popular Java framework.
Google has alerted U.S. Sen. Pat Toomey’s office that hackers with ties to a “nation-state” sent phishing emails to old campaign email accounts, a spokesman for the Pennsylvania Republican said Friday.
Toomey’s office was notified this week about the attempt to infiltrate email accounts, said spokesman Steve Kelly. He said the dormant accounts hadn’t been used since the end of the 2016 campaign, and the staffers they’re attached to no longer work for Toomey. The nation-state wasn’t identified.
“This underscores the cybersecurity threats our government, campaigns, and elections are currently facing,” he said. “It is essential that Congress impose tough penalties on any entity that undermines our institutions.”
Google sucks up consumer data in ways users might find surprising—such as when browsers are in “incognito” mode—according to an analysis of the company’s data collection by a researcher from Vanderbilt University.
The study, released Tuesday and commissioned by the trade org Digital Content Next, looks at how data is gathered from all Google products, including Android mobile devices, Chrome web browsers, YouTube and Photos. In addition to incognito data collection, the study looked at other “passive” means of collection, where “an application is instrumented to gather information while it’s running, possibly without the user’s knowledge,” the report says.
The CEO of Epic Games, maker of smash-hit shoot-em-up Fortnite, continues to savage Google for disclosing a security hole in his software.
Calling the ad giant “irresponsible” for publicly disclosing the vulnerability on Friday, Tim Sweeney posted a string of angry tweets over the weekend and into Monday accusing the search king of hypocrisy – and implied that the release was payback for Epic deciding to offer its game to Android users outside of Google’s official Play app store.
The issue tracker webpage for the bug reveals that Google ran a security check against Epic’s Fortnite installer as soon as it was made publicly available on August 15. The uncovered flaw could be exploited by another malicious app on a phone to hijack the installation process of the game, and install spyware and other dodgy code in its place.
It’s not bad enough to take Microsoft out-of-cycle, but CERT CC has just put out a warning of a new privilege escalation bug in Windows.
“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges”, the advisory stated.
ALPC, Advanced Local Procedure Call, restricts the impact somewhat, since it’s a local bug.
However, it opens an all-too-familiar attack vector: if an attacker can get a target to download and run an app, local privilege escalation gets the malware out of the user context up to (in this case) system privilege. Ouch.
The vulnerability note says: “The CERT CC is currently unaware of a practical solution to this problem.”
Two ISPs in Denmark have emerged victorious from a battle to keep the personal details of their customers private. Telenor and Telia were previously ordered to hand over information to copyright trolls but when the demands kept coming, the ISPs kicked back. Following a big win for the providers at the High Court in May, the Supreme Court will not hear the case, meaning the trolls will lose access to their cash cows.
All around the world, rightsholders connected to often lower-tier media are generating revenue from people alleged to have pirated their content online.
The system is mostly uniform, with alleged infringers’ IP addresses gathered by the ‘copyright trolls’ and taken to court, in the hope that a judge will order ISPs to hand over their personal details. With this information in hand, copyright trolls demand a cash payment to make a supposed lawsuit go away.
It’s important to note, however, that if rightsholders cannot force ISPs to hand over alleged infringers’ details, their entire project is dead in the water. That’s now the position in Denmark after copyright trolls’ greed prompted ISPs to dig in their heels and refuse to cooperate.
Linux v4.19-rc1, release candidate code published on Sunday, allows those building their own kernel or Linux distribution to choose whether or not to trust the CPU hardware random number generator, a decision that has become complicated in the wake of the revelations about government surveillance over the past five years.
When random number generation is insufficiently random, encryption based on such numbers can be broken with less effort. Among the security-minded, there’s concern that hardware makers might offer subpar randomization unknowingly, as a result of espionage, or to accommodate demands from government law enforcement or intelligence agencies.
The paranoia wasn’t always so palpable. Back in 2013, Linus Torvalds, Lord of the Linux, dismissed calls to ditch Intel’s RDRAND processor instruction, noting that the Linux kernel uses multiple sources of input to generate random numbers.
The domino effect scares: cyber attacks could knock out electricity across Europe
German security specialists warn that strategically targeted cybercrime could paralyze electricity distribution across all of Europe.
According to Der Spiegel, the country’s cyber-security center, intelligence services and the information security ministry jointly assess that online threats may pose a variety of problems for critical infrastructure. Through the network it would be possible, for example, to undermine the reliability of traffic and energy supply.
According to the estimates, paralyzing a single German energy distribution company could trigger a domino effect, with the problems spreading across Europe through the shared electricity distribution network. The report calls for increased infrastructure protection.
A similar risk for Finland was flagged in 2013, among others, by the security company Stonesoft.
German reporters are familiar with the cyber attacks in Ukraine, where in December 2015 malware took down part of the electricity grid.
Turning virtual cash into real money without being caught is a big problem for successful cyber-criminals.
They often have to get creative when “cashing out” or laundering the money they have stolen, according to a security expert.
Ziv Mador, head of security research at Trustwave SpiderLabs, told the BBC that credit card thieves, for example, have limited time to profit, because at some point the victim will put a stop on their card.
Tens of thousands of stolen card numbers are traded daily on the underground markets that Mr Mador and his colleagues monitor, with details taken from compromised websites or databases.
“They can try to sell the card, which is not big money because they only get a few dollars for each one,” he said.
Instead, he added, they are more likely to use them to buy more valuable assets like iPhones or Macbooks, which are popular because they tend to hold their value when resold.
“They do not buy 100 or so iPhones at once,” he said. “They use a lot of different cards at different times.”
Mr Mador said the crooks use randomisation tools to thwart anti-fraud systems that would spot if all the purchases, even those made with different cards, are being done on the same computer.
Another “cashing out” technique uses gift cards from big retailers such as Amazon and WalMart.
Then there are the more creative scams that seek to use Uber and other ride-hailing firms to launder cash.
Mr Mador, and others, have seen adverts seeking drivers who can take part, with Spain and the US both popular locations for the fraud. Other places like Moscow and St Petersburg were “temporarily unavailable”.
“They are looking for Uber drivers for fraudulent payments, people who can register for Uber and do fake rides,” said Mr Mador.
The driver’s account is used to launder the cash generated when stolen credit cards are used to pay for the fictitious journeys and they get a cut of the money as a payment.
The University of Helsinki is hit by an exceptionally large flood of spear phishing mails – hundreds of people have been tricked into giving their information to criminals
Phishing has rarely spread to such proportions, says the head of IT administration at the University of Helsinki. The University intends to file a criminal complaint.
The University of Helsinki is suffering from an exceptionally large flood of phishing messages. In the messages, users are urged to activate their username by clicking a link that leads to a very real-looking site.
By signing in on that site, the user hands his ID and password to the criminal, warns Ilkka Siissalo, IT Director of the University.
The problem started around mid-August. The University of Helsinki has 70,000 users, all of whom are likely to have received phishing messages.
The exact number of people who responded to the messages is unknown, but according to Siissalo it is more than 300.
“Generally, with a relatively well-made phishing message, a handful or half a dozen people might be caught. That more than 300 people have now fallen for it, on this scale, has not been seen before.”
Details of an unpatched vulnerability in Microsoft’s Windows 10 operating system were made public on Monday, via Twitter.
Information on the bug and a link to proof-of-concept (PoC) code hosted on GitHub was posted by a security researcher who claims to be frustrated with Microsoft’s bug submission process.
I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM!
The latest ESRA report from Mimecast indicates just why email attacks are so loved by cybercriminals, and why organizations need to take email security more seriously.
ESRA is Mimecast’s ongoing Email Security Risk Assessment quarterly analysis. Working with 37 organizations across 20 different industries, Mimecast compares the email threats it detects to those detected by the organizations’ incumbent email security technologies. The results provide two major sets of statistics: the volume of threats that go undetected by the incumbent technologies; and the sheer size of the email threat.
The latest report (PDF) covers more than 142 million emails received by almost 261,924 users. The incumbent email security was Office 365 and Proofpoint.
This doesn’t mean that the bad emails were effective, only that they were delivered to their destination. Other security controls might detect malware and inhibit users from clicking on malicious links — but it does imply that these additional controls need to be 100% effective against threats that could have been blocked before delivery.
The threat from rogue insiders, for so long dismissed as scare stories, has quietly bubbled back on to the official worry list.
High-profile cases – like that brought against Anthony Levandowski over IP he was accused of stealing from Google’s Waymo car division, and Jiaqiang Xu, who got five years in the clink for stealing source code belonging to IBM – have helped to bring these fears back to the fore.
Even the US government has been caught out – three employees of the Department for Home Security were accused of stealing a computer containing the personal files of 246,000 agency staff.
For years, the dominant narrative was the spiteful employee run amok, either spilling or stealing data (the Morrisons worker who leaked its entire employee database in 2014), or just plain messing with the network (the admin who caused chaos at Gucci in 2010).
It’s now dawned on organisations that it’s the quiet rogues you never hear about – let’s call them the “exfiltraitors” – that represent a threat potentially as bad as anything from the outside.
A CA study (PDF) earlier this year reckoned that 47 per cent of insider threats stemmed from maliciousness of one sort or another, with the remainder caused by carelessness. The single biggest factor was the abuse of privileges, precisely the thing that coders, admins and managers need to do their jobs.
Fade to grey
The idea of abusing privileges brings us to a specialised category of exfiltrating insider, the so-called “grey hat”. These are engineers or coders who know a lot about a company’s IP, assets and weaknesses, and have the entrepreneurial skills to understand that this knowledge is worth something.
Strictly speaking, a grey hat is just a black hat hacker who uses their day job to enable their nefarious activity, but this month’s Malwarebytes-sponsored Osterman survey of 900 security pros across the UK, US, Germany, Australia and Singapore found that it can be incredibly difficult for companies to spot the difference.
Globally, 4.6 per cent of respondents believed a colleague fell into the grey category, which rose in the UK to an alarming 7.9 per cent.
When asked which security threats had affected their organisations in the previous 12 months, intentional insider data breaches were mentioned by almost one in ten.
“Our research discovered that the proportion of grey hats increases with the size of the organisation.”
“We are seeing more instances of the malicious insider causing damage to company productivity, revenue, IP and reputation,” said Malwarebytes’ CEO, Marcin Kleczynski.
In a recent Fortune article, Kennedy drew attention to “collection requirements”, a term used to describe catalogues of tech IP that attract the highest prices on the black markets used by nation states to grab each other’s secrets.
“Do any of your employees have such handbooks? And if they were stockpiling and exporting sensitive data, would you know before it was too late?” he wrote.
State-sponsored IP theft has become a business, the threat from which could be internal just as easily as external.
It’s no longer journalists and security companies writing about malicious insiders – CEOs now feel the need to advertise the threat from their own employees to the world, a strange thing to do on the face of it. Or perhaps the message isn’t only for investors but is directed at employees who might think about leaking IP.
Oath, the advertising arm of Verizon — which owns both Yahoo and AOL — has been pitching advertisers a service that would allow them to peer into the email accounts of more than 200 million people.
The service benefits advertisers by allowing them to identify and segment potential customers by picking up on contextual buying signals and past purchases. It’s a service that, according to Doug Sharp, Oath’s VP of data measurement and insights, allows anyone willing to spend the money to take a peek behind the curtain at commercial emails in any account holder’s inbox — although, presumably, the data would be anonymized.
“Email is an expensive system,” Sharp said. “I think it’s reasonable and ethical to expect the value exchange, if you’ve got this mail service and there is advertising going on.”
Those paying Yahoo $3.49 a month for the premium, ad-free experience aren’t immune. The service still scans their mailbox for commercial mailings.
The system works much like advertisements on Facebook. Using a series of algorithms, the system spots potential targeting matches and places a piece of tracking code, a “cookie,” on a user’s computer.
A Critical remote code execution vulnerability in Apache Struts 2 that was patched last week is already being abused in malicious attacks, threat intelligence firm Volexity warns.
The flaw affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.
Tracked as CVE-2018-11776, the bug is rather trivial to exploit: because Apache Struts doesn’t properly validate namespace input data, an attacker would only need to insert their own namespace as a parameter in an HTTP request.
260,000 Impacted in Cryptocurrency Investment Platform Breach
The information of over 260,000 users was stolen after hackers managed to compromise the cryptocurrency investment platform Atlas Quantum.
The company says it has over 240,000 users in more than 50 countries and over $30 million in assets under its management. In 2017, the platform delivered a cumulative 38% return to investors, Atlas claims.
A hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin ($56,000) on a Chinese Dark Web forum.
The breach was reported today by Chinese media after several cyber-security firms spotted the forum ad. The seller said he obtained the data from Huazhu Hotels Group Ltd (Huazhu from hereafter), one of China’s largest hotel chains, which operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities.
David Meyer / ZDNet:
Telegram publishes a new privacy policy, says it may comply with court orders to disclose IP addresses and phone numbers of terror suspects
Mike Masnick / Techdirt:
US Court of Appeals upholds lower court ruling that an IP address is not enough evidence to tie copyright infringement to an individual — Tons of copyright lawsuits (and even more copyright trolling shakedowns that never even reach court) are based on one single bit of data: the IP address.
Catalin Cimpanu / BleepingComputer:
Reports: data of 130M guests at Chinese company Huazhu Hotels, including booking and personal info like phone numbers and email addresses, sold on the dark web — A hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin ($56,000) on a Chinese Dark Web forum.
“When the Russian military is using free stuff, you know how good that stuff is.”
When people hear about a cyber attack or hacking campaign, they may picture a well-oiled machine that’s taken time, skills and resources to build.
They imagine underground forums on the dark web, where attackers can buy powerful malware and unleash it on their target of choice.
But what if having access to the funding and contacts necessary to deliver attacks with the power of state-backed campaigns wasn’t required?
In some cases, tools which can be used to conduct malicious cyber operations, ranging from espionage to taking down infrastructure, are freely available on the open web. Even state-backed operations have taken advantage of these free tools, as part of sophisticated cyber campaigns.
There are various sources for this code, which is commonly available on developer forums and from code repositories like GitHub. There are often messages stating that the code is for research purposes only, but that doesn’t stop it being used for malicious intent.
Vault, QuintessenceLabs, and Ziroh Labs have joined forces to build a system for strong encryption of user data for government.
Australian cloud services provider Vault, alongside QuintessenceLabs (QLabs) and Ziroh Labs, has announced a secure enterprise file synchronisation and sharing (EFSS) proof of concept aimed at protecting data.
The Canberra-based companies will bring together QuintessenceLabs’ quantum key generation and key management with Vault’s protected cloud and Ziroh Labs’ homomorphic encryption technology, calling the end result “full entropy as a service”.
Some 500 million pieces of customer data is believed to have been compromised, including that of 150 million accounts currently on sale in the dark web for 8 Bitcoins.
Russell Brandom / The Verge:
Q&A with five experts on whether it is time to regulate facial recognition technology and its usage by police, and what needs to be done to overcome racial bias
Russell Brandom / The Verge:
Google’s Titan Security Key set, including a USB key, a Bluetooth key, and various connectors, is now available to all for $50, shipping immediately
Google’s Titan Security Key is finally available to anyone who wants one. The two-factor token went live today in the Google store, with a full kit available for $50, shipping immediately. The kits include a USB key, a Bluetooth key, and various connectors. The key has been available to Google Cloud customers since July, when the project was first publicly announced.
Built to the FIDO standard, the Titan keys work as a second factor for a number of services, including Facebook, Dropbox, and Github. But not surprisingly, they’re built particularly for Google account logins, particularly the Advanced Protection Program announced in October. Because the keys verify themselves with a complex handshake rather than a static code, they’re far more resistant to phishing attacks than a conventional confirmation code. The key was initially designed for internal Google use, and has been in active use within the company for more than eight months.
George Garofano, 26, one of four charged over illegal hacking of American actor and other celebrities
A hacker was sentenced to eight months in prison on Wednesday for a scheme that exposed intimate photos of the actor Jennifer Lawrence and other celebrities.
George Garofano, 26, was accused of illegally hacking the private Apple iCloud accounts of 240 people, including Hollywood stars as well as average internet users, allowing their nude photos and private information to be spread around the internet.
He was one of four people charged in the 2014 hacking scandal, in which private photos of Lawrence, Kate Upton, Kirsten Dunst and others were published online.
Lawrence said at the time the invasion was equivalent to a sex crime, and called for tougher laws.
A federal judge at a US district court in Bridgeport, Connecticut, ordered Garofano to serve the prison term followed by three years of supervised release.
He had pleaded guilty in April, admitting that he sent emails to the victims while posing as a member of Apple’s online security personnel in order to obtain their usernames and passwords.
A misconfigured MongoDB server belonging to Abbyy, an optical character recognition software developer, allowed public access to customer files.
Independent security researcher Bob Diachenko discovered the database on August 19 hosted on the Amazon Web Services (AWS) cloud platform. It was 142GB in size and it allowed access without the need to log in. The sizeable database included scanned documents of the sensitive kind: contracts, non-disclosure agreements, internal letters, and memos. Included were more than 200,000 files from Abbyy customers who scanned the data and kept it at the ready in the cloud.
Air Canada told customers in an email today that the personal information for about 20,000 customers “may potentially have been improperly accessed” via a breach in its mobile app. As a precaution, the airline locked down all 1.7 million accounts until customers change their passwords.
As the DNS-over-HTTPS (DoH) secured domain querying draft creeps towards standardisation, Mozilla has run a test to see if applying encryption brings too heavy a performance penalty.
One somewhat-surprising outcome: for some queries, performance improved using DoH.
As Mozilla discusses here, run-of-the-mill DNS requests over DoH take a small performance hit.
Russian researchers armed with Shodan and Censys have identified nearly 5,000 SD-WANs with vulnerable management interfaces.
It won’t surprise anyone, The Register suspects, that most of the problems the three researchers (Denis Kolegov and Antony Nikolaev of Tomsk State University, and DarkMatter’s Sergey Gordeychik) discovered are down to “outdated software and insecure configuration”.
In this paper at arXiv, they explained how their active and passive fingerprinting showed that vendors or users failing to update their SD-WAN applications and (usually) Linux operating systems made SD-WANs “low-hanging fruit even for a script kiddie”.
Among the vendors whose systems they found accessible from the internet were all big, familiar names – Cisco, VMware, Citrix, SilverPeak, Huawei, Arista – along with another nine smaller outfits.
The researchers confined themselves to the management interface only, not touching any data plane interface (for one thing, messing around with the SD-WANs’ internals would create a juicy legal jeopardy).
“In general, the accessibility of management interface on the internet indicates the presence of CWE-749 weakness ‘Exposed Dangerous Method or Function’,” the paper stated.
After querying the target systems they found on Shodan and Censys (and cleaning up the results), it was straightforward to identify vendors and versions, because whether the systems used SSH, HTML, JSON, JavaScript or SNMP, they responded to contact with information like “viptela 17.2.4” (from Cisco).
Freelance cybersleuths can help companies find flaws in their code. But the bug hunters could fall afoul of anti-hacking laws.
They are the Ubers of the digital security world. Instead of matching independent drivers with passengers, companies like Bugcrowd and HackerOne connect people who like to spend time searching for flaws in software with companies willing to pay them for bugs they find.
This cybersecurity gig economy has expanded to hundreds of thousands of hackers, many of whom have had some experience in the IT security industry.
Code cleaners
More and more large companies like GM, Microsoft, and Starbucks, are now running “bug bounty” programs that offer monetary rewards to those who spot and report bugs in their software. Platforms like Bugcrowd can help by alerting the hacking community to programs being launched, prioritizing bugs sent on to firms, and handling things like payments.
Moreover, at a time when experts are forecasting that 3.5 million cybersecurity jobs worldwide will be vacant by 2021 because there aren’t enough skilled workers, freelancers can ease some of the strain on internal teams.
Still, the platforms face a couple of big challenges. One is to keep expanding the pool of talented bug hunters. Another is to establish greater legal clarity about what tools and techniques ethical hackers can safely use. Popular tactics such as using injection attacks, which involve inserting code into software applications that could change the way the programs are executed, could potentially lead to prosecution under anti-hacking laws such as America’s Computer Fraud and Abuse Act (CFAA).
There have already been cases where security researchers and reporters have faced possible legal action for unearthing and reporting vulnerabilities in companies’ code. It would take only a couple of high-profile lawsuits to have a chilling effect on the industry.
Hacker uni
To address the talent challenge, the crowdsourcing platforms are publishing far more content to help hackers upgrade their skills and to attract more people to gig work.
Legal air cover
On the legal front, the platforms are pushing for more “safe harbor” language to be inserted in contracts governing bug bounties. The aim, says Adam Bacchus of HackerOne, is to get companies to be clear that if hackers follow the rules of engagement within reason, they won’t wind up being taken to court.
Bugcrowd has partnered with Amit Elazari, a security researcher whose work has highlighted the need for safe harbor language, to launch an initiative called disclose.io to create a standardized framework for finding and reporting bugs. This would provide explicit authorization for using bug-hunting techniques that would normally be clear violations of provisions in anti-hacking statutes.
If the security community could tell you just one thing, it’s that “nothing is unhackable.” Except John McAfee’s cryptocurrency wallet, which was only unhackable until it wasn’t — twice.
Security researchers have now developed a second attack, which they say can obtain all the stored funds from an unmodified Bitfi wallet. The Android-powered $120 wallet relies on a user-generated secret phrase and a “salt” value
But the researchers say that the secret phrase and salt can be extracted
Using this “cold boot attack,” it’s possible to steal funds even when a Bitfi wallet is switched off.
Rashid told TechCrunch that the keys are stored in the memory longer than Bitfi claims, allowing their combined exploits to run code on the hardware without erasing the memory.
“This attack is both reliable and practical, requiring no specialist hardware,”
The McAfee-backed company offered a $250,000 bounty for anyone who could carry out what its makers consider a “successful attack.” But Bitfi declined to pay out, arguing that the hack was outside the scope of the bounty, and instead resorted to posting threats on Twitter.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” a spokesperson told TechCrunch.
Security keys are one of the strongest lines of defense against account breaches. That’s because a hacker on the other side of the world trying to break into your account needs not only your password but also your physical key — and that’s not something a hacker can easily or covertly steal.
Although there are a handful of security key brands out there — Yubikey and Feitian to name two — Google thinks it can do better with its own Titan security keys.
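The paragraph above says a remote attacker needs the physical key as well as the password; the deeper reason security keys beat phishing is that the key signs the site's fresh challenge together with the origin the browser reports, so a password captured on a look-alike site, or a relayed challenge, yields an assertion the real site rejects. The following is an added example, not code from Google, Yubico or the FIDO specifications, written as a deliberately simplified model: an HMAC over a per-site derived key stands in for the public-key signature a real token produces, and the origins and user names are assumed.

```python
"""Why a remote attacker who has the password still fails: the key signs the
site's fresh challenge together with the origin the browser reports, using a
secret that never leaves the device. Simplified model, not FIDO/U2F code: an
HMAC over a per-site key stands in for the key's public-key signature."""
import hashlib
import hmac
import os


class SecurityKey:
    """Models the hardware token. The device secret is generated on the key
    and never exported; each site gets its own derived key so sites cannot
    correlate one token across accounts."""

    def __init__(self):
        self._device_secret = os.urandom(32)

    def _site_key(self, origin: str) -> bytes:
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Simplification: a real key returns a public key here, so the site
        # stores nothing that could be used to forge assertions.
        return self._site_key(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # The browser, not the user, supplies the origin; binding it into the
        # signed data is what defeats look-alike sites.
        data = origin.encode() + b"\x00" + challenge
        return hmac.new(self._site_key(origin), data, hashlib.sha256).digest()


class RelyingParty:
    """The legitimate site: checks the password, then the key's assertion."""

    def __init__(self, origin: str):
        self.origin = origin
        self._users = {}  # username -> (password hash, registered credential)

    @staticmethod
    def _hash_pw(password: str) -> bytes:
        # Stand-in for a real password hash (argon2/bcrypt); not the point here.
        return hashlib.sha256(password.encode()).digest()

    def enroll(self, user: str, password: str, credential: bytes) -> None:
        self._users[user] = (self._hash_pw(password), credential)

    def challenge(self) -> bytes:
        return os.urandom(32)  # fresh per attempt, so assertions cannot be replayed

    def login(self, user: str, password: str, challenge: bytes, assertion: bytes) -> bool:
        pw_hash, credential = self._users[user]
        if not hmac.compare_digest(pw_hash, self._hash_pw(password)):
            return False
        expected = hmac.new(credential, self.origin.encode() + b"\x00" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def scenario() -> tuple:
    """One legitimate login, then three attempts by an attacker who knows the password."""
    key = SecurityKey()
    site = RelyingParty("https://accounts.example")  # assumed origin
    pw = "correct horse battery staple"               # constructed
    site.enroll("alice", pw, key.register(site.origin))

    chal = site.challenge()
    legit = site.login("alice", pw, chal, key.sign(site.origin, chal))

    # Password stolen, no key in hand: the attacker can only guess the assertion.
    no_key = site.login("alice", pw, chal, os.urandom(32))

    # Password captured on a look-alike site that relays the real challenge:
    # the victim's browser tells the key the look-alike origin, so the
    # assertion is for the wrong origin and the real site rejects it.
    relayed = site.login("alice", pw, chal,
                         key.sign("https://accounts-example.invalid", chal))  # constructed look-alike

    # A recorded good assertion replayed against a fresh challenge also fails.
    recorded = key.sign(site.origin, chal)
    replayed = site.login("alice", pw, site.challenge(), recorded)

    return legit, no_key, relayed, replayed


if __name__ == "__main__":
    print(scenario())  # (True, False, False, False)
```

The model keeps one real-world property that matters for the argument: the origin is supplied by the browser from the page it is actually on, so the user cannot be tricked into signing for the wrong site. What it drops is the asymmetric signature, which is why a real relying party can store the credential without it becoming a forgery secret.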
For many months it was expected that privacy protections afforded to consumers by GDPR would also benefit the bad guys. It was feared that security researchers would no longer be able to track new bad domains through WHOIS data, and that spammers would rush to register new domains under new GDPR-enforced anonymity; and that spam would spike once GDPR became effective in May 2018. It hasn’t happened.
Shanghai police said they were investigating a suspected data leak at NASDAQ-listed Chinese hotelier Huazhu Group, the local partner of France-based AccorHotels.
Huazhu, one of China’s biggest hoteliers, released a statement on Tuesday saying it had alerted police to reports that the company’s internal data was being sold online, asking them to investigate.
Chinese media reports said the data included guest membership information, personal IDs, check-in records, guest names, mobile numbers, and emails.
Police in Shanghai said in a statement that they were looking into the case.
Huazhu’s website said it operates more than 3,000 hotels in more than 370 cities in China, including the AccorHotels brands Ibis and Mercure.
A new rootkit that has been distributed via the RIG exploit kit over the past few weeks can manipulate web browsers and also contains sophisticated defense mechanisms, Check Point says.
Dubbed CEIDPageLock, the malware was initially discovered a few months ago, when it was attempting to modify the homepage of a victim’s browser. The rootkit is currently attempting to turn the victim browser’s homepage into a site pretending to be a Chinese web directory.
On top of these sophisticated features, the latest versions of the malware monitors user browsing and, when the user attempts to access several popular Chinese websites, it dynamically replaces the content of those sites with the fake home page.
A new campaign by the Russia-based Cobalt hacking group was observed on August 13, 2018. Cobalt is best-known for targeting financial institutions, and this campaign is no different. Two targets have been identified to date: NS Bank in Russia and Carpatica/Patria in Romania.
Cobalt has been operating since at least 2016. So far it is credited with the theft of $9.7 million from the Russian MetakkinvestBank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan.
Loki Bot’s operators have been targeting corporate mailboxes with their spam messages, Kaspersky Lab reports.
The emails employ various lures to trick potential victims into opening malicious attachments that would deploy the Loki Bot stealer onto the target machines. The messages masquerade as notifications from other companies, or as orders and offers.
As part of the campaign, cybercriminals have been targeting corporate mailboxes that can be obtained from public sources or which are listed on the targeted companies’ websites, Kaspersky discovered.
The spam messages would attempt to deliver the malicious payload via an attached ISO file. The extension is associated with copies of optical discs that can be mounted to access their content. Modern operating systems can mount ISO files directly, but dedicated software that can handle the extension also exists.
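One control the paragraphs above suggest is gating disk-image attachments at the mail gateway, and checking content as well as file name, since a renamed image still mounts once the suffix is restored. The following is an added example, not Kaspersky's or the page's code: it parses a constructed MIME message with Python's standard `email` module and flags attachments by disk-image suffix and by the ISO 9660 volume-descriptor magic. The addresses and file names are constructed and the "ISO" body is a zero-filled stand-in carrying only the magic bytes, not a mountable disc.

```python
"""Flag e-mail attachments that are disk images, the delivery vehicle
described for the Loki Bot campaign. The sample message is constructed."""
import email
from email import policy
from email.message import EmailMessage

# Suffixes that mount as a virtual optical or hard disk on modern OSes.
DISK_IMAGE_SUFFIXES = (".iso", ".img", ".vhd", ".vhdx", ".udf")

# ISO 9660: the primary volume descriptor begins at byte 0x8000 and carries
# the identifier "CD001" one byte in, i.e. at absolute offset 0x8001.
ISO9660_MAGIC_OFFSET = 0x8001
ISO9660_MAGIC = b"CD001"


def is_iso9660(data: bytes) -> bool:
    """Magic-byte check that survives a renamed attachment (e.g. 'order.pdf')."""
    end = ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)
    return data[ISO9660_MAGIC_OFFSET:end] == ISO9660_MAGIC


def suspicious_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment that is a disk image
    by name or by content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(DISK_IMAGE_SUFFIXES):
            reasons.append("disk-image extension")
        if is_iso9660(payload):
            reasons.append("ISO 9660 magic bytes")
        if reasons:
            findings.append((name, ", ".join(reasons)))
    return findings


def build_sample_message() -> bytes:
    """Constructed lure resembling the article's 'order' mails. The image body
    is zeros except for the volume-descriptor magic, so it is not a real disc."""
    fake_iso = bytearray(0x8000 + 2048)
    fake_iso[ISO9660_MAGIC_OFFSET:ISO9660_MAGIC_OFFSET + 5] = ISO9660_MAGIC
    msg = EmailMessage()
    msg["From"] = "orders@supplier.example"        # constructed
    msg["To"] = "purchasing@victim.example"        # constructed
    msg["Subject"] = "Purchase order 4711"
    msg.set_content("Please find the order attached.")
    # Same bytes twice: once with the honest suffix, once renamed to look harmless.
    msg.add_attachment(bytes(fake_iso), maintype="application",
                       subtype="octet-stream", filename="order.iso")
    msg.add_attachment(bytes(fake_iso), maintype="application",
                       subtype="pdf", filename="order.pdf")
    # A genuine-looking small PDF that must not be flagged.
    msg.add_attachment(b"%PDF-1.4 constructed sample\n", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, why in suspicious_attachments(build_sample_message()):
        print(f"{name}: {why}")
```

Checking the magic as well as the suffix is the part worth keeping: a gateway rule on `.iso` alone is defeated by renaming, while the volume descriptor is what the OS looks for when it mounts the file.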
A newly detailed Android spyware that has an incredibly wide-ranging protocol has been active since May 2016, Kaspersky Lab warns.
Dubbed BusyGasper, the malware includes device sensors listeners (such as motion detectors), can exfiltrate data from messaging applications (WhatsApp, Viber, Facebook), includes keylogging capabilities, and supports 100 commands.
Featuring a multicomponent architecture, the malware can download payloads and updates from the command and control (C&C) server, an FTP server belonging to the free Russian web hosting service Ucoz.
428 Comments
Tomi Engdahl says:
“Evil Internet Minute” Report Shows Scale of Malicious Online Activity
https://www.securityweek.com/evil-internet-minute-report-shows-scale-malicious-online-activity
Every day, cyber threat intelligence firm RiskIQ hoovers up terabytes of internet data. It concentrates on the internet infrastructure and how it functions, gathering up domains, IP addresses, email addresses and web page materials. It does this on behalf of its customers. With booming cloud and social media, not only is there no longer a perimeter to defend, companies often don’t even know what they have to defend.
The attack surface is expanding, and attackers target company brands, suppliers and customers across the internet as well as companies’ own data centers. RiskIQ scans the internet to see what, where and how its customers might be vulnerable.
“We collect crawled web pages, mobile apps, social media profiles and more so that we can identify what our clients own online, so they in turn can identify any vulnerabilities or risks — down to, for example, criminal or malicious actors who may be attempting to masquerade as their business in an effort to go after their employees, or customers, and so on,” explained Brandon Dixon, RiskIQ VP of product.
Tomi Engdahl says:
North Korea-linked Hackers Stole $13.5 Million From Cosmos Bank: Report
https://www.securityweek.com/north-korea-linked-hackers-stole-135-million-cosmos-bank-report
The North Korea-linked hacking group Lazarus is said to have stolen $13.5 million in a recent cyber-attack targeting SWIFT/ATM infrastructure of Cosmos Bank.
The attackers likely gained access to the bank’s systems via spear phishing and/or remote administration/third-party interface and used multiple attack techniques to steal funds. The theft took place between August 10 and 13, 2018, according to researchers from Securonix.
Believed to be backed by the North Korean government, the Lazarus group was said last year to be the most serious threat to banks. This year, the hackers also focused heavily on crypto-currency exchanges and have been involved in numerous attacks against such organizations.
A recent report also revealed that most malware families originating from North Korea can be linked to Lazarus via code reuse.
Tomi Engdahl says:
Sacrilegious Spies: Russians Tried Hacking Orthodox Clergy
https://www.securityweek.com/sacrilegious-spies-russians-tried-hacking-orthodox-clergy
The Russian hackers indicted by the U.S. special prosecutor last month have spent years trying to steal the private correspondence of some of the world’s most senior Orthodox Christian figures, The Associated Press has found, illustrating the high stakes as Kiev and Moscow wrestle over the religious future of Ukraine.
The targets included top aides to Ecumenical Patriarch Bartholomew I, who often is described as the first among equals of the world’s Eastern Orthodox Christian leaders.
The Istanbul-based patriarch is currently mulling whether to accept a Ukrainian bid to tear that country’s church from its association with Russia, a potential split fueled by the armed conflict between Ukrainian military forces and Russia-backed separatists in eastern Ukraine.
The AP’s evidence comes from a hit list of 4,700 email addresses supplied last year by Secureworks, a subsidiary of Dell Technologies.
Tomi Engdahl says:
Facebook Pulls Security App From Apple Store Over Privacy
https://www.securityweek.com/facebook-pulls-security-app-apple-store-over-privacy
Facebook has pulled one of its own products from Apple’s app store because it didn’t want to stop tracking what people were doing on their iPhones. Facebook also banned a quiz app from its social network for possible privacy intrusions on about 4 million users.
The social media company said late Wednesday that it took action against the myPersonality quiz app, saying that its creators refused an inspection. But even as Facebook did that, it found its own Onavo Protect security app at odds with Apple’s tighter rules for applications.
Onavo Protect is a virtual-private network service aimed at helping users secure their personal information over public Wi-Fi networks. The app also alerts users when other apps use too much data.
Tomi Engdahl says:
Iranian Hackers Target Universities in Large Attack Campaign: SecureWorks
https://www.securityweek.com/iranian-hackers-target-universities-large-attack-campaign-secureworks
SecureWorks security researchers have discovered that a new, large phishing campaign targeting universities is similar to previous cyber operations by an actor associated with the Iranian government.
The campaign involved the use of sixteen domains that contained more than 300 spoofed websites and login pages for 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States.
Many of the spoofed domains, SecureWorks says, referenced the targeted universities’ online library systems, suggesting that the actors behind the campaign were interested in accessing those resources. Not all domains were accessible during analysis.
Victims who entered their login credentials into the fake login pages were redirected to the legitimate websites. Once there, they were either automatically logged into a valid session or asked for the login credentials again, SecureWorks explains.
Back to School: COBALT DICKENS Targets Universities
https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
Despite indictments in March 2018, the Iranian threat group is likely responsible for a large-scale campaign that targeted university credentials using the same spoofing tactics as previous attacks.
Tomi Engdahl says:
Exploit for Recent Critical Apache Struts Vulnerability Published
https://www.securityweek.com/exploit-recent-critical-apache-struts-vulnerability-published
Exploit code for a Critical remote code execution vulnerability in Apache Struts 2 was published on GitHub within days after the bug was addressed last week.
Tracked as CVE-2018-11776, the security flaw was found to impact Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the popular Java framework.
Tomi Engdahl says:
Google Tells Toomey Hackers Tried to Infiltrate Staff Email
https://www.securityweek.com/google-tells-toomey-hackers-tried-infiltrate-staff-email
Google has alerted U.S. Sen. Pat Toomey’s office that hackers with ties to a “nation-state” sent phishing emails to old campaign email accounts, a spokesman for the Pennsylvania Republican said Friday.
Toomey’s office was notified this week about the attempt to infiltrate email accounts, said spokesman Steve Kelly. He said the dormant accounts hadn’t been used since the end of the 2016 campaign, and the staffers they’re attached to no longer work for Toomey. The nation-state wasn’t identified.
“This underscores the cybersecurity threats our government, campaigns, and elections are currently facing,” he said. “It is essential that Congress impose tough penalties on any entity that undermines our institutions.”
Tomi Engdahl says:
A new study suggests that Google collects more consumer data than users think (way more)
http://adage.com/article/digital/incognito-web-browsing-private-google-study/314670/
Google sucks up consumer data in ways users might find surprising—such as when browsers are in “incognito” mode—according to an analysis of the company’s data collection by a researcher from Vanderbilt University.
The study, released Tuesday and commissioned by the trade org Digital Content Next, looks at how data is gathered from all Google products, including Android mobile devices, Chrome web browsers, YouTube and Photos. In addition to incognito data collection, the study looked at other “passive” means of collection, where “an application is instrumented to gather information while it’s running, possibly without the user’s knowledge,” the report says.
Tomi Engdahl says:
Ah, um, let’s see. Yup… Fortnite CEO is still mad at Google for revealing security hole early
Normal policy – or punishment for stepping outside ad giant’s walled garden?
https://www.theregister.co.uk/2018/08/27/fortnite_ceo_slams_google_for_revealing_security_hole_early/
The CEO of Epic Games, maker of smash-hit shoot-em-up Fortnite, continues to savage Google for disclosing a security hole in his software.
Calling the ad giant “irresponsible” for publicly disclosing the vulnerability on Friday, Tim Sweeney posted a string of angry tweets over the weekend and into Monday accusing the search king of hypocrisy – and implied that the release was payback for Epic deciding to offer its game to Android users outside of Google’s official Play app store.
The issue tracker webpage for the bug reveals that Google ran a security check against Epic’s Fortnite installer as soon as it was made publicly available on August 15. The uncovered flaw could be exploited by another malicious app on a phone to hijack the installation process of the game, and install spyware and other dodgy code in its place.
Tomi Engdahl says:
Windows 0-day pops up out of nowhere Twitter
Local privilege escalation in procedure calls
https://www.theregister.co.uk/2018/08/28/windows_0day_pops_up_out_of_span_classstrikenowherespan_twitter/
It’s not bad enough to take Microsoft out-of-cycle, but CERT CC has just put out a warning of a new privilege escalation bug in Windows.
“Microsoft Windows task scheduler contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges”, the advisory stated.
ALPC, Advanced Local Procedure Call, restricts the impact somewhat, since it’s a local bug.
However, it opens an all-too-familiar attack vector: if an attacker can get a target to download and run an app, local privilege escalation gets the malware out of the user context up to (in this case) system privilege. Ouch.
The vulnerability note says: “The CERT CC is currently unaware of a practical solution to this problem.”
Tomi Engdahl says:
Jacksonville mass shooting: ‘Gamer’ kills two and injures 11 after opening fire at Madden NFL video game tournament in Florida
https://www.telegraph.co.uk/news/2018/08/26/multiple-fatalities-reported-mass-shooting-games-tournament/
A gunman opened fire at a live-streamed video game tournament in Florida on Sunday
Investigators were looking into online video that appeared to capture the scene right before the shooting began
Just before the shots were heard, a red laser dot appeared on the chest of one of the players, who was wearing white headphones and a red sweatshirt.
Tomi Engdahl says:
Copyright Trolls Killed Off in Denmark After Supreme Court Hearing Denied
https://torrentfreak.com/copyright-trolls-killed-off-in-denmark-after-supreme-court-hearing-denied-180824/
Two ISPs in Denmark have emerged victorious from a battle to keep the personal details of their customers private. Telenor and Telia were previously ordered to hand over information to copyright trolls but when the demands kept coming, the ISPs kicked back. Following a big win for the providers at the High Court in May, the Supreme Court will not hear the case, meaning the trolls will lose access to their cash cows.
All around the world, rightsholders connected to often lower-tier media are generating revenue from people alleged to have pirated their content online.
The system is mostly uniform, with alleged infringers’ IP addresses gathered by the ‘copyright trolls’ and taken to court, in the hope that a judge will order ISPs to hand over their personal details. With this information in hand, copyright trolls demand a cash payment to make a supposed lawsuit go away.
It’s important to note, however, that if rightsholders cannot force ISPs to hand over alleged infringers’ details, their entire project is dead in the water. That’s now the position in Denmark after copyright trolls’ greed prompted ISPs to dig in their heels and refuse to cooperate.
Tomi Engdahl says:
Linux 4.19 lets you declare your trust in AMD, IBM and Intel
Wave the CPU trust flag if you’re feeling safe enough
https://www.theregister.co.uk/2018/08/28/linux_419_trust/
Linux v4.19-rc1, release candidate code published on Sunday, allows those building their own kernel or Linux distribution to choose whether or not to trust the CPU hardware random number generator, a decision that has become complicated in the wake of the revelations about government surveillance over the past five years.
When random number generation is insufficiently random, encryption based on such numbers can be broken with less effort. Among the security-minded, there’s concern that hardware makers might offer subpar randomization unknowingly, as a result of espionage, or to accommodate demands from government law enforcement or intelligence agencies.
The paranoia wasn’t always so palpable. Back in 2013, Linus Torvalds, Lord of the Linux, dismissed calls to ditch Intel’s RDRAND processor instruction, noting that the Linux kernel uses multiple sources of input to generate random numbers.
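The option the article describes is a build-time choice, and the same kernel series also accepts a boot-line override, so an operator auditing a fleet wants to know the effective policy rather than just the `.config` line. The following is an added example, not kernel code: it reads the build default `CONFIG_RANDOM_TRUST_CPU` from a kernel config file and the `random.trust_cpu=on|off` boot parameter documented in the kernel's kernel-parameters.txt, which overrides that default. The config and command-line samples are constructed.

```python
"""Report whether a kernel trusts the CPU's hardware RNG to seed its CRNG.
Added example, not kernel code; sample inputs are constructed."""
import os
import re
from pathlib import Path
from typing import Optional

CONFIG_SYMBOL = "CONFIG_RANDOM_TRUST_CPU"
BOOT_PARAM = re.compile(r"(?:^|\s)random\.trust_cpu=(\S+)")


def build_default(config_text: str) -> bool:
    """Build-time default: only an explicit '=y' means trusted. A line of the
    form '# CONFIG_RANDOM_TRUST_CPU is not set', or no line at all (kernels
    before the option existed), means not trusted."""
    for line in config_text.splitlines():
        if line.startswith(CONFIG_SYMBOL + "="):
            return line.split("=", 1)[1].strip() == "y"
    return False


def boot_override(cmdline: str) -> Optional[bool]:
    """Value of random.trust_cpu= on the boot line, or None when absent.
    The kernel parses it as a boolean (on/off, y/n, yes/no, 1/0)."""
    m = BOOT_PARAM.search(cmdline)
    if not m:
        return None
    value = m.group(1).lower()
    if value in ("on", "y", "yes", "1"):
        return True
    if value in ("off", "n", "no", "0"):
        return False
    raise ValueError(f"unrecognised random.trust_cpu value: {value}")


def trusts_cpu_rng(config_text: str, cmdline: str) -> bool:
    """Effective policy: the boot parameter wins, otherwise the build default."""
    override = boot_override(cmdline)
    return build_default(config_text) if override is None else override


def live_system() -> Optional[bool]:
    """Same check against the running kernel; None when the files cannot be
    read (not Linux, or no /boot/config-<release> installed)."""
    try:
        config = Path(f"/boot/config-{os.uname().release}").read_text()
        cmdline = Path("/proc/cmdline").read_text()
    except (OSError, AttributeError):
        return None
    return trusts_cpu_rng(config, cmdline)


# Constructed samples: a distro-style config that trusts the CPU, one that
# does not, and boot lines with and without an override.
SAMPLE_CONFIG_TRUSTING = "CONFIG_HW_RANDOM=y\nCONFIG_RANDOM_TRUST_CPU=y\n"
SAMPLE_CONFIG_DISTRUSTING = "CONFIG_HW_RANDOM=y\n# CONFIG_RANDOM_TRUST_CPU is not set\n"
SAMPLE_CMDLINE_PLAIN = "BOOT_IMAGE=/vmlinuz-4.19.0 root=/dev/sda2 ro quiet"  # assumed
SAMPLE_CMDLINE_OFF = SAMPLE_CMDLINE_PLAIN + " random.trust_cpu=off"

if __name__ == "__main__":
    print("trusting build, plain boot :", trusts_cpu_rng(SAMPLE_CONFIG_TRUSTING, SAMPLE_CMDLINE_PLAIN))
    print("trusting build, =off       :", trusts_cpu_rng(SAMPLE_CONFIG_TRUSTING, SAMPLE_CMDLINE_OFF))
    print("this machine               :", live_system())
```

Note what the flag does and does not change: with it off the CPU instruction still feeds the pool, it just does not count toward declaring the CRNG initialised, which is the multi-source design Torvalds pointed to.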
Tomi Engdahl says:
Network monitoring is hard… If only there was some kind of machine that could learn to do it
*AI bursts through wall* ‘OHHH YEAHHH!’
https://www.theregister.co.uk/2018/08/22/ai_network_monitoring/
Tomi Engdahl says:
‘Irresponsible’ Google Refused Fortnite’s Request To Delay Vulnerability Disclosure To Score Cheap PR Points, Says Epic’s Chief
https://it.slashdot.org/story/18/08/27/1630234/irresponsible-google-refused-fortnites-request-to-delay-vulnerability-disclosure-to-score-cheap-pr-points-says-epics-chief?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Google is irresponsible claims Fortnite’s chief in bug row
https://www.bbc.com/news/technology-45320672
On Friday, Google made public that hackers could hijack the game’s installation software to load malware.
The installer is needed because Epic Games has bypassed Google’s app store to avoid giving it a cut of sales.
Epic’s chief executive said Google should have delayed sharing the news.
“We asked Google to hold the disclosure until the update was more widely installed,” tweeted Tim Sweeney.
“They refused, creating an unnecessary risk for Android users in order to score cheap PR points.”
Tomi Engdahl says:
The domino effect is frightening: a cyber attack could black out electricity across all of Europe
German security specialists warn that strategically targeted cybercrime would be able to paralyze the entire European electricity distribution system.
According to Der Spiegel, the country’s cyber-security center, intelligence services and the information security ministry jointly assess that the online threat may pose a variety of problems for critical infrastructure. Through the network it would be possible, for example, to impair the reliability of traffic and energy supply.
According to the estimates, the paralysis of a single German energy distribution company could cause a domino effect through which the problems would spread across Europe via the common electricity distribution network. The report calls for increased infrastructure protection.
A similar problem in Finland was warned about, among others, by the security company Stonesoft in 2013.
In Germany, reporters are familiar with the cyber attacks in Ukraine, where malware took down an electricity grid in December 2015.
Source: https://www.tivi.fi/Kaikki_uutiset/dominoefekti-pelottaa-kyberisku-voi-pimentaa-sahkot-koko-euroopasta-6738176
More:
http://www.spiegel.de/netzwelt/netzpolitik/sicherheitsbehoerden-halten-europaweiten-stromausfall-nach-hackerangriff-fuer-moeglich-a-1224727.html
Tomi Engdahl says:
Unpicking the cyber-crime economy
https://www.bbc.com/news/technology-44355153
Turning virtual cash into real money without being caught is a big problem for successful cyber-criminals.
They often have to get creative when “cashing out” or laundering the money they have stolen, according to a security expert.
Ziv Mador, head of security research at Trustwave SpiderLabs, told the BBC that credit card thieves, for example, have limited time to profit, because at some point the victim will put a stop on their card.
Tens of thousands of stolen card numbers are traded daily on the underground markets that Mr Mador and his colleagues monitor, with details taken from compromised websites or databases.
“They can try to sell the card, which is not big money because they only get a few dollars for each one,” he said.
Instead, he added, they are more likely to use them to buy more valuable assets like iPhones or Macbooks, which are popular because they tend to hold their value when resold.
“They do not buy 100 or so iPhones at once,” he said. “They use a lot of different cards at different times.”
Mr Mador said the crooks use randomisation tools to thwart anti-fraud systems that would spot if all the purchases, even those made with different cards, are being done on the same computer.
Another “cashing out” technique uses gift cards from big retailers such as Amazon and WalMart.
Then there are the more creative scams that seek to use Uber and other ride-hailing firms to launder cash.
Mr Mador, and others, have seen adverts seeking drivers who can take part, with Spain and the US both popular locations for the fraud. Other places like Moscow and St Petersburg were “temporarily unavailable”.
“They are looking for Uber drivers for fraudulent payments, people who can register for Uber and do fake rides,” said Mr Mador.
The driver’s account is used to launder the cash generated when stolen credit cards are used to pay for the fictitious journeys and they get a cut of the money as a payment.
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/brittilainen-it-yhtio-aloittaa-pohjois-euroopan-valloituksensa-suomesta-tuttu-suomalaiskolmikko-otti-ohjat-6738198
Tomi Engdahl says:
The University of Helsinki is hit by an exceptionally large flood of spear phishing mails – hundreds of people have been tricked into giving their information to criminals
Phishing has rarely spread to such proportions, says the Head of Information Administration at the University of Helsinki. The University intends to file a criminal complaint.
The University of Helsinki is suffering from an exceptionally large flood of phishing messages. In the messages, users are encouraged to activate their username by clicking a link that leads to a very real-looking site.
By logging in on the site, the user hands his ID and password to the criminal, warns Ilkka Siissalo, IT Director of the University.
The problem started around mid-August. The University of Helsinki has 70,000 users, all of whom have likely received phishing messages.
The number of people who fell for the messages is not known exactly, but according to Siissalo there are more than 300.
“Generally, with a relatively well-made phishing message, a handful or half a dozen people might fall for it. That more than 300 people have now been caught by them is on a scale that has not been seen before.”
Source: https://www.hs.fi/kaupunki/art-2000005805242.html
Tomi Engdahl says:
https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2018/08/ttn201808241251.html
Tomi Engdahl says:
Exploit Published for Windows Task Scheduler Zero-Day
https://www.securityweek.com/exploit-published-windows-task-scheduler-zero-day
Details of an unpatched vulnerability in Microsoft’s Windows 10 operating system were made public on Monday, via Twitter.
Information on the bug and a link to proof-of-concept (PoC) code hosted on GitHub was posted by a security researcher who claims to be frustrated with Microsoft’s bug submission process.
I’ve confirmed that this works well in a fully-patched 64-bit Windows 10 system.
LPE right to SYSTEM!
Tomi Engdahl says:
Email Impersonation Attacks Increase by 80%
https://www.securityweek.com/email-impersonation-attacks-increase-80
The latest ESRA report from Mimecast indicates just why email attacks are so loved by cybercriminals, and why organizations need to take email security more seriously.
ESRA is Mimecast’s ongoing Email Security Risk Assessment quarterly analysis. Working with 37 organizations across 20 different industries, Mimecast compares the email threats it detects to those detected by the organizations’ incumbent email security technologies. The results provide two major sets of statistics: the volume of threats that go undetected by the incumbent technologies; and the sheer size of the email threat.
The latest report (PDF) covers more than 142 million emails received by almost 261,924 users. The incumbent email security was Office 365 and Proofpoint.
This doesn’t mean that the bad emails were effective, only that they were delivered to their destination. Other security controls might detect malware and inhibit users from clicking on malicious links — but it does imply that these additional controls need to be 100% effective against threats that could have been blocked before delivery.
https://www.mimecast.com/globalassets/documents/infographics/esra-infographic—august-2018.pdf
Tomi Engdahl says:
Black hats are baddie hackers, white hats are goodies, grey hats will sell IP to kids in hoodies
Survey says one in five security pros have been asked to screw over their employer
https://www.theregister.co.uk/2018/08/28/black_hat_white_hat_grey_hat/
The threat from rogue insiders, for so long dismissed as scare stories, has quietly bubbled back on to the official worry list.
High-profile cases – like that brought against Anthony Levandowski over IP he was accused of stealing from Google’s Waymo car division, and Jiaqiang Xu, who got five years in the clink for stealing source code belonging to IBM – have helped to bring these fears back to the fore.
Even the US government has been caught out – three employees of the Department for Home Security were accused of stealing a computer containing the personal files of 246,000 agency staff.
For years, the dominant narrative was the spiteful employee run amok, either spilling or stealing data (the Morrisons worker who leaked its entire employee database in 2014), or just plain messing with the network (the admin who caused chaos at Gucci in 2010).
It’s now dawned on organisations that it’s the quiet rogues you never hear about – let’s call them the “exfiltraitors” – that represent a threat potentially as bad as anything from the outside.
A CA study (PDF) earlier this year reckoned that 47 per cent of insider threats stemmed from maliciousness of one sort or another, with the remainder caused by carelessness. The single biggest factor was the abuse of privileges, precisely the thing that coders, admins and managers need to do their jobs.
Fade to grey
The idea of abusing privileges brings us to a specialised category of exfiltrating insider, the so-called “grey hat”. These are engineers or coders who know a lot about a company’s IP, assets and weaknesses, and have the entrepreneurial skills to understand that this knowledge is worth something.
Strictly speaking, a grey hat is just a black hat hacker who uses their day job to enable their nefarious activity, but this month’s Malwarebytes-sponsored Osterman survey of 900 security pros across the UK, US, Germany, Australia and Singapore found that it can be incredibly difficult for companies to spot the difference.
Globally, 4.6 per cent of respondents believed a colleague fell into the grey category, which rose in the UK to an alarming 7.9 per cent.
When asked which security threats had affected their organisations in the previous 12 months, intentional insider data breaches were mentioned by almost one in ten.
“Our research discovered that the proportion of grey hats increases with the size of the organisation.”
“We are seeing more instances of the malicious insider causing damage to company productivity, revenue, IP and reputation,” said Malwarebytes’ CEO, Marcin Kleczynski.
In a recent Fortune article, Kennedy drew attention to “collection requirements”, a term used to describe catalogues of tech IP that attract the highest prices on the black markets used by nation states to grab each other’s secrets.
“Do any of your employees have such handbooks? And if they were stockpiling and exporting sensitive data, would you know before it was too late?” he wrote.
State-sponsored IP theft has become a business, the threat from which could be internal just as easily as external.
It’s no longer journalists and security companies writing about malicious insiders – CEOs now feel the need to advertise the threat from their own employees to the world, a strange thing to do on the face of it. Or perhaps the message isn’t only for investors but is directed at employees who might think about leaking IP.
Tomi Engdahl says:
Both Yahoo and AOL are scanning customer emails to attract advertisers
https://thenextweb.com/insider/2018/08/29/both-yahoo-and-aol-are-scanning-customer-emails-to-attract-advertisers/
Oath, the advertising arm of Verizon — which owns both Yahoo and AOL — has been pitching advertisers a service that would allow them to peer into the email accounts of more than 200 million people.
The service benefits advertisers by allowing them to identify and segment potential customers by picking up on contextual buying signals, and past purchases. It’s a service that, according to Dough Sharp, Oath’s VP of data measurement and insights, allows anyone willing to spend the money to take a peek behind the curtain at commercial emails in any accountholder’s inbox — although, presumably, the data would be anonymized.
“Email is an expensive system,” Sharp said. “I think it’s reasonable and ethical to expect the value exchange, if you’ve got this mail service and there is advertising going on.”
Those paying Yahoo $3.49 a month for the premium, ad-free experience aren’t immune. The service still scans their mailbox for commercial mailings.
The system works much like advertisements on Facebook. Using a series of algorithms, the system spots potential targeting matches and places a piece of tracking code, a “cookie,” on a user’s computer.
Tomi Engdahl says:
Critical Apache Struts Vulnerability Exploited in Live Attacks
https://www.securityweek.com/critical-apache-struts-vulnerability-exploited-live-attacks
A critical remote code execution vulnerability in Apache Struts 2 that was patched last week is already being abused in malicious attacks, threat intelligence firm Volexity warns.
The flaw affects Struts 2.3 through 2.3.34, Struts 2.5 through 2.5.16, and possibly unsupported versions of the framework.
Tracked as CVE-2018-11776, the bug is rather trivial to exploit: because Apache Struts doesn’t properly validate namespace input data, an attacker would only need to insert their own namespace as a parameter in an HTTP request.
Tomi Engdahl says:
Hackers Breach Cryptocurrency Platform Atlas Quantum
https://www.securityweek.com/hackers-breach-cryptocurrency-platform-atlas-quantum
260,000 Impacted in Cryptocurrency Investment Platform Breach
The information of over 260,000 users was stolen after hackers managed to compromise the cryptocurrency investment platform Atlas Quantum.
The company says it has over 240,000 users in more than 50 countries and over $30 million in assets under its management. In 2017, the platform delivered a cumulative 38% return to investors, Atlas claims.
Tomi Engdahl says:
Data of 130 Million Chinese Hotel Chain Guests Sold on Dark Web Forum
https://yro.slashdot.org/story/18/08/29/0110204/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
A hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin ($56,000) on a Chinese Dark Web forum. From a report:
The breach was reported today by Chinese media after several cyber-security firms spotted the forum ad [1, 2, 3, 4]. The seller said he obtained the data from Huazhu Hotels Group Ltd (Huazhu from hereafter), one of China’s largest hotel chains, which operates 13 hotel brands across 5,162 hotels in 1,119 Chinese cities.
https://www.bleepingcomputer.com/news/security/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum/
Tomi Engdahl says:
David Meyer / ZDNet:
Telegram publishes a new privacy policy, says it may comply with court orders to disclose IP addresses and phone numbers of terror suspects
Telegram starts to play nice with security agencies over user data, but not in Russia
https://www.zdnet.com/article/telegram-starts-to-play-nice-with-security-agencies-over-user-data-but-not-in-russia/
Under Telegram’s new privacy policy, it could hand over user IP and phone details given the right court order.
Tomi Engdahl says:
Mike Masnick / Techdirt:
US Court of Appeals upholds lower court ruling that an IP address is not enough evidence to tie copyright infringement to an individual — Tons of copyright lawsuits (and even more copyright trolling shakedowns that never even reach court) are based on one single bit of data: the IP address.
Important Appeals Court Ruling States Clearly That Merely Having An IP Address Is Insufficient For Infringement Claims
https://www.techdirt.com/articles/20180829/00360440535/important-appeals-court-ruling-states-clearly-that-merely-having-ip-address-is-insufficient-infringement-claims.shtml
Tomi Engdahl says:
Catalin Cimpanu / BleepingComputer:
Reports: data of 130M guests at Chinese company Huazhu Hotels, including booking and personal info like phone numbers and email addresses, sold on the dark web — A hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin ($56,000) on a Chinese Dark Web forum.
Data of 130 Million Chinese Hotel Chain Guests Sold on Dark Web Forum
https://www.bleepingcomputer.com/news/security/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum/
Tomi Engdahl says:
Free, easy to use, and available to anyone: The powerful malware hiding in plain sight on the open web
https://www.zdnet.com/article/free-easy-to-use-and-available-to-anyone-the-powerful-malware-hiding-in-plain-sight-on-the-open-web/
“When the Russian military is using free stuff, you know how good that stuff is.”
When people hear about a cyber attack or hacking campaign, they may picture a well-oiled machine that’s taken time, skills and resources to build.
They imagine underground forums on the dark web, where attackers can buy powerful malware and unleash it on their target of choice.
But what if having access to the funding and contacts necessary to deliver attacks with the power of state-backed campaigns wasn’t required?
In some cases, tools which can be used to conduct malicious cyber operations, ranging from espionage to taking down infrastructure, are freely available on the open web. Even state-backed operations have taken advantage of these free tools, as part of sophisticated cyber campaigns.
There are various sources for this code, which is commonly available on developer forums and from code repositories like GitHub. There are often messages stating that the code is for research purposes only, but that doesn’t stop it being used for malicious intent.
Tomi Engdahl says:
Australian security trio aim for unbreakable encrypted data environment
https://www.zdnet.com/article/australian-security-trio-aim-for-unbreakable-encrypted-data-environment/
Vault, QuintessenceLabs, and Ziroh Labs have joined forces to build a system for strong encryption of user data for government.
Australian cloud services provider Vault, alongside QuintessenceLabs (QLabs) and Ziroh Labs, has announced a secure enterprise file synchronisation and sharing (EFSS) proof of concept aimed at protecting data.
The Canberra-based companies will bring together QuintessenceLabs’ quantum key generation and key management with Vault’s protected cloud and Ziroh Labs’ homomorphic encryption technology, calling the end result “full entropy as a service”.
Tomi Engdahl says:
Chinese police investigating major security breach of hotel group
https://www.zdnet.com/article/chinese-police-investigating-security-breach-of-hotel-group/
Some 500 million pieces of customer data are believed to have been compromised, including those of 150 million accounts currently on sale on the dark web for 8 Bitcoins.
Tomi Engdahl says:
Russell Brandom / The Verge:
Q&A with five experts on whether it is time to regulate facial recognition technology and its usage by police, and what needs to be done to overcome racial bias
How should we regulate facial recognition?
https://www.theverge.com/2018/8/29/17792976/facial-recognition-regulation-rules
Tomi Engdahl says:
Russell Brandom / The Verge:
Google’s Titan Security Key set, including a USB key, a Bluetooth key, and various connectors, is now available to all for $50, shipping immediately
Google’s in-house security key is now available to anyone who wants one
https://www.theverge.com/2018/8/30/17797338/google-titan-security-key-2fa-token-store-sale
Google’s Titan Security Key is finally available to anyone who wants one. The two-factor token went live today in the Google store, with a full kit available for $50, shipping immediately. The kits include a USB key, a Bluetooth key, and various connectors. The key has been available to Google Cloud customers since July, when the project was first publicly announced.
Built to the FIDO standard, the Titan keys work as a second factor for a number of services, including Facebook, Dropbox, and GitHub. But not surprisingly, they’re built particularly for Google account logins, particularly the Advanced Protection Program announced in October. Because the keys verify themselves with a complex handshake rather than a static code, they’re far more resistant to phishing attacks than a conventional confirmation code. The key was initially designed for internal Google use, and has been in active use within the company for more than eight months.
https://store.google.com/?srp=/product/titan_security_key_kit
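The phishing-resistance point in the post above, as an added example that is neither Google's nor the FIDO Alliance's code: a deliberately simplified model in which the key signs the server's random challenge together with the origin the browser actually saw, so a response captured on a look-alike page does not verify at the real site. HMAC over a per-origin derived secret stands in for the asymmetric key pair a real FIDO authenticator generates, and the origins and the one-time code are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Simplified model of a FIDO-style second factor (added example, not the real
# protocol): HMAC over a per-origin secret replaces the authenticator's key pair.


class SecurityKey:
    """Stand-in for the hardware token; the master secret never leaves it."""

    def __init__(self):
        self._master = os.urandom(32)

    def _credential(self, origin):
        # Per-origin credential derived from the master secret and the origin.
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin):
        # Enrollment: the relying party stores credential material for this origin.
        return self._credential(origin)

    def sign(self, origin, challenge):
        # Authentication: the browser supplies the origin it is actually on; a
        # page cannot ask the key to sign "for" some other site.
        return hmac.new(self._credential(origin), origin.encode() + challenge,
                        hashlib.sha256).digest()


class RelyingParty:
    """Website side: stores enrolled credentials and verifies responses."""

    def __init__(self, origin):
        self.origin = origin
        self._credentials = {}

    def enroll(self, user, key):
        self._credentials[user] = key.register(self.origin)

    def new_challenge(self):
        return os.urandom(32)

    def verify(self, user, challenge, response):
        cred = self._credentials.get(user)
        if cred is None:
            return False
        expected = hmac.new(cred, self.origin.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def key_login(rp, user, key, browser_origin):
    """One login; browser_origin is the site the user is really looking at."""
    challenge = rp.new_challenge()                  # a phishing page can relay this
    response = key.sign(browser_origin, challenge)  # but not change the origin
    return rp.verify(user, challenge, response)


def static_code_login(expected_code, relayed_code):
    """Contrast: a one-time code carries no origin, so a relayed code still works."""
    return hmac.compare_digest(expected_code, relayed_code)


if __name__ == "__main__":
    # Constructed origins for the demonstration.
    bank = RelyingParty("https://accounts.example.com")
    token = SecurityKey()
    bank.enroll("alice", token)
    print("real site :", key_login(bank, "alice", token, bank.origin))
    print("phish page:", key_login(bank, "alice", token, "https://phish.example.net"))
    print("code relay:", static_code_login("493027", "493027"))
```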
Tomi Engdahl says:
Hacker sentenced to prison for role in Jennifer Lawrence nude photo theft
https://www.theguardian.com/technology/2018/aug/29/nude-photo-hacker-prison-sentence-jennifer-lawrence-victims
George Garofano, 26, one of four charged over illegal hacking of American actor and other celebrities
A hacker was sentenced to eight months in prison on Wednesday for a scheme that exposed intimate photos of the actor Jennifer Lawrence and other celebrities.
George Garofano, 26, was accused of illegally hacking the private Apple iCloud accounts of 240 people, including Hollywood stars as well as average internet users, allowing their nude photos and private information to be spread around the internet.
He was one of four people charged in the 2014 hacking scandal, in which private photos of Lawrence, Kate Upton, Kirsten Dunst and others were published online.
Lawrence said at the time the invasion was equivalent to a sex crime, and called for tougher laws.
A federal judge at a US district court in Bridgeport, Connecticut, ordered Garofano to serve the prison term followed by three years of supervised release.
He had pleaded guilty in April, admitting that he sent emails to the victims while posing as a member of Apple’s online security personnel in order to obtain their usernames and passwords.
Tomi Engdahl says:
OCR Software Dev Abbyy Exposes 200,000 Customer Documents
https://yro.slashdot.org/story/18/08/29/2022202/ocr-software-dev-abbyy-exposes-200000-customer-documents?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
A misconfigured MongoDB server belonging to Abbyy, an optical character recognition software developer, allowed public access to customer files.
Independent security researcher Bob Diachenko discovered the database on August 19 hosted on the Amazon Web Services (AWS) cloud platform. It was 142GB in size and it allowed access without the need to log in. The sizeable database included scanned documents of the sensitive kind: contracts, non-disclosure agreements, internal letters, and memos. Included were more than 200,000 files from Abbyy customers who scanned the data and kept it at the ready in the cloud.
OCR Software Dev Exposes 200,000 Customer Documents
https://www.bleepingcomputer.com/news/security/ocr-software-dev-exposes-200-000-customer-documents/
Tomi Engdahl says:
Air Canada Mobile App Breach Affects 20,000 People
https://news.slashdot.org/story/18/08/29/2154243/air-canada-mobile-app-breach-affects-20000-people?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Air Canada told customers in an email today that the personal information for about 20,000 customers “may potentially have been improperly accessed” via a breach in its mobile app. As a precaution, the airline locked down all 1.7 million accounts until customers change their passwords.
Air Canada mobile app breach affects 20,000 people
1.7 million use the app, but only about 1% may have been compromised
https://www.cbc.ca/news/business/air-canada-mobile-app-1.4802879
Tomi Engdahl says:
No D’oh! DNS-over-HTTPS passes Mozilla performance test
Privacy-protecting domain name system standard closer
https://www.theregister.co.uk/2018/08/30/doh_passes_performance_test/
As the DNS-over-HTTPS (DoH) secured domain querying draft creeps towards standardisation, Mozilla has run a test to see if applying encryption brings too heavy a performance penalty.
One somewhat-surprising outcome: for some queries, performance improved using DoH.
As Mozilla discusses here, run-of-the-mill DNS requests over DoH take a small performance hit.
Firefox Nightly Secure DNS Experimental Results
https://blog.nightly.mozilla.org/2018/08/28/firefox-nightly-secure-dns-experimental-results/
Tomi Engdahl says:
Can a script kiddie pwn your SD-WAN? Better check the config, friend
Unpatched, outdated software abounds, say researchers
https://www.theregister.co.uk/2018/08/30/vulnerable_sdwan_census/
Russian researchers armed with Shodan and Censys have identified nearly 5,000 SD-WANs with vulnerable management interfaces.
It won’t surprise anyone, The Register suspects, that most of the problems the three researchers (Denis Kolegov and Antony Nikolaev of Tomsk State University, and DarkMatter’s Sergey Gordeychik) discovered are down to “outdated software and insecure configuration”.
In this paper at arXiv, they explained how their active and passive fingerprinting showed that vendors or users failing to update their SD-WAN applications and (usually) Linux operating systems made SD-WANs “low-hanging fruit even for a script kiddie”.
Among the vendors whose systems they found accessible from the internet were all big, familiar names – Cisco, VMware, Citrix, SilverPeak, Huawei, Arista – along with another nine smaller outfits.
The researchers confined themselves to the management interface only, not touching any data plane interface (for one thing, messing around with the SD-WANs’ internals would create a juicy legal jeopardy).
“In general, the accessibility of management interface on the internet indicates the presence of CWE-749 weakness ‘Exposed Dangerous Method or Function’,” the paper stated.
After querying the target systems they found on Shodan and Censys (and cleaning up the results), it was straightforward to identify vendors and versions, because whether the systems used SSH, HTML, JSON, JavaScript or SNMP, they responded to contact with information like “viptela 17.2.4” (from Cisco).
https://arxiv.org/abs/1808.09027
Tomi Engdahl says:
Crowdsourcing the hunt for software bugs is a booming business—and a risky one
https://www.technologyreview.com/s/611892/crowdsourcing-the-hunt-for-software-bugs-is-a-booming-businessand-a-risky-one/
Freelance cybersleuths can help companies find flaws in their code. But the bug hunters could fall afoul of anti-hacking laws.
They are the Ubers of the digital security world. Instead of matching independent drivers with passengers, companies like Bugcrowd and HackerOne connect people who like to spend time searching for flaws in software with companies willing to pay them for bugs they find.
This cybersecurity gig economy has expanded to hundreds of thousands of hackers, many of whom have had some experience in the IT security industry.
Code cleaners
More and more large companies like GM, Microsoft, and Starbucks, are now running “bug bounty” programs that offer monetary rewards to those who spot and report bugs in their software. Platforms like Bugcrowd can help by alerting the hacking community to programs being launched, prioritizing bugs sent on to firms, and handling things like payments.
Moreover, at a time when experts are forecasting that 3.5 million cybersecurity jobs worldwide will be vacant by 2021 because there aren’t enough skilled workers, freelancers can ease some of the strain on internal teams.
Still, the platforms face a couple of big challenges. One is to keep expanding the pool of talented bug hunters. Another is to establish greater legal clarity about what tools and techniques ethical hackers can safely use. Popular tactics such as using injection attacks, which involve inserting code into software applications that could change the way the programs are executed, could potentially lead to prosecution under anti-hacking laws such as America’s Computer Fraud and Abuse Act (CFAA).
There have already been cases where security researchers and reporters have faced possible legal action for unearthing and reporting vulnerabilities in companies’ code. It would take only a couple of high-profile lawsuits to have a chilling effect on the industry.
Hacker uni
To address the talent challenge, the crowdsourcing platforms are publishing far more content to help hackers upgrade their skills and to attract more people to gig work.
Legal air cover
On the legal front, the platforms are pushing for more “safe harbor” language to be inserted in contracts governing bug bounties. The aim, says Adam Bacchus of HackerOne, is to get companies to be clear that if hackers follow the rules of engagement within reason, they won’t wind up being taken to court.
Bugcrowd has partnered with Amit Elazari, a security researcher whose work has highlighted the need for safe harbor language, to launch an initiative called disclose.io to create a standardized framework for finding and reporting bugs. This would provide explicit authorization for using bug-hunting techniques that would normally be clear violations of provisions in anti-hacking statutes.
Bugcrowd Launches Disclose.io Open-Source Vulnerability Disclosure Framework to Provide a Safe Harbor for White Hat Hackers
https://www.bugcrowd.com/press-release/bugcrowd-launches-disclose-io-open-source-vulnerability-disclosure-framework-to-provide-a-safe-harbor-for-white-hat-hackers/
Tomi Engdahl says:
John McAfee’s ‘unhackable’ Bitfi wallet got hacked — again
https://techcrunch.com/2018/08/30/john-mcafees-unhackable-bitfi-wallet-got-hacked-again/?sr_share=facebook&utm_source=tcfbpage
If the security community could tell you just one thing, it’s that “nothing is unhackable.” Except John McAfee’s cryptocurrency wallet, which was only unhackable until it wasn’t — twice.
Security researchers have now developed a second attack, which they say can obtain all the stored funds from an unmodified Bitfi wallet. The Android-powered $120 wallet relies on a user-generated secret phrase and a “salt” value.
But the researchers say that the secret phrase and salt can be extracted.
Using this “cold boot attack,” it’s possible to steal funds even when a Bitfi wallet is switched off.
Rashid told TechCrunch that the keys are stored in the memory longer than Bitfi claims, allowing their combined exploits to run code on the hardware without erasing the memory.
“This attack is both reliable and practical, requiring no specialist hardware.”
The McAfee-backed company offered a $250,000 bounty for anyone who could carry out what its makers consider a “successful attack.” But Bitfi declined to pay out, arguing that the hack was outside the scope of the bounty, and instead resorted to posting threats on Twitter.
Tomi Engdahl says:
This is Google’s Titan security key
https://techcrunch.com/2018/08/30/this-is-googles-titan-security-key/?utm_source=tcfbpage&sr_share=facebook
Google isn’t one to shy away from bold claims.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” a spokesperson told TechCrunch.
Security keys are one of the strongest lines of defense against account breaches. That’s because a hacker on the other side of the world trying to break into your account needs not only your password but also your physical key — and that’s not something a hacker can easily or covertly steal.
Although there are a handful of security key brands out there — Yubikey and Feitian to name two — Google thinks it can do better with its own Titan security keys.
Tomi Engdahl says:
The Expected Spike in Post-GDPR Spam Activity Hasn’t Happened
https://www.securityweek.com/expected-spike-post-gdpr-spam-activity-hasnt-happened
For many months it was expected that privacy protections afforded to consumers by GDPR would also benefit the bad guys. It was feared that security researchers would no longer be able to track new bad domains through WHOIS data, and that spammers would rush to register new domains under new GDPR-enforced anonymity; and that spam would spike once GDPR became effective in May 2018. It hasn’t happened.
Tomi Engdahl says:
Hacktivist Drama ‘Mr. Robot’ to End With 4th Season in 2019
https://www.securityweek.com/hacktivist-drama-mr-robot-end-4th-season-2019
The hacktivist thriller “Mr. Robot” is coming to an end.
USA Network said Wednesday the drama series starring Emmy Award-winner Rami Malek will air its fourth and final season in 2019.
Tomi Engdahl says:
China Probes Suspected Customer Data Leak at Accor Partner
https://www.securityweek.com/china-probes-suspected-customer-data-leak-accor-partner
Shanghai police said they were investigating a suspected data leak at NASDAQ-listed Chinese hotelier Huazhu Group, the local partner of France-based AccorHotels.
Huazhu, one of China’s biggest hoteliers, released a statement on Tuesday saying it had alerted police to reports that the company’s internal data was being sold online, asking them to investigate.
Chinese media reports said the data included guest membership information, personal IDs, check-in records, guest names, mobile numbers, and emails.
Police in Shanghai said in a statement that they were looking into the case.
Huazhu’s website said it operates more than 3,000 hotels in more than 370 cities in China, including the AccorHotels brands Ibis and Mercure.
Tomi Engdahl says:
CEIDPageLock Rootkit Hijacks Web Browsers
https://www.securityweek.com/ceidpagelock-rootkit-hijacks-web-browsers
A new rootkit that has been distributed via the RIG exploit kit over the past few weeks can manipulate web browsers and also contains sophisticated defense mechanisms, Check Point says.
Dubbed CEIDPageLock, the malware was initially discovered a few months ago, when it was attempting to modify the homepage of a victim’s browser. The rootkit is currently attempting to turn the victim browser’s homepage into a site pretending to be a Chinese web directory.
On top of these sophisticated features, the latest versions of the malware monitor user browsing and, when the user attempts to access several popular Chinese websites, dynamically replace the content of those sites with the fake home page.
Tomi Engdahl says:
New Cobalt Campaign Targets Russian and Romanian Banks
https://www.securityweek.com/new-cobalt-campaign-targets-russian-and-romanian-banks
A new campaign by the Russia-based Cobalt hacking group was observed on August 13, 2018. Cobalt is best-known for targeting financial institutions, and this campaign is no different. Two targets have been identified to date: NS Bank in Russia and Carpatica/Patria in Romania.
Cobalt has been operating since at least 2016. So far it is credited with the theft of $9.7 million from the Russian MetakkinvestBank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan.
Tomi Engdahl says:
Loki Bot Attacks Target Corporate Mailboxes
https://www.securityweek.com/loki-bot-attacks-target-corporate-mailboxes
Loki Bot’s operators have been targeting corporate mailboxes with their spam messages, Kaspersky Lab reports.
The emails employ various lures to trick potential victims into opening malicious attachments that would deploy the Loki Bot stealer onto the target machines. The messages masquerade as notifications from other companies, or as orders and offers.
As part of the campaign, cybercriminals have been targeting corporate mailboxes that can be obtained from public sources or which are listed on the targeted companies’ websites, Kaspersky discovered.
The spam messages would attempt to deliver the malicious payload via an attached ISO file. The extension is associated with copies of optical discs that can be mounted to access their content. Modern operating systems can mount ISO files directly, but dedicated software that can handle the extension also exists.
Loki Bot: On a hunt for corporate passwords
https://securelist.com/loki-bot-stealing-corporate-passwords/87595/
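The ISO-attachment lure described above, as an added example that is not Kaspersky's code: a mail-gateway style check that flags an attachment as a disc image when its name ends in .iso or when its bytes carry the ISO 9660 primary volume descriptor signature ("CD001" at offset 0x8001), so an image renamed to look like a document is caught as well. The sample message and the minimal image bytes are constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage

# ISO 9660 layout: the primary volume descriptor sits at sector 16 (2048-byte
# sectors), i.e. offset 0x8000; byte 0 is the type (0x01), bytes 1-5 are "CD001".
ISO_SIGNATURE_OFFSET = 0x8001
ISO_SIGNATURE = b"CD001"


def is_iso_image(data):
    """True if the bytes carry the ISO 9660 volume descriptor signature."""
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    return len(data) >= end and data[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE


def classify_attachment(filename, data):
    """Return a finding string for disc-image attachments, else None."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    by_name = ext == "iso"
    by_magic = is_iso_image(data)
    if by_name and by_magic:
        return "iso image"
    if by_name:
        return "iso extension (no ISO 9660 signature)"
    if by_magic:
        # Content says disc image, name says something else: the renamed case.
        return "ISO 9660 image disguised as .%s" % (ext or "(no extension)")
    return None


def scan_message(raw):
    """Parse a raw RFC 822 message and return (filename, finding) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        finding = classify_attachment(name, part.get_payload(decode=True) or b"")
        if finding:
            findings.append((name, finding))
    return findings


def fake_iso(size=0x8010):
    """Constructed minimal image: zeros up to the descriptor, then type byte + CD001."""
    buf = bytearray(size)
    buf[0x8000] = 0x01
    buf[0x8001:0x8006] = ISO_SIGNATURE
    return bytes(buf)


def build_sample_message(attachments):
    """Constructed 'order confirmation' style message with the given attachments."""
    msg = EmailMessage()
    msg["From"] = "orders@supplier.example"
    msg["To"] = "purchasing@company.example"
    msg["Subject"] = "Order confirmation #4411"
    msg.set_content("Please find the order details attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    image = fake_iso()
    raw = build_sample_message([("order.pdf", b"%PDF-1.4 sample"),
                                ("order_details.iso", image),
                                ("scan.docx", image)])
    for name, finding in scan_message(raw):
        print("%s: %s" % (name, finding))
```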
Tomi Engdahl says:
Advanced Android Spyware Remained Hidden for Two Years
https://www.securityweek.com/advanced-android-spyware-remained-hidden-two-years
A newly detailed Android spyware that has an incredibly wide-ranging protocol has been active since May 2016, Kaspersky Lab warns.
Dubbed BusyGasper, the malware includes device sensor listeners (such as motion detectors), can exfiltrate data from messaging applications (WhatsApp, Viber, Facebook), includes keylogging capabilities, and supports 100 commands.
Featuring a multicomponent architecture, the malware can download payloads and updates from the command and control (C&C) server, an FTP server belonging to the free Russian web hosting service Ucoz.