Cyber Security September 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.

 

493 Comments

  1. Tomi Engdahl says:

    Thomas Brewster / Forbes:
    FBI compelled a suspect to use Face ID to unlock his iPhone X, following other cases where police with warrants unlocked iPhones via Touch ID

    Feds Force Suspect To Unlock An Apple iPhone X With Their Face
    https://www.forbes.com/sites/thomasbrewster/2018/09/30/feds-force-suspect-to-unlock-apple-iphone-x-with-their-face/#4a44c1dc1259

    It finally happened. The feds forced an Apple iPhone X owner to unlock their device with their face.

    A child abuse investigation unearthed by Forbes includes the first known case in which law enforcement used Apple Face ID facial recognition technology to open a suspect’s iPhone. That’s by any police agency anywhere in the world, not just in America.

    It happened on August 10

    Reply
  2. Tomi Engdahl says:

    A Majority of Teens Have Experienced Some Form of Cyberbullying
    http://www.pewinternet.org/2018/09/27/a-majority-of-teens-have-experienced-some-form-of-cyberbullying/

    59% of U.S. teens have been bullied or harassed online, and a similar share says it’s a major problem for people their age. At the same time, teens mostly think teachers, social media companies and politicians are failing at addressing this issue.

    Reply
  3. Tomi Engdahl says:

    Hertig / CoinDesk:
    A major vulnerability present in Bitcoin codebase for 2 years and patched last week has prompted a heated debate on how to improve Bitcoin’s code review process — “Shock” is perhaps the word that best describes the mood ever since one of bitcoin’s most severe bugs was discovered and patched last week.

    In Wake of ‘Major Failure,’ Bitcoin Code Review Comes Under Scrutiny
    https://www.coindesk.com/in-wake-of-major-failure-bitcoin-code-review-comes-under-scrutiny/

    “Shock” is perhaps the word that best describes the mood ever since one of bitcoin’s most severe bugs was discovered and patched last week.

    As the community reels over the vulnerability that was hiding in the code for two years, and that could have been exploited to print more bitcoins than the 21 million is hard-coded to be produced, developers are wondering: Is there a way to prevent such a severe bug from being added to the code again?

    Days after the discover, there hasn’t been any formal proposals.

    It’s an important question, too – What if a malicious actor had found the exploit first? What if there are other hidden bugs in the code right now?

    To this point, pseudonymous bitcoin subreddit moderator ‘Theymos’ urged the community not to forget the bug.

    He argued it was “was undeniably a major failure”

    The community’s ‘fault’

    Still, developers argue more could be done to make sure the digital money works smoothly.

    Theymos thinks one avenue would be to build “more sophisticated” tests tailored at locating severe, but hard to find bugs, like the one last week. “Perhaps all large bitcoin companies should be expected by the community to assign skilled testing specialists to Core,” he continued, adding:

    “Currently a lot of companies don’t contribute anything to Core development.”

    Bitcoin Core contributor James Hilliard stressed much the same, suggesting that developers can increase the “amount” and “quality” of testing. Though, this might be easier said than done. Bitcoin Core contributor Greg Maxwell agreed in Theymos’s thread that testing is important, but the quality and detail of the tests is important.

    “Directing more effort into testing has been a long-term challenge for us, in part because the art and science of testing is no less difficult than any other aspect of the system’s engineering. Testing involves particular skills and aptitudes that not everyone has,” Maxwell said.

    Reply
  4. Tomi Engdahl says:

    Digital Single Market:
    EU enacts law enabling cross-border recognition of national electronic IDs, like driver licenses and bank cards, in tax filing, medical records, public services

    Cross-border digital identification for EU countries: Major step for a trusted Digital Single Market
    https://ec.europa.eu/digital-single-market/en/news/cross-border-digital-identification-eu-countries-major-step-trusted-digital-single-market

    People will be able to use their electronic ID (eID) such as ID cards, driver licenses, bank cards and fill tax returns online, access medical records and online public services across the EU.

    Reply
  5. Tomi Engdahl says:

    Tim Berners-Lee:
    Tim Berners-Lee unveils Solid, an open source project to decentralize the web and give users control of their data, and Inrupt, a startup to guide the project

    One Small Step for the Web…
    https://medium.com/@timberners_lee/one-small-step-for-the-web-87f92217d085

    Reply
  6. Tomi Engdahl says:

    No Patches for Critical Flaws in Fuji Electric Servo System, Drives
    https://www.securityweek.com/no-patches-critical-flaws-fuji-electric-servo-system-drives

    ICS-CERT and Trend Micro’s Zero Day Initiative (ZDI) this week disclosed the existence of several unpatched vulnerabilities affecting servo systems and drives from Japanese electrical equipment company Fuji Electric.

    According to ICS-CERT and ZDI, researcher Michael Flanders discovered two vulnerabilities in Fuji’s Alpha 5 Smart servo system, specifically its Loader software, version 3.7 and prior.

    The product, mainly used in the commercial facilities and critical manufacturing sectors in Europe and Asia, makes adjustments to ensure that the motors powering various machines operate properly.

    Reply
  7. Tomi Engdahl says:

    EU Lawmakers Push for Cybersecurity, Data Audit of Facebook
    https://www.securityweek.com/eu-lawmakers-push-cybersecurity-data-audit-facebook

    BRUSSELS (AP) — European Union lawmakers appear set this month to demand audits of Facebook by Europe’s cybersecurity agency and data protection authority in the wake of the Cambridge Analytica scandal.

    A draft resolution submitted Thursday to the EU Parliament’s civil liberties and justice committee urged Facebook to accept “a full and independent audit of its platform investigating data protection and security of personal data.”

    Reply
  8. Tomi Engdahl says:

    Meet Torii, a Stealthy, Versatile and Highly Persistent IoT Botnet
    https://www.securityweek.com/meet-torii-stealthy-versatile-and-highly-persistent-iot-botnet

    There’s a new Internet of Things (IoT) botnet lurking around, a stealthy one that attempts to achieve persistence by running six different routines at once, Avast has discovered.

    Active since at least December 2017, Torii can infect devices powered by MIPS, ARM, x86, x64, PowerPC, SuperH, Motorola 68k, and others, Avast has discovered. The malware targets weak credentials over the Telnet protocol and, after the initial compromise, it executes a shell script to determine the device’s architecture and download the appropriate payload, either over HTTP or FTP.

    Torii botnet – Not another Mirai variant
    https://blog.avast.com/new-torii-botnet-threat-research

    Reply
  9. Tomi Engdahl says:

    Hide ‘N Seek IoT Botnet Now Targets Android Devices
    https://www.securityweek.com/hide-n-seek-iot-botnet-now-targets-android-devices

    After being observed targeting smart homes just two months ago, the Hide ‘N Seek Internet of Things (IoT) botnet is now capable of infecting Android devices.

    First detailed in January by Bitdefender, the botnet originally targeted home routers and IP cameras, but later evolved from performing brute force attacks over Telnet to leveraging injection exploits, thus greatly expanding its list of targeted device types.

    Featuring a decentralized, peer-to-peer architecture, the botnet was able to abuse the various compromise methods to ensnare over 90,000 unique devices by May.

    Reply
  10. Tomi Engdahl says:

    Researchers: 11-Year-Old Flaw in Vote Scanner Still Unfixed
    https://www.securityweek.com/researchers-11-year-old-flaw-vote-scanner-still-unfixed

    An uncorrected security flaw in a vote-counting machine used in 23 U.S states leaves it vulnerable to hacking 11 years after the manufacturer was alerted to it, security researchers say.

    The M650 high-speed ballot scanner is made by Election Systems & Software, the nation’s leading elections equipment vendor.

    Reply
  11. Tomi Engdahl says:

    Port of San Diego Hit by Ransomware
    https://www.securityweek.com/port-san-diego-hit-ransomware

    The Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) were called in by the Port of San Diego in California after some of the organization’s IT systems became infected with a piece of ransomware.

    Reply
  12. Tomi Engdahl says:

    The Facebook Security Meltdown Exposes Way More Sites Than Facebook
    https://www.wired.com/story/facebook-security-breach-third-party-sites/

    Reply
  13. Tomi Engdahl says:

    Voice Phishing Scams Are Getting More Clever
    https://krebsonsecurity.com/2018/10/voice-phishing-scams-are-getting-more-clever/

    Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly).

    Reply
  14. Tomi Engdahl says:

    Maailmalla valtavaa häiriötä aiheuttanut pornokiristys saapui Suomeen
    https://www.is.fi/digitoday/tietoturva/art-2000005848028.html?ref=rss

    Reply
  15. Tomi Engdahl says:

    70+ different types of home routers(all together 100,000+) are being hijacked by GhostDNS
    http://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/

    note:We have informed various ISPs on the IoC list, and OVH, ORACLE, Google, Microsoft have taken down the related IPs and some others are working on it (Thanks!)
    Background introduction

    DNSchanger is not something new and was quite active years ago [1], we occasionally encountered one every once in a while, but given the impact they have, we normally don’t bother to write any article.

    But this campaign has more, we have found three related DNSChanger programs, which we call Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger according to their programming languages.

    Furthermore, the above DNSChanger Systems are only part of a larger system that the malware campaign runs. The whole campaign also includes: Phishing Web System, Web Admin System, Rogue DNS System. These four parts work together to perform DNS hijacking function. Here we call the whole campaign GhostDNS.

    Currently the campaign mainly focuses on Brazil, we have counted 100k+ infected router IP addresses (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in brazil , even Netflix, Citibank.br have been hijacked to steal the corresponding website login credentials.

    Reply
  16. Tomi Engdahl says:

    Twitter:
    Twitter outlines its election integrity efforts ahead of midterms, says it removed ~50 accounts pretending to be members of various state Republican parties

    An update on our elections integrity work
    https://blog.twitter.com/official/en_us/topics/company/2018/an-update-on-our-elections-integrity-work.html

    Ahead of upcoming elections, today we are sharing updates across three critical areas of our election integrity efforts: (1) Updates to the Twitter Rules (2) Detection and Enforcement; and (3) Product Improvements.

    Reply
  17. Tomi Engdahl says:

    Industry Reactions to Facebook Hack
    https://www.securityweek.com/industry-reactions-facebook-hack

    The breach was discovered last week following an investigation triggered by a traffic spike observed on September 16. Facebook says it has patched the vulnerability and there is no evidence that the compromised access tokens have been misused.

    The incident, the latest in a series of security and privacy scandals involving the social media giant, could have serious repercussions for Facebook. The company’s stock went down, and it faces probes by government authorities, class action lawsuits, and a fine that could exceed $1.6 billion.

    The Scandals Bedevilling Facebook
    https://www.securityweek.com/scandals-bedevilling-facebook

    Facebook is at the centre of controversy yet again after admitting that up to 50 million accounts were breached by hackers.

    Facebook chief executive Mark Zuckerberg said engineers discovered the breach on Tuesday, and patched it on Thursday night.

    “We don’t know if any accounts were actually misused,” Zuckerberg said. “We face constant attacks from people who want to take over accounts or steal information around the world.”

    Facebook reset the 50 million breached accounts, meaning users will need to sign back in using passwords. It also reset “access tokens” for another 40 million accounts as a precautionary measure.

    Here is a roundup of the scandals dogging the social media giant.

    Reply
  18. Tomi Engdahl says:

    RDP Increasingly Abused in Attacks: FBI
    https://www.securityweek.com/rdp-increasingly-abused-attacks-fbi

    Cyberattacks leveraging the remote desktop protocol (RDP) have been on the rise for the past couple of years, fueled by the emergence of dark markets selling RDP access, the Federal Bureau of Investigation (FBI) warns.

    Malicious actors have created new methods of identifying and exploiting vulnerable RDP sessions over the web and both businesses and private users should take steps to reduce the likelihood of compromise, a joint alert from the FBI and Department of Homeland Security (DHS) reads.

    RDP provides users with the ability to control a remote machine over the Internet. While authentication with a username and password are required to establish a remote desktop connection, attackers can infiltrate such connections and inject malware onto the remote system.

    Assaults that abuse RDP do not require user input and the intrusion is difficult to detect. By abusing RDP sessions, malicious actors can compromise identities, steal login credentials, and ransom other sensitive information, the alert reads.

    Reply
  19. Tomi Engdahl says:

    Weak Passwords Abused for ‘FruitFly’ Mac Malware Distribution
    https://www.securityweek.com/weak-passwords-abused-fruitfly-mac-malware-distribution

    FruitFly, a piece of Mac malware that infected thousands of machines over the course of more than 13 years, was being distributed via poorly protected external services.

    First detailed in early 2017, FruitFly (also known as Quimitchin) targeted individuals, companies, schools, a police department, and the U.S. government, including a computer owned by a subsidiary of the Department of Energy.

    Reply
  20. Tomi Engdahl says:

    Who’s behind DDoS attacks at UK universities?
    https://www.welivesecurity.com/2018/09/28/whos-behind-ddos-attacks-uk-universities/

    The timing of the attacks suggests that many attempts to take the networks offline may not necessarily be perpetrated by organized cybercriminal gangs

    Students and staff are suspected to be behind many distributed denial-of-service (DDoS) attacks at colleges and universities in the United Kingdom, recent research suggests.

    The non-profit Jisc – which among other things provides internet connectivity to the UK research and education community – analyzed over 850 DDoS attacks at nearly 190 higher-education institutions in the UK shortly before and during the 2017-2018 academic year. And what it found in the data is “clear patterns”.

    Reply
  21. Tomi Engdahl says:

    Cyber Actors Increasingly Exploit The Remote Desktop Protocol to Conduct Malicious Activity
    https://www.ic3.gov/media/2018/180927.aspx

    Remote administration tools, such as Remote Desktop Protocol (RDP), as an attack vector has been on the rise since mid-late 2016 with the rise of dark markets selling RDP Access. Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to compromise identities, steal login credentials, and ransom other sensitive information. The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recommend businesses and private citizens review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.

    Reply
  22. Tomi Engdahl says:

    Telegram Leaks IP Addresses by Default When Initiating Calls
    https://www.bleepingcomputer.com/news/security/telegram-leaks-ip-addresses-by-default-when-initiating-calls/

    Telegram Messenger is a communication app that allows you to create encrypted chats and phone calls with other users over the Internet. This program describes itself as being a secure and private communication app, but a researcher has shown that in its default configuration it would allow a user’s IP address to be leaked when making call.

    This is caused by a default setting in Telegram, which causes voice calls to be made over P2P. When using P2P to initiate Telegram calls, though, the IP address of the person you are speaking with will appear in the Telegram console logs. Not all versions include a console log.

    Reply
  23. Tomi Engdahl says:

    iDRACula Vulnerability Impacts Millions of Legacy Dell EMC Servers
    https://www.servethehome.com/idracula-vulnerability-impacts-millions-of-legacy-dell-emc-servers/

    Today we have news of a confirmed security vulnerability that impacts tens of millions of legacy Dell EMC servers. This vulnerability is known and is a broader industry-wide issue that impacts far more than Dell EMC iDRAC. We are calling this one iDRACula short for “integrated Dell Remote Access Controller unauthorized load access.” Earlier this week, a user on the STH forums posted that along with another individual, they were able to bypass the Dell EMC iDRAC firmware protections and load their own custom firmware onto the iDRAC baseboard management controller both via local access and via a remote access method. If exploited by a malicious party, iDRACula can allow a malicious actor to have complete remote administrative capability of a server.

    Reply
  24. Tomi Engdahl says:

    Telegram fixes IP address leak in desktop client
    https://www.zdnet.com/article/telegram-fixes-ip-address-leak-in-desktop-client/

    Telegram team forgot to add privacy-enhancing option for voice calls in desktop clients.

    Telegram users who specifically utilize the application for its anonymity features are advised to update their desktop clients as soon as possible to patch a bug that will leak their IP address in some scenarios.

    The bug was found by Dhiraj Mishra, a bug hunter from Mumbai, India, and was patched by Telegram with the releases of Telegram for Desktop v1.4.0 and v1.3.17 beta.

    Reply
  25. Tomi Engdahl says:

    FBI solves mystery surrounding 15-year-old Fruitfly Mac malware
    https://www.zdnet.com/article/fbi-solves-mystery-surrounding-15-year-old-fruitfly-mac-malware/

    Fruitfly malware author used port scanning with weak or no passwords to identify potential victims.

    Reply
  26. Tomi Engdahl says:

    Cybersecurity Canon Candidate Book Review: “Cybersecurity: A Business Solution”
    https://researchcenter.paloaltonetworks.com/2018/09/cybersecurity-canon-candidate-book-review-cybersecurity-business-solution/

    Managing cyber risk is a challenging undertaking, even for large organizations with significant resources at their disposal. For executives and senior managers in small to medium-sized organizations, however, managing cyber risk can quickly become a daunting and overwhelming task. That is where Rob Arnold’s book Cybersecurity: A Business Solution provides a unique and helpful perspective. Written specifically for small to medium-sized businesses, the book provides executives and senior managers with a business-centered perspective on managing cyber risk in their organizations. The audience for this book also includes IT professionals and network defenders. By mapping out how to manage an organization’s cyber risk strategies, as well as how to implement an effective cybersecurity plan, it gives IT professionals a way to speak to administration and provide them with tools for an overall plan of action.

    Reply
  27. Tomi Engdahl says:

    Cities Paying Ransom: What Does It Mean for Taxpayers?
    https://blog.radware.com/security/2018/09/cities-paying-ransom/

    On September 1, Ontario’s Municipal Offices experienced a cyberattack that left their computers inoperable when Malware entered its systems and rendered its servers useless. The municipality was faced with paying a ransom to the attackers or face the consequences of being locked out of its systems. Per the advice of a consultant, the city paid an undisclosed amount of ransom to its attackers.

    Reply
  28. Tomi Engdahl says:

    Microsoft Adds New Tools to Azure DDoS Protection
    https://www.securityweek.com/microsoft-adds-new-tools-azure-ddos-protection

    Microsoft this week announced a new set of distributed denial of service (DDoS) mitigation tools for Azure, which the company says will provide customers with increased visibility and support when their computing resources are under attack.

    Building on the capabilities of Azure DDoS Protection, new features such as DDoS Attack Analytics and DDoS Rapid Response can deliver attack insights that can be leveraged for compliance, security audits, and defense optimizations, and also help customers engage DDoS experts during an active attack for specialized support.

    There are three new features that Azure DDoS Protection Standard customers can now take advantage of, namely Attack Mitigation Reports, Attack Mitigation Flow Logs and DDoS Rapid Response. Thus, organizations will get detailed visibility into attack traffic and mitigation actions in Azure Monitor, as well as custom mitigations and support for attack investigation, Microsoft notes.

    DDoS Protection Attack Analytics and rapid response
    https://azure.microsoft.com/en-us/blog/ddos-protection-attack-analytics-rapid-response/

    Reply
  29. Tomi Engdahl says:

    Linux Kernel Vulnerability Affects Red Hat, CentOS, Debian
    https://www.securityweek.com/linux-kernel-vulnerability-affects-red-hat-centos-debian

    Qualys has disclosed the details of an integer overflow vulnerability in the Linux kernel that can be exploited by a local attacker for privilege escalation. The flaw, dubbed “Mutagen Astronomy,” affects certain versions of the Red Hat, CentOS and Debian distributions.

    Tracked as CVE-2018-14634, the flaw exists in the kernel’s create_elf_tables() function. The security hole can be exploited using a SUID binary to escalate privileges to root, but it only works on 64-bit systems.

    The vulnerability affects versions of the kernel released between July 19, 2007, and July 7, 2017. While many Linux distributions have backported the commit that addresses the bug, the fix hasn’t been implemented in Red Hat Enterprise Linux, CentOS (which is based on Red Hat), and Debian 8 Jessie.

    Red Hat, which assigned the flaw an impact rating of “important” and a CVSS score of 7.8 (high severity), has started releasing updates that should address the issue.

    Reply
  30. Tomi Engdahl says:

    Uber Agrees to $148M Settlement With States Over Data Breach
    https://www.securityweek.com/uber-agrees-148m-settlement-states-over-data-breach

    Uber will pay $148 million and tighten data security after the ride-hailing company failed for a year to notify drivers that hackers had stolen their personal information, according to a settlement announced Wednesday.

    Uber Technologies Inc. reached the agreement with all 50 states and the District of Columbia after a massive data breach in 2016. Instead of reporting it, Uber hid evidence of the theft and paid ransom to ensure the data wouldn’t be misused.

    “This is one of the most egregious cases we’ve ever seen in terms of notification; a yearlong delay is just inexcusable,” Illinois Attorney General Lisa Madigan told The Associated Press. “And we’re not going to put up with companies, Uber or any other company, completely ignoring our laws that require notification of data breaches.”

    Reply
  31. Tomi Engdahl says:

    Web hosting providers take three days, on average, to respond to abuse reports
    https://www.zdnet.com/article/web-hosting-providers-take-three-days-on-average-to-respond-to-abuse-reports/

    Some hosting providers take over two weeks to respond, with the worst taking over 19 days.

    Web hosting providers take 3 days, 2 hours, and 33 minutes on average to respond to abuse complaints and remove malware hosted on their servers, according to a report published today.

    Abuse reports are commonly filed by security researchers, manually or using automated tools, and sent to web hosting providers at an email address specified on their sites.

    Researchers scour the internet and keep an eye out for malicious links in email spam or other places, collect the URLs, determine the web host, and send out an email to the hosting provider, asking it to take down the link before users get a chance to click on it. There are thousands if not tens of thousands of such abuse reports being sent each day.

    Previous studies have shown that the first few hours after a malware distribution are the most critical, as that’s when spam filters and antivirus engines are most likely to be caught with their pants down and when the vast majority of users get infected.

    This is why web hosting providers need to cooperate and respond to abuse complaints with urgency, to keep users safe and stop malware campaigns.

    Reply
  32. Tomi Engdahl says:

    Adam Janofsky / Wall Street Journal:
    Advances in AI and years of data gathering related to cyberattacks have made it easier for firms and governments to tie hacks to specific hacking groups — AI and sophisticated data gathering are making it easier for firms and governments to attribute hacks in months, not years

    Technology Advances Make It Easier to Assign Blame for Cyberattacks
    https://www.wsj.com/articles/technology-advances-make-it-easier-to-assign-blame-for-cyberattacks-1538677334

    AI and sophisticated data gathering are making it easier for firms and governments to attribute hacks in months, not years

    Figuring out who exactly is responsible for a cyberattack is an inexact science, but advances in machine learning and years of data-gathering on hacks are making it easier than ever for law-enforcement officials and cybersecurity specialists to name the likely culprits.

    Reply
  33. Tomi Engdahl says:

    Ben Fox Rubin / CNET:
    Amazon says it has fired an employee for sharing users’ email addresses with a third-party seller, is working with law enforcement, informing affected customers

    Amazon fires employee for allegedly sharing customer email addresses
    https://www.cnet.com/news/amazon-fires-employee-for-allegedly-sharing-customer-email-addresses/

    The company is working with law enforcement and informing affected

    Reply
  34. Tomi Engdahl says:

    Google’s cyber unit Jigsaw introduces Intra, a new security app dedicated to busting censorship
    https://techcrunch.com/2018/10/03/googles-cyber-unit-jigsaw-introduces-intra-a-security-app-dedicated-to-busting-censorship/?sr_share=facebook&utm_source=tcfbpage

    Jigsaw, the division owned by Google parent Alphabet, has revealed Intra, a new app aimed at protecting users from state-sponsored censorship.

    Intra is a new app that aims to prevent DNS manipulation attacks.

    By passing all your browsing queries and app traffic through an encrypted connection to a trusted Domain Name Server, Intra says it ensures you can use your app without meddling or get to the right site without interference.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*