The Belgian Financial Services and Markets Authority (FSMA) has warned netizens about the spread of illegitimate cryptomonnaies and blockchain platforms, as tricksters continue to dupe the general public.
The FSMA has strengthened its warning with an updated list of “cryptomonnaies” (Belgium’s surprizingly mellifluous word for cryptocurrencies) trading sites, which has grown to include over 70 known scams, with 28 being added in the latest update.
Scams in these cases are pretty simple. Users will go to a fake website looking to buy Bitcoin, Ethereum, or other cryptomonnaies. The buyer will send their fiat to the merchant, who then simply walks away, without ever sending the cryptomonnaies owed to the buyer.
Even though the FSMA has issued numerous warnings, and has been updating its list of known scammers since the end of February this year, complaints continue to roll in.
mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.
Attackers have been exploiting vulnerabilities in MikroTik routers to forward network traffic to a handful of IP addresses under their control. “The bug is in Winbox management component and allows a remote attacker to bypass authentication and read arbitrary files,” reports Bleeping Computer. “Exploit code is freely available from at least three sources from at least three sources.”
A security researcher has found a method that can be used to easily identify the public IP addresses of misconfigured dark web servers. While some feel that this researcher is attacking Tor or other similar networks, in reality he is exposing the pitfalls of not knowing how to properly configure a hidden service.
One of the main purposes of setting up a dark web web site on Tor is to make it difficult to identify the owner of the site. In order to properly anonymize a dark web site, though, the administrator must configure the web server properly so that it is only listens on localhost (127.0.0.1) and not on an IP address that is publicly exposed to the Internet.
Yonathan Klijnsma, a threat researcher lead for RiskIQ, has discovered that there are many Tor sites that utilize SSL certificates and also misconfigure a hidden service so that it is accessible via the Internet. As RiskIQ crawls the web and associates any SSL certificate it discovers to it’s hosted IP address, it was easy for Klijnsma to map a misconfigured hidden Tor service with its corresponding public IP address.
BERLIN (Reuters) – A growing number of countries can hack into private computer networks and install malicious software to sabotage another country’s infrastructure, Germany’s domestic spy chief said.
A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components.
CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.
The growing IoT botnet has now infected routers from D-Link, Huawei and Realtek.
Security researchers have identified a new IoT botnet that has recently made its presence known online after lying dormant for months online.
The Hakai IoT botnet, named after the Japanese word for destruction, was first discovered in June by security researchers at NewSky Security. The first version of this new IoT botnet was based on the IoT malware strain Qbot that leaked online several years ago.
Security researcher at NewSky Security, Ankit Anubhav told ZDNet that the first version of the botnet was unsophisticated and rarely active. However, the author of the botnet initially wanted publicity and requested that Anubhav cover it.
The Hakai botnet then began to takeover user devices in July using the CVE-2017-17215 vulnerability to infect Huawei Hg352 routers. By August though, the botnet gained the attention of other security researchers as it began to spread to even more devices including D-Link routers using the HNAP protocol as well as Realtek routers and IoT devices.
Dozens of people reported receiving an email from Google revealing a potential FBI investigation into people who purchased malware.
At least dozens of people have received an email from Google informing them that the internet giant responded to a request from the FBI demanding the release of user data, according to several people who claimed to have received the email. The email did not specify whether Google released the requested data to the FBI.
The unusual notice appears to be related to the case of Colton Grubbs, one of the creators of LuminosityLink, a $40 remote access tool (or RAT), that was marketed to hack and control computers remotely. Grubs pleaded guilty last year to creating and distributing the hacking tool to hundreds of people.
In June 2018, the Wi-Fi Alliance began certifying devices that support Wi-Fi Protected Access 3 (WPA3), which replaces WPA2. Users should employ the new standards as WPA3 devices become available.
What security threats do enterprise wireless networks face?
Unlike wired networks, which have robust security tools—such as firewalls, intrusion prevention systems, content filters, and antivirus and anti-malware detection programs—wireless networks (also called Wi-Fi) provide wireless access points that can be susceptible to infiltration. Because they may lack the same protections as wired networks, wireless networks and devices can fall victim to a variety of attacks designed to gain access to an enterprise network. An attacker could gain access to an organization’s network through a wireless access point to conduct malicious activities—including packet sniffing, creating rouge access points, password theft, and man-in-the-middle attacks.
IT security professionals and network administrators should also consider these additional best practices to help safeguard their enterprise Wi-Fi networks:
Lily Hay Newman / Wired:
Google is considering big changes to how URLs are displayed in Chrome so that web identity can be better understandable, plans to share ideas by next spring
Google’s Chrome browser turns 10 today, and in its short life it has introduced a lot of radical changes to the web. From popularizing auto-updates to aggressively promoting HTTPS web encryption, the Chrome security team likes to grapple with big, conceptual problems. That reach and influence can be divisive, though, and as Chrome looks ahead to its next 10 years, the team is mulling its most controversial initiative yet: fundamentally rethinking URLs across the web.
Uniform Resource Locators are the familiar web addresses you use every day.
And on mobile devices there isn’t room to display much of a URL at all.
The resulting opacity has been a boon for cyber criminals who build malicious sites to exploit the confusion. They impersonate legitimate institutions, launch phishing schemes, hawk malicious downloads, and run phony web services—all because it’s difficult for web users to keep track of who they’re dealing with. Now the Chrome team says it’s time for a massive change.
“People have a really hard time understanding URLs,”
“They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone”
If you’re having a tough time thinking of what could possibly be used in place of URLs, you’re not alone. Academics have considered options over the years, but the problem doesn’t have an easy answer
The focus right now, they say, is on identifying all the ways people use URLs to try to find an alternative that will enhance security and identity integrity on the web while also adding convenience for everyday tasks like sharing links on mobile devices.
Google recently launched a new Titan security key that helps add extra security to your account.
Only someone with the key can access your Google account, or others you’ve configured, like Facebook and Dropbox.
The $50 bundle gives peace of mind, but losing the keys could mean being locked out of your accounts for days.
Opinion: To sign up for Google’s Advanced protection program, you must buy security keys from a Chinese vendor. Security questions have since been raised considering current intelligence laws in China.
Google is offering a Chinese security product to those who need protection the most.
On Thursday, Sam Srinivas, Director of Product Management at Google Cloud, revealed the launch of Titan Security Keys in the Google Store.
The Titan Security Keys, which are now up for sale in the official US store, are described as “phishing-resistant two-factor authentication (2FA) devices that help protect high-value users such as IT admins.”
“Titan Security Keys work with popular browsers and a growing ecosystem of services that support FIDO standards,” the company added. “They are built with a hardware chip that includes firmware engineered by Google to verify the integrity of the key.”
In a separate blog post written by Christiaan Brand, Product Manager of Google Cloud, the executive says that the Titan Security Keys “can be used anywhere security keys are supported as a second factor of authentication, including Google’s Advanced Protection Program.”
The Advanced Protection Program is directed at those who may be at more risk of targeted attacks, such as journalists, activists, executives, and politicians.
However, should you sign up, you are not forwarded to the Google Store to purchase the keys imbued with Google’s “special sauce” — instead, if you click “get started,” you are directed to a page which says you will need two security keys, one for primary use and another as a backup.
While the backup option required as a purchase from Amazon, the Yubico FIDO U2F Security Key, looks legitimate, the first and main key you are asked to buy is potentially problematic.
At the time of writing, that option is the Feitian MultiPass FIDO Security Key.
those in the UK are directed to the Chinese vendor’s website
As noted in July by an IT consultant, it appears the Titan is the same hardware, just sold under a different brand name.
Founded in 1998, Feitian Technologies is based in China and provides security solutions for the banking, financial, telecommunications and government sectors.
“companies in China aren’t able to refuse to engage in intelligence activities.”
The problem here is not that Feitian is responsible for any cyberthreats, surveillance, or direct attacks against those who need additional protection the most. Rather, the decisions Google seems to be making by being so deeply connected to a Chinese company could potentially undermine the entire protection program.
Google’s program is designed to protect the sort of individuals whom the Chinese government may have serious interest in, such as activists and those speaking out against the country’s government.
By directing those in the protection program directly to the vendor for hardware which is not implemented with Google’s own brand of firmware — the so-called “special sauce” — there is the possibility of different firmware being used, backdoors imbued at both the hardware and firmware level, or other forms of tampering at the manufacturing stage — all of which would be outside Google’s control.
So why does the variant of the key on the Google Store offer Google firmware, whilst the keys required for the protection program do not?
The backup key is produced by Yubico.
The once-celebrated Google motto of “Don’t be evil” may be a thing of the past but the idea that Google is promoting the use of hardware to those that require additional security — which may, one day, become the very thing that compromises their privacy and identities — is deeply unsettling.
A cyber attack that kills someone is getting ever more likely. What happens then is a big — and scary –question.
The increasing sophistication and power of state-backed cyber attacks has led some experts to fear that, sooner or later, by design or by accident, one of these incidents will result in somebody getting killed.
“Nation-states are getting more sophisticated and they’re getting more brazen. They’re getting less worried about being caught and being named — and of course that’s a feature of geopolitics,”
The Hakai IoT botnet is a dangerous threat that is being distributed in a global attack campaign targeting home routers of all popular brands. It is built on the foundations of an older threat featuring heavy upgrades.
The attacks began by probing Huawei Hg352 routers with the CVE-2017-17215 exploit.
Affected systems will react if malicious packets are sent over port 37215. To counter any possible abuse the owners of these devices should update their firmware to the latest available version.
Hakai IoT botnet was upgraded to act against a wider range of devices — D-Link Routers using the HNAP protocol, generic IoT devices and Realtek routers.
Cisco informed customers on Wednesday that patches are available for over a dozen critical and high severity vulnerabilities affecting the company’s RV series, SD-WAN, Umbrella and other products.
Two of the flaws have been rated “critical” by Cisco. One of them, CVE-2018-0423, is a buffer overflow vulnerability in the web-based management interface of various RV series firewalls and routers. The security hole allows a remote and unauthenticated attacker to cause a denial-of-service (DoS) condition or to execute arbitrary code.
The second flaw assigned a “critical” rating by the networking giant is CVE-2018-0435 and it impacts the Cisco Umbrella API. A remote attacker could leverage the vulnerability to read or modify data across multiple organizations, but exploitation requires authentication. Cisco noted that the bug has been addressed in the API and no user interaction is required to apply the patch.
A threat group tracked by security firm ESET as “PowerPool” has been exploiting a Windows zero-day vulnerability to elevate the privileges of a backdoor in targeted attacks.
The flaw was disclosed on August 27 by a researcher who uses the online moniker “SandboxEscaper.” The security hole was not reported to Microsoft before its details were made public – including a compiled exploit and its source code – as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.
Other members of the industry quickly confirmed the vulnerability, which seems to affect the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. Malicious actors with local access to the targeted device can exploit the flaw to escalate privileges to SYSTEM by overwriting files that should normally be protected by filesystem access control lists (ACLs).
The Iran-linked cyberespionage group OilRig was recently observed using a variant of the OopsIE Trojan that was updated with new evasion capabilities, Palo Alto Networks reports.
The group has been persistently targeting government entities in the Middle East with previously identified tools and tactics, including the OopsIE Trojan that was first identified in February 2018. Unlike previously observed samples, the new iteration packs anti-analysis and anti-virtual machine capabilities, which allows it to further evade detection.
Mozilla on Tuesday announced that Alan Davidson has been named the organization’s new Vice President of Global Policy, Trust and Security.
According to Mozilla Chief Operating Officer Denelle Dixon, Davidson will work with her on scaling and reinforcing the organization’s “policy, trust and security capabilities and impact.”
His responsibilities will also include leading Mozilla’s public policy work on promoting an open and “healthy” Internet, and supervising a security and trust team whose focus is on promoting “innovative privacy and security features.”
Google this week celebrates 10 years of its Chrome web browser with the release of a new version that provides users with security improvements, new features, and patches for 40 vulnerabilities.
The highly popular web browser now has an improved password manager that makes it easier for users to have a unique and strong password for each site. When a user is setting a new password, Chrome can generate it and save it, so that it is easily accessible on both computers and phones.
Chrome 69 also brings updated site indicators, as it no longer marks HTTPS websites with a green lock. Instead, the indicator is now grey, given that Google considers HTTPS connections the norm.
We have recently been notified of phishing emails that target WordPress users. The content informs site owners that their database requires an update
The email’s appearance resembles that of a legitimate WordPress update message, however the content includes typos and uses an older messaging style. Another suspicious item in the content is the deadline. WordPress wouldn’t define deadlines without a valid explanation, and hosting providers wouldn’t either
Fake Upgrade
If you click on the “Upgrade” button, a fake WordPress login page opens ready to collect your credentials. That page was created on a hacked but legitimate website. In one sample, it was in the /lop/ subdirectory, and in another case it was in the /so/ subdirectory.
Clicking on the “Upgrade WordPress Database” button completes the final step of the attack and sends your credentials and website address to the attackers.
Precautions
Even if your site software is up to date and fully patched, hackers may still be able to break into it if you give them your credentials. Phishing attacks against common CMS’ often try to fool webmasters into opening a web page that resembles a standard login page and type their credentials there without verifying the address of the page.
In the case above, attackers used a mailer on a compromised website as a delivery mechanism to send their phishing email campaign and collect the credentials of other WordPress users.
The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. As observed in previous attack campaigns, the tools used are not an exact duplicate of the previous attack and instead is an iterative variant. In this instance a spear phishing email was used containing a lure designed to socially engineer and entice the victim to executing a malicious attachment. The attachment was identified as a variant of the OopsIE trojan we identified in February 2018. In this iteration of OopsIE, the general functionality largely remained the same but contained the addition of anti-analysis and anti-virtual machine capabilities to further evade detection from automated defensive systems.
What is an IQY file attachment, and why is it the flavor of the month for threat actors? Microsoft Excel uses this type of file to pull data from the internet into a spreadsheet. To do that, a URL is embedded into an IQY file, and the file facilitates pulling the data from the specified webpage.
While IQY file extensions may sound foreign to many users, if you look at enterprise-level networks that use SharePoint, a web-based collaborative platform that integrates with Microsoft Office, for example, you would be sure to find many instances where IQY files are used.
Warning! If you are using Chrome browser extension from the MEGA file storage service, uninstall it right now.
The official Chrome extension for the MEGA.nz cloud storage service had been compromised and replaced with a malicious version that can steal users’ credentials for popular websites like Amazon, Microsoft, Github, and Google, as well as private keys for users’ cryptocurrency wallets.
On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA’s Google Chrome web store account and upload a malicious version 3.39.4 of an extension to the web store, according to a blog post published by the company.
US Treasury sanctions North Korea over Sony hack and WannaCry attack
Zack Whittaker
@zackwhittaker / 11 minutes ago
Sony Pictures Entertainment Inc. Studios As Cyber Attack Repercussions Continue
The US government has issued sanctions against a North Korea individual and an entity over historical cyberattacks, which wreaked billions of dollars in damages.
In a statement, the US Treasury named North Korean programmer Park Jin Jyok for working on behalf of Pyongyang for his involvement in carrying out several cyberattacks against US and global targets. The statement said Park was responsible for a hack on Sony Pictures in 2016
“North Korea has demonstrated a pattern of disruptive and harmful cyber activity that is inconsistent with the growing consensus on what constitutes responsible state behavior in cyberspace,” the Treasury statement read.
“Our policy is to hold North Korea accountable and demonstrate to the regime that there is a cost to its provocative and irresponsible actions.”
Chris Ip / Engadget:
How 30+ popular tech companies, from social networks to dating apps, responded to requests for personal data; how they interpret that data remains opaque http://www.engadget.com/2018/09/04/who-controls-your-data/
Joe Uchill / Axios:
A year after the Equifax breach became public, Congress has failed to advance any legislation and the Trump administration has halted a CFPB investigation
The Equifax data breach was supposed to change everything about cybersecurity regulation on Capitol Hill. One year later, it’s not clear it changed much of anything.
Why it matters: A year ago Friday, Equifax — one of the major credit reporting agencies — announced that 145.5 million U.S. adults had their social security numbers stolen in an easily preventable breach. If any data breach was going to be able to shock Washington into enacting sweeping privacy reforms, this should have been it.
But that didn’t happen: “The initial interest that was implied by congressional actions didn’t pan out,” said Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology (CDT).
What was supposed to happen: After the first of several hearings involving Equifax, Sen. Chuck Grassley (R-Iowa), chair of the Judiciary Committee, said it was “long past time” for federal standards for how companies like Equifax secure data.
What went wrong:
“A lot of issues fall through cracks in the early days of an administration, especially one with so much controversy,” said CDT’s Richardson.
Congress often has difficulty focusing on more than one cybersecurity-related topic at a time. Russia and election security are now in the spotlight.
“Regulation is tough in this political climate,” said Tom Gann, chief public policy officer at McAfee.
The cybersecurity field averages one “this-changes-everything” event a year, none of which actually changes everything. A year before Equifax, there were attacks on the election. In 2015, China hit the Office of Personnel Management. In 2014, North Korea hit Sony.
“For people who think of themselves as privacy experts, they keep waiting for the straw that will break the camel’s back,” said Steven Weber, director of UC-Berkeley’s Center for Long Term Cybersecurity. “The fact is these don’t change the public’s view.”
The London-based airline, the largest in the UK, did not disclose much about the breach, only that hackers stole customer data from its website, ba.com.
In a statement, BA said that the “personal and financial details” of customers who made bookings on BA’s site or app between August 21 and September 5 were compromised, but travel or passport information was not taken.
A spokesperson told TechCrunch that “around 380,000 card payments” were compromised. BA had more than 45 million passengers last year.
Under the new European GDPR data protections laws, the airline can face fines
The U.S. Department of Justice on Thursday announced charges against a North Korean national who is believed to be a member of the notorious Lazarus Group, to which governments and the cybersecurity industry have attributed several high profile attacks.
The suspect is Park Jin Hyok, who according to the DOJ worked for a North Korean government front company known as Chosun Expo Joint Venture and Korea Expo Joint Venture (KEJV). The Democratic People’s Republic of Korea allegedly used this company, which also has offices in China, to support its cyber activities.
The complaint, filed on June 8 in a U.S. District Court in Los Angeles and made public on Thursday, accuses Park and other members of the Lazarus Group of conducting destructive cyberattacks that resulted in “damage to massive amounts of computer hardware and extensive loss of data, money and other resources.”
Malicious actors leveraging an open source mobile device management (MDM) system have been abusing a legitimate iOS feature to hide legitimate applications and trick victims into using malicious counterparts.
The attacks, first exposed by Talos’ security researchers in July, involved the use of malicious versions of five programs (AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp) that were then deployed onto iOS devices to steal messages.
Given how the enrollment process for the MDM works, the security researchers assumed right from the start that the rogue applications were being installed either via direct access to the compromised devices or through sophisticated social engineering. Each step of the enrollment process required user interaction, Talos discovered.
British Airways said Thursday that the personal and financial details of customers making bookings between August 21 and September 5 were stolen in a data breach involving 380,000 bank cards.
“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details,” the airline said in a statement.
“The personal and financial details of customers making bookings on our website and app were compromised,” it said.
“The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.
GRU isn’t as well-known a baleful acronym as KGB or FSB. But Russia’s military intelligence service is attracting increasing attention as allegations mount of devious and deadly operations on and off the field of battle.
The latest charge came Wednesday, when Britain identified two suspects in this year’s nerve-agent poisonings as GRU agents.
A vulnerability discovered in some of Schneider Electric’s Modicon programmable logic controllers (PLCs) may allow malicious actors to cause significant disruption to industrial control systems (ICS).
The flaw was identified by Yehonatan Kfir, CTO of industrial cybersecurity firm Radiflow, as part of an ongoing project whose goal is finding new ICS vulnerabilities. Advisories for this security hole were published recently by both Schneider Electric and ICS-CERT.
The vulnerability, tracked as CVE-2018-7789 and described as an issue related to improper checking for unusual or exceptional conditions, can be exploited by an attacker to remotely reboot Modicon M221 controllers.
According to Schneider, all Modicon M221 controllers running firmware versions prior to 1.6.2.0, which includes a patch for the issue, are impacted.
Beware using your web browser’s autofill feature to log into your broadband router via Wi-Fi and unprotected HTTP. A nearby attacker can attempt to retrieve the username and password.
The problem – found by SureCloud’s Elliott Thompson and detailed here – is the result of a mismatch in browser behavior and router configuration security.
It’s not a particularly scary or an easy-to-leverage vulnerability, and we think most miscreants will find it too much of a faff to exploit. However, it is interesting and quirky, and worth checking out.
Since we published our original report, Google has now resolved the underlying vulnerability. The latest update of Chrome (tested against version 69.0.3497.81) addresses the issue we highlighted in this blog, where credentials are auto-filled on unencrypted HTTP pages. This makes the attack require significantly more user interaction, in the same way that Firefox, Edge Internet Explorer and Safari do. This makes the exploit much closer to a phishing attack and much less likely to succeed.
Tesla recently added to its responsible disclosure guidelines with clarifications that welcome researchers to probe software in its cars for security bugs.
Well-known for its security-aware attitude, the company is now spelling it out to security researchers that they can hack Tesla cars without fear of ending up with a non-running automobile, of voiding the warranty, or of legal liability.
There are some conditions, though. Both the security expert and the vehicle must be registered and approved for carrying security tests as part of the company’s vulnerability reporting program, and the effort must be in good faith.
If these requirements are met, Tesla will offer over-the-air (OTA) assistance to researchers that need their research-registered car to be updated.
Open .git directories are a bigger cybersecurity problem than many might imagine, at least according to a Czech security researcher who discovered almost 400,000 web pages with an open .git directory possibly exposing a wide variety of data.
“Information about the website’s structure, and sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on. However, this data shouldn’t be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices,” Smitka wrote.
Smitka queried 230 million websites to discover the 390,000 allowing access to their .git directories. The vast majority of the websites with open directories had a .com TLD with .net, .de, .org and uk comprising most of the others.
What tends to happen is developers leave the .git folder in a publicly accessible portion of their site and when they go to verify whether or not the folder is protected many are fooled when they use /.git/ and receive an Error 403 message. Smitka noted that this might make it appear as if the folder is inaccessible, but in fact the error message is a false positive.
“Actually, the 403 error is caused by the missing index.html or index.php and disabled autoindex functionality. However, access to the files is still possible,” he said adding the files can possibly even be viewable on Google.
Instead he recommends using /.git/HEAD to ensure the folder is secure.
A 19-year-old man from the United Kingdom who headed a cybercriminal group whose motto was “Feds Can’t Touch Us” pleaded guilty this week to making bomb threats against thousands of schools.
On Aug. 31, officers with the U.K.’s National Crime Agency (NCA) arrested Hertfordshire resident George Duke-Cohan, who admitted making bomb threats to thousands of schools and a United Airlines flight traveling from the U.K. to San Francisco last month.
Tor Project, the not-for-profit body behind the anonymizing Tor browser that lets you access the internet without being tracked, has launched the first official Tor mobile browser app.
Tor Browser for Android is available to install from Google Play now, or the .APK can be downloaded directly from the Tor Project website.
Tom Spring / Threatpost:
Popular anti-adware app in Apple’s Mac App Store, Adware Doctor, surreptitiously steals users’ browsing history and sends it to a Chinese domain
British Airways’s boss has apologised for what he says was a sophisticated breach of the firm’s security systems, and has promised compensation.
Alex Cruz told the BBC that hackers carried out a “sophisticated, malicious criminal attack” on its website.
The airline said personal and financial details of customers making or changing bookings had been compromised.
About 380,000 transactions were affected, but the stolen data did not include travel or passport details.
“We are 100% committed to compensate them, period,” Mr Cruz told the BBC’s Today programme.
“We discovered that something had happened but we didn’t know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack.
“The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”
Washington (CNN)A federal government transparency website made public dozens, if not hundreds, of Social Security numbers and other personal information in a design error during a system upgrade.
The error, on a Freedom of Information Act request portal, was fixed after CNN alerted the government to the situation.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
493 Comments
Tomi Engdahl says:
Belgium adds 28 new scam sites to its cryptocurrency blacklist
People still falling foul of the fake cryptomonnaies sites
https://thenextweb.com/hardfork/2018/09/04/belgium-cryptocurrency-blacklist/
The Belgian Financial Services and Markets Authority (FSMA) has warned netizens about the spread of illegitimate cryptomonnaies and blockchain platforms, as tricksters continue to dupe the general public.
The FSMA has strengthened its warning with an updated list of “cryptomonnaies” (Belgium’s surprizingly mellifluous word for cryptocurrencies) trading sites, which has grown to include over 70 known scams, with 28 being added in the latest update.
Scams in these cases are pretty simple. Users will go to a fake website looking to buy Bitcoin, Ethereum, or other cryptomonnaies. The buyer will send their fiat to the merchant, who then simply walks away, without ever sending the cryptomonnaies owed to the buyer.
Even though the FSMA has issued numerous warnings, and has been updating its list of known scammers since the end of February this year, complaints continue to roll in.
Tomi Engdahl says:
Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records
https://yro.slashdot.org/story/18/09/04/2236213/mobile-spyware-maker-mspy-leaks-millions-of-sensitive-records?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.
For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records
https://krebsonsecurity.com/2018/09/for-2nd-time-in-3-years-mobile-spyware-maker-mspy-leaks-millions-of-sensitive-records/
Tomi Engdahl says:
MikroTik Routers Are Forwarding Owners’ Traffic To Unknown Attackers
https://it.slashdot.org/story/18/09/04/2116202/mikrotik-routers-are-forwarding-owners-traffic-to-unknown-attackers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Attackers have been exploiting vulnerabilities in MikroTik routers to forward network traffic to a handful of IP addresses under their control. “The bug is in Winbox management component and allows a remote attacker to bypass authentication and read arbitrary files,” reports Bleeping Computer. “Exploit code is freely available from at least three sources from at least three sources.”
Thousands of Compromised MikroTik Routers Send Traffic to Attackers
https://www.bleepingcomputer.com/news/security/thousands-of-compromised-mikrotik-routers-send-traffic-to-attackers/
Tomi Engdahl says:
Public IP Addresses of Tor Sites Exposed via SSL Certificates
https://www.bleepingcomputer.com/news/security/public-ip-addresses-of-tor-sites-exposed-via-ssl-certificates/
A security researcher has found a method that can be used to easily identify the public IP addresses of misconfigured dark web servers. While some feel that this researcher is attacking Tor or other similar networks, in reality he is exposing the pitfalls of not knowing how to properly configure a hidden service.
One of the main purposes of setting up a dark web web site on Tor is to make it difficult to identify the owner of the site. In order to properly anonymize a dark web site, though, the administrator must configure the web server properly so that it is only listens on localhost (127.0.0.1) and not on an IP address that is publicly exposed to the Internet.
Yonathan Klijnsma, a threat researcher lead for RiskIQ, has discovered that there are many Tor sites that utilize SSL certificates and also misconfigure a hidden service so that it is accessible via the Internet. As RiskIQ crawls the web and associates any SSL certificate it discovers to it’s hosted IP address, it was easy for Klijnsma to map a misconfigured hidden Tor service with its corresponding public IP address.
Tomi Engdahl says:
Germany concerned about possible ‘sleeper’ cyber sabotage
https://www.reuters.com/article/us-germany-security/germany-concerned-about-possible-sleeper-cyber-sabotage-idUSKCN1LK1DX
BERLIN (Reuters) – A growing number of countries can hack into private computer networks and install malicious software to sabotage another country’s infrastructure, Germany’s domestic spy chief said.
Tomi Engdahl says:
New Banking Trojan Poses As A Security Module
https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/
A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components.
CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.
Tomi Engdahl says:
Hakai IoT botnet infects popular router brands
https://www.itproportal.com/news/hakai-iot-botnet-infects-popular-router-brands/
The growing IoT botnet has now infected routers from D-Link, Huawei and Realtek.
Security researchers have identified a new IoT botnet that has recently made its presence known online after lying dormant for months online.
The Hakai IoT botnet, named after the Japanese word for destruction, was first discovered in June by security researchers at NewSky Security. The first version of this new IoT botnet was based on the IoT malware strain Qbot that leaked online several years ago.
Security researcher at NewSky Security, Ankit Anubhav told ZDNet that the first version of the botnet was unsophisticated and rarely active. However, the author of the botnet initially wanted publicity and requested that Anubhav cover it.
The Hakai botnet then began to takeover user devices in July using the CVE-2017-17215 vulnerability to infect Huawei Hg352 routers. By August though, the botnet gained the attention of other security researchers as it began to spread to even more devices including D-Link routers using the HNAP protocol as well as Realtek routers and IoT devices.
Tomi Engdahl says:
You can’t contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows
https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-exploiting-an-elevation-of-privilege-in-docker-for-windows.html
Tomi Engdahl says:
Google Notifies People Targeted by Secret FBI Investigation
https://motherboard-vice-com.cdn.ampproject.org/c/s/motherboard.vice.com/amp/en_us/article/pawjjn/google-email-secret-fbi-investigation
Dozens of people reported receiving an email from Google revealing a potential FBI investigation into people who purchased malware.
At least dozens of people have received an email from Google informing them that the internet giant responded to a request from the FBI demanding the release of user data, according to several people who claimed to have received the email. The email did not specify whether Google released the requested data to the FBI.
The unusual notice appears to be related to the case of Colton Grubbs, one of the creators of LuminosityLink, a $40 remote access tool (or RAT), that was marketed to hack and control computers remotely. Grubs pleaded guilty last year to creating and distributing the hacking tool to hundreds of people.
Tomi Engdahl says:
Opinion
Australia Wants to Take Government Surveillance to the Next Level
https://www.nytimes.com/2018/09/04/opinion/australia-encryption-surveillance-bill.html
A new bill will help its intelligence agencies circumvent encryption. And what starts Down Under won’t necessarily stay there.
Tomi Engdahl says:
Securing Enterprise Wireless Networks
https://ghoststar.xyz/securing-enterprise-wireless-networks/
In June 2018, the Wi-Fi Alliance began certifying devices that support Wi-Fi Protected Access 3 (WPA3), which replaces WPA2. Users should employ the new standards as WPA3 devices become available.
What security threats do enterprise wireless networks face?
Unlike wired networks, which have robust security tools—such as firewalls, intrusion prevention systems, content filters, and antivirus and anti-malware detection programs—wireless networks (also called Wi-Fi) provide wireless access points that can be susceptible to infiltration. Because they may lack the same protections as wired networks, wireless networks and devices can fall victim to a variety of attacks designed to gain access to an enterprise network. An attacker could gain access to an organization’s network through a wireless access point to conduct malicious activities—including packet sniffing, creating rouge access points, password theft, and man-in-the-middle attacks.
IT security professionals and network administrators should also consider these additional best practices to help safeguard their enterprise Wi-Fi networks:
Tomi Engdahl says:
Maciej Ceglowski / Washington Post:
Democratic campaigns are still struggling with basic email security after two years of constant news reports about the dangers of political hacking
http://www.washingtonpost.com/outlook/2018/09/04/im-teaching-email-security-democratic-campaigns-its-bad/
Tomi Engdahl says:
Lily Hay Newman / Wired:
Google is considering big changes to how URLs are displayed in Chrome so that web identity can be better understandable, plans to share ideas by next spring
Google Wants to Kill the URL
https://www.wired.com/story/google-wants-to-kill-the-url
Google’s Chrome browser turns 10 today, and in its short life it has introduced a lot of radical changes to the web. From popularizing auto-updates to aggressively promoting HTTPS web encryption, the Chrome security team likes to grapple with big, conceptual problems. That reach and influence can be divisive, though, and as Chrome looks ahead to its next 10 years, the team is mulling its most controversial initiative yet: fundamentally rethinking URLs across the web.
Uniform Resource Locators are the familiar web addresses you use every day.
And on mobile devices there isn’t room to display much of a URL at all.
The resulting opacity has been a boon for cyber criminals who build malicious sites to exploit the confusion. They impersonate legitimate institutions, launch phishing schemes, hawk malicious downloads, and run phony web services—all because it’s difficult for web users to keep track of who they’re dealing with. Now the Chrome team says it’s time for a massive change.
“People have a really hard time understanding URLs,”
“They’re hard to read, it’s hard to know which part of them is supposed to be trusted, and in general I don’t think URLs are working as a good way to convey site identity. So we want to move toward a place where web identity is understandable by everyone”
If you’re having a tough time thinking of what could possibly be used in place of URLs, you’re not alone. Academics have considered options over the years, but the problem doesn’t have an easy answer
The focus right now, they say, is on identifying all the ways people use URLs to try to find an alternative that will enhance security and identity integrity on the web while also adding convenience for everyday tasks like sharing links on mobile devices.
Tomi Engdahl says:
Google’s new $50 gadget is the best way to keep your accounts safe
https://www.cnbc.com/2018/08/29/google-titan-security-key-review.html?__source=facebook%7Cmain
Google recently launched a new Titan security key that helps add extra security to your account.
Only someone with the key can access your Google account, or others you’ve configured, like Facebook and Dropbox.
The $50 bundle gives peace of mind, but losing the keys could mean being locked out of your accounts for days.
Tomi Engdahl says:
Why is Google selling potentially compromised Chinese security keys?
https://www.zdnet.com/article/google-launches-titan-security-keys-but-recommends-keys-from-chinese-firm-with-military-links-in/
Opinion: To sign up for Google’s Advanced protection program, you must buy security keys from a Chinese vendor. Security questions have since been raised considering current intelligence laws in China.
Google is offering a Chinese security product to those who need protection the most.
On Thursday, Sam Srinivas, Director of Product Management at Google Cloud, revealed the launch of Titan Security Keys in the Google Store.
The Titan Security Keys, which are now up for sale in the official US store, are described as “phishing-resistant two-factor authentication (2FA) devices that help protect high-value users such as IT admins.”
“Titan Security Keys work with popular browsers and a growing ecosystem of services that support FIDO standards,” the company added. “They are built with a hardware chip that includes firmware engineered by Google to verify the integrity of the key.”
In a separate blog post written by Christiaan Brand, Product Manager of Google Cloud, the executive says that the Titan Security Keys “can be used anywhere security keys are supported as a second factor of authentication, including Google’s Advanced Protection Program.”
The Advanced Protection Program is directed at those who may be at more risk of targeted attacks, such as journalists, activists, executives, and politicians.
However, should you sign up, you are not forwarded to the Google Store to purchase the keys imbued with Google’s “special sauce” — instead, if you click “get started,” you are directed to a page which says you will need two security keys, one for primary use and another as a backup.
While the backup option required as a purchase from Amazon, the Yubico FIDO U2F Security Key, looks legitimate, the first and main key you are asked to buy is potentially problematic.
At the time of writing, that option is the Feitian MultiPass FIDO Security Key.
those in the UK are directed to the Chinese vendor’s website
As noted in July by an IT consultant, it appears the Titan is the same hardware, just sold under a different brand name.
Founded in 1998, Feitian Technologies is based in China and provides security solutions for the banking, financial, telecommunications and government sectors.
“companies in China aren’t able to refuse to engage in intelligence activities.”
The problem here is not that Feitian is responsible for any cyberthreats, surveillance, or direct attacks against those who need additional protection the most. Rather, the decisions Google seems to be making by being so deeply connected to a Chinese company could potentially undermine the entire protection program.
Google’s program is designed to protect the sort of individuals whom the Chinese government may have serious interest in, such as activists and those speaking out against the country’s government.
By directing those in the protection program directly to the vendor for hardware which is not implemented with Google’s own brand of firmware — the so-called “special sauce” — there is the possibility of different firmware being used, backdoors imbued at both the hardware and firmware level, or other forms of tampering at the manufacturing stage — all of which would be outside Google’s control.
So why does the variant of the key on the Google Store offer Google firmware, whilst the keys required for the protection program do not?
The backup key is produced by Yubico.
The once-celebrated Google motto of “Don’t be evil” may be a thing of the past but the idea that Google is promoting the use of hardware to those that require additional security — which may, one day, become the very thing that compromises their privacy and identities — is deeply unsettling.
Tomi Engdahl says:
Cyberwar: What happens when a nation-state cyber attack kills?
https://www.zdnet.com/article/cyberwar-what-happens-when-a-nation-state-issued-cyber-attack-kills/
A cyber attack that kills someone is getting ever more likely. What happens then is a big — and scary –question.
The increasing sophistication and power of state-backed cyber attacks has led some experts to fear that, sooner or later, by design or by accident, one of these incidents will result in somebody getting killed.
“Nation-states are getting more sophisticated and they’re getting more brazen. They’re getting less worried about being caught and being named — and of course that’s a feature of geopolitics,”
Tomi Engdahl says:
Hakai Iot Botnet Wages War Against D-Link and Huawei Routers
https://securityboulevard.com/2018/09/hakai-iot-botnet-wages-war-against-d-link-and-huawei-routers/
The Hakai IoT botnet is a dangerous threat that is being distributed in a global attack campaign targeting home routers of all popular brands. It is built on the foundations of an older threat featuring heavy upgrades.
The attacks began by probing Huawei Hg352 routers with the CVE-2017-17215 exploit.
Affected systems will react if malicious packets are sent over port 37215. To counter any possible abuse the owners of these devices should update their firmware to the latest available version.
Hakai IoT botnet was upgraded to act against a wider range of devices — D-Link Routers using the HNAP protocol, generic IoT devices and Realtek routers.
Tomi Engdahl says:
Cisco Patches Serious Flaws in RV, SD-WAN, Umbrella Products
https://www.securityweek.com/cisco-patches-serious-flaws-rv-sd-wan-umbrella-products
Cisco informed customers on Wednesday that patches are available for over a dozen critical and high severity vulnerabilities affecting the company’s RV series, SD-WAN, Umbrella and other products.
Two of the flaws have been rated “critical” by Cisco. One of them, CVE-2018-0423, is a buffer overflow vulnerability in the web-based management interface of various RV series firewalls and routers. The security hole allows a remote and unauthenticated attacker to cause a denial-of-service (DoS) condition or to execute arbitrary code.
The second flaw assigned a “critical” rating by the networking giant is CVE-2018-0435 and it impacts the Cisco Umbrella API. A remote attacker could leverage the vulnerability to read or modify data across multiple organizations, but exploitation requires authentication. Cisco noted that the bug has been addressed in the API and no user interaction is required to apply the patch.
Tomi Engdahl says:
Windows Zero-Day Exploited in Targeted Attacks by ‘PowerPool’ Group
https://www.securityweek.com/windows-zero-day-exploited-targeted-attacks-powerpool-group
A threat group tracked by security firm ESET as “PowerPool” has been exploiting a Windows zero-day vulnerability to elevate the privileges of a backdoor in targeted attacks.
The flaw was disclosed on August 27 by a researcher who uses the online moniker “SandboxEscaper.” The security hole was not reported to Microsoft before its details were made public – including a compiled exploit and its source code – as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.
Other members of the industry quickly confirmed the vulnerability, which seems to affect the Advanced Local Procedure Call (ALPC) interface of the Windows Task Scheduler. Malicious actors with local access to the targeted device can exploit the flaw to escalate privileges to SYSTEM by overwriting files that should normally be protected by filesystem access control lists (ACLs).
Tomi Engdahl says:
Iranian Hackers Improve Recently Used Cyber Weapon
https://www.securityweek.com/iranian-hackers-improve-recently-used-cyber-weapon
The Iran-linked cyberespionage group OilRig was recently observed using a variant of the OopsIE Trojan that was updated with new evasion capabilities, Palo Alto Networks reports.
The group has been persistently targeting government entities in the Middle East with previously identified tools and tactics, including the OopsIE Trojan that was first identified in February 2018. Unlike previously observed samples, the new iteration packs anti-analysis and anti-virtual machine capabilities, which allows it to further evade detection.
Tomi Engdahl says:
Mozilla Appoints New Policy, Security Chief
https://www.securityweek.com/mozilla-appoints-new-policy-security-chief
Mozilla on Tuesday announced that Alan Davidson has been named the organization’s new Vice President of Global Policy, Trust and Security.
According to Mozilla Chief Operating Officer Denelle Dixon, Davidson will work with her on scaling and reinforcing the organization’s “policy, trust and security capabilities and impact.”
His responsibilities will also include leading Mozilla’s public policy work on promoting an open and “healthy” Internet, and supervising a security and trust team whose focus is on promoting “innovative privacy and security features.”
Tomi Engdahl says:
Latest Version of Chrome Improves Password Management, Patches 40 Flaws
https://www.securityweek.com/latest-version-chrome-improves-password-management-patches-40-flaws
Google this week celebrates 10 years of its Chrome web browser with the release of a new version that provides users with security improvements, new features, and patches for 40 vulnerabilities.
The highly popular web browser now has an improved password manager that makes it easier for users to have a unique and strong password for each site. When a user is setting a new password, Chrome can generate it and save it, so that it is easily accessible on both computers and phones.
Chrome 69 also brings updated site indicators, as it no longer marks HTTPS websites with a green lock. Instead, the indicator is now grey, given that Google considers HTTPS connections the norm.
Tomi Engdahl says:
WordPress Database Upgrade Phishing Campaign
https://blog.sucuri.net/2018/09/wordpress-database-upgrade-phishing-campaign.html
We have recently been notified of phishing emails that target WordPress users. The content informs site owners that their database requires an update
The email’s appearance resembles that of a legitimate WordPress update message, however the content includes typos and uses an older messaging style. Another suspicious item in the content is the deadline. WordPress wouldn’t define deadlines without a valid explanation, and hosting providers wouldn’t either
Fake Upgrade
If you click on the “Upgrade” button, a fake WordPress login page opens ready to collect your credentials. That page was created on a hacked but legitimate website. In one sample, it was in the /lop/ subdirectory, and in another case it was in the /so/ subdirectory.
Clicking on the “Upgrade WordPress Database” button completes the final step of the attack and sends your credentials and website address to the attackers.
Precautions
Even if your site software is up to date and fully patched, hackers may still be able to break into it if you give them your credentials. Phishing attacks against common CMS’ often try to fool webmasters into opening a web page that resembles a standard login page and type their credentials there without verifying the address of the page.
In the case above, attackers used a mailer on a compromised website as a delivery mechanism to send their phishing email campaign and collect the credentials of other WordPress users.
Tomi Engdahl says:
OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. As observed in previous attack campaigns, the tools used are not an exact duplicate of the previous attack and instead is an iterative variant. In this instance a spear phishing email was used containing a lure designed to socially engineer and entice the victim to executing a malicious attachment. The attachment was identified as a variant of the OopsIE trojan we identified in February 2018. In this iteration of OopsIE, the general functionality largely remained the same but contained the addition of anti-analysis and anti-virtual machine capabilities to further evade detection from automated defensive systems.
Tomi Engdahl says:
Threat Actors Peddling Weaponized IQY Files Via Necurs Botnet
https://securityintelligence.com/threat-actors-peddling-weaponized-iqy-files-via-necurs-botnet/
IQ What? Why?
What is an IQY file attachment, and why is it the flavor of the month for threat actors? Microsoft Excel uses this type of file to pull data from the internet into a spreadsheet. To do that, a URL is embedded into an IQY file, and the file facilitates pulling the data from the specified webpage.
While IQY file extensions may sound foreign to many users, if you look at enterprise-level networks that use SharePoint, a web-based collaborative platform that integrates with Microsoft Office, for example, you would be sure to find many instances where IQY files are used.
Tomi Engdahl says:
PowerPool malware exploits ALPC LPE zero-day vulnerability
https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
Malware from newly uncovered group PowerPool exploits zero-day vulnerability in the wild, only two days after its disclosure
Tomi Engdahl says:
Someone Hijacked MEGA Chrome Extension to Steal Users’ Passwords
https://thehackernews.com/2018/09/mega-file-upload-chrome-extension.html
Warning! If you are using Chrome browser extension from the MEGA file storage service, uninstall it right now.
The official Chrome extension for the MEGA.nz cloud storage service had been compromised and replaced with a malicious version that can steal users’ credentials for popular websites like Amazon, Microsoft, Github, and Google, as well as private keys for users’ cryptocurrency wallets.
On 4 September at 14:30 UTC, an unknown attacker managed to hack into MEGA’s Google Chrome web store account and upload a malicious version 3.39.4 of an extension to the web store, according to a blog post published by the company.
https://mega.nz/blog_47
Tomi Engdahl says:
US Treasury sanctions North Korea over Sony hack and WannaCry attack
https://techcrunch.com/2018/09/06/us-treasury-sanctions-north-korean-hackers-over-sony-hack-wannacry-attack/?sr_share=facebook&utm_source=tcfbpage
AdChoices
US Treasury sanctions North Korea over Sony hack and WannaCry attack
Zack Whittaker
@zackwhittaker / 11 minutes ago
Sony Pictures Entertainment Inc. Studios As Cyber Attack Repercussions Continue
The US government has issued sanctions against a North Korea individual and an entity over historical cyberattacks, which wreaked billions of dollars in damages.
In a statement, the US Treasury named North Korean programmer Park Jin Jyok for working on behalf of Pyongyang for his involvement in carrying out several cyberattacks against US and global targets. The statement said Park was responsible for a hack on Sony Pictures in 2016
“North Korea has demonstrated a pattern of disruptive and harmful cyber activity that is inconsistent with the growing consensus on what constitutes responsible state behavior in cyberspace,” the Treasury statement read.
“Our policy is to hold North Korea accountable and demonstrate to the regime that there is a cost to its provocative and irresponsible actions.”
Tomi Engdahl says:
Cisco warns customers of critical security flaws, advisory includes Apache Struts
https://www.zdnet.com/article/cisco-warns-customers-of-critical-security-flaws-advisory-includes-apache-struts/
The massive security update includes a patch for the recently-disclosed Apache bug — but not all products will be fixed yet.
Tomi Engdahl says:
Chris Ip / Engadget:
How 30+ popular tech companies, from social networks to dating apps, responded to requests for personal data; how they interpret that data remains opaque
http://www.engadget.com/2018/09/04/who-controls-your-data/
Tomi Engdahl says:
Joe Uchill / Axios:
A year after the Equifax breach became public, Congress has failed to advance any legislation and the Trump administration has halted a CFPB investigation
After Equifax’s mega-breach, nothing changed
https://www.axios.com/after-equifaxs-mega-breach-nothing-changed-1536241622-baf8e0cf-d727-43db-b4d4-77c7599fff1e.html
The Equifax data breach was supposed to change everything about cybersecurity regulation on Capitol Hill. One year later, it’s not clear it changed much of anything.
Why it matters: A year ago Friday, Equifax — one of the major credit reporting agencies — announced that 145.5 million U.S. adults had their social security numbers stolen in an easily preventable breach. If any data breach was going to be able to shock Washington into enacting sweeping privacy reforms, this should have been it.
But that didn’t happen: “The initial interest that was implied by congressional actions didn’t pan out,” said Michelle Richardson, director of the Privacy and Data Project at the Center for Democracy and Technology (CDT).
What was supposed to happen: After the first of several hearings involving Equifax, Sen. Chuck Grassley (R-Iowa), chair of the Judiciary Committee, said it was “long past time” for federal standards for how companies like Equifax secure data.
What went wrong:
“A lot of issues fall through cracks in the early days of an administration, especially one with so much controversy,” said CDT’s Richardson.
Congress often has difficulty focusing on more than one cybersecurity-related topic at a time. Russia and election security are now in the spotlight.
“Regulation is tough in this political climate,” said Tom Gann, chief public policy officer at McAfee.
The cybersecurity field averages one “this-changes-everything” event a year, none of which actually changes everything. A year before Equifax, there were attacks on the election. In 2015, China hit the Office of Personnel Management. In 2014, North Korea hit Sony.
“For people who think of themselves as privacy experts, they keep waiting for the straw that will break the camel’s back,” said Steven Weber, director of UC-Berkeley’s Center for Long Term Cybersecurity. “The fact is these don’t change the public’s view.”
Tomi Engdahl says:
British Airways customer data stolen in data breach
https://techcrunch.com/2018/09/06/british-airways-customer-data-stolen-in-data-breach/?utm_source=tcfbpage&sr_share=facebook
British Airways has confirmed a data breach.
The London-based airline, the largest in the UK, did not disclose much about the breach, only that hackers stole customer data from its website, ba.com.
In a statement, BA said that the “personal and financial details” of customers who made bookings on BA’s site or app between August 21 and September 5 were compromised, but travel or passport information was not taken.
A spokesperson told TechCrunch that “around 380,000 card payments” were compromised. BA had more than 45 million passengers last year.
Under the new European GDPR data protections laws, the airline can face fines
Tomi Engdahl says:
British Airways Loses Customer Payment Card Data in Breach
https://www.bleepingcomputer.com/news/security/british-airways-loses-customer-payment-card-data-in-breach/
British Airways today announced the theft of customer data from its website and mobile application.
Customers that used the airline’s website and mobile application to make bookings between August 21 and September 5 are affected by the incident.
personal and financial details of 380.000 customers were accessed by an unauthorized party.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8405-hp-haluaa-hakkerit-tulostimiensa-kimppuun
2018 State of Bug Bounty Report
https://www.bugcrowd.com/resource/2018-state-of-bug-bounty-report/
Tomi Engdahl says:
U.S. Charges North Korean Over Lazarus Group Hacks
https://www.securityweek.com/us-charges-north-korean-over-lazarus-group-hacks
The U.S. Department of Justice on Thursday announced charges against a North Korean national who is believed to be a member of the notorious Lazarus Group, to which governments and the cybersecurity industry have attributed several high profile attacks.
The suspect is Park Jin Hyok, who according to the DOJ worked for a North Korean government front company known as Chosun Expo Joint Venture and Korea Expo Joint Venture (KEJV). The Democratic People’s Republic of Korea allegedly used this company, which also has offices in China, to support its cyber activities.
The complaint, filed on June 8 in a U.S. District Court in Los Angeles and made public on Thursday, accuses Park and other members of the Lazarus Group of conducting destructive cyberattacks that resulted in “damage to massive amounts of computer hardware and extensive loss of data, money and other resources.”
Tomi Engdahl says:
Attackers Abuse Age Restrictions to Hide Apps on iOS Devices
https://www.securityweek.com/attackers-abuse-age-restrictions-hide-apps-ios-devices
Malicious actors leveraging an open source mobile device management (MDM) system have been abusing a legitimate iOS feature to hide legitimate applications and trick victims into using malicious counterparts.
The attacks, first exposed by Talos’ security researchers in July, involved the use of malicious versions of five programs (AppsSLoader, Telegram, WhatsApp, PrayTime, and MyApp) that were then deployed onto iOS devices to steal messages.
Given how the enrollment process for the MDM works, the security researchers assumed right from the start that the rogue applications were being installed either via direct access to the compromised devices or through sophisticated social engineering. Each step of the enrollment process required user interaction, Talos discovered.
Tomi Engdahl says:
British Airways Hacked With Details of 380,000 Cards Stolen
https://www.securityweek.com/british-airways-hacked-details-380000-cards-stolen
British Airways said Thursday that the personal and financial details of customers making bookings between August 21 and September 5 were stolen in a data breach involving 380,000 bank cards.
“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app. The stolen data did not include travel or passport details,” the airline said in a statement.
“The personal and financial details of customers making bookings on our website and app were compromised,” it said.
“The breach has been resolved and our website is working normally. We have notified the police and relevant authorities.
Tomi Engdahl says:
Malware Found on USB Drives Shipped With Schneider Solar Products
https://www.securityweek.com/malware-found-usb-drives-shipped-schneider-solar-products
Tomi Engdahl says:
What’s GRU? A Look at Russia’s Shadowy Military Spies
https://www.securityweek.com/whats-gru-look-russias-shadowy-military-spies
GRU isn’t as well-known a baleful acronym as KGB or FSB. But Russia’s military intelligence service is attracting increasing attention as allegations mount of devious and deadly operations on and off the field of battle.
The latest charge came Wednesday, when Britain identified two suspects in this year’s nerve-agent poisonings as GRU agents.
An overview of the GRU
Tomi Engdahl says:
Flaw in Schneider PLC Allows Significant Disruption to ICS
https://www.securityweek.com/flaw-schneider-plc-allows-significant-disruption-ics
A vulnerability discovered in some of Schneider Electric’s Modicon programmable logic controllers (PLCs) may allow malicious actors to cause significant disruption to industrial control systems (ICS).
The flaw was identified by Yehonatan Kfir, CTO of industrial cybersecurity firm Radiflow, as part of an ongoing project whose goal is finding new ICS vulnerabilities. Advisories for this security hole were published recently by both Schneider Electric and ICS-CERT.
The vulnerability, tracked as CVE-2018-7789 and described as an issue related to improper checking for unusual or exceptional conditions, can be exploited by an attacker to remotely reboot Modicon M221 controllers.
According to Schneider, all Modicon M221 controllers running firmware versions prior to 1.6.2.0, which includes a patch for the issue, are impacted.
Tomi Engdahl says:
Take a pinch of autofill, mix in HTTP, and bake on a Wi-Fi admin page: Quirky way to swipe a victim’s router password
If they fall for this social-engineering trick, of course
https://www.theregister.co.uk/2018/09/06/wifi_browser_autofill_chrome/
Beware using your web browser’s autofill feature to log into your broadband router via Wi-Fi and unprotected HTTP. A nearby attacker can attempt to retrieve the username and password.
The problem – found by SureCloud’s Elliott Thompson and detailed here – is the result of a mismatch in browser behavior and router configuration security.
It’s not a particularly scary or an easy-to-leverage vulnerability, and we think most miscreants will find it too much of a faff to exploit. However, it is interesting and quirky, and worth checking out.
Wi-Jacking: Accessing your neighbour’s WiFi without cracking
https://www.surecloud.com/sc-blog/wifi-hijacking
Since we published our original report, Google has now resolved the underlying vulnerability. The latest update of Chrome (tested against version 69.0.3497.81) addresses the issue we highlighted in this blog, where credentials are auto-filled on unencrypted HTTP pages. This makes the attack require significantly more user interaction, in the same way that Firefox, Edge Internet Explorer and Safari do. This makes the exploit much closer to a phishing attack and much less likely to succeed.
Tomi Engdahl says:
Tesla Will Restore Car Firmware/OS When Hacking Goes Wrong
https://www.bleepingcomputer.com/news/security/tesla-will-restore-car-firmware-os-when-hacking-goes-wrong/
Tesla recently added to its responsible disclosure guidelines with clarifications that welcome researchers to probe software in its cars for security bugs.
Well-known for its security-aware attitude, the company is now spelling it out to security researchers that they can hack Tesla cars without fear of ending up with a non-running automobile, of voiding the warranty, or of legal liability.
There are some conditions, though. Both the security expert and the vehicle must be registered and approved for carrying security tests as part of the company’s vulnerability reporting program, and the effort must be in good faith.
If these requirements are met, Tesla will offer over-the-air (OTA) assistance to researchers that need their research-registered car to be updated.
Tomi Engdahl says:
400,000 websites vulnerable through exposed .git directories
https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/
Open .git directories are a bigger cybersecurity problem than many might imagine, at least according to a Czech security researcher who discovered almost 400,000 web pages with an open .git directory possibly exposing a wide variety of data.
“Information about the website’s structure, and sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on. However, this data shouldn’t be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices,” Smitka wrote.
Smitka queried 230 million websites to discover the 390,000 allowing access to their .git directories. The vast majority of the websites with open directories had a .com TLD with .net, .de, .org and uk comprising most of the others.
What tends to happen is developers leave the .git folder in a publicly accessible portion of their site and when they go to verify whether or not the folder is protected many are fooled when they use /.git/ and receive an Error 403 message. Smitka noted that this might make it appear as if the folder is inaccessible, but in fact the error message is a false positive.
“Actually, the 403 error is caused by the missing index.html or index.php and disabled autoindex functionality. However, access to the files is still possible,” he said adding the files can possibly even be viewable on Google.
Instead he recommends using /.git/HEAD to ensure the folder is secure.
Tomi Engdahl says:
U.S. Charges North Korean Spy Over WannaCry and Sony Pictures Hack
https://thehackernews.com/2018/09/wannacry-north-korea-hacks.html
Tomi Engdahl says:
Fallout Exploit Kit Used in Malvertising Campaign to Deliver GandCrab Ransomware
https://www.fireeye.com/blog/threat-research/2018/09/fallout-exploit-kit-used-in-malvertising-campaign-to-deliver-gandcrab-ransomware.html
Tomi Engdahl says:
Leader of DDoS-for-Hire Gang Pleads Guilty to Bomb Threats
https://krebsonsecurity.com/2018/09/leader-of-ddos-for-hire-gang-pleads-guilty-to-bomb-threats/
A 19-year-old man from the United Kingdom who headed a cybercriminal group whose motto was “Feds Can’t Touch Us” pleaded guilty this week to making bomb threats against thousands of schools.
On Aug. 31, officers with the U.K.’s National Crime Agency (NCA) arrested Hertfordshire resident George Duke-Cohan, who admitted making bomb threats to thousands of schools and a United Airlines flight traveling from the U.K. to San Francisco last month.
Tomi Engdahl says:
Paul Sawers / VentureBeat:
Tor launches a mobile Tor browser, now available on Android through the Play store or as a direct download
Tor gets its first official mobile browser
https://venturebeat.com/2018/09/07/tor-gets-its-first-official-mobile-browser/
Tor Project, the not-for-profit body behind the anonymizing Tor browser that lets you access the internet without being tracked, has launched the first official Tor mobile browser app.
Tor Browser for Android is available to install from Google Play now, or the .APK can be downloaded directly from the Tor Project website.
https://play.google.com/store/apps/details?id=org.torproject.torbrowser_alpha
Tomi Engdahl says:
Tom Spring / Threatpost:
Popular anti-adware app in Apple’s Mac App Store, Adware Doctor, surreptitiously steals users’ browsing history and sends it to a Chinese domain
Top MacOS App Exfiltrates Browser Histories Behind Users’ Backs
https://threatpost.com/top-macos-app-exfiltrates-browser-histories-behind-users-backs/137247/
A macOS App called Adware Doctor blocks ads, but share’s user browser history with a China-based domain.
Tomi Engdahl says:
British Airways boss apologises for ‘malicious’ data breach
https://www.bbc.co.uk/news/uk-england-london-45440850
British Airways’s boss has apologised for what he says was a sophisticated breach of the firm’s security systems, and has promised compensation.
Alex Cruz told the BBC that hackers carried out a “sophisticated, malicious criminal attack” on its website.
The airline said personal and financial details of customers making or changing bookings had been compromised.
About 380,000 transactions were affected, but the stolen data did not include travel or passport details.
“We are 100% committed to compensate them, period,” Mr Cruz told the BBC’s Today programme.
“We discovered that something had happened but we didn’t know what it was [on Wednesday evening]. So overnight, teams were trying to figure out the extent of the attack.
“The first thing was to find out if it was something serious and who it affected or not. The moment that actual customer data had been compromised, that’s when we began immediate communication to our customers.”
Tomi Engdahl says:
Exclusive: Government transparency site revealed Social Security numbers, other personal info
https://edition.cnn.com/2018/09/03/politics/foia-revealed-social-security-numbers/index.html
Washington (CNN)A federal government transparency website made public dozens, if not hundreds, of Social Security numbers and other personal information in a design error during a system upgrade.
The error, on a Freedom of Information Act request portal, was fixed after CNN alerted the government to the situation.