Cyber Security September 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news in the comments of this article.


493 Comments

  1. Tomi Engdahl says:

    Crypto Mining in a Windows Headless Browser
    https://isc.sans.edu/forums/diary/Crypto+Mining+in+a+Windows+Headless+Browser/24078/

    Crypto miners in the browser are not new. Delivery through a malicious or compromised piece of JavaScript code is common these days (see my previous diary about this topic[1]). This time, it’s another way to deliver the crypto miner that we found in a sample reported by one of our readers.

    What if the victim does not run a browser? What happens if the victim closes it? No problem, just fire one in headless mode to remain stealthy! Indeed, all modern browsers can be run in headless mode (read: without graphical interface).

  2. Tomi Engdahl says:

    Vulnerability Spotlight: CVE-2018-3952 / CVE-2018-4010 – Multi-provider VPN Client Privilege Escalation Vulnerabilities
    https://blog.talosintelligence.com/2018/09/vulnerability-spotlight-Multi-provider-VPN-Client-Privilege-Escalation.html

  3. Tomi Engdahl says:

    Veeam server lapse leaks over 440 million email addresses
    https://techcrunch.com/2018/09/11/veeam-security-lapse-leaked-over-440-million-email-addresses/?sr_share=facebook&utm_source=tcfbpage

    You know what isn’t a good look for a data management software company? A massive mismanagement of your own customer data.

    Veeam, a backup and data recovery company, bills itself as a data giant that among other things can “anticipate need and meet demand, and move securely across multi-cloud infrastructures,” but is believed to have mislaid its own database of customer records.

    Security researcher Bob Diachenko found an exposed database containing more than 200 gigabytes of customer records, mostly names, email addresses, and in some cases IP addresses.

    It’s not the first time a massive database of email addresses has leaked online. An exposed database run by River City Media leaked over 393 million email addresses in 2017.

  4. Tomi Engdahl says:

    Novel Attack Technique Uses Smart Light Bulbs to Steal Data
    https://www.bleepingcomputer.com/news/security/novel-attack-technique-uses-smart-light-bulbs-to-steal-data/

    Researchers have determined that some light bulbs are suitable for covert data exfiltration from personal devices, and can leak multimedia preferences by recording their luminance patterns from afar.

    For the light sources to become an attack surface, they need to meet some requirements such as support for multimedia visualizations and infrared capabilities.

    The adversary does not need to attack the internal network of the victim to extract the information. They only need a direct connection between the target device and the lights, and line-of-sight with bulbs during the exfiltration process.

  5. Tomi Engdahl says:

    Hacker exploits EOS betting platform to ‘win’ jackpot 24 times in a row
    EOS gambling dApps are being picked apart
    https://thenextweb.com/hardfork/2018/09/10/eos-betting-platform-hacked/

    An EOS-based decentralized app (dApp) has been paying out big time. Betting platform DEOSGames was drained of a significant chunk of its operating funds in a heist that netted one ‘lucky’ punter almost $24,000.

    Over less than an hour, a decentralized dice betting game paid its jackpot 24 times to just one individual.

    The wins were seemingly automatic. Each and every time runningsnail deposited 10 EOS, the jackpot was paid within an average of 30 seconds.

    DEOSGames has confirmed the exploit on its social channels. “Yesterday, we got a malicious contract exploit our contract, ” a statement read. “It is a good stress test and we got significant improvements on contract level.”

  6. Tomi Engdahl says:

    32 East Bay street gang members arrested in million-dollar fraud scheme
    https://m.sfgate.com/crime/article/32-East-Bay-street-gang-members-arrested-in-13218991.php

    The BullyBoys and CoCo Boys street gangs, who both have roots in Antioch, Pittsburg, and Bay Point, allegedly burglarized medical and dental businesses in 13 counties in Northern California.

    According to authorities, suspects stole and ran fraudulent returns on credit card terminals, placing the money on debit cards for their own use.

  7. Tomi Engdahl says:

    Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims
    https://www.riskiq.com/blog/labs/magecart-british-airways-breach/

    On September 6th, British Airways announced it had suffered a breach resulting in the theft of customer data. In interviews with the BBC, the company noted that around 380,000 customers could have been affected and that the stolen information included personal and payment information but not passport information.

    On its website, British Airways placed an article explaining details of the incident that answered as many questions as possible for customers. The technical details were sparse but included the following pieces of information:

    Payments through its main website were affected
    Payments through its mobile app were affected
    Payments were affected from 22:58 BST August 21, 2018, until 21:45 BST September 5, 2018

    The report also stated very clearly that information was stolen from the British Airways website and mobile app but did not mention breaches of anything else, namely databases or servers—anything indicating the breach affected more than the payment information entered into the website. Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart.

    Magecart: A Familiar Adversary

    Since 2016, RiskIQ has reported on the use of web-based card skimmers operated by the threat group Magecart. Traditionally, criminals use devices known as card skimmers—devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day—to steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Magecart uses a digital variety of these devices.

    Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.

    Finding the Breach of British Airways

    Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits. Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code. Customer notifications through our products are automated, but our research team searches for any instances outside of these workspaces manually and adds them to our global blacklists. In the case of the British Airways breach, we had no hits in our blacklist incidents or suspects because the Magecart actors customized their skimmer in this case.

    Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2 to be precise. The script was loaded from the baggage claim information page on the British Airways website

    The noted change was at the bottom of the script, a technique we often see when attackers modify JavaScript files to not break functionality.

    On websites, mouseup and touchend are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.

    This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.

    The infrastructure used in this attack was set up only with British Airways in mind

    Mobile Skimming

    In the security advisory from British Airways, the company made note that both the web app and the mobile app users were affected. We found the skimmer on the webpage for British Airways, but how does that translate to mobile? To figure this out we’ll look at the British Airways Android application

    Often, when developers build a mobile app, they make an empty shell and load content from elsewhere. In the case of British Airways, a portion of the app is native but the majority of its functionality loads from web pages from the official British Airways website.

  8. Tomi Engdahl says:

    Generally Disclosing Pretty Rapidly: GDPR strapped a jet engine on hacked British Airways
    Suddenly, corps in a rush to fess up to e-break-ins
    https://www.theregister.co.uk/2018/09/12/ba_equifax_breach_notification_speed/

    Analysis If Equifax’s mother-of-all-security-disasters last year underlined one thing, it was that big companies think they can weather just about anything cybercriminals – and regulators – can throw at them.

    It all stands in fascinating contrast to what is happening in the UK and Europe, where the mood over database security breaches is darkening. It’s not that there are necessarily more of them so much as the speed with which they are being revealed.

    Last week’s British Airways hack makes an interesting case study, not simply because of the technically embarrassing fact cybercriminals were able to skim up to 380,000 transactions in real time but the speed with which the company owned up to the calamity.

    Confessions
    According to BA, the attack began at 22:58 BST on August 21, and was stopped at 21:45 BST on September 5. This meant BA had taken 15 days to notice hackers were grabbing its customers’ card numbers, but under 24 hours to tell the world via Twitter and email – a contender for a world record for computer security breach confessions.

    Security analysts RiskIQ have speculated that the same gang was behind June’s Ticketmaster web breach, which took a still fairly rapid five days to surface after being discovered on June 23.

    Compare this haste to Equifax, which detected its breach on July 29 last year, but only told the world months later on September 7.

    Why the sudden hurry? In the case of BA, officially, the answer is Article 33 of Europe’s GDPR, under which cyber-break-ins involving personal data must be reported within 72 hours.

    “This is definitely due to the awareness and the run up to the GDPR,”

    “Crisis management is a relatively new yet vitally important area to focus on. As more chief staff realise that it’s a case of when rather than if a breach occurs, it is highly possible that more businesses have a ready-made crisis procedure waiting for a potential strike,” said ESET security specialist, Jake Moore.

  9. Tomi Engdahl says:

    Address Bar Spoofing Flaw Found in Edge, Safari
    https://www.securityweek.com/address-bar-spoofing-flaw-found-edge-safari

    A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.

  10. Tomi Engdahl says:

    Microsoft Patches Windows Zero-Day Disclosed via Twitter
    https://www.securityweek.com/microsoft-patches-windows-zero-day-disclosed-twitter

    Microsoft’s Patch Tuesday updates for September 2018 address over 60 vulnerabilities, including a zero-day disclosed by a researcher and exploited shortly after by a threat actor.

    The actively exploited flaw, identified as CVE-2018-8440, was disclosed on August 27 by a researcher who uses the online moniker SandboxEscaper. The security hole was not reported to Microsoft before its existence was disclosed via Twitter as SandboxEscaper was apparently frustrated with the company’s vulnerability reporting process.

    The privilege escalation vulnerability, which according to Microsoft exists when Windows improperly handles calls to the Advanced Local Procedure Call (ALPC) interface of the Task Scheduler, can be exploited by an authenticated attacker to execute code with elevated privileges.

  11. Tomi Engdahl says:

    British Airways, Another Victim of Ongoing Magecart Attacks
    https://www.securityweek.com/british-airways-another-victim-ongoing-magecart-attacks

    The data breach that British Airways said last week to have impacted 380,000 of its users was caused by an attack from Magecart, a threat group known for the use of web-based card skimmers.

  12. Tomi Engdahl says:

    Adobe Patches Vulnerabilities in Flash Player, ColdFusion
    https://www.securityweek.com/adobe-patches-vulnerabilities-flash-player-coldfusion

    Adobe’s Patch Tuesday updates for September 2018 address a total of 10 vulnerabilities in Flash Player and ColdFusion, but none of the flaws appear too serious.

    Only one security hole has been patched in Flash Player. Version 31.0.0.108 fixes CVE-2018-15967, a privilege escalation issue that can lead to information disclosure.

    The vulnerability, reported to Adobe by Microsoft’s Security Response Center, has been rated “important” with a priority rating of 2, which indicates that the vendor does not expect to see it being exploited in the wild.

  13. Tomi Engdahl says:

    OpenSSL 1.1.1 Released With TLS 1.3, Security Improvements
    https://www.securityweek.com/openssl-111-released-tls-13-security-improvements

    The OpenSSL Project on Tuesday announced the release of OpenSSL 1.1.1, the new Long Term Support (LTS) version of the cryptographic software library.

    According to the organization, the most important new feature in OpenSSL 1.1.1 is TLS 1.3, which the Internet Engineering Task Force (IETF) published last month as RFC 8446.

    Since OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0, most applications that work with the older version can take advantage of the benefits provided by TLS 1.3 simply by updating to the newer version.

    Other noteworthy changes in OpenSSL 1.1.1 include a complete rewrite of the random number generator, support for several new cryptographic algorithms, security improvements designed to mitigate side-channel attacks, support for the Maximum Fragment Length TLS extension, and a new STORE module that implements a uniform and URI-based reader of stores that contain certificates, keys, CRLs and other objects.

    The new crypto algorithms include SHA3, SHA512/224 and SHA512/256, EdDSA, X448, multi-prime RSA, SM2, SM3, SM4, SipHash and ARIA.

  14. Tomi Engdahl says:

    Hackers Can Clone Tesla Key Fobs in Seconds
    https://www.securityweek.com/hackers-can-clone-tesla-key-fobs-seconds

    Researchers claim to have discovered a new attack method that can be used to quickly clone the wireless key fob of Tesla Model S and possibly other vehicles.

    The Passive Keyless Entry and Start (PKES) system is used by many high-end cars to unlock the doors and start the engine. The system relies on a paired key fob that needs to be in proximity of the vehicle.

    PKES has been known to be vulnerable to relay attacks, which have been used to steal luxury vehicles. These attacks involved relaying messages between the car and the smart key by placing one hacking device near the key and one device in proximity of the car. This allows an attacker to open the door and start the engine even if the key is at a considerable distance from the vehicle. However, in these relay attacks, the car can only be unlocked and started once, while the legitimate key fob is in range.

  15. Tomi Engdahl says:

    HOW HACKERS SLIPPED BY BRITISH AIRWAYS’ DEFENSES
    https://www.wired.com/story/british-airways-hack-details/

    RiskIQ published details tracking the British Airways hackers’ strategy on Tuesday, also linking the intrusion to a criminal hacking gang that has been active since 2015. The group, which RiskIQ calls Magecart, is known for web-based credit card skimming—finding websites that don’t secure payment data entry forms, and vacuuming up everything that gets submitted. But while Magecart has previously been known to use the same broadly targeted code to scoop up data from various third-party processors, RiskIQ found that the attack on British Airways was much more tailored to the company’s specific infrastructure.

    In its initial disclosure, British Airways said that the breach didn’t impact passport numbers or other travel data. But the company later clarified that the compromised data included payment card expiration dates and Card Verification Value codes—the extra three or four-digit numbers that authenticate a card—even though British Airways has said it does not store CVVs.

  16. Tomi Engdahl says:

    Guardant Exposed to Cybersecurity Threat from Phishing Scheme
    https://www.mddionline.com/guardant-exposed-cybersecurity-threat-phishing-scheme?ADTRK=UBM&elq_mid=5635&elq_cid=876648

    The Redwood City, CA based company said that private information from about 1,100 individuals was exposed due to the cybersecurity attack.

    Liquid Biopsy specialist, Guardant Health faced a cybersecurity attack about two months ago, according to an SEC filing for the firm’s initial public offering. The Redwood City, CA-based company said that private information from about 1,100 individuals was compromised.

  17. Tomi Engdahl says:

    Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs
    https://thehackernews.com/2018/09/browser-address-spoofing-vulnerability.html

    A security researcher has discovered a serious vulnerability that could allow attackers to spoof website addresses in the Microsoft Edge web browser for Windows and Apple Safari for iOS.

    While Microsoft fixed the address bar URL spoofing vulnerability last month as part of its monthly security updates, Safari is still unpatched, potentially leaving Apple users vulnerable to phishing attacks.

  18. Tomi Engdahl says:

    Dramatic Increase of DDoS Attack Sizes Attributed to IoT Devices
    https://www.bleepingcomputer.com/news/security/dramatic-increase-of-ddos-attack-sizes-attributed-to-iot-devices/

    A new report released today shows that distributed denial of service (DDoS) attacks have increased dramatically in the first two quarters of 2018 compared to 2017. The increase in attacks is being attributed to large scale botnets being created by attackers using insecure IoT devices.

    According to a report released by DDoS mitigation company NexusGuard, denial-of-service attacks have increased by 29% since Q2 2017, with the average attack size increasing by 543% to 26.37 Gbps.

  19. Tomi Engdahl says:

    APT reports
    LuckyMouse signs malicious NDISProxy driver with certificate of Chinese IT company
    https://securelist.com/luckymouse-ndisproxy-driver/87914/

    What happened?

    Since March 2018 we have discovered several infections where a previously unknown Trojan was injected into the lsass.exe system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.

  20. Tomi Engdahl says:

    Bad Actors Sizing Up Systems Via Lightweight Recon Malware
    https://threatpost.com/bad-actors-sizing-up-systems-via-lightweight-recon-malware/137364/

    These stealthy downloaders initially infect systems and then only install additional malware on systems of interest.

    Well-known financial crime gang Cobalt Group and other threat actors have recently shifted tactics to incorporate lightweight modular downloaders that “vet” target machines for their attractiveness before proceeding with a full-fledged attack.

    The emergence of the AdvisorsBot and Marap malwares, as well as a zero-day attack by the PowerPool actors and Cobalt Group’s use of its custom CobInt code, indicate a new trend for financial adversaries.

  21. Tomi Engdahl says:

    The Vulnerability Disclosure Process: Still Broken
    https://threatpost.com/the-vulnerability-disclosure-process-still-broken/137180/

    Despite the advent of bug bounty programs and enlightened vendors, researchers still complain of abuse, threats and lawsuits.

    Despite huge progress in the vulnerability disclosure process, things remain broken when it comes to vendor-researcher relationships.

    Case in point: Last year when Leigh-Anne Galloway (a cybersecurity resilience lead at Positive Technologies) found a gaping hole in the Myspace website, she reported it to Myspace owner Time Inc. But then days, weeks and then three months later – crickets.

    The Myspace bug wasn’t small. It allowed a hacker to log in to any one of the 3.6 million Myspace active users’ accounts in a few easy steps. “It was a straightforward bug, and easy to execute and reproduce,” Galloway told Threatpost.

    After giving up on Time Inc., Galloway weighed the public risk of the bug versus going public. Galloway decided to publish her research. “Within hours of my blog posting, the bug was fixed,” she said. Neither Time Inc. nor Myspace ever got back to her.

    A year later, things haven’t improved much: Last month, Galloway found several bugs in mobile point-of-sale platforms. After privately disclosing the bugs to the vendors, they didn’t ignore her, but she was threatened with multiple lawsuits for reverse-engineering copyright-protected intellectual property.

    “I can’t say personally I’m seeing a lot changing,” she said.

  22. Tomi Engdahl says:

    ThreatList: Attacks on Industrial Control Systems on the Rise
    https://threatpost.com/threatlist-attacks-on-industrial-control-systems-on-the-rise/137251/

    The main source of infection on industrial control systems was the internet, researchers at Kaspersky Lab found in a new report.

    The systems that power the manufacturing, power and water plants, the oil and gas industry, and many other sectors are increasingly in the crosshairs of cyber-attackers: A full 41.2 percent of industrial control systems (ICS) were attacked by malicious software at least once in the first half of 2018.

    That’s according to Kaspersky Lab, which analyzed telemetry information from customers using industrial automation computers through the end of June. The data indicates a consistent rise in the percentage of attacks on this segment; the year-ago data showed the percentage of ICS computers attacked to be 36.61 percent; that then ticked upward to 37.75 percent in the second half of 2017.

  23. Tomi Engdahl says:

    New modular downloaders fingerprint systems – Part 3: CobInt
    https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint

    Proofpoint researchers discovered two new modular downloaders this summer: Marap [1] and AdvisorsBot [2], both of which were noteworthy for their small footprints, stealthy infections, and apparent focus on reconnaissance. We have also observed an actor commonly known as Cobalt Gang (or Group) using another new downloader that shares many of these characteristics since early 2018.

  24. Tomi Engdahl says:

    The UK’s mass surveillance regime has broken the law again
    https://www.wired.co.uk/article/uk-mass-surveillance-echr-ruling

    The UK government’s bulk interception of data was against human rights, the European Court of Human Rights has ruled. It’s another surveillance loss for the government

  25. Tomi Engdahl says:

    California bill regulates IoT for first time in US
    https://nakedsecurity.sophos.com/2018/09/13/california-bill-regulates-iot-for-first-time-in-us/

    California looks set to regulate IoT devices, becoming the first US state to do so and beating the Federal Government to the post.

    The State legislature approved ‘SB-327 Information privacy: connected devices’ last Thursday and handed it over to the Governor to sign. The legislation introduces security requirements for connected devices sold in the US. It defines them as any device that connects directly or indirectly to the internet and has an IP or Bluetooth address. That covers an awful lot of devices.

    “This bill, beginning on January 1, 2020, would require a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.”

  26. Tomi Engdahl says:

    Security Risks of Government Hacking
    https://www.schneier.com/blog/archives/2018/09/security_risks_14.html

    Some of us — myself included — have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include:

    Disincentive for vulnerability disclosure
    Cultivation of a market for surveillance tools
    Attackers co-opt hacking tools over which governments have lost control
    Attackers learn of vulnerabilities through government use of malware
    Government incentives to push for less-secure software and standards
    Government malware affects innocent users.

    These risks are real, but I think they’re much less than mandating backdoors for everyone.

  27. Tomi Engdahl says:

    Malicious Kodi Add-ons Install Windows & Linux Coin Mining Trojans
    https://www.bleepingcomputer.com/news/security/malicious-kodi-add-ons-install-windows-and-linux-coin-mining-trojans/#.W5pzLczJYMI.facebook

    Some unofficial repositories for Kodi open-source media player serve a modified add-on that leads to downloading cryptomining malware on Windows and Linux platforms.

    Security researchers discovered a campaign that infects machines running Kodi via a legitimate add-on that has been altered by cybercriminals looking to mine the Monero cryptocurrency with the resources of Kodi users.

    Criminals take advantage of the update verification system
    Security researchers from ESET spotted the campaign in the XvBMC repository, which was recently shut down for copyright infringement, but other repositories are likely to offer the tampered file.

  28. Tomi Engdahl says:

    Prison for man who assisted scareware scheme that targeted newspaper website
    https://www.tripwire.com/state-of-security/security-data-protection/prison-for-man-who-assisted-scareware-scheme-that-targeted-newspaper-website/#.W5pk39JQvrU.facebook

    A man who spent years on the run from the FBI for his part in a lucrative criminal operation that spread scareware via the Minnesota Star Tribune website has finally been sent to prison.

  29. Tomi Engdahl says:

    New Cold Boot Attack Unlocks Disk Encryption On Nearly All Modern PCs
    https://thehackernews.com/2018/09/cold-boot-attack-encryption.html

    Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption.
    The attack is a new variation of a traditional Cold Boot Attack, which has been around since 2008 and lets attackers steal information that briefly remains in the memory (RAM) after the computer is shut down.

    a safeguard, created by the Trusted Computing Group (TCG), that overwrites the contents of the RAM

    Now, researchers from Finnish cyber-security firm F-Secure figured out a new way to disable this overwrite security measure by physically manipulating the computer’s firmware, potentially allowing attackers to recover sensitive data stored on the computer after a cold reboot in a matter of few minutes.

    Using a simple tool, researchers were able to rewrite the non-volatile memory chip that contains the memory overwrite settings, disable it, and enable booting from external devices.

  30. Tomi Engdahl says:

    Security flaw in ‘nearly all’ modern PCs and Macs exposes encrypted data
    https://techcrunch.com/2018/09/12/security-flaw-in-nearly-all-modern-pcs-and-macs-leaks-encrypted-data/?sr_share=facebook&utm_source=tcfbpage

    A firmware bug means existing security measures “aren’t enough to protect data in lost or stolen laptops,” says new security research.
    Zack Whittaker

  31. Tomi Engdahl says:

    Osiris Banking Trojan Displays Modern Malware Innovation
    https://threatpost.com/osiris-banking-trojan-displays-modern-malware-innovation/137393/

    Osiris’ fundamental makeup positions it in the fore of malware trends, despite being based on old source code that’s been knocking around for years.

    While the behaviors exhibited by the newly spawned banking trojan are similar to many other prevalent banking malware (for instance, it implements Zeus-style G/P/L web-injects, a keylogger and a VNC server, according to Securonix researcher Oleg Kolesnikov), there are also significant differences.

    For one, it uses encrypted Tor traffic for command-and-control (C2).

  32. Tomi Engdahl says:

    Security Vulnerability in Smart Electric Outlets
    https://www.schneier.com/blog/archives/2018/09/security_vulner_15.html

    A security vulnerability in Belkin’s Wemo Insight “smartplugs” allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network.

  33. Tomi Engdahl says:

    Microsoft intercepting Firefox and Chrome installation on Windows 10
    https://www.ghacks.net/2018/09/12/microsoft-intercepting-firefox-chrome-installation-on-windows-10/

    When you try to install the Firefox or Chrome web browser on a recent Windows 10 version 1809 Insider build, you may notice that the installation gets interrupted by the operating system.

    The intermediary screen that interrupts the installation states that Edge is installed on the device and that it is safer and faster than the browser that the user was about to install on the device.

  34. Tomi Engdahl says:

    Surprising hidden order unites prime numbers and crystal-like materials
    https://m.phys.org/news/2018-09-hidden-prime-crystal-like-materials.html

  35. Tomi Engdahl says:

    Ransomware attack shuts down small Canadian town; officials pay ransom
    https://securityboulevard.com/2018/09/ransomware-attack-shuts-down-small-canadian-town-officials-pay-ransom/

    The small Canadian town of Midland, Ontario, was hit by ransomware, and the municipality seems to be negotiating with hackers to pay ransom, reports Canadian news station CTV News.

    The attack on September 1 completely shut down the computer system, leaving the municipality unable to use its financial processing system. During the shutdown, debit and credit card payments were not accepted.

    The computer system is slowly returning to normal and everything should be fixed in a few days as negotiations are reaching a consensus.

    Reply
  36. Tomi Engdahl says:

    Hacker blamed for pornography screened in Chinese college canteen
    https://m.scmp.com/news/china/society/article/2164092/pornography-screened-chinese-college-canteen-blamed-hackers

    Internet TV turns X-rated for three minutes while people eat their dinner

    Reply
  37. Tomi Engdahl says:

    A North Korean hacker accused by the US of orchestrating a global cyber crime wave does not exist, Pyongyang said, warning that such “falsehoods” could jeopardise denuclearisation talks.

    N Korea denies existence of hacker accused of cyber crime wave
    https://www.ft.com/content/488df106-b7c2-11e8-bbc3-ccd7de085ffe

    Pyongyang warns such ‘falsehoods’ from US could jeopardise denuclearisation talks

    Reply
  38. Tomi Engdahl says:

    Remote Code Execution in Alpine Linux
    https://justi.cz/security/2018/09/13/alpine-apk-rce.html

    several bugs in apk, the default package manager for Alpine Linux. Alpine is a really lightweight distro that is very commonly used with Docker. The worst of these bugs, the subject of this blog post, allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code on the user’s machine. This is especially bad because packages aren’t served over TLS when using the default repositories. This bug has been fixed and the Alpine base images have been updated – you may want to rebuild your Alpine-derived images!

    Reply
  39. Tomi Engdahl says:

    Facebook Starts “Fact Checking” Photos And Videos Using AI
    https://www.zerohedge.com/news/2018-09-13/facebook-starts-fact-checking-photos-and-videos-using-ai

    Facebook on Thursday announced the expansion of their fact-checking army to send “photos and videos to all of our 27 partners in 17 countries around the world,” after using an artificial intelligence which will use “various engagement signals, including feedback from people on Facebook, to identify potentially false content.”

    The company says that because people share millions of photos and videos on Facebook each day, it creates an “easy opportunity for manipulation by bad actors.”

    Reply
  40. Tomi Engdahl says:

    Nellie Bowles / New York Times:
    A look at Standard Cognition’s tech, which uses cameras and AI to track who people are and what they buy, as it opens San Francisco’s first cashierless store

    Stealing From a Cashierless Store (Without You, or the Cameras, Knowing It)
    https://www.nytimes.com/2018/09/13/technology/standard-market-retail-automation-behavioral-data.html

    A start-up uses visual tracking and behavioral data to operate a new San Francisco market, which lets shoppers walk out unimpeded. And sometimes mischarged.

    Reply
  41. Tomi Engdahl says:

    New Cold Boot Attack Unlocks Disk Encryption On Nearly All Modern PCs
    https://thehackernews.com/2018/09/cold-boot-attack-encryption.html

    Security researchers have revealed a new attack to steal passwords, encryption keys and other sensitive information stored on most modern computers, even those with full disk encryption.

    The attack is a new variation of a traditional Cold Boot Attack, which has been around since 2008 and lets attackers steal information that briefly remains in the memory (RAM) after the computer is shut down.

    However, to make the cold boot attacks less effective, most modern computers come bundled with a safeguard, created by the Trusted Computing Group (TCG), that overwrites the contents of the RAM when the power on the device is restored, preventing the data from being read.

    Reply
  42. Tomi Engdahl says:

    VLAN Hopping and Mitigation
    https://www.alienvault.com/blogs/security-essentials/vlan-hopping-and-mitigation

    A VLAN is used to share the physical network while creating virtual segmentations to divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2. Any packets sent between VLANs must go through a router or other layer 3 devices. Security is one of the many reasons network administrators configure VLANs. However, with an exploit known as ‘VLAN Hopping’, an attacker is able to bypass these security implementations.

    Reply
  43. Tomi Engdahl says:

    New Firmware Flaws Resurrect Cold Boot Attacks
    https://www.securityweek.com/new-firmware-flaws-resurrect-cold-boot-attacks

    Researchers discovered that the firmware running on nearly all modern computers is vulnerable to cold boot attacks that can allow hackers to recover highly sensitive data from the device’s memory.

    A cold boot attack is a side-channel attack that allows an attacker with physical access to a computer to obtain encryption keys, passwords and other data from the device’s random access memory (RAM) after a cold or hard reboot (i.e. the computer is restarted suddenly without going through the normal shutdown process). The data can remain in memory for tens of seconds or several minutes, but the time window for an attack can be extended to hours by cooling memory modules with liquid nitrogen or compressed air to slow down the degradation process.

    https://en.wikipedia.org/wiki/Cold_boot_attack

    Reply
  44. Tomi Engdahl says:

    Senators Concerned About State Department’s Cybersecurity Failures
    https://www.securityweek.com/senators-concerned-about-state-departments-cybersecurity-failures

    A group of United States senators this week sent a letter to Secretary of State Mike Pompeo requesting clarifications regarding the Department of State’s failure to meet federal cybersecurity standards.

    Reply
  45. Tomi Engdahl says:

    Malware Delivered Through MHT Files
    https://isc.sans.edu/forums/diary/Malware+Delivered+Through+MHT+Files/24096/

    What are MHT files? Microsoft is a wonderful source of multiple file formats. MHT files are web page archives. Usually, a web page is based on a piece of HTML code with links to external resources, images and other media. MHT files contain all the data related to a web page in a single place and are therefore very useful to archive them. Also called MHTML[1] (MIME Encapsulation of Aggregate HTML Documents), they are encoded like email messages using MIME parts.

    To save a web page in MHT format, in Internet Explorer, just press CTRL-S, select the “MHT” file format and save.

    Reply
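    Since an MHT archive is just MIME, a triage script can walk it with Python's standard email module. The example below is added here (it is not code from the SANS diary or this thread) and uses a constructed sample archive; it lists the parts and flags those carrying active content such as script parts or HTML with inline script tags.

```python
import email
from email import policy

# Constructed sample MHT (not from the original page): a multipart/related
# archive with one HTML part and one embedded JavaScript part.
SAMPLE_MHT = b"""Subject: sample page
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----MultipartBoundary--abc123----"

------MultipartBoundary--abc123----
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
Content-Location: http://example.invalid/index.html

<html><body><p>hello</p><script src=3D"http://example.invalid/a.js"></script></body></html>
------MultipartBoundary--abc123----
Content-Type: application/javascript
Content-Transfer-Encoding: base64
Content-Location: http://example.invalid/a.js

YWxlcnQoMSk7
------MultipartBoundary--abc123------
"""

# MIME types that execute rather than render; list chosen for this example.
SCRIPT_TYPES = {"application/javascript", "text/javascript", "text/vbscript",
                "application/hta", "application/x-msdownload"}


def list_mht_parts(raw: bytes):
    """Return (content_type, content_location, decoded_size) per leaf part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container, not content
        body = part.get_payload(decode=True) or b""  # undoes base64/QP
        loc = str(part.get("Content-Location", "<no location>"))
        parts.append((part.get_content_type(), loc, len(body)))
    return parts


def find_active_content(raw: bytes):
    """Flag parts that are scripts, or HTML parts containing <script> tags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""
        loc = str(part.get("Content-Location", "<no location>"))
        if ctype in SCRIPT_TYPES or (ctype == "text/html" and b"<script" in body.lower()):
            hits.append((ctype, loc))
    return hits
```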
