Cyber Security October 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.

You are also free to post related links.

495 Comments

  1. Tomi Engdahl says:

    Exposed Docker APIs Continue to Be Used for Cryptojacking
    https://www.bleepingcomputer.com/news/security/exposed-docker-apis-continue-to-be-used-for-cryptojacking/

    Exposed Docker APIs continue to be used by attackers to create new containers that perform cryptojacking.

    Earlier this year we reported on attackers utilizing insecure Docker and Kubernetes systems to deploy containers that were used to mine coins. For those who are not familiar with containers, they are packages that contain an application and all the dependencies that are required to run it. These packages can then be deployed as containers to Docker or Kubernetes systems as needed.

    Reply
  2. Tomi Engdahl says:

    Windows 10:stä paljastui urkinnan mahdollistava aukko – näin tarkistat, onko koneesi turvassa
    https://www.is.fi/digitoday/tietoturva/art-2000005881077.html

    Reply
  3. Tomi Engdahl says:

    Security Tip (ST18-005)
    Proper Disposal of Electronic Devices
    https://www.us-cert.gov/ncas/tips/18-005

    Reply
  4. Tomi Engdahl says:

    Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments
    https://blog.trendmicro.com/trendlabs-security-intelligence/same-old-yet-brand-new-new-file-types-emerge-in-malware-spam-attachments/

    In our annual roundup report for 2017, we found that the most common file types used in malware-related spam campaigns are .XLS, .PDF, .JS, .VBS, .DOCX, .DOC, .WSF, .XLSX, .EXE, and .HTML. But cybercriminals are expanding the file types they abuse. The following details how cybercriminals make use of old file types in brand-new ways, proving that they are regularly experimenting to evade spam filters.

    .ARJ and .Z files

    .PDF Files

    .IQY Files

    .PUB

    SettingContents-ms

    Reply
  5. Tomi Engdahl says:

    Cathay Pacific Suffers World’s Largest Airline Data Breach
    https://www.pandasecurity.com/mediacenter/news/cathay-pacific-data-breach/

    Cathay Pacific, Hong Kong’s flag carrier, announced that they’d discovered a cyber-breach affecting millions of their customers.

    The sensitive information of nearly 10 million people might have been accessed by cybercriminals. According to the Asian airline operator, hackers might have stolen personal records that include name; nationality; date of birth; phone number; passport number; credit card numbers; email; address; customer service remarks and historical travel information. According to CNN Business, the data leak included approximately 860,000 passport numbers and roughly 250,000 identity card numbers. Cathay might be based in Asia but serves multiple countries across four continents, and the victims include US residents.

    Reply
  6. Tomi Engdahl says:

    Google Launches reCAPTCHA v3
    https://www.securityweek.com/google-launches-recaptcha-v3

    Google on Monday announced the launch of reCAPTCHA v3, which aims to improve user experience by removing the need for challenges.

    reCAPTCHA is the security service provided by Google for protecting websites from spam and abuse. reCAPTCHA v1 asked every user to read a distorted text and enter it into a box. The second version has brought significant improvements as it leverages various other types of data to determine if a request comes from a bot or a human, allowing many users to access content simply by ticking a box.

    With reCAPTCHA v3, Google is making user experience even more frictionless by running adaptive risk analysis in the background and providing a score that tells website owners how suspicious an interaction is.

    Reply
  7. Tomi Engdahl says:

    US Election Integrity Depends on Security-Challenged Firms
    https://www.securityweek.com/us-election-integrity-depends-security-challenged-firms

    It was the kind of security lapse that gives election officials nightmares. In 2017, a private contractor left data on Chicago’s 1.8 million registered voters — including addresses, birth dates and partial Social Security numbers — publicly exposed for months on an Amazon cloud server.

    Later, at a tense hearing , Chicago’s Board of Elections dressed down the top three executives of Election Systems & Software, the nation’s dominant supplier of election equipment and services.

    The three shifted uneasily on folding chairs as board members grilled them about what went wrong. ES&S CEO Tom Burt apologized and repeatedly stressed that there was no evidence hackers downloaded the data.

    The Chicago lapse provided a rare moment of public accountability for the closely held businesses that have come to serve as front-line guardians of U.S. election security.

    A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia’s 2016 election meddling.

    Reply
  8. Tomi Engdahl says:

    X.Org Flaw Exposes Unix-Like OSes to Attacks
    https://www.securityweek.com/xorg-flaw-exposes-unix-oses-attacks

    Several Unix-like operating systems are affected by a potentially serious X.Org vulnerability that can be exploited for privilege escalation and arbitrary code execution

    Narendra Shinde discovered that X.Org X Server versions 1.19 and later are affected by an arbitrary file overwrite vulnerability that can be exploited by an authenticated attacker to elevate permissions and execute arbitrary code with root privileges.

    The security hole, tracked as CVE-2018-14665, was introduced nearly two years ago and it affects operating systems that run X Server with elevated privileges.

    “Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user),” X.Org developers said in an advisory.

    Reply
  9. Tomi Engdahl says:

    Logical Bug in Microsoft Word’s ‘Online Video’ Allows Code Execution
    https://www.securityweek.com/logical-bug-microsoft-words-online-video-allows-code-execution

    Microsoft Office is impacted by a logical bug that allows an attacker to abuse the “online video” feature in Word to execute malicious code, Cymulate security researchers warn.

    The issue, which supposedly impacts all users of Office 2016 and older, can be exploited without special configuration, the security researchers say. Furthermore, no security warning is presented to the user when a malicious document abusing the flaw is opened.

    Reply
  10. Tomi Engdahl says:

    McAfee says cloud security not as bad as we feared… it’s much worse
    Quick takeaway: most everyone sucks at IaaS
    https://www.theregister.co.uk/2018/10/30/mcafee_cloud_security_terrible/

    The average business has around 14 improperly configured IaaS instances running at any given time and roughly one in every 20 AWS S3 buckets are left wide open to the public internet.

    Reply
  11. Tomi Engdahl says:

    Strengthening Industry Collaboration Through the Charter of Trust for a Secure Digital World
    https://securityintelligence.com/strengthening-industry-collaboration-through-the-charter-of-trust-for-a-secure-digital-world/

    Cybersecurity awareness month wraps up this week in Europe and the U.S., and it’s the perfect time to reiterate that digital transformation will only succeed if people and organizations can rely on the security of data and connected systems. Digitization and cybersecurity must progress in close association.

    Security providers are responsible not only for innovating and implementing solutions, but also for building digital trust. Earlier this year, we saw the start of an initiative with great potential to make our digital world more secure and increase trust. This Charter of Trust brings together companies and players from a variety of industries to work with governments to “establish a reliable basis upon which confidence in a networked, digital world can take root and grow.”

    Reply
  12. Tomi Engdahl says:

    Feds Expand Security Researchers’ Ability To Hack Without Going To Jail
    https://yro.slashdot.org/story/18/10/29/236237/feds-expand-security-researchers-ability-to-hack-without-going-to-jail?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Friday, the Librarian of Congress and U.S. Copyright Office renewed several key exemptions (and added a few new ones) to the Digital Millennium Copyright Act. This go round, they’ve extended some essential exemptions ensuring that computer security researchers won’t be treated like nefarious criminals for their contributions to society.

    Feds Expand Security Researchers’ Ability to Hack Without Going to Jail
    https://motherboard.vice.com/en_us/article/pa9jbg/feds-expand-security-researchers-ability-to-hack-without-going-to-jail

    “No researcher wants to end up in jail for discovering a vulnerability.”

    Reply
  13. Tomi Engdahl says:

    Demand for cryptocurrency skills surges, but lacks cyber security expertise
    http://www.itpro.co.uk/business-strategy/careers-training/32230/demand-for-cryptocurrency-skills-surges-but-lacks-cyber

    Trend Micro warns the lack of cybersecurity skills in cryptocurrency environments could be dangerous for firms

    Demand for skills in cryptocurrencies is growing, but security expertise isn’t keeping up, leaving businesses open to attack, a report by Trend Micro has revealed.

    In the cryptocurrency world, businesses are seeking employees with a knowledge of blockchain, finance, Java, bitcoin and Javascript, but crucially missing from the list is cybersecurity knowledge.

    Reply
  14. Tomi Engdahl says:

    Civil servant who watched porn at work blamed for infecting a US government network with malware
    https://techcrunch.com/2018/10/29/porn-sites-blamed-after-government-network-infected-malware/

    A U.S. government network was infected with malware thanks to one employee’s “extensive history” of watching porn on his work computer, investigators have found.

    The audit, carried out by the U.S. Department of the Interior’s inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and “exploited the USGS’ network.” Investigators found that many of the porn images were “subsequently saved to an unauthorized USB device and personal Android cell phone,” which was connected to the employee’s government-issued computer.

    Investigators found that his Android cell phone “was also infected with malware.”

    The findings were made public in a report earlier this month but buried on the U.S. government’s oversight website and went largely unreported.

    Reply
  15. Tomi Engdahl says:

    Jimmy Kimmel Live
    https://m.youtube.com/watch?feature=youtu.be&v=UzvPP6_LRHc

    as a service to the public we asked people passing by our theater today what password they use to protect their personal information. Did they tell us? Watch to find out!

    Reply
  16. Tomi Engdahl says:

    The Masquerade Ball: Train Yourself to Detect Spoofed Files
    https://www.tripwire.com/state-of-security/security-data-protection/masquerade-train-yourself-detect-spoofed-files/

    Masquerading is a technique used in which a file name is maliciously named something similar to one which may be trusted.

    This specific technique is outlined in detail in the MITRE ATT&CK framework, as well. For example, a file named explorer.exe may seem more benign than one called explor3r.exe.

    Reply
  17. Tomi Engdahl says:

    EU: Leak reveals states are ready to put human rights defenders at risk to protect surveillance industry
    https://rsf.org/en/news/eu-leak-reveals-states-are-ready-put-human-rights-defenders-risk-protect-surveillance-industry

    Search

    Search
    COUNTRIES
    OUR ACTIONS
    GET INVOLVED
    Helping journalists
    Who are we?
    Switch langEN
    MAKE A DONATION
    NEWS
    October 29, 2018
    EU: Leak reveals states are ready to put human rights defenders at risk to protect surveillance industry

    ORGANISATION
    RSF_en
    EU member states must back proposed curbs on the export of surveillance equipment to abusive regimes, Access Now, Amnesty International, and Reporters Without Borders said, after leaked documents revealed that several EU countries, particularly Sweden and Finland, are pushing for weakening human rights protections in relation to European export controls of surveillance technology. The leaked documents were published earlier today by digital rights reporters at netzpolitik.org and Reporters Without Borders.

    Reply
  18. Tomi Engdahl says:

    Privacy group calls on U.S. government to adopt universal AI guidelines to protect safety, security and civil liberties
    https://techcrunch.com/2018/10/29/us-government-universal-artificial-intelligence-guidelines/?sr_share=facebook&utm_source=tcfbpage

    After months of work, a set of guidelines designed to protect humanity from a range of threats posed by artificial intelligence have been proposed.

    Now, a privacy group wants the U.S. government to adopt them too.

    The set of 12 universal guidelines revealed at a meeting in Brussels last week are designed to “inform and improve the design and use of AI” by maximizing the benefits while reducing the risks. AI has been for years a blanket term for machine-based decision making, but as the technology gets better and are more widely adopted, the results of AI-based outcomes are having a greater effect on human lives — from gaining credit, employment, and even to criminal sentencing.

    Reply
  19. Tomi Engdahl says:

    Radisson Hotel Group ‘fesses up to ‘security incident’
    Loyalty card members deets exposed
    https://www.theregister.co.uk/2018/10/31/radisson_hotel_group_fesses_up_to_security_incident/

    Radisson Hotel Group has told members of its loyalty scheme that their personal details were exposed in a data breach.

    The mail sent by the group stated:

    This data security incident did not compromise any credit card or password information. Our ongoing investigation has determined that the information accessed was restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flier numbers on file.

    The breach affected a “small percentage” of the Radisson Rewards members, the email stated, but didn’t provide any specifics about numbers.

    Reply
  20. Tomi Engdahl says:

    The Linux Kernel’s Speck Death Sentence Finally Being Carried Out
    https://www.phoronix.com/scan.php?page=news_item&px=Linux-Kernel-Die-Speck-Die

    Earlier this year the Speck encryption algorithm was added to the Linux kernel as at the time Google intended to use it for EXT4/fscrypt file-system encryption with low-end Android devices. But Speck with all its controversy due to being developed by the US National Security Agency (NSA) led to immediate backlash. The removal of Speck from the Linux kernel tree is finally happening.

    Google decided in August they wouldn’t use Speck as planned but rather work on the new HPolyC crypto code for use in future Android Go devices. Following that was the call to remove Speck from the Linux kernel with no real users of the code, but that didn’t happen for the Linux 4.19 cycle.

    Reply
  21. Tomi Engdahl says:

    GitHub lost a network link for 43 seconds, went TITSUP for a day
    Database replication is hard
    https://www.theregister.co.uk/2018/10/31/github_lost_a_network_link_for_43_seconds_went_titsup_for_a_day/

    A 43-second loss of connectivity on the US East Coast helped trigger GitHub’s 24-hour TITSUP (Total Inability To Support User Pulls) earlier this month.

    The bit bucket today published a detailed analysis of the outage, and explained that the brief loss of connectivity between its US East Coast network hub and the primary US East Coast data centre left it with an inconsistency between two MySQL databases.

    The TITSUP began with planned maintenance work, GitHub’s head of technology Jason Warner explained, to “replace failing 100G optical equipment”.

    Reply
  22. Tomi Engdahl says:

    50 ways to leave your lover, but four to sniff browser history
    Vulnerabilities that expose browsing history yet to be fixed
    https://www.theregister.co.uk/2018/10/31/web_browsers_privacy/

    “History sniffing” promises a nose full of dust or, you’re talking about web browsers, a whiff of the websites you’ve visited.

    Reply
  23. Tomi Engdahl says:

    Pain in the brain! Kaspersky warns of hackable brain implants
    That furious clicking you hear is Charlie Brooker frantically writing his next script
    https://www.theregister.co.uk/2018/10/29/hacked_brain_implants/

    Reply
  24. Tomi Engdahl says:

    Civil servant who watched porn at work blamed for infecting a US government network with malware
    https://techcrunch.com/2018/10/29/porn-sites-blamed-after-government-network-infected-malware/

    Reply
  25. Tomi Engdahl says:

    The Google Home Hub is deeply insecure
    https://techcrunch.com/2018/10/31/the-google-home-hub-is-deeply-insecure/?sr_share=facebook&utm_source=tcfbpage

    Security advocate Jerry Gamblin has posted a set of instructions – essentially basic lines of XML – that can easily pull important information off of the Google Home Hub and, in some cases, temporarily brick the device.

    The Home Hub, which is essentially an Android tablet attached to a speaker, is designed to act as an in-room Google Assistant.

    Reply
  26. Tomi Engdahl says:

    Salvador Rodriguez / CNBC:NEW
    Facebook says it will move Workplace by Facebook, its Slack rival, to its own domain in 2019, Workplace.com, to appease businesses’ fears about data security — – Workplace by Facebook, the company’s enterprise business, is moving onto a website domain separate from Facebook.com in an effort …

    Facebook is separating Workplace from the main Facebook site to appease business customers concerned about security
    https://www.cnbc.com/2018/10/31/facebook-introduces-workplace-domain-to-calm-enterprise-security-fears.html

    Workplace by Facebook, the company’s enterprise business, is moving onto a website domain separate from Facebook.com in an effort to build trust with customers and build its brand.
    The Workplace by Facebook unit informed Walmart, a top customer, of the domain change the day Facebook disclosed a security breach that impacted millions of consumers.
    Workplace by Facebook expects to begin using the new domain for its customers in 2019.

    Reply
  27. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Audit finds a US Geological Survey network in South Dakota was infected with malware after an unnamed employee visited thousands of porn pages on his laptop

    Civil servant who watched porn at work blamed for infecting a US government network with malware
    https://techcrunch.com/2018/10/29/porn-sites-blamed-after-government-network-infected-malware/

    A U.S. government network was infected with malware thanks to one employee’s “extensive history” of watching porn on his work computer, investigators have found.

    The audit, carried out by the U.S. Department of the Interior’s inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and “exploited the USGS’ network.” Investigators found that many of the porn images were “subsequently saved to an unauthorized USB device and personal Android cell phone,” which was connected to the employee’s government-issued computer.

    Investigators found that his Android cell phone “was also infected with malware.”

    Reply
  28. Tomi Engdahl says:

    Return of the Ping of Death

    Kernel RCE caused by buffer overflow in Apple’s ICMP packet-handling code (CVE-2018-4407)
    https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407

    This post is about a heap buffer overflow vulnerability which I found in Apple’s XNU operating system kernel. I have written a proof-of-concept exploit which can reboot any Mac or iOS device on the same network, without any user interaction. Apple have classified this vulnerability as a remote code execution vulnerability in the kernel, because it may be possible to exploit the buffer overflow to execute arbitrary code in the kernel.

    The following operating system versions and devices are vulnerable:

    Apple iOS 11 and earlier: all devices (upgrade to iOS 12)
    Apple macOS High Sierra, up to and including 10.13.6: all devices (patched in security update 2018-001)
    Apple macOS Sierra, up to and including 10.12.6: all devices (patched in security update 2018-005)
    Apple OS X El Capitan and earlier: all devices

    Reply
  29. Tomi Engdahl says:

    50 ways to leave your lover, but four to sniff browser history
    Vulnerabilities that expose browsing history yet to be fixed
    https://www.theregister.co.uk/2018/10/31/web_browsers_privacy/

    Reply
  30. Tomi Engdahl says:

    Check this out: Radisson Hotel Group ‘fesses up to ‘security incident’
    Loyalty card members deets exposed
    https://www.theregister.co.uk/2018/10/31/radisson_hotel_group_fesses_up_to_security_incident/

    Reply
  31. Tomi Engdahl says:

    Telegram Desktop Saves Conversations Locally in Plain Text
    https://www.bleepingcomputer.com/news/security/telegram-desktop-saves-conversations-locally-in-plain-text/

    The desktop variant for Telegram secure messaging app fails to protect chat content locally and offers access to plain text conversations and media that otherwise travel encrypted.

    Telegram’s focus on providing secure communication is well known. The app uses encryption to ensure that a third party cannot read the conversations on their way to the destination.

    A feature called ‘secret chats’ is available for those that want complete privacy for their communication, by using end-to-end encryption to guarantee that only the sender and the receiver can access the contents.

    Reply
  32. Tomi Engdahl says:

    Complete Works Of Shakespeare Hidden Inside Twitter Thumbnail Image
    https://www.bleepingcomputer.com/news/security/complete-works-of-shakespeare-hidden-inside-twitter-thumbnail-image/

    A security researcher has demonstrated how he could hide the Complete Works of Shakespeare into an image and use Twitter to distribute it using Steganography.

    Steganography is the act of hiding information or messages inside objects that are not themselves secret. This allows people to covertly distribute messages, files, and other types of data in files or data that appear to be non-secretive in nature.

    In a recent experiment, security researcher Dаvіd Вucһаnаn created a JPEG image of Shakespeare that also included a RARed copy of his complete works in HTML format. Buchanan went on to further show that this image could also be uploaded to Twitter, which would create a thumbnail that continued to contain the embedded RAR file.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*