Cyber Security October 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links.

495 Comments

  1. Tomi Engdahl says:

    China Used Tiny Chips on US Computers to Steal Secrets: Report
    https://www.securityweek.com/china-used-tiny-chips-us-computers-steal-secrets-report

    The Bloomberg News report said the chips, the size of a grain of rice, were used on equipment made for Amazon, which first alerted US authorities, and Apple, and possibly for other companies and government agencies.

    Reply
  2. Tomi Engdahl says:

    Apple:
    Apple says it has never found malicious chips in its servers, calls Bloomberg reporters’ claims unsubstantiated and untrue, says it is not under a gag order

    What Businessweek got wrong about Apple
    https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/

    The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.
    Apple provided Bloomberg Businessweek with the following statement before their story was published

    Reply
  3. Tomi Engdahl says:

    Malicious Component Found on Server Motherboards Supplied to Numerous Companies
    https://hackaday.com/2018/10/04/malicious-component-found-on-server-motherboards-supplied-to-numerous-companies/

    This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design. These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.

    Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China.

    Reply
  4. Tomi Engdahl says:

    “Researchers at threat intelligence firm Digital Shadows report that companies don’t even need to be hacked to spill their address books and email archives. Careless backups of email archives on publicly-accessible rsync, FTP, SMB, S3 buckets, and NAS drives have exposed some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information” – writes Graham Cluley for Tripwire Blog

    https://www.tripwire.com/state-of-security/security-data-protection/bec-as-a-service-offers-hacked-business-accounts-for-as-little-as-150/

    Reply
  5. Tomi Engdahl says:

    Bloomberg:
    Sources: Supermicro firmware portal was breached in 2015 and some customers downloaded malware; Facebook was among them, says no servers were used in production — It wasn’t just hardware. An online portal for firmware updates hid and distributed malware.

    The Big Hack: The Software Side of China’s Supply Chain Attack
    https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-the-software-side-of-china-s-supply-chain-attack

    It wasn’t just hardware. An online portal for firmware updates hid and distributed malware.

    Even as Amazon, Apple, and U.S. officials were investigating malicious microchips embedded in Supermicro server motherboards, Supermicro was the target of at least two other possible forms of attack, people familiar with multiple corporate probes say.

    The first of the other two prongs involved a Supermicro online portal that customers used to get critical software updates, and that was breached by China-based attackers in 2015. The problem, which was never made public, was identified after at least two Supermicro customers downloaded firmware

    “In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs,” Facebook said in an emailed statement.

    The victims considered the faulty code a serious breach. Firmware updates obtained directly from the manufacturer are usually assumed to be secure.

    Reply
  6. Tomi Engdahl says:

    Apple:
    Apple says it has never found malicious chips in its servers, calls Bloomberg reporters’ claims unsubstantiated and untrue, says it is not under a gag order — The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015.
    https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/

    Reply
  7. Tomi Engdahl says:

    Bloomberg:
    Amazon, Apple, Supermicro, and the Chinese government issue statements disputing the allegations of Bloomberg Businessweek’s hacking story

    The Big Hack: Statements From Amazon, Apple, Supermicro, and the Chinese Government
    https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond

    Reply
  8. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Questions about Bloomberg’s story citing 10+ sources on China hacking, after strong denials by companies mentioned, show limits of national security reporting

    Bloomberg’s spy chip story reveals the murky world of national security reporting
    https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/

    To recap, Chinese spies reportedly infiltrated the supply chain and installed tiny chips the size of a pencil tip on the motherboards built by Supermicro, which are used in data center servers across the U.S. tech industry — from Apple to Amazon. That chip can compromise data on the server, allowing China to spy on some of the world’s most wealthy and powerful companies.

    Apple, Amazon and Supermicro — and the Chinese government — strenuously denied the allegations.

    Given the magnitude of the story, you don’t want to reveal all of your cards — but still want to seek answers and clarifications without having the subject tip off another news agency — a trick sometimes employed by the government in the hope of lighter coverage.

    Yet, to Apple — and Amazon and other companies implicated by the report — they too might also be in the dark.

    It’s worth casting your mind back to 2013, days after the first Edward Snowden documents were published.

    I was hesitant to cover this at first given the complexity of the allegations and how explosive the claims are without also seeking confirmation. That’s not easy to do in an hour when Bloomberg’s reporters have been working for the best part of a year. Assuming Bloomberg did everything right — a cover story on its magazine, no less, which would have gone through endless editing and fact-checking before going to print — the reporters likely hit a wall and had nothing more to report, and went to print.

    But Bloomberg’s delivery could have been better.

    Journalism isn’t proprietary. It should be open to as many people as possible. If you’re not transparent in how you report things, you lose readers’ trust.

    That’s where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you — and I — have to put a lot of trust and faith in Bloomberg and its reporters.

    Reply
  9. Tomi Engdahl says:

    “The study examined 186 WiFi routers from 13 different manufacturers, including market-share leaders Linksys, Belkin, NETGEAR and D-Link. “Failing to address known security flaws leaves consumer devices vulnerable to having their data compromised, leading to malicious activity, identity theft, fraud and espionage,” according to the report.”

    via Threatpost
    https://threatpost.com/threatlist-83-of-routers-contain-vulnerable-code/137966/

    Reply
  10. Tomi Engdahl says:

    One problem with blocking users from accessing a website, based on geographical region, legal or some other reason: if you’d like to change your password (or delete your account), you just can’t do it, even if you know your account has been compromised.

    Reply
  11. Tomi Engdahl says:

    California passes law that bans default passwords in connected devices
    https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/?sr_share=facebook&utm_source=tcfbpage

    Zack Whittaker / TechCrunch:
    Good news!

    California has passed a law banning default passwords like “admin,” “123456,” and the old classic “password” in all new consumer electronics starting in 2020.

    Every new gadget built in the state from routers to smart home tech will have to come with “reasonable” security features out of the box. The law specifically calls for each device to come with a preprogrammed password “unique to each device.”

    It also mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” forcing users to change the unique password to something new as soon as it’s switched on for the first time.

    Reply
  12. Tomi Engdahl says:

    Russian hackers were caught in the act — and the results are devastating
    https://www.washingtonpost.com/amphtml/opinions/global-opinions/russian-hackers-were-caught-in-the-act--and-the-results-are-devastating/2018/10/05/5e72495a-c8b5-11e8-b1ed-1d2d65b86d0c_story.html?noredirect=on

    Once upon a time, the Dutch authorities might have kept all these things to themselves. But not now. On Thursday, the Dutch defense minister presented this plethora of documents, scans, photographs and screenshots on large slides at a lengthy news conference. Within seconds, the images spread around the world. Within hours, Bellingcat, the independent research group that pioneered the new science of open source investigation, had checked the men’s names against several open Russian databases.

    Reply
  13. Tomi Engdahl says:

    NYC wants to build a cyber army
    https://techcrunch.com/2018/10/02/nyc-wants-to-build-a-cyber-army/?sr_share=facebook&utm_source=tcfbpage

    Through five new startup programs, Cyber NYC is the city’s bold plan to dominate cybersecurity this century

    Reply
  14. Tomi Engdahl says:

    Google’s cyber unit Jigsaw introduces Intra, a new security app dedicated to busting censorship
    https://techcrunch.com/2018/10/03/googles-cyber-unit-jigsaw-introduces-intra-a-security-app-dedicated-to-busting-censorship/?sr_share=facebook&utm_source=tcfbpage

    Jigsaw, the division owned by Google parent Alphabet, has revealed Intra, a new app aimed at protecting users from state-sponsored censorship.

    Intra is a new app that aims to prevent DNS manipulation attacks.

    By passing all your browsing queries and app traffic through an encrypted connection to a trusted Domain Name Server, Intra says it ensures you can use your app without meddling or get to the right site without interference.

    Reply
  15. Tomi Engdahl says:

    Google is shutting down Google+ following massive data exposure
    https://www.engadget.com/2018/10/08/google-shutting-down-google-plus/

    The company has admitted that user engagement on the service was low.

    Following a massive data breach first reported on by The Wall Street Journal, Google announced today that it is shutting down its social network Google+ for consumers. The company finally admitted that Google+ never received the broad adoption or engagement with users that it had hoped for — according to a blog post, 90 percent of Google+ user sessions last for less than five seconds.

    Google exposed data for hundreds of thousands of users
    https://www.engadget.com/2018/10/08/google-reportedly-exposed-data-for-hundreds-of-thousands-of-user/

    The company also didn’t tell users about the exposure.

    Google exposed private data from hundreds of thousands of Google+ users and then chose not to inform those affected by the issue. The Wall Street Journal reports that sources close to the matter claim the decision to keep the exposure under wraps was made among fears of regulatory scrutiny. Google says it discovered and immediately fixed the issue in March of this year.

    a software vulnerability gave outside developers access to private Google+ user data between 2015 and 2018. And an internal memo noted that while there wasn’t any evidence of misuse on behalf of developers, there wasn’t a way to know for sure whether any misuse took place.

    Google said in a blog post that nearly 500,000 users may have been impacted, but because the company keeps the log data from this specific API for only two weeks at a time, it can’t fully confirm who was truly impacted and who was not.

    if it was indeed disclosed, it could result in “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.”

    In light of this issue, Google will be shutting down the consumer version of Google+ and will do so over the course of 10 months in order to allow users to transition out of the service.

    Reply
  16. Tomi Engdahl says:

    Google+ to shut down after coverup of data-exposing bug
    https://techcrunch.com/2018/10/08/google-plus-hack/?sr_share=facebook&utm_source=tcfbpage

    Google is about to have its Cambridge Analytica moment. A security bug allowed third-party developers to access Google+ user profile data since 2015 until Google discovered and patched it in March, but decided not to inform the world.

    Indeed, 496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed, though Google says it has no evidence the data was misused by the 438 apps that could have had access.

    The company decided against informing the public because it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” according to an internal memo.

    Reply
  17. Tomi Engdahl says:

    The changes include stopping most third-party developers from accessing Android phone SMS data, call logs and some contact info. Gmail will restrict building add-ons to a small number of developers. Google+ will cease all its consumer services while winding down over the next 10 months with an opportunity for users to export their data
    https://techcrunch.com/2018/10/08/google-plus-hack/?sr_share=facebook&utm_source=tcfbpage

    Reply
  18. Tomi Engdahl says:

    Google Exposed User Data, Feared Repercussions of Disclosing to Public
    https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194

    Google opted not to disclose to users its discovery of a bug that gave outside developers access to private data. It found no evidence of misuse.

    Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.

    Reply
  19. Tomi Engdahl says:

    HOW RUSSIAN SPIES INFILTRATED HOTEL WI-FI TO HACK VICTIMS UP CLOSE
    https://www.wired.com/story/russian-spies-indictment-hotel-wi-fi-hacking/

    For years, the Kremlin’s increasingly aggressive hackers have reached across the globe to hit targets with everything from simple phishing schemes to worms built from leaked NSA zero day vulnerabilities. Now, law enforcement agencies in the US and Europe have detailed another, far more hands-on tactic: Snooping on Wi-Fi from a vehicle parked a few feet away from a target office—or even from a laptop inside their hotel.

    Russian hackers caught red-handed: Parking vehicles outside of target buildings, and infiltrating Wi-Fi networks to hack victims.

    Justice Department’s indictment reads. “Using specialized equipment, and with the remote support of conspirators in Russia, these on-site teams hacked into Wi-Fi networks used by victim organizations or their personnel, including hotel Wi-Fi networks.”

    Reply
  20. Tomi Engdahl says:

    Russia’s Hackers Long Tied to Military, Secret Services
    https://www.securityweek.com/russias-hackers-long-tied-military-secret-services

    During the Soviet era, the country’s top computer scientists and programmers largely worked for the secret services.

    That practice appears to have resumed under President Vladimir Putin, as Russia faces accusations of waging a global campaign of cyber attacks.

    Dutch officials on Thursday accused four Russians from the GRU military intelligence agency of attempting to hack into the global chemical weapons watchdog in The Hague.

    The agency has investigated both the fatal poisoning of Russian former double-agent Sergei Skripal and an alleged chemical attack by Moscow-allied Syrian President Bashar al-Assad.

    The Baltic states were the first to accuse Moscow of mounting attacks to knock out their sites back in 2007.

    Estonia said one such attack had put the country’s main emergency service phone number out of action for over an hour.

    Since then, accusations of cyber attacks have continued against Moscow.

    Reply
  21. Tomi Engdahl says:

    Google Says Social Network Bug Exposed Private Data
    https://www.securityweek.com/google-says-social-network-bug-exposed-private-data

    Google announced Monday it is shutting down the consumer version of its online social network after fixing a bug exposing private data in as many as 500,000 accounts.

    The US internet giant said it will “sunset” the Google+ social network for consumers, which failed to gain meaningful traction after being launched in 2011 as a challenge to Facebook.

    A Google spokesperson cited “significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations” along with “very low usage” as the reasons for the move.

    In March, a security audit revealed a software bug that gave third-party apps access to Google+ private profile data that people meant to share only with friends.

    Google said it was unable to confirm which accounts were affected by the bug, but an analysis indicated it could have been as many as 500,000 Google+ accounts.

    Reply
  22. Tomi Engdahl says:

    Code Execution Flaws Found in WECON Industrial Products
    https://www.securityweek.com/code-execution-flaws-found-wecon-industrial-products

    A significant number of vulnerabilities have been found recently in products from China-based WECON, but the vendor has been slow to release patches.

    WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company’s products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.

    An advisory published recently by ICS-CERT reveals that researchers Mat Powell and Natnael Samson discovered several vulnerabilities in WECON’s PI Studio HMI software.

    According to ICS-CERT, WECON has confirmed the vulnerabilities, but it has yet to release any patches.

    Reply
  23. Tomi Engdahl says:

    The DNC Hacker Indictment: A Lesson in Failed Misattribution
    https://www.securityweek.com/dnc-hacker-indictment-lesson-failed-misattribution

    The hackers made eight different kinds of misattribution OPSEC errors in the course of their attacks that exposed their fake identities: account reuse, IP / computer reuse, known malware phylogeny, identifying metadata, writing style, financial tracing, late timing, and forgetting to use their tools. The Russian hackers needed to achieve three goals for their misattribution efforts to be effective. First, they needed to hide the fact that Russia was involved in the activity at all. Second, they wanted Guccifer 2.0, the “hacker”, to be seen to be a Romanian lone wolf. Third, they wanted the DCLeaks website, which released the stolen documents, to appear to be run by American hacktivists who were completely independent of the hacker.

    We can see several errors in just the initial hacking activities. The hackers used malware called “X-Agent” and “X-Tunnel” which are known to the security community. That malware is part of a malware family used by a group referred to as “FancyBear”, long associated with the Russian government.

    The hackers sent the phishing emails used to compromise the DNC and DCCC computers from [email protected], a Russian email service. That would probably not be the first choice of non-Russian hackers.

    Sources outside the indictment show that Guccifer 2.0’s Romanian identity was also contradicted by his poor facility with the Romanian language.

    Reply
  24. Tomi Engdahl says:

    California to Ban Weak Passwords
    https://www.securityweek.com/california-ban-weak-passwords

    California Bill Requires Unique Passwords in Connected Devices

    The state of California recently passed a bill that requires the manufacturers of connected devices to use unique hardcoded passwords for each device manufactured.

    The bill, meant to combat the widespread use of weak passwords in connected devices such as Internet of Things (IoT) products, also demands that manufacturers implement a security feature in their devices to require users to select new means of authentication upon first use.

    The use of weak passwords in connected devices is a well-known security issue that has fueled a broad range of cyber-attacks, including the emergence of numerous, large IoT botnets.

    By targeting devices improperly secured with default or easy-to-guess passwords, IoT botnets such as Mirai (and its many variants), Gafgyt (also known as Bashlite), Reaper, Hide ‘N Seek, and Torii can then be leveraged to launch massive distributed denial of service attacks, to send spam emails, for malware distribution, and for various other nefarious activities.

    However, it’s not only IoT devices that are impacted by the use of default or weak passwords. The issue was also found in industrial control system (ICS) products, and security researchers even published a list of default credentials for ICS devices.

    Reply
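    The two requirements quoted above (a password unique to each device, and a forced change of that password before first access) are easy to state and easy to get wrong in firmware. The following is an added illustration, not code from the article or from any device vendor: a small Python model of a device login state machine that meets both requirements. The `Device` class, the `BANNED_DEFAULTS` set (seeded with the three defaults the comment thread names) and the PBKDF2 parameters are all assumptions of the example; the session states "setup", "full" and "denied" are invented for the model.

```python
"""Model of a per-device unique credential with a mandatory first-use rotation.

Added example; not vendor code. Demonstrates the two properties described in
the comment above: no fleet-wide default, and no normal access until the
owner has chosen a new credential.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Default passwords named in the comment thread; a new credential equal to any
# of these is rejected. Assumed list for the example.
BANNED_DEFAULTS = {"admin", "123456", "password"}
MIN_CREDENTIAL_LEN = 8          # assumed policy value
PBKDF2_ITERATIONS = 50_000      # assumed; tune for the device's CPU


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash is kept on the device."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Device:
    serial: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    credential_hash: bytes = b""
    rotation_required: bool = True  # the first-use gate the bill describes

    def provision_at_factory(self) -> str:
        """Generate a credential unique to this device.

        The plaintext is returned once so it can go on the device label; it is
        never reused for another unit.
        """
        factory_secret = secrets.token_urlsafe(12)
        self.credential_hash = _hash(factory_secret, self.salt)
        self.rotation_required = True
        return factory_secret

    def _verify(self, password: str) -> bool:
        # Constant-time comparison of the derived hash against the stored one.
        return hmac.compare_digest(_hash(password, self.salt), self.credential_hash)

    def login(self, password: str) -> str:
        """Return "denied", "setup" (credential change only) or "full"."""
        if not self._verify(password):
            return "denied"
        return "setup" if self.rotation_required else "full"

    def set_new_credential(self, current: str, new: str) -> bool:
        """Replace the factory credential; clears the first-use gate on success."""
        if not self._verify(current):
            return False
        if new.lower() in BANNED_DEFAULTS or len(new) < MIN_CREDENTIAL_LEN:
            return False
        if hmac.compare_digest(_hash(new, self.salt), self.credential_hash):
            return False  # "new" must actually differ from the factory value
        self.credential_hash = _hash(new, self.salt)
        self.rotation_required = False
        return True


def provision_fleet(serials: list[str]) -> dict[str, str]:
    """Provision several units and return serial -> factory credential."""
    return {s: Device(s).provision_at_factory() for s in serials}


def fleet_credentials_unique(fleet: dict[str, str]) -> bool:
    """True when no two devices in the fleet share a factory credential."""
    return len(set(fleet.values())) == len(fleet)


if __name__ == "__main__":
    dev = Device("SN-0001")                      # constructed serial
    factory = dev.provision_at_factory()
    print("factory login:", dev.login(factory))  # setup: must rotate first
    dev.set_new_credential(factory, "correct-horse-battery")
    print("after rotation:", dev.login(factory), dev.login("correct-horse-battery"))
    print("fleet unique:", fleet_credentials_unique(provision_fleet(["A", "B", "C"])))
```

    The point of the "setup" state is that a correct factory password buys the owner nothing except the right to replace it; the device exposes no other function until `rotation_required` is cleared, which is what "requires a user to generate a new means of authentication before access is granted" amounts to in code.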
  25. Tomi Engdahl says:

    Silk Road Admin Pleads Guilty
    https://www.securityweek.com/silk-road-admin-pleads-guilty

    An Irish man pled guilty in a United States court to his role in the administration of Silk Road, a black-market website.

    Reply
  26. Tomi Engdahl says:

    Google Criticizes Apple Over Safari Security, Flaw Disclosures
    https://www.securityweek.com/google-criticizes-apple-over-safari-security-flaw-disclosures

    One Year After Release, Google Fuzzer Still Finds Many Flaws in Safari

    One year after it was released as open source by Google Project Zero, the Domato fuzzer has still found a significant number of vulnerabilities in Apple’s Safari web browser.

    In September 2017, Google Project Zero researcher Ivan Fratric announced the release of a new Document Object Model (DOM) fuzzer designed for testing web browser engines. At the time, he revealed that Domato had helped him find more than 30 vulnerabilities, including two flaws in Chrome’s Blink engine, four in Firefox’s Gecko, four in Internet Explorer’s Trident, six in EdgeHtml, and 17 in Safari’s WebKit.

    Reply
  27. Tomi Engdahl says:

    Dina Temple-Raston / NPR:
    The tech industry wants federal control over data privacy laws because state frameworks, like California’s new privacy law, are seen as a major threat

    Why The Tech Industry Wants Federal Control Over Data Privacy Laws
    https://www.npr.org/2018/10/08/654893289/why-the-tech-industry-wants-federal-control-over-data-privacy-laws?t=1539081573081

    New laws in Europe and California are forcing tech companies to protect users’ privacy or risk big fines.

    Now, the industry is fearing that more states will enact tough restrictions. So it’s moving to craft federal legislation that would pre-empt state laws and might put the Federal Trade Commission in charge of enforcement.

    Europe enacted a tough law in May which requires, among other things, that companies make data breaches public within 72 hours of discovering them.

    That’s why Facebook had to promptly announce last month that its systems had been hacked and at least 50 million user accounts were compromised.

    In June, California passed legislation that — if it is enacted as written — would go even farther, allowing users to sue for damages for exactly the kind of data breach Facebook suffered.

    “They don’t want to entertain the possibility that they would be liable to individuals for doing some sort of harm from all the data that they collect,”

    Reply
  28. Tomi Engdahl says:

    The American Consumer Institute examined 186 small office/home office Wi-Fi routers from 14 vendors and found that the firmware in 155 of those routers had known vulnerabilities to cyberattacks.
    “Our analysis shows that, on average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample,” ACI stated.

    https://semiengineering.com/week-in-review-iot-security-auto-13/

    Reply
  29. Tomi Engdahl says:

    DHS Warns of Threats to Precision Agriculture
    https://www.securityweek.com/dhs-warns-threats-precision-agriculture

    Relying on various embedded and connected technologies to improve agricultural and livestock management, precise agriculture is exposed to vulnerabilities and cyber-threats, a new report from the United States Department of Homeland Security (DHS) warns.

    The adoption of precision agriculture technology has increased, which has also introduced various cyber risks. By exploiting vulnerabilities in precision agriculture technologies, an attacker could not only access sensitive data and steal resources, but also tamper with or destroy equipment.

    Technologies used in precision agriculture “rely on remote sensing, global positioning systems, and communication systems to generate big data, data analytics, and machine learning,” the DHS report (PDF) says.

    https://www.dhs.gov/sites/default/files/publications/2018%20AEP_Threats_to_Precision_Agriculture.pdf

    Reply
  30. Tomi Engdahl says:

    Ben Smith / The Keyword:
    In the wake of WSJ story, Alphabet shuts down Google+ for consumers, debuts more granular Google Account permissions, adds restrictions to Gmail API — Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience.

    Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+
    https://www.blog.google/technology/safety-security/project-strobe/

    Reply
  31. Tomi Engdahl says:

    Google to shut down Google+ after failing to disclose user data breach
    https://www.theguardian.com/technology/2018/oct/08/google-plus-security-breach-wall-street-journal

    Company didn’t disclose leak for months to avoid a public relations headache and potential regulatory enforcement

    This March, as Facebook was coming under global scrutiny over the harvesting of personal data for Cambridge Analytica, Google discovered a skeleton in its own closet: a bug in the API for Google+ had been allowing third-party app developers to access the data not just of users who had granted permission, but of their friends.

    If that sounds familiar, it’s because it’s almost exactly the scenario that got Mark Zuckerberg dragged in front of the US Congress. The parallel was not lost on Google, and the company chose not to disclose the data leak

    Reply
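    The failure described in the comments above (an API that let an app authorized by one user read the friends-only data of that user’s friends, who had never authorized the app) is an authorization-scoping bug: consent was checked for the caller, not for the person whose data was returned. The following is an added illustration, not Google’s code and not a description of the actual Google+ implementation: a toy profile API with the flawed check next to a corrected one, over a constructed three-user social graph. The user names, field names, visibility levels and the app id `calendar-app` are all invented for the example.

```python
"""Consent scoping for a third-party profile API: flawed check vs. corrected check.

Added example; not Google's code. The data set below is constructed.
"""
from dataclasses import dataclass, field

FULL = {"public", "friends", "private"}
FRIENDS = {"public", "friends"}
PUBLIC = {"public"}


@dataclass
class User:
    name: str
    fields: dict            # field name -> (value, visibility)
    friends: set = field(default_factory=set)
    app_grants: set = field(default_factory=set)  # app ids this user authorized


def build_sample_users() -> dict:
    """Constructed graph: alice authorized the app; her friend bob did not."""
    alice = User("alice", {"name": ("Alice", "public"),
                           "email": ("alice@example.test", "friends")},
                 friends={"bob"}, app_grants={"calendar-app"})
    bob = User("bob", {"name": ("Bob", "public"),
                       "email": ("bob@example.test", "friends"),
                       "birthday": ("1990-01-01", "private")},
               friends={"alice"})
    carol = User("carol", {"name": ("Carol", "public")})  # no friends, no grants
    return {u.name: u for u in (alice, bob, carol)}


def _visible(target: User, allowed: set) -> dict:
    return {k: v for k, (v, vis) in target.fields.items() if vis in allowed}


def vulnerable_profile_fetch(app: str, acting_user: str, target: str, users: dict):
    """Flawed: consent is checked only for the acting user, then the app is
    handed everything the acting user could see as a person, including the
    friends-only fields of friends who never authorized the app."""
    if app not in users[acting_user].app_grants:
        return None
    t = users[target]
    if target == acting_user:
        allowed = FULL
    elif acting_user in t.friends:
        allowed = FRIENDS
    else:
        allowed = PUBLIC
    return _visible(t, allowed)


def hardened_profile_fetch(app: str, acting_user: str, target: str, users: dict):
    """Corrected: non-public fields are released only if the *data subject*
    (the target) authorized this app. A friend's grant never carries over."""
    if app not in users[acting_user].app_grants:
        return None
    t = users[target]
    if target == acting_user:
        allowed = FULL
    elif app in t.app_grants and acting_user in t.friends:
        allowed = FRIENDS
    else:
        allowed = PUBLIC
    return _visible(t, allowed)


def leaked_fields(app: str, acting_user: str, target: str, users: dict) -> set:
    """Fields the flawed path returns that the corrected path withholds."""
    v = vulnerable_profile_fetch(app, acting_user, target, users) or {}
    h = hardened_profile_fetch(app, acting_user, target, users) or {}
    return set(v) - set(h)


if __name__ == "__main__":
    users = build_sample_users()
    print("flawed:   ", vulnerable_profile_fetch("calendar-app", "alice", "bob", users))
    print("corrected:", hardened_profile_fetch("calendar-app", "alice", "bob", users))
    print("leaked:   ", leaked_fields("calendar-app", "alice", "bob", users))
```

    The only difference between the two functions is whose `app_grants` is consulted for the non-public branch. In the flawed version bob’s friends-only email reaches the app because alice consented; in the corrected version it is withheld until bob himself authorizes `calendar-app`. Writing the check in terms of the data subject rather than the caller is the general rule the incident illustrates.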
  32. Tomi Engdahl says:

    Garmin-owned navigation unit exposed thousands of boat owners’ data
    https://techcrunch.com/2018/10/08/garmin-owned-navigation-unit-exposed-thousands-of-boat-owners-data/?sr_share=facebook&utm_source=tcfbpage

    Navionics, an electronic navigational chart maker owned by tech giant Garmin, has secured an exposed database that contained hundreds of thousands of customer records.

    The MongoDB database wasn’t secured with a password, allowing anyone who knew where to look to access and download the data

    Bob Diachenko, Hacken.io’s newly appointed director of cyber risk research, said in a blog post that the 19 gigabyte database contained 261,259 unique records, including customer names and email addresses. The data also included information about their boat — such as latitude and longitude, boat speed and other navigational details

    Reply
  33. Tomi Engdahl says:

    Sony Smart TV Bug Allows Remote Access, Root Privileges
    https://threatpost.com/sony-smart-tv-bug-allows-remote-access-root-privileges/138063/

    Software patching becomes a new reality for smart TV owners.

    As the number of smart TVs grows, so does the number of vulnerabilities inside of them. On Thursday, security researchers revealed that eight Sony Bravia smart TV models are vulnerable to three separate bugs, one rated critical.

    Reply
  34. Tomi Engdahl says:

    Government watchdog says U.S. weapons systems are vulnerable to hacks, but the Pentagon is slow to act
    https://techcrunch.com/2018/10/09/watchdog-pentagon-weapons-hack/?sr_share=facebook&utm_source=tcfbpage

    A government watchdog has said the Department of Defense has not done enough to protect critical weapons systems from cyberattacks.

    The new report out of the Government Accountability Office on Tuesday said that the Pentagon has “not made weapon cybersecurity a priority,” and, although there have been some improvements over the years, the department’s “nascent understanding” of how to secure weapons systems has left officials scrambling on “how best to address weapon systems cybersecurity.”

    https://www.gao.gov/products/GAO-19-128

    Reply
  35. Tomi Engdahl says:

    Instagram’s app-based 2FA is live now, here’s how to turn it on
    https://techcrunch.com/2018/10/09/instagram-2fa-two-factor-authentication/?utm_source=tcfbpage&sr_share=facebook

    In late September, Instagram announced that it would be adding non-SMS-based two-factor authentication to the app. Instagram confirmed to TechCrunch that the company rolled out the security feature last week and that non-SMS two-factor authentication is live now for all users.

    Reply
  36. Tomi Engdahl says:

    Heathrow fined for USB stick data breach
    https://www.bbc.com/news/business-45785227

    Heathrow Airport has been fined £120,000 by the Information Commissioner’s Office for “serious” data protection failings.

    It comes after a staff member lost a USB stick last October containing “sensitive personal data”, which was later found by a member of the public.

    Reports at the time claimed this included the Queen’s security and travel arrangements, although the ICO would not confirm this.

    Heathrow said it regretted the breach.

    The Information Commissioner’s Office (ICO) said the memory stick, which contained 76 folders and more than 1,000 files, was not encrypted or password-protected.

    However, a report in the Mirror newspaper at the time suggested the breach had also posed a risk to national security.

    It reported a man had found the memory stick on a West London street and viewed its contents at a local library, discovering information including:

    A timetable of patrols that was used to guard the site against suicide bombers and terror attacks
    Routes and safeguards for Cabinet ministers and foreign dignitaries
    The exact route the Queen took when using the airport and security measures used to protect her.

    The ICO confirmed the memory stick had been passed on to an unnamed national newspaper.

    The ICO added that only 2% of the airport’s 6,500-strong workforce had been trained in data protection.

    Reply
  37. Tomi Engdahl says:

    New Pentagon Weapons Systems Easily Hacked: Report
    https://www.securityweek.com/new-pentagon-weapons-systems-easily-hacked-report

    New US weapons systems being developed by the US Department of Defense can easily be hacked by adversaries, a new government report said on Tuesday.

    The Government Accountability Office said the Pentagon was unaware of how easy it could be for an adversary to gain access to the computer brains and software of the weapons systems and operate inside them undetected.

    The weak points began with poor password management and unencrypted communications, it said.

    But it said access points for the systems continued to grow in number and are not always well-understood by the operators themselves, leaving even non-networked systems deeply vulnerable.

    More critically, the report faulted the US military for not incorporating cybersecurity into the design and acquisition process for the computer-dependent weapons

    Reply
  38. Tomi Engdahl says:

    Windows Zero-Day Exploited in Attacks Aimed at Middle East
    https://www.securityweek.com/windows-zero-day-exploited-attacks-aimed-middle-east

    One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.

    The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. An authenticated attacker can exploit the vulnerability to take control of an affected system.

    The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm’s systems detected an exploitation attempt. Kaspersky said it had reported the vulnerability to Microsoft on August 17 – it’s unclear why Microsoft waited so long to release a fix.

    Microsoft Patches Windows Zero-Day Exploited by ‘FruityArmor’ Group
    https://www.securityweek.com/microsoft-patches-windows-zero-day-exploited-fruityarmor-group

    Microsoft’s Patch Tuesday updates for October 2018 resolve nearly 50 vulnerabilities, including a Windows zero-day flaw exploited by an advanced persistent threat (APT) actor known as FruityArmor.

    The zero-day, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. The company says an authenticated attacker can exploit the security hole to elevate privileges and take control of the affected system.

    Reply
  39. Tomi Engdahl says:

    Google Tightens Rules Around App Permissions
    https://www.securityweek.com/google-tightens-rules-around-app-permissions

    Google this week announced improved user control over data shared with apps, redesigned app permissions, and diminished app access to sensitive information such as contacts, SMS, and phone.

    The changes, the search giant says, are being rolled out as part of Project Strobe, which represents an overall review of third-party developer access to Google account and Android device data. The idea was to have a look at privacy controls, data privacy concerns, and the access developers enjoy, and make adjustments where necessary.

    Reply
  40. Tomi Engdahl says:

    Apple Patches Passcode Bypass in iOS
    https://www.securityweek.com/apple-patches-passcode-bypass-ios

    Apple on Monday released patches for iOS devices to address a recently disclosed vulnerability that could result in the bypass of the lockscreen.

    The issue was found by iPhone enthusiast Jose Rodriguez, known for his YouTube channel “videosdebarraquito,” who revealed several other passcode bypass techniques in the past.

    Exploitation requires both physical access to the device and for Siri to be enabled and Face ID to be disabled.

    Reply
  41. Tomi Engdahl says:

    Google Launch Event Overshadowed by Privacy Firestorm
    https://www.securityweek.com/google-launch-event-overshadowed-privacy-firestorm

    Google was supposed to be focusing Tuesday on its launch of a new smartphone and other devices, but the event was being overshadowed by a firestorm over a privacy glitch that forced it to shut down its struggling social network.

    Reply
  42. Tomi Engdahl says:

    Researchers KRACK Wi-Fi Again, More Efficiently This Time
    https://www.securityweek.com/researchers-krack-wi-fi-again-more-efficiently-time

    Researchers who last year discovered security issues in the Wi-Fi Protected Access II (WPA2) protocol that made them vulnerable to an attack known as Key Reinstallation Attack, or KRACK, have just revealed more practical versions of the attacks.

    KRACK, Mathy Vanhoef and Frank Piessens explained last year, could provide malicious actors within range of a victim with the ability to access information otherwise believed to be safely encrypted. Residing in the Wi-Fi standard itself, the bugs impact all implementations, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others.

    Targeting several handshakes in the 802.11 standard, the KRACKs manipulate handshake messages to reinstall an already-in-use key, which results in nonce reuse and replay attacks, Vanhoef and Piessens explained last year.

    Reply
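    As an added illustration of the mechanism described in the KRACK summary above (this is not code from the article or from the researchers), the Python model below shows what happens when one side of a pairwise key reinstalls a key that is already in use: the transmit nonce and the receive replay counter are reset, so a later frame reuses an earlier keystream and an already-accepted frame is accepted again. The Station class, the HMAC-based toy keystream standing in for AES-CCM, and the key and frames are all constructed for this example; allow_reinstall=False models the fix of refusing to reinstall a key that is already installed.

```python
import hashlib, hmac

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy keystream (one HMAC-SHA256 block per nonce) standing in for AES-CCM;
    # it keeps only the property that matters here: same key + nonce -> same bytes.
    assert length <= 32, "toy keystream covers a single 32-byte block"
    return hmac.new(key, nonce.to_bytes(6, "big"), hashlib.sha256).digest()[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:                                   # one side of a pairwise key
    def __init__(self, allow_reinstall: bool):
        self.key, self.tx_nonce, self.rx_counter = None, 0, -1
        self.allow_reinstall = allow_reinstall
    def install_key(self, key: bytes) -> bool:
        # Vulnerable: reinstalling the key in use resets both counters to zero.
        # Fixed: a key that is already installed is not installed again.
        if self.key == key and not self.allow_reinstall:
            return False
        self.key, self.tx_nonce, self.rx_counter = key, 0, -1
        return True
    def encrypt(self, plaintext: bytes):
        nonce, self.tx_nonce = self.tx_nonce, self.tx_nonce + 1
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))
    def decrypt(self, nonce: int, ciphertext: bytes):
        if nonce <= self.rx_counter:             # replay protection
            return None
        self.rx_counter = nonce
        return xor(ciphertext, keystream(self.key, nonce, len(ciphertext)))

KEY = b"constructed-pairwise-key"                # constructed sample key
P1, P2 = b"GET /account HTTP/1.1", b"Cookie: session=abc"   # constructed frames

def nonce_reuse_demo(allow_reinstall: bool):
    # Returns (nonce of frame 1, nonce of frame 2, whether c1^c2 == p1^p2 leaks).
    sta = Station(allow_reinstall)
    sta.install_key(KEY)                         # handshake message 3 arrives
    n1, c1 = sta.encrypt(P1)
    sta.install_key(KEY)                         # retransmitted message 3
    n2, c2 = sta.encrypt(P2)
    return n1, n2, xor(c1, c2) == xor(P1, P2)

def replay_demo(allow_reinstall: bool) -> bool:
    # True if a frame already accepted is accepted again after the reinstall.
    rx, tx = Station(allow_reinstall), Station(True)
    rx.install_key(KEY); tx.install_key(KEY)
    nonce, ct = tx.encrypt(P1)
    first = rx.decrypt(nonce, ct) == P1
    rx.install_key(KEY)                          # retransmitted message 3
    return first and rx.decrypt(nonce, ct) == P1
```

With the vulnerable behaviour both frames are encrypted under nonce 0, so a passive listener obtains the XOR of the two plaintexts, and a captured frame passes the replay check a second time; with the fix the nonce advances to 1 and the replayed frame is dropped.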
  43. Tomi Engdahl says:

    Better Customer Experience is More Than a “Nice to Have” for Security
    https://www.securityweek.com/better-customer-experience-more-nice-have-security

    Customer Experience (CX) has gone from a buzzword to an imperative in just a few short years. A reported 80 percent of companies responding to Gartner’s marketing leaders survey now say they expect to compete mainly based on CX. Forrester has created a Customer Experience Index by which they measure and rank CX leaders. And there are hundreds of customer experience conferences to choose from every year.

    Improved security leads to improved customer experience – and improved customer experience leads to improved security. Here are four key ways.

    1. Simplicity of the solution
    2. Dedicated customer success teams
    3. Integration
    4. A “solutions” focus

    CX is becoming a key driver of success in the security industry, not just for companies that deliver superior customer experiences but – more importantly – for the organizations and security professionals they serve. The nuance and interplay between the two is a powerful proposition.

    Reply
  44. Tomi Engdahl says:

    Abusing Googlebot Services to Deliver Crypto-Mining Malware
    https://www.f5.com/labs/articles/threat-intelligence/abusing-googlebot-services-to-deliver-crypto-mining-malware

    While investigating a recent threat campaign, F5 researchers encountered a strange behaviour where malicious requests were originating from legitimate Googlebot servers. This relatively infrequent behavior could potentially have serious consequences in environments where the trust level given to Googlebot influences an organization’s security decisions.

    Google’s official support site advises to “make sure Googlebot is not blocked” and provides instructions to verify that Googlebot is real. Both imply that trusting Googlebot traffic is somewhat mandatory if you’d like your site to show up in Google search engine results.

    Make sure Googlebot is not blocked
    https://support.google.com/webmasters/answer/2387297?hl=en

    Reply
  45. Tomi Engdahl says:

    When the Digital Impacts the Physical
    https://securingtomorrow.mcafee.com/mcafee-labs/when-the-digital-impacts-the-physical/

    Cyberattacks have always been, well, cyber. Their immediate effects were on our data, our digital information, and our devices…until they weren’t. The interconnected nature of the world and the way it’s built in 2018 has brought us exciting and revolutionary innovations, but it has also been leveraged by hackers to extend the impact of a cyberattack beyond the digital sphere into the physical. Pacemakers can be hacked, shocks can be sent to patients remotely. Critical infrastructure can be taken down, rendering cities powerless. Large corporations we trust with our data are violating that trust by collecting our data unknowingly, and even tracking our locations without consent. Cybercrime is no longer just cyber, and it can compromise a lot more than just data.

    When you think of one’s well-being, physical health often comes to mind. Hospitals, health care, and medical tools and devices have evolved to become members of an interconnected ecosystem. Many health care systems connect to the internet to operate, the same holds true with numerous medical devices such as pacemakers. But that makes the latter part of the ”Internet of Things,” a growing collection of connected devices which are potentially vulnerable to cyberattack. In fact, there have already been reports of threats to these medical devices.

    We’ve seen a handful of hospitals taken offline in recent ransomware attacks, all due to the use of outdated or vulnerable systems.

    In fact, cybercriminals have recently begun hitting critical infrastructure hard and fast, with dramatic results emerging from their efforts. They’ve infamously put an entire city in the Ukraine out of power for about an hour. Then there was the Schneider Electric hack, in which cybercriminals leveraged a zero-day vulnerability within an industrial plant’s safety system for a cyberattack.

    There are also cyber issues that impact our physical safety that don’t even come in the form of an attack. Lately, news has been circulating about big-name companies tracking users’ locations or data

    Ramifications such as these have changed the nature of privacy, as well as digital and physical safety as we know it.

    Reply
  46. Tomi Engdahl says:

    The US National Cyber Strategy
    https://www.schneier.com/blog/archives/2018/10/the_us_national.html

    Last month, the White House released the “National Cyber Strategy of the United States of America.” I generally don’t have much to say about these sorts of documents. They’re filled with broad generalities.

    Who can argue with:

    Defend the homeland by protecting networks, systems, functions, and data;

    Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;

    Preserve peace and security by strengthening the ability of the United States – in concert with allies and partners – to deter and, if necessary, punish those who use cyber tools for malicious purposes; and

    Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.

    The devil is in the details, of course. And the strategy includes no details.

    Reply
