The Bloomberg News report said the chips, the size of a grain of rice, were used on equipment made for Amazon, which first alerted US authorities, and Apple, and possibly for other companies and government agencies.
Apple:
Apple says it has never found malicious chips in its servers, calls Bloomberg reporters’ claims unsubstantiated and untrue, says it is not under a gag order
The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.
Apple provided Bloomberg Businessweek with the following statement before their story was published.
“Researchers at threat intelligence firm Digital Shadows report that companies don’t even need to be hacked to spill their address books and email archives. Careless backups of email archives on publicly-accessible rsync, FTP, SMB, S3 buckets, and NAS drives have exposed some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information” – writes Graham Cluley for Tripwire Blog
Bloomberg:
Sources: Supermicro firmware portal was breached in 2015 and some customers downloaded malware; Facebook was among them, says no servers were used in production — It wasn’t just hardware. An online portal for firmware updates hid and distributed malware.
Even as Amazon, Apple, and U.S. officials were investigating malicious microchips embedded in Supermicro server motherboards, Supermicro was the target of at least two other possible forms of attack, people familiar with multiple corporate probes say.
The first of the other two prongs involved a Supermicro online portal that customers used to get critical software updates, and that was breached by China-based attackers in 2015. The problem, which was never made public, was identified after at least two Supermicro customers downloaded firmware
“In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs,” Facebook said in an emailed statement.
The victims considered the faulty code a serious breach. Firmware updates obtained directly from the manufacturer are usually assumed to be secure.
Apple:
Apple says it has never found malicious chips in its servers, calls Bloomberg reporters’ claims unsubstantiated and untrue, says it is not under a gag order — The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/
Zack Whittaker / TechCrunch:
Questions about Bloomberg’s story citing 10+ sources on China hacking, after strong denials by companies mentioned, show limits of national security reporting
To recap, Chinese spies reportedly infiltrated the supply chain and installed tiny chips the size of a pencil tip on the motherboards built by Supermicro, which are used in data center servers across the U.S. tech industry — from Apple to Amazon. That chip can compromise data on the server, allowing China to spy on some of the world’s most wealthy and powerful companies.
Apple, Amazon and Supermicro — and the Chinese government — strenuously denied the allegations.
Given the magnitude of the story, you don’t want to reveal all of your cards — but still want to seek answers and clarifications without having the subject tip off another news agency — a trick sometimes employed by the government in the hope of lighter coverage.
Yet, to Apple — and Amazon and other companies implicated by the report — they too might also be in the dark.
It’s worth casting your mind back to 2013, days after the first Edward Snowden documents were published.
I was hesitant to cover this at first given the complexity of the allegations and how explosive the claims are without also seeking confirmation. That’s not easy to do in an hour when Bloomberg’s reporters have been working for the best part of a year. Assuming Bloomberg did everything right — a cover story on its magazine, no less, which would have gone through endless editing and fact-checking before going to print — the reporters likely hit a wall and had nothing more to report, and went to print.
But Bloomberg’s delivery could have been better.
Journalism isn’t proprietary. It should be open to as many people as possible. If you’re not transparent in how you report things, you lose readers’ trust.
That’s where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you — and I — have to put a lot of trust and faith in Bloomberg and its reporters.
“The study examined 186 WiFi routers from 13 different manufacturers, including market-share leaders Linksys, Belkin, NETGEAR and D-Link. “Failing to address known security flaws leaves consumer devices vulnerable to having their data compromised, leading to malicious activity, identity theft, fraud and espionage,” according to the report.”
One problem with blocking users from accessing a website, based on geographical region, legal or some other reason: if you’d like to change your password (or delete your account), you just can’t do it, even if you know your account has been compromised.
California passes law that bans default passwords in connected devices
Zack Whittaker (@zackwhittaker)
MikroEM Tekhnologii, Russian manufacturer of electronic components
Good news!
California has passed a law banning default passwords like “admin,” “123456,” and the old classic “password” in all new consumer electronics starting in 2020.
Every new gadget built in the state from routers to smart home tech will have to come with “reasonable” security features out of the box. The law specifically calls for each device to come with a preprogrammed password “unique to each device.”
It also mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” forcing users to change the unique password to something new as soon as it’s switched on for the first time.
Once upon a time, the Dutch authorities might have kept all these things to themselves. But not now. On Thursday, the Dutch defense minister presented this plethora of documents, scans, photographs and screenshots on large slides at a lengthy news conference. Within seconds, the images spread around the world. Within hours, Bellingcat, the independent research group that pioneered the new science of open source investigation, had checked the men’s names against several open Russian databases.
Jigsaw, the division owned by Google parent Alphabet, has revealed Intra, a new app aimed at protecting users from state-sponsored censorship.
Intra is a new app that aims to prevent DNS manipulation attacks.
By passing all your browsing queries and app traffic through an encrypted connection to a trusted Domain Name Server, Intra says it ensures you can use your app without meddling or get to the right site without interference.
The company has admitted that user engagement on the service was low.
Following a massive data breach first reported on by The Wall Street Journal, Google announced today that it is shutting down its social network Google+ for consumers. The company finally admitted that Google+ never received the broad adoption or engagement with users that it had hoped for — according to a blog post, 90 percent of Google+ user sessions last for less than five seconds.
The company also didn’t tell users about the exposure.
Google exposed private data from hundreds of thousands of Google+ users and then chose not to inform those affected by the issue. The Wall Street Journal reports that sources close to the matter claim the decision to keep the exposure under wraps was made among fears of regulatory scrutiny. Google says it discovered and immediately fixed the issue in March of this year.
A software vulnerability gave outside developers access to private Google+ user data between 2015 and 2018. And an internal memo noted that while there wasn’t any evidence of misuse on behalf of developers, there wasn’t a way to know for sure whether any misuse took place.
Google said in a blog post that nearly 500,000 users may have been impacted, but because the company keeps the log data from this specific API for only two weeks at a time, it can’t fully confirm who was truly impacted and who was not.
If it was indeed disclosed, it could result in “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.”
In light of this issue, Google will be shutting down the consumer version of Google+ and will do so over the course of 10 months in order to allow users to transition out of the service.
Google is about to have its Cambridge Analytica moment. A security bug allowed third-party developers to access Google+ user profile data since 2015 until Google discovered and patched it in March, but decided not to inform the world.
Indeed, 496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed, though Google says it has no evidence the data was misused by the 438 apps that could have had access.
The company decided against informing the public because it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” according to an internal memo.
The changes include stopping most third-party developers from accessing Android phone SMS data, call logs and some contact info. Gmail will restrict building add-ons to a small number of developers. Google+ will cease all its consumer services while winding down over the next 10 months with an opportunity for users to export their data https://techcrunch.com/2018/10/08/google-plus-hack/?sr_share=facebook&utm_source=tcfbpage
Google opted not to disclose to users its discovery of a bug that gave outside developers access to private data. It found no evidence of misuse.
Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.
FOR YEARS, THE Kremlin’s increasingly aggressive hackers have reached across the globe to hit targets with everything from simple phishing schemes to worms built from leaked NSA zero day vulnerabilities. Now, law enforcement agencies in the US and Europe have detailed another, far more hands-on tactic: Snooping on Wi-Fi from a vehicle parked a few feet away from a target office—or even from a laptop inside their hotel.
Russian hackers caught red-handed: Parking vehicles outside of target buildings, and infiltrating Wi-Fi networks to hack victims.
Justice Department’s indictment reads. “Using specialized equipment, and with the remote support of conspirators in Russia, these on-site teams hacked into Wi-Fi networks used by victim organizations or their personnel, including hotel Wi-Fi networks.”
During the Soviet era, the country’s top computer scientists and programmers largely worked for the secret services.
That practice appears to have resumed under President Vladimir Putin, as Russia faces accusations of waging a global campaign of cyber attacks.
Dutch officials on Thursday accused four Russians from the GRU military intelligence agency of attempting to hack into the global chemical weapons watchdog in The Hague.
The agency has investigated both the fatal poisoning of Russian former double-agent Sergei Skripal and an alleged chemical attack by Moscow-allied Syrian President Bashar al-Assad.
The Baltic states were the first to accuse Moscow of mounting attacks to knock out their sites back in 2007.
Estonia said one such attack had put the country’s main emergency service phone number out of action for over an hour.
Since then, accusations of cyber attacks have continued against Moscow.
Google announced Monday it is shutting down the consumer version of its online social network after fixing a bug exposing private data in as many as 500,000 accounts.
The US internet giant said it will “sunset” the Google+ social network for consumers, which failed to gain meaningful traction after being launched in 2011 as a challenge to Facebook.
A Google spokesperson cited “significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations” along with “very low usage” as the reasons for the move.
In March, a security audit revealed a software bug that gave third-party apps access to Google+ private profile data that people meant to share only with friends.
Google said it was unable to confirm which accounts were affected by the bug, but an analysis indicated it could have been as many as 500,000 Google+ accounts.
A significant number of vulnerabilities have been found recently in products from China-based WECON, but the vendor has been slow to release patches.
WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company’s products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.
An advisory published recently by ICS-CERT reveals that researchers Mat Powell and Natnael Samson discovered several vulnerabilities in WECON’s PI Studio HMI software.
According to ICS-CERT, WECON has confirmed the vulnerabilities, but it has yet to release any patches.
The hackers made eight different kinds of misattribution OPSEC errors in the course of their attacks that exposed their fake identities: account reuse, IP / computer reuse, known malware phylogeny, identifying metadata, writing style, financial tracing, late timing, and forgetting to use their tools. The Russian hackers needed to achieve three goals for their misattribution efforts to be effective. First, they needed to hide the fact that Russia was involved in the activity at all. Second, they wanted Guccifer 2.0, the “hacker”, to be seen to be a Romanian lone wolf. Third, they wanted the DCLeaks website, which released the stolen documents, to appear to be run by American hacktivists who were completely independent of the hacker.
We can see several errors in just the initial hacking activities. The hackers used malware called “X-Agent” and “X-Tunnel” which are known to the security community. That malware is part of a malware family used by a group referred to as “FancyBear”, long associated with the Russian government.
The hackers sent the phishing emails used to compromise the DNC and DCCC computers from [email protected], a Russian email service. That would probably not be the first choice of non-Russian hackers.
Sources outside the indictment show that Guccifer 2.0’s Romanian identity was also contradicted by his poor facility with the Romanian language.
California Bill Requires Unique Passwords in Connected Devices
The state of California recently passed a bill that requires the manufacturers of connected devices to use unique hardcoded passwords for each device manufactured.
The bill, meant to combat the widespread use of weak passwords in connected devices such as Internet of Things (IoT) products, also demands that manufacturers implement a security feature in their devices to require users to select new means of authentication upon first use.
The use of weak passwords in connected devices is a well-known security issue that has fueled a broad range of cyber-attacks, including the emergence of numerous, large IoT botnets.
By targeting devices improperly secured with default or easy-to-guess passwords, IoT botnets such as Mirai (and its many variants), Gafgyt (also known as Bashlite), Reaper, Hide ‘N Seek, and Torii can then be leveraged to launch massive distributed denial of service attacks, to send spam emails, for malware distribution, and for various other nefarious activities.
However, it’s not only IoT devices that are impacted by the use of default or weak passwords. The issue was also found in industrial control system (ICS) products, and security researchers even published a list of default credentials for ICS devices.
One Year After Release, Google Fuzzer Still Finds Many Flaws in Safari
One year after it was released as open source by Google Project Zero, the Domato fuzzer has still found a significant number of vulnerabilities in Apple’s Safari web browser.
In September 2017, Google Project Zero researcher Ivan Fratric announced the release of a new Document Object Model (DOM) fuzzer designed for testing web browser engines. At the time, he revealed that Domato had helped him find more than 30 vulnerabilities, including two flaws in Chrome’s Blink engine, four in Firefox’s Gecko, four in Internet Explorer’s Trident, six in EdgeHtml, and 17 in Safari’s WebKit.
Dina Temple-Raston / NPR:
The tech industry wants federal control over data privacy laws because state frameworks, like California’s new privacy law, are seen as a major threat
New laws in Europe and California are forcing tech companies to protect users’ privacy or risk big fines.
Now, the industry is fearing that more states will enact tough restrictions. So it’s moving to craft federal legislation that would pre-empt state laws and might put the Federal Trade Commission in charge of enforcement.
Europe enacted a tough law in May which requires, among other things, that companies make data breaches public within 72 hours of discovering them.
That’s why Facebook had to promptly announce last month that its systems had been hacked and at least 50 million user accounts were compromised.
In June, California passed legislation that — if it is enacted as written — would go even farther, allowing users to sue for damages for exactly the kind of data breach Facebook suffered.
“They don’t want to entertain the possibility that they would be liable to individuals for doing some sort of harm from all the data that they collect,”
The American Consumer Institute examined 186 small office/home office Wi-Fi routers from 14 vendors and found that the firmware in 155 of those routers had known vulnerabilities to cyberattacks.
“Our analysis shows that, on average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample,” ACI stated.
Relying on various embedded and connected technologies to improve agricultural and livestock management, precision agriculture is exposed to vulnerabilities and cyber-threats, a new report from the United States Department of Homeland Security (DHS) warns.
The adoption of precision agriculture technology has increased, which has also introduced various cyber risks. By exploiting vulnerabilities in precision agriculture technologies, an attacker could not only access sensitive data and steal resources, but also tamper with or destroy equipment.
Technologies used in precision agriculture “rely on remote sensing, global positioning systems, and communication systems to generate big data, data analytics, and machine learning,” the DHS report (PDF) says.
Ben Smith / The Keyword:
In the wake of WSJ story, Alphabet shuts down Google+ for consumers, debuts more granular Google Account permissions, adds restrictions to Gmail API — Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience.
Company didn’t disclose leak for months to avoid a public relations headache and potential regulatory enforcement
This March, as Facebook was coming under global scrutiny over the harvesting of personal data for Cambridge Analytica, Google discovered a skeleton in its own closet: a bug in the API for Google+ had been allowing third-party app developers to access the data not just of users who had granted permission, but of their friends.
If that sounds familiar, it’s because it’s almost exactly the scenario that got Mark Zuckerberg dragged in front of the US Congress. The parallel was not lost on Google, and the company chose not to disclose the data leak
Navionics, an electronic navigational chart maker owned by tech giant Garmin, has secured an exposed database that contained hundreds of thousands of customer records.
The MongoDB database wasn’t secured with a password, allowing anyone who knew where to look to access and download the data.
Bob Diachenko, Hacken.io’s newly appointed director of cyber risk research, said in a blog post that the 19 gigabyte database contained 261,259 unique records, including customer names and email addresses. The data also included information about their boat, such as latitude and longitude, boat speed and other navigational details.
Software patching becomes a new reality for smart TV owners.
As the number of smart TVs grows, so does the number of vulnerabilities inside of them. On Thursday, security researchers revealed that eight Sony Bravia smart TV models are vulnerable to three separate bugs, one rated critical.
A government watchdog has said the Department of Defense has not done enough to protect critical weapons systems from cyberattacks.
The new report out of the Government Accountability Office on Tuesday said that the Pentagon has “not make weapon cybersecurity a priority,” and, although there have been some improvements over the years, the department’s “nascent understanding” of how to secure weapons systems has left officials scrambling on “how best to address weapon systems cybersecurity.”
In late September, Instagram announced that it would be adding non SMS-based two-factor authentication to the app. Instagram confirmed to TechCrunch that the company rolled out the security feature last week and that non-SMS two-factor authentication is live now for all users.
Heathrow Airport has been fined £120,000 by the Information Commissioner’s Office for “serious” data protection failings.
It comes after a staff member lost a USB stick last October containing “sensitive personal data”, which was later found by a member of the public.
Reports at the time claimed this included the Queen’s security and travel arrangements, although the ICO would not confirm this.
Heathrow said it regretted the breach.
The Information Commissioner’s Office (ICO) said the memory stick, which contained 76 folders and more than 1,000 files, was not encrypted or password-protected.
However, a report in the Mirror newspaper at the time suggested the breach had also posed a risk to national security.
It reported a man had found the memory stick on a West London street and viewed its contents at a local library, discovering information including:
A timetable of patrols that was used to guard the site against suicide bombers and terror attacks
Routes and safeguards for Cabinet ministers and foreign dignitaries
The exact route the Queen took when using the airport and security measures used to protect her.
The ICO confirmed the memory stick had been passed on to an unnamed national newspaper.
The ICO added that only 2% of the airport’s 6,500-strong workforce had been trained in data protection.
New US weapons systems being developed by the US Department of Defense can easily be hacked by adversaries, a new government report said on Tuesday.
The Government Accountability Office said the Pentagon was unaware of how easy it could be for an adversary to gain access to the computer brains and software of the weapons systems and operate inside them undetected.
The weak points began with poor password management and unencrypted communications, it said.
But it said access points for the systems continued to grow in number and are not always well-understood by the operators themselves, leaving even non-networked systems deeply vulnerable.
More critically, the report faulted the US military for not incorporating cybersecurity into the design and acquisition process for the computer-dependent weapons.
One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.
The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. An authenticated attacker can exploit the vulnerability to take control of an affected system.
The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm’s systems detected an exploitation attempt. Kaspersky said it had reported the vulnerability to Microsoft on August 17 – it’s unclear why Microsoft waited so long to release a fix.
Microsoft’s Patch Tuesday updates for October 2018 resolve nearly 50 vulnerabilities, including a Windows zero-day flaw exploited by an advanced persistent threat (APT) actor known as FruityArmor.
The zero-day, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. The company says an authenticated attacker can exploit the security hole to elevate privileges and take control of the affected system.
Google this week announced improved user control over data shared with apps, redesigned app permissions, and diminished app access to sensitive information such as contacts, SMS, and phone.
The changes, the search giant says, are being rolled out as part of Project Strobe, which represents an overall review of third-party developer access to Google account and Android device data. The idea was to have a look at privacy controls, data privacy concerns, and the access developers enjoy, and make adjustments where necessary.
Apple on Monday released patches for iOS devices to address a recently disclosed vulnerability that could result in the bypass of the lockscreen.
The issue was found by iPhone enthusiast Jose Rodriguez, known for his YouTube channel “videosdebarraquito,” who revealed several other passcode bypass techniques in the past.
Exploitation requires both physical access to the device and for Siri to be enabled and Face ID to be disabled.
Google was supposed to be focusing Tuesday on its launch of a new smartphone and other devices, but the event was being overshadowed by a firestorm over a privacy glitch that forced it to shut down its struggling social network.
Researchers who last year discovered security issues in the Wi-Fi Protected Access II (WPA2) protocol that made it vulnerable to an attack known as Key Reinstallation Attack, or KRACK, have just revealed more practical versions of the attacks.
KRACK, Mathy Vanhoef and Frank Piessens explained last year, could provide malicious actors within range of a victim with the ability to access information otherwise believed to be safely encrypted. Residing in the Wi-Fi standard itself, the bugs impact all implementations, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others.
Targeting several handshakes in the 802.11 standard, the KRACKs manipulate handshake messages to reinstall an already-in-use key, which results in nonce reuse and replay attacks, Vanhoef and Piessens explained last year.
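To make the "reinstall an already-in-use key, which results in nonce reuse" mechanism concrete, here is an added toy model (not code from Vanhoef and Piessens, and not a real WPA2 implementation). The keystream function is a SHA-256 stand-in for AES-CCMP/GCMP; the only property it shares with the real cipher, and the only one that matters here, is that the same key and nonce produce the same keystream. The client is run once with the pre-patch behaviour (a retransmitted handshake message 3 reinstalls the key and resets the packet number) and once with the patched behaviour (a key that is already installed is not reinstalled).

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    # Toy stand-in for the AES-CCMP/GCMP keystream (assumption, not the real cipher):
    # SHA-256(key || nonce || block counter), concatenated and truncated.
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Supplicant:
    """Minimal model of the client side of the 4-way handshake: the installed PTK and the
    packet number that serves as the per-packet nonce."""
    refuse_reinstall: bool            # False = pre-patch behaviour, True = patched behaviour
    ptk: Optional[bytes] = None
    packet_number: int = 0

    def handle_message3(self, ptk: bytes) -> bool:
        # Receiving message 3 installs the PTK; a retransmitted message 3 arrives here again.
        if self.refuse_reinstall and self.ptk == ptk:
            return False              # patched: key already in use, keep the packet number
        self.ptk = ptk
        self.packet_number = 0        # installing resets the nonce: harmless once, fatal twice
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        nonce = self.packet_number
        self.packet_number += 1
        return nonce, xor_bytes(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def run_scenario(refuse_reinstall: bool) -> dict:
    """Client installs the PTK, sends one frame, receives a retransmitted message 3
    (the trigger KRACK relies on) and sends a second frame. Returns what an observer of the
    two ciphertexts could establish."""
    client = Supplicant(refuse_reinstall)
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()   # constructed sample key
    client.handle_message3(ptk)
    pt1 = b"GET /account HTTP/1.1\r\nCookie: session=abc\r\n"       # constructed sample frames
    nonce1, ct1 = client.encrypt(pt1)
    client.handle_message3(ptk)       # retransmitted message 3
    pt2 = b"POST /transfer HTTP/1.1\r\nCookie: session=abc\r\n"
    nonce2, ct2 = client.encrypt(pt2)
    n = min(len(ct1), len(ct2))
    return {
        "nonce_reused": nonce1 == nonce2,
        # With a repeated keystream the XOR of the two ciphertexts equals the XOR of the
        # plaintexts: the textbook consequence of nonce reuse in a stream cipher, and the
        # reason the patched supplicant must keep its packet number on a retransmission.
        "keystream_repeated": xor_bytes(ct1[:n], ct2[:n]) == xor_bytes(pt1[:n], pt2[:n]),
    }


if __name__ == "__main__":
    print("pre-patch:", run_scenario(refuse_reinstall=False))
    print("patched:  ", run_scenario(refuse_reinstall=True))
```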
Customer Experience (CX) has gone from a buzzword to an imperative in just a few short years. A reported 80 percent of companies responding to Gartner’s marketing leaders survey now say they expect to compete mainly based on CX. Forrester has created a Customer Experience Index by which they measure and rank CX leaders. And there are hundreds of customer experience conferences to choose from every year.
Improved security leads to improved customer experience – and improved customer experience leads to improved security. Here are four key ways.
1. Simplicity of the solution
2. Dedicated customer success teams
3. Integration
4. A “solutions” focus
CX is becoming a key driver of success in the security industry, not just for companies that deliver superior customer experiences but – more importantly – for the organizations and security professionals they serve. The nuance and interplay between the two is a powerful proposition.
While investigating a recent threat campaign, F5 researchers encountered a strange behaviour where malicious requests were originating from legitimate Googlebot servers. This relatively infrequent behavior could potentially have serious consequences in environments where the trust level given to Googlebot influences an organization’s security decisions.
Google’s official support site advises to “make sure Googlebot is not blocked” and provides instructions to verify that Googlebot is real. Both imply that trusting Googlebot traffic is somewhat mandatory if you’d like your site to show up in Google search engine results.
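The verification Google documents is a reverse lookup of the client IP, a check that the name sits under googlebot.com or google.com, and a forward lookup of that name that must return the original IP. The following is an added example (not F5's or Google's code) that implements that check against constructed DNS data so it runs offline, and then uses the result for the one decision it can justify: a verified crawler may be exempt from a crawl-rate limit, but, given the observation above that malicious requests arrived from genuine Googlebot servers, never from the WAF verdict. The `lookup_ptr`/`lookup_a` helpers and `decide` policy are assumptions for the demo.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed DNS data for an offline run. In production the two lookups would be
# socket.gethostbyaddr(ip)[0] and socket.gethostbyname_ex(name)[2] against a resolver
# you trust (assumption), since the check is only as good as the DNS answers.
PTR_RECORDS: Dict[str, str] = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",               # genuine crawler
    "192.0.2.4": "crawl-66-249-66-1.googlebot.com",                 # forged PTR, fails step 3
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com.evil.example",  # suffix trick, fails step 2
    "198.51.100.9": "host.example.net",                             # ordinary client
}
A_RECORDS: Dict[str, List[str]] = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "crawl-66-249-66-1.googlebot.com.evil.example": ["203.0.113.7"],
    "host.example.net": ["198.51.100.9"],
}


def lookup_ptr(ip: str) -> str:
    return PTR_RECORDS[ip]          # KeyError stands in for a failed reverse lookup


def lookup_a(name: str) -> List[str]:
    return A_RECORDS[name]          # KeyError stands in for NXDOMAIN


GOOGLE_DOMAINS = (".googlebot.com", ".google.com")   # leading dot: "evilgooglebot.com" must fail


def is_verified_googlebot(ip: str,
                          ptr_lookup: Callable[[str], str] = lookup_ptr,
                          a_lookup: Callable[[str], List[str]] = lookup_a) -> bool:
    """Google's documented check: reverse-resolve the IP, require the name to sit under
    googlebot.com or google.com, forward-resolve that name and require the original IP
    to be among the answers. A forged PTR passes step 2 but not step 3."""
    try:
        ipaddress.ip_address(ip)                       # reject garbage before any lookup
        name = ptr_lookup(ip).rstrip(".").lower()
    except (ValueError, KeyError, OSError):            # OSError covers socket.herror/gaierror
        return False
    if not name.endswith(GOOGLE_DOMAINS):
        return False
    try:
        return ip in a_lookup(name)
    except (KeyError, OSError):
        return False


def decide(ip: str, waf_blocks_request: bool,
           ptr_lookup: Callable[[str], str] = lookup_ptr,
           a_lookup: Callable[[str], List[str]] = lookup_a) -> str:
    """Policy using the verification result only for what it supports. The WAF verdict is
    evaluated first and is never overridden by crawler identity, because a request from a
    real Googlebot address is not thereby a safe request."""
    if waf_blocks_request:
        return "block"
    if is_verified_googlebot(ip, ptr_lookup, a_lookup):
        return "allow-no-rate-limit"
    return "allow-rate-limited"


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, is_verified_googlebot(ip), decide(ip, waf_blocks_request=False))
```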
Cyberattacks have always been, well, cyber. Their immediate effects were on our data, our digital information, and our devices…until they weren’t. The interconnected nature of the world and the way it’s built in 2018 has brought us exciting and revolutionary innovations, but it has also been leveraged by hackers to extend the impact of a cyberattack beyond the digital sphere into the physical. Pacemakers can be hacked, shocks can be sent to patients remotely. Critical infrastructure can be taken down, rendering cities powerless. Large corporations we trust with our data are violating that trust by collecting our data unknowingly, and even tracking our locations without consent. Cybercrime is no longer just cyber, and it can compromise a lot more than just data.
When you think of one’s well-being, physical health often comes to mind. Hospitals, health care, and medical tools and devices have evolved to become members of an interconnected ecosystem. Many health care systems connect to the internet to operate, the same holds true with numerous medical devices such as pacemakers. But that makes the latter part of the ”Internet of Things,” a growing collection of connected devices which are potentially vulnerable to cyberattack. In fact, there have already been reports of threats to these medical devices.
We’ve seen a handful of hospitals taken offline in recent ransomware attacks, all due to the use of outdated or vulnerable systems.
In fact, cybercriminals have recently begun hitting critical infrastructure hard and fast, with dramatic results emerging from their efforts. They’ve infamously put an entire city in the Ukraine out of power for about an hour. Then there was the Schneider Electric hack, in which cybercriminals leveraged a zero-day vulnerability within an industrial plant’s safety system for a cyberattack.
There are also cyber issues that impact our physical safety that don’t even come in the form of an attack. Lately, news has been circulating about big-name companies tracking users’ locations or data
Ramifications such as these have changed the nature of privacy, as well as digital and physical safety as we know it.
Last month, the White House released the “National Cyber Strategy of the United States of America.” I generally don’t have much to say about these sorts of documents. They’re filled with broad generalities.
Who can argue with:
Defend the homeland by protecting networks, systems, functions, and data;
Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;
Preserve peace and security by strengthening the ability of the United States in concert with allies and partners to deter and, if necessary, punish those who use cyber tools for malicious purposes; and
Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.
The devil is in the details, of course. And the strategy includes no details.
495 Comments
Tomi Engdahl says:
China Used Tiny Chips on US Computers to Steal Secrets: Report
https://www.securityweek.com/china-used-tiny-chips-us-computers-steal-secrets-report
The Bloomberg News report said the chips, the size of a grain of rice, were used on equipment made for Amazon, which first alerted US authorities, and Apple, and possibly for other companies and government agencies.
Tomi Engdahl says:
Apple:
Apple says it has never found malicious chips in its servers, calls Bloomberg reporters’ claims unsubstantiated and untrue, says it is not under a gag order
What Businessweek got wrong about Apple
https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/
The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims.
Apple provided Bloomberg Businessweek with the following statement before their story was published
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8525-kiinalainen-vakoilupiiri-ujutettiin-palvelinkorteille
Tomi Engdahl says:
Malicious Component Found on Server Motherboards Supplied to Numerous Companies
https://hackaday.com/2018/10/04/malicious-component-found-on-server-motherboards-supplied-to-numerous-companies/
This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a
malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design.
These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components
and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.
Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden
chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing
hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China.
Tomi Engdahl says:
“Researchers at threat intelligence firm Digital Shadows report that companies don’t even need to be hacked to spill their address books and email archives. Careless backups of email archives on publicly-accessible rsync, FTP, SMB, S3 buckets, and NAS drives have exposed some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information” – writes Graham Cluley for Tripwire Blog
https://www.tripwire.com/state-of-security/security-data-protection/bec-as-a-service-offers-hacked-business-accounts-for-as-little-as-150/
Tomi Engdahl says:
Bloomberg:
Sources: Supermicro firmware portal was breached in 2015 and some customers downloaded malware; Facebook was among them, says no servers were used in production — It wasn’t just hardware. An online portal for firmware updates hid and distributed malware.
The Big Hack: The Software Side of China’s Supply Chain Attack
https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-the-software-side-of-china-s-supply-chain-attack
It wasn’t just hardware. An online portal for firmware updates hid and distributed malware.
Even as Amazon, Apple, and U.S. officials were investigating malicious microchips embedded in Supermicro server motherboards, Supermicro was the target of at least two other possible forms of attack, people familiar with multiple corporate probes say.
The first of the other two prongs involved a Supermicro online portal that customers used to get critical software updates, and that was breached by China-based attackers in 2015. The problem, which was never made public, was identified after at least two Supermicro customers downloaded firmware
“In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs,” Facebook said in an emailed statement.
The victims considered the faulty code a serious breach. Firmware updates obtained directly from the manufacturer are usually assumed to be secure.
Tomi Engdahl says:
Apple:
Apple says it has never found malicious chips in its servers, calls Bloomberg reporters’ claims unsubstantiated and untrue, says it is not under a gag order — The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015.
https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/
Tomi Engdahl says:
Bloomberg:
Amazon, Apple, Supermicro, and the Chinese government issue statements disputing the allegations of Bloomberg Businessweek’s hacking story
The Big Hack: Statements From Amazon, Apple, Supermicro, and the Chinese Government
https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Questions about Bloomberg’s story citing 10+ sources on China hacking, after strong denials by companies mentioned, show limits of national security reporting
Bloomberg’s spy chip story reveals the murky world of national security reporting
https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-world-national-security-reporting/
To recap, Chinese spies reportedly infiltrated the supply chain and installed tiny chips the size of a pencil tip on the motherboards built by Supermicro, which are used in data center servers across the U.S. tech industry — from Apple to Amazon. That chip can compromise data on the server, allowing China to spy on some of the world’s most wealthy and powerful companies.
Apple, Amazon and Supermicro — and the Chinese government — strenuously denied the allegations.
Given the magnitude of the story, you don’t want to reveal all of your cards — but still want to seek answers and clarifications without having the subject tip off another news agency — a trick sometimes employed by the government in the hope of lighter coverage.
Yet, to Apple — and Amazon and other companies implicated by the report — they too might also be in the dark.
It’s worth casting your mind back to 2013, days after the first Edward Snowden documents were published.
I was hesitant to cover this at first given the complexity of the allegations and how explosive the claims are without also seeking confirmation. That’s not easy to do in an hour when Bloomberg’s reporters have been working for the best part of a year. Assuming Bloomberg did everything right — a cover story on its magazine, no less, which would have gone through endless editing and fact-checking before going to print — the reporters likely hit a wall and had nothing more to report, and went to print.
But Bloomberg’s delivery could have been better.
Journalism isn’t proprietary. It should be open to as many people as possible. If you’re not transparent in how you report things, you lose readers’ trust.
That’s where the story rests on shaky ground. Admittedly, as detailed and as well-sourced as the story is, you — and I — have to put a lot of trust and faith in Bloomberg and its reporters.
Tomi Engdahl says:
“The study examined 186 WiFi routers from 13 different manufacturers, including market-share leaders Linksys, Belkin, NETGEAR and D-Link. “Failing to address known security flaws leaves consumer devices vulnerable to having their data compromised, leading to malicious activity, identity theft, fraud and espionage,” according to the report.”
via Threatpost
https://threatpost.com/threatlist-83-of-routers-contain-vulnerable-code/137966/
Tomi Engdahl says:
One problem with blocking users from accessing a website, based on geographical region, legal or some other reason: if you’d like to change your password (or delete your account), you just can’t do it, even if you know your account has been compromised.
Tomi Engdahl says:
California passes law that bans default passwords in connected devices
https://techcrunch.com/2018/10/05/california-passes-law-that-bans-default-passwords-in-connected-devices/?sr_share=facebook&utm_source=tcfbpage
Zack Whittaker
Good news!
California has passed a law banning default passwords like “admin,” “123456,” and the old classic “password” in all new consumer electronics starting in 2020.
Every new gadget built in the state from routers to smart home tech will have to come with “reasonable” security features out of the box. The law specifically calls for each device to come with a preprogrammed password “unique to each device.”
It also mandates that any new device “contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time,” forcing users to change the unique password to something new as soon as it’s switched on for the first time.
Tomi Engdahl says:
Russian hackers were caught in the act — and the results are devastating
https://www.washingtonpost.com/amphtml/opinions/global-opinions/russian-hackers-were-caught-in-the-act–and-the-results-are-devastating/2018/10/05/5e72495a-c8b5-11e8-b1ed-1d2d65b86d0c_story.html?noredirect=on
Once upon a time, the Dutch authorities might have kept all these things to themselves. But not now. On Thursday, the Dutch defense minister presented this plethora of documents, scans, photographs and screenshots on large slides at a lengthy news conference. Within seconds, the images spread around the world. Within hours, Bellingcat, the independent research group that pioneered the new science of open source investigation, had checked the men’s names against several open Russian databases.
Tomi Engdahl says:
NYC wants to build a cyber army
https://techcrunch.com/2018/10/02/nyc-wants-to-build-a-cyber-army/?sr_share=facebook&utm_source=tcfbpage
Through five new startup programs, Cyber NYC is the city’s bold plan to dominate cybersecurity this century
Tomi Engdahl says:
Computer Networks Are Now Permanently Hackable. Have Fun With That.
https://www.bloomberg.com/view/articles/2018-10-04/the-big-hack-global-supply-village-is-stuck-with-trapdoors?utm_source=facebook&utm_campaign=socialflow-organic&utm_medium=social&cmpid=socialflow-facebook-business&utm_content=business
The web of parts makers, assemblers, testers and contractors is almost impossible to untangle.
Tomi Engdahl says:
Google’s cyber unit Jigsaw introduces Intra, a new security app dedicated to busting censorship
https://techcrunch.com/2018/10/03/googles-cyber-unit-jigsaw-introduces-intra-a-security-app-dedicated-to-busting-censorship/?sr_share=facebook&utm_source=tcfbpage
Jigsaw, the division owned by Google parent Alphabet, has revealed Intra, a new app aimed at protecting users from state-sponsored censorship.
Intra is a new app that aims to prevent DNS manipulation attacks.
By passing all your browsing queries and app traffic through an encrypted connection to a trusted Domain Name Server, Intra says it ensures you can use your app without meddling or get to the right site without interference.
Tomi Engdahl says:
Google is shutting down Google+ following massive data exposure
https://www.engadget.com/2018/10/08/google-shutting-down-google-plus/
The company has admitted that user engagement on the service was low.
Following a massive data breach first reported on by The Wall Street Journal, Google announced today that it is shutting down its social network Google+ for consumers. The company finally admitted that Google+ never received the broad adoption or engagement with users that it had hoped for — according to a blog post, 90 percent of Google+ user sessions last for less than five seconds.
Google exposed data for hundreds of thousands of users
https://www.engadget.com/2018/10/08/google-reportedly-exposed-data-for-hundreds-of-thousands-of-user/
The company also didn’t tell users about the exposure.
Google exposed private data from hundreds of thousands of Google+ users and then chose not to inform those affected by the issue. The Wall Street Journal reports that sources close to the matter claim the decision to keep the exposure under wraps was made among fears of regulatory scrutiny. Google says it discovered and immediately fixed the issue in March of this year.
a software vulnerability gave outside developers access to private Google+ user data between 2015 and 2018. And an internal memo noted that while there wasn’t any evidence of misuse on behalf of developers, there wasn’t a way to know for sure whether any misuse took place.
Google said in a blog post that nearly 500,000 users may have been impacted, but because the company keeps the log data from this specific API for only two weeks at a time, it can’t fully confirm who was truly impacted and who was not.
if it was indeed disclosed, it could result in “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.”
In light of this issue, Google will be shutting down the consumer version of Google+ and will do so over the course of 10 months in order to allow users to transition out of the service.
Tomi Engdahl says:
Google+ to shut down after coverup of data-exposing bug
https://techcrunch.com/2018/10/08/google-plus-hack/?sr_share=facebook&utm_source=tcfbpage
Google is about to have its Cambridge Analytica moment. A security bug allowed third-party developers to access Google+ user profile data since 2015 until Google discovered and patched it in March, but decided not to inform the world.
Indeed, 496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed, though Google says it has no evidence the data was misused by the 438 apps that could have had access.
The company decided against informing the public because it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” according to an internal memo.
Tomi Engdahl says:
The changes include stopping most third-party developers from accessing Android phone SMS data, call logs and some contact info. Gmail will restrict building add-ons to a small number of developers. Google+ will cease all its consumer services while winding down over the next 10 months with an opportunity for users to export their data.
https://techcrunch.com/2018/10/08/google-plus-hack/?sr_share=facebook&utm_source=tcfbpage
Tomi Engdahl says:
Google Exposed User Data, Feared Repercussions of Disclosing to Public
https://www.wsj.com/articles/google-exposed-user-data-feared-repercussions-of-disclosing-to-public-1539017194
Google opted not to disclose to users its discovery of a bug that gave outside developers access to private data. It found no evidence of misuse.
Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.
Tomi Engdahl says:
HOW RUSSIAN SPIES INFILTRATED HOTEL WI-FI TO HACK VICTIMS UP CLOSE
https://www.wired.com/story/russian-spies-indictment-hotel-wi-fi-hacking/
FOR YEARS, THE Kremlin’s increasingly aggressive hackers have reached across the globe to hit targets with everything from simple phishing schemes to worms built from leaked NSA zero day vulnerabilities. Now, law enforcement agencies in the US and Europe have detailed another, far more hands-on tactic: Snooping on Wi-Fi from a vehicle parked a few feet away from a target office—or even from a laptop inside their hotel.
Russian hackers caught red-handed: Parking vehicles outside of target buildings, and infiltrating Wi-Fi networks to hack victims.
Justice Department’s indictment reads. “Using specialized equipment, and with the remote support of conspirators in Russia, these on-site teams hacked into Wi-Fi networks used by victim organizations or their personnel, including hotel Wi-Fi networks.”
Tomi Engdahl says:
Russia’s Hackers Long Tied to Military, Secret Services
https://www.securityweek.com/russias-hackers-long-tied-military-secret-services
During the Soviet era, the country’s top computer scientists and programmers largely worked for the secret services.
That practice appears to have resumed under President Vladimir Putin, as Russia faces accusations of waging a global campaign of cyber attacks.
Dutch officials on Thursday accused four Russians from the GRU military intelligence agency of attempting to hack into the global chemical weapons watchdog in The Hague.
The agency has investigated both the fatal poisoning of Russian former double-agent Sergei Skripal; and an alleged chemical attack by Moscow-allied Syrian President Bashar al-Assad.
The Baltic states were the first to accuse Moscow of mounting attacks to knock out their sites back in 2007.
Estonia said one such attack had put the country’s main emergency service phone number out of action for over an hour.
Since then, accusations of cyber attacks have continued against Moscow.
Tomi Engdahl says:
Google Says Social Network Bug Exposed Private Data
https://www.securityweek.com/google-says-social-network-bug-exposed-private-data
Google announced Monday it is shutting down the consumer version of its online social network after fixing a bug exposing private data in as many as 500,000 accounts.
The US internet giant said it will “sunset” the Google+ social network for consumers, which failed to gain meaningful traction after being launched in 2011 as a challenge to Facebook.
A Google spokesperson cited “significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations” along with “very low usage” as the reasons for the move.
In March, a security audit revealed a software bug that gave third-party apps access to Google+ private profile data that people meant to share only with friends.
Google said it was unable to confirm which accounts were affected by the bug, but an analysis indicated it could have been as many as 500,000 Google+ accounts.
Tomi Engdahl says:
Code Execution Flaws Found in WECON Industrial Products
https://www.securityweek.com/code-execution-flaws-found-wecon-industrial-products
A significant number of vulnerabilities have been found recently in products from China-based WECON, but the vendor has been slow to release patches.
WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company’s products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.
An advisory published recently by ICS-CERT reveals that researchers Mat Powell and Natnael Samson discovered several vulnerabilities in WECON’s PI Studio HMI software.
According to ICS-CERT, WECON has confirmed the vulnerabilities, but it has yet to release any patches.
Tomi Engdahl says:
The DNC Hacker Indictment: A Lesson in Failed Misattribution
https://www.securityweek.com/dnc-hacker-indictment-lesson-failed-misattribution
The hackers made eight different kinds of misattribution OPSEC errors in the course of their attacks that exposed their fake identities: account reuse, IP / computer reuse, known malware phylogeny, identifying metadata, writing style, financial tracing, late timing, and forgetting to use their tools. The Russian hackers needed to achieve three goals for their misattribution efforts to be effective. First, they needed to hide the fact that Russia was involved in the activity at all. Second, they wanted Guccifer 2.0, the “hacker”, to be seen to be a Romanian lone wolf. Third, they wanted the DCLeaks website, which released the stolen documents, to appear to be run by American hacktivists who were completely independent of the hacker.
We can see several errors in just the initial hacking activities. The hackers used malware called “X-Agent” and “X-Tunnel” which are known to the security community. That malware is part of a malware family used by a group referred to as “FancyBear”, long associated with the Russian government.
The hackers sent the phishing emails used to compromise the DNC and DCCC computers from [email protected], a Russian email service. That would probably not be the first choice of non-Russian hackers.
Sources outside the indictment show that Guccifer 2.0’s Romanian identity was also contradicted by his poor facility with the Romanian language.
Tomi Engdahl says:
California to Ban Weak Passwords
https://www.securityweek.com/california-ban-weak-passwords
California Bill Requires Unique Passwords in Connected Devices
The state of California recently passed a bill that requires the manufacturers of connected devices to use unique hardcoded passwords for each device manufactured.
The bill, meant to combat the widespread use of weak passwords in connected devices such as Internet of Things (IoT) products, also demands that manufacturers implement a security feature in their devices to require users to select new means of authentication upon first use.
The use of weak passwords in connected devices is a well-known security issue that has fueled a broad range of cyber-attacks, including the emergence of numerous, large IoT botnets.
By targeting devices improperly secured with default or easy-to-guess passwords, IoT botnets such as Mirai (and its many variants), Gafgyt (also known as Bashlite), Reaper, Hide ‘N Seek, and Torii can then be leveraged to launch massive distributed denial of service attacks, to send spam emails, for malware distribution, and for various other nefarious activities.
However, it’s not only IoT devices that are impacted by the use of default or weak passwords. The issue was also found in industrial control system (ICS) products, and security researchers even published a list of default credentials for ICS devices.
Tomi Engdahl says:
Silk Road Admin Pleads Guilty
https://www.securityweek.com/silk-road-admin-pleads-guilty
An Irish man pled guilty in a United States court to his role in the administration of Silk Road, a black-market website.
Tomi Engdahl says:
Google Criticizes Apple Over Safari Security, Flaw Disclosures
https://www.securityweek.com/google-criticizes-apple-over-safari-security-flaw-disclosures
One Year After Release, Google Fuzzer Still Finds Many Flaws in Safari
One year after it was released as open source by Google Project Zero, the Domato fuzzer has still found a significant number of vulnerabilities in Apple’s Safari web browser.
In September 2017, Google Project Zero researcher Ivan Fratric announced the release of a new Document Object Model (DOM) fuzzer designed for testing web browser engines. At the time, he revealed that Domato had helped him find more than 30 vulnerabilities, including two flaws in Chrome’s Blink engine, four in Firefox’s Gecko, four in Internet Explorer’s Trident, six in EdgeHtml, and 17 in Safari’s WebKit.
Tomi Engdahl says:
Dina Temple-Raston / NPR:
The tech industry wants federal control over data privacy laws because state frameworks, like California’s new privacy law, are seen as a major threat
Why The Tech Industry Wants Federal Control Over Data Privacy Laws
https://www.npr.org/2018/10/08/654893289/why-the-tech-industry-wants-federal-control-over-data-privacy-laws?t=1539081573081
New laws in Europe and California are forcing tech companies to protect users’ privacy or risk big fines.
Now, the industry is fearing that more states will enact tough restrictions. So it’s moving to craft federal legislation that would pre-empt state laws and might put the Federal Trade Commission in charge of enforcement.
Europe enacted a tough law in May which requires, among other things, that companies make data breaches public within 72 hours of discovering them.
That’s why Facebook had to promptly announce last month that its systems had been hacked and at least 50 million user accounts were compromised.
In June, California passed legislation that — if it is enacted as written — would go even farther, allowing users to sue for damages for exactly the kind of data breach Facebook suffered.
“They don’t want to entertain the possibility that they would be liable to individuals for doing some sort of harm from all the data that they collect,”
Tomi Engdahl says:
The American Consumer Institute examined 186 small office/home office Wi-Fi routers from 14 vendors and found that the firmware in 155 of those routers had known vulnerabilities to cyberattacks.
“Our analysis shows that, on average, routers contained 12 critical vulnerabilities and 36 high-risk vulnerabilities, across the entire sample,” ACI stated.
https://semiengineering.com/week-in-review-iot-security-auto-13/
Tomi Engdahl says:
DHS Warns of Threats to Precision Agriculture
https://www.securityweek.com/dhs-warns-threats-precision-agriculture
Relying on various embedded and connected technologies to improve agricultural and livestock management, precise agriculture is exposed to vulnerabilities and cyber-threats, a new report from the United States Department of Homeland Security (DHS) warns.
The adoption of precision agriculture technology has increased, which has also introduced various cyber risks. By exploiting vulnerabilities in precision agriculture technologies, an attacker could not only access sensitive data and steal resources, but also tamper with or destroy equipment.
Technologies used in precision agriculture “rely on remote sensing, global positioning systems, and communication systems to generate big data, data analytics, and machine learning,” the DHS report (PDF) says.
https://www.dhs.gov/sites/default/files/publications/2018%20AEP_Threats_to_Precision_Agriculture.pdf
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8536-suomen-skannatun-passin-saa-pimeasti-7-eurolla
Tomi Engdahl says:
Ben Smith / The Keyword:
In the wake of WSJ story, Alphabet shuts down Google+ for consumers, debuts more granular Google Account permissions, adds restrictions to Gmail API — Many third-party apps, services and websites build on top of our various services to improve everyone’s phones, working life, and online experience.
Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+
https://www.blog.google/technology/safety-security/project-strobe/
Tomi Engdahl says:
Google to shut down Google+ after failing to disclose user data breach
https://www.theguardian.com/technology/2018/oct/08/google-plus-security-breach-wall-street-journal
Company didn’t disclose leak for months to avoid a public relations headache and potential regulatory enforcement
This March, as Facebook was coming under global scrutiny over the harvesting of personal data for Cambridge Analytica, Google discovered a skeleton in its own closet: a bug in the API for Google+ had been allowing third-party app developers to access the data not just of users who had granted permission, but of their friends.
If that sounds familiar, it’s because it’s almost exactly the scenario that got Mark Zuckerberg dragged in front of the US Congress. The parallel was not lost on Google, and the company chose not to disclose the data leak
Tomi Engdahl says:
Garmin-owned navigation unit exposed thousands of boat owners’ data
https://techcrunch.com/2018/10/08/garmin-owned-navigation-unit-exposed-thousands-of-boat-owners-data/?sr_share=facebook&utm_source=tcfbpage
Navionics, an electronic navigational chart maker owned by tech giant Garmin, has secured an exposed database that contained hundreds of thousands of customer records.
The MongoDB database wasn’t secured with a password, allowing anyone who knew where to look to access and download the data
Bob Diachenko, Hacken.io’s newly appointed director of cyber risk research, said in a blog post that the 19 gigabyte database contained 261,259 unique records, including customer names and email addresses. The data also included information about their boat — such as latitude and longitude, boat speed and other navigational details
Tomi Engdahl says:
Sony Smart TV Bug Allows Remote Access, Root Privileges
https://threatpost.com/sony-smart-tv-bug-allows-remote-access-root-privileges/138063/
Software patching becomes a new reality for smart TV owners.
As the number of smart TVs grows, so does the number of vulnerabilities inside of them. On Thursday, security researchers revealed that eight Sony Bravia smart TV models are vulnerable to three separate bugs, one rated critical.
Tomi Engdahl says:
Government watchdog says U.S. weapons systems are vulnerable to hacks, but the Pentagon is slow to act
https://techcrunch.com/2018/10/09/watchdog-pentagon-weapons-hack/?sr_share=facebook&utm_source=tcfbpage
A government watchdog has said the Department of Defense has not done enough to protect critical weapons systems from cyberattacks.
The new report out of the Government Accountability Office on Tuesday said that the Pentagon has “not make weapon cybersecurity a priority,” and, although there have been some improvements over the years, the department’s “nascent understanding” of how to secure weapons systems has left officials scrambling on “how best to address weapon systems cybersecurity.”
https://www.gao.gov/products/GAO-19-128
Tomi Engdahl says:
Instagram’s app-based 2FA is live now, here’s how to turn it on
https://techcrunch.com/2018/10/09/instagram-2fa-two-factor-authentication/?utm_source=tcfbpage&sr_share=facebook
In late September, Instagram announced that it would be adding non SMS-based two-factor authentication to the app. Instagram confirmed to TechCrunch that the company rolled out the security feature last week and that non-SMS two-factor authentication is live now for all users.
Tomi Engdahl says:
https://www.infosecurity-magazine.com/news/google-heads-scrap-heap-privacy/
Tomi Engdahl says:
Heathrow fined for USB stick data breach
https://www.bbc.com/news/business-45785227
Heathrow Airport has been fined £120,000 by the Information Commissioner’s Office for “serious” data protection failings.
It comes after a staff member lost a USB stick last October containing “sensitive personal data”, which was later found by a member of the public.
Reports at the time claimed this included the Queen’s security and travel arrangements, although the ICO would not confirm this.
Heathrow said it regretted the breach.
The Information Commissioner’s Office (ICO) said the memory stick, which contained 76 folders and more than 1,000 files, was not encrypted or password-protected.
However, a report in the Mirror newspaper at the time suggested the breach had also posed a risk to national security.
It reported a man had found the memory stick on a West London street and viewed its contents at a local library, discovering information including:
A timetable of patrols that was used to guard the site against suicide bombers and terror attacks
Routes and safeguards for Cabinet ministers and foreign dignitaries
The exact route the Queen took when using the airport and security measures used to protect her.
The ICO confirmed the memory stick had been passed on to an unnamed national newspaper.
The ICO added that only 2% of the airport’s 6,500-strong workforce had been trained in data protection.
Tomi Engdahl says:
New Pentagon Weapons Systems Easily Hacked: Report
https://www.securityweek.com/new-pentagon-weapons-systems-easily-hacked-report
New US weapons systems being developed by the US Department of Defense can easily be hacked by adversaries, a new government report said on Tuesday.
The Government Accountability Office said the Pentagon was unaware of how easy it could be for an adversary to gain access to the computer brains and software of the weapons systems and operate inside them undetected.
The weak points began with poor password management and unencrypted communications, it said.
But it said access points for the systems continued to grow in number and are not always well-understood by the operators themselves, leaving even non-networked systems deeply vulnerable.
More critically, the report faulted the US military for not incorporating cybersecurity into the design and acquisition process for the computer-dependent weapons.
Tomi Engdahl says:
Windows Zero-Day Exploited in Attacks Aimed at Middle East
https://www.securityweek.com/windows-zero-day-exploited-attacks-aimed-middle-east
One of the vulnerabilities patched by Microsoft with its latest Patch Tuesday updates is a Windows zero-day exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.
The flaw, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. An authenticated attacker can exploit the vulnerability to take control of an affected system.
The vulnerability was reported to Microsoft by Kaspersky Lab after one of the security firm’s systems detected an exploitation attempt. Kaspersky said it had reported the vulnerability to Microsoft on August 17 – it’s unclear why Microsoft waited so long to release a fix.
Microsoft Patches Windows Zero-Day Exploited by ‘FruityArmor’ Group
https://www.securityweek.com/microsoft-patches-windows-zero-day-exploited-fruityarmor-group
Microsoft’s Patch Tuesday updates for October 2018 resolve nearly 50 vulnerabilities, including a Windows zero-day flaw exploited by an advanced persistent threat (APT) actor known as FruityArmor.
The zero-day, tracked as CVE-2018-8453, has been described by Microsoft as a privilege escalation issue related to how the Win32k component of Windows handles objects in memory. The company says an authenticated attacker can exploit the security hole to elevate privileges and take control of the affected system.
Tomi Engdahl says:
Google Tightens Rules Around App Permissions
https://www.securityweek.com/google-tightens-rules-around-app-permissions
Google this week announced improved user control over data shared with apps, redesigned app permissions, and diminished app access to sensitive information such as contacts, SMS, and phone.
The changes, the search giant says, are being rolled out as part of Project Strobe, which represents an overall review of third-party developer access to Google account and Android device data. The idea was to have a look at privacy controls, data privacy concerns, and the access developers enjoy, and make adjustments where necessary.
Tomi Engdahl says:
Apple Patches Passcode Bypass in iOS
https://www.securityweek.com/apple-patches-passcode-bypass-ios
Apple on Monday released patches for iOS devices to address a recently disclosed vulnerability that could result in the bypass of the lockscreen.
The issue was found by iPhone enthusiast Jose Rodriguez, known for his YouTube channel “videosdebarraquito,” who revealed several other passcode bypass techniques in the past.
Exploitation requires both physical access to the device and for Siri to be enabled and Face ID to be disabled.
Tomi Engdahl says:
Google Launch Event Overshadowed by Privacy Firestorm
https://www.securityweek.com/google-launch-event-overshadowed-privacy-firestorm
Google was supposed to be focusing Tuesday on its launch of a new smartphone and other devices, but the event was being overshadowed by a firestorm over a privacy glitch that forced it to shut down its struggling social network.
Tomi Engdahl says:
Researchers KRACK Wi-Fi Again, More Efficiently This Time
https://www.securityweek.com/researchers-krack-wi-fi-again-more-efficiently-time
Researchers who last year discovered security issues in the Wi-Fi Protected Access II (WPA2) protocol that made them vulnerable to an attack known as Key Reinstallation Attack, or KRACK, have just revealed more practical versions of the attacks.
KRACK, Mathy Vanhoef and Frank Piessens explained last year, could provide malicious actors within range of a victim with the ability to access information otherwise believed to be safely encrypted. Residing in the Wi-Fi standard itself, the bugs impact all implementations, including Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others.
Targeting several handshakes in the 802.11 standard, the KRACKs manipulate handshake messages to reinstall an already-in-use key, which results in nonce reuse and replay attacks, Vanhoef and Piessens explained last year.
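The key-reinstallation mechanism described above, as an added illustration that is not part of the original post or of the researchers' code: a counter-mode transmitter whose nonce restarts whenever the pairwise key is (re)installed, a client that either re-runs the installation on a retransmitted handshake message 3 (unpatched) or ignores a reinstall of a key it already holds (the patched behaviour), and the two-time-pad consequence when the nonce repeats. SHA-256 stands in for the AES core, and the frames and key are constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream derived from (key, nonce, counter).
    SHA-256 replaces the AES core of CCMP/GCMP here; the property that
    matters is identical: same (key, nonce) -> same keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + nonce.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Transmitter:
    key: bytes
    nonce: int = 0  # 48-bit packet number; must never repeat under one key

    def encrypt(self, plaintext: bytes):
        n = self.nonce
        self.nonce += 1
        return n, xor(plaintext, keystream(self.key, n, len(plaintext)))


class Station:
    """Client side of the 4-way handshake, reduced to key installation."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.installed: Optional[bytes] = None
        self.tx: Optional[Transmitter] = None

    def on_handshake_msg3(self, ptk: bytes) -> bool:
        """Install the pairwise key when message 3 arrives (or is retransmitted).
        Unpatched: (re)install the key and reset the nonce to 0.
        Patched (the KRACK fix): ignore a reinstall of the key already in use."""
        if self.patched and ptk == self.installed:
            return False
        self.installed = ptk
        self.tx = Transmitter(ptk)  # nonce counter starts again at 0
        return True


def run_session(patched: bool) -> dict:
    ptk = b"\x11" * 16  # constructed pairwise transient key
    station = Station(patched)
    station.on_handshake_msg3(ptk)
    frame1 = b"GET /index.html HTTP/1.1\r\n"  # constructed; assumed known to an observer
    n1, c1 = station.tx.encrypt(frame1)
    # Message 3 arrives a second time (the retransmission the attack relies on).
    reinstalled = station.on_handshake_msg3(ptk)
    frame2 = b"Cookie: session=secret-value\r\n"  # constructed
    n2, c2 = station.tx.encrypt(frame2)
    result = {"reinstalled": reinstalled, "nonce_reused": n1 == n2, "exposed": None}
    if n1 == n2:
        # Same key and nonce -> same keystream, so c1 ^ c2 == frame1 ^ frame2:
        # whoever knows frame1 learns frame2 over the overlapping length.
        result["exposed"] = xor(xor(c1, c2), frame1)
    return result


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", run_session(patched))
```

The unpatched run reports `nonce_reused` and yields the second frame's bytes; the patched run returns `reinstalled == False` and the nonce keeps counting, which is exactly the check vendors shipped after the 2017 disclosure. On a real network the observable symptom is the same (a client's packet numbers going backwards after a handshake retransmission), so monitoring for nonce regression per association is a workable detection signal.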
Tomi Engdahl says:
Better Customer Experience is More Than a “Nice to Have” for Security
https://www.securityweek.com/better-customer-experience-more-nice-have-security
Customer Experience (CX) has gone from a buzzword to an imperative in just a few short years. A reported 80 percent of companies responding to Gartner’s marketing leaders survey now say they expect to compete mainly based on CX. Forrester has created a Customer Experience Index by which they measure and rank CX leaders. And there are hundreds of customer experience conferences to choose from every year.
Improved security leads to improved customer experience – and improved customer experience leads to improved security. Here are four key ways.
1. Simplicity of the solution
2. Dedicated customer success teams
3. Integration
4. A “solutions” focus
CX is becoming a key driver of success in the security industry, not just for companies that deliver superior customer experiences but – more importantly – for the organizations and security professionals they serve. The nuance and interplay between the two is a powerful proposition.
Tomi Engdahl says:
Abusing Googlebot Services to Deliver Crypto-Mining Malware
https://www.f5.com/labs/articles/threat-intelligence/abusing-googlebot-services-to-deliver-crypto-mining-malware
While investigating a recent threat campaign, F5 researchers encountered a strange behaviour where malicious requests were originating from legitimate Googlebot servers. This relatively infrequent behavior could potentially have serious consequences in environments where the trust level given to Googlebot influences an organization’s security decisions.
Google’s official support site advises to “make sure Googlebot is not blocked” [1] and provides instructions to verify that Googlebot is real [2]. Both imply that trusting Googlebot traffic is somewhat mandatory if you’d like your site to show up in Google search engine results.
Make sure Googlebot is not blocked
https://support.google.com/webmasters/answer/2387297?hl=en
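The verification Google's guidance refers to is a reverse-then-forward DNS check, shown here as an added example (not F5's or Google's code) with an injectable resolver so it runs offline against constructed PTR and A records in RFC 5737 documentation ranges. It settles only where a request came from; the F5 finding is that requests from genuine Googlebot hosts can still carry attacker-chosen URLs, so a verified result should drive logging and rate decisions, not a bypass of request inspection.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple

# Google documents that genuine crawler hosts reverse-resolve into these zones.
GOOGLE_ZONES = (".googlebot.com", ".google.com")

LookupFn = Callable[[str], Tuple[str, List[str], List[str]]]


def verify_googlebot(ip: str,
                     reverse_lookup: LookupFn = socket.gethostbyaddr,
                     forward_lookup: LookupFn = socket.gethostbyname_ex) -> bool:
    """Reverse-then-forward DNS check: the PTR name must lie in a Google zone
    and that name must resolve back to the same address."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    try:
        hostname, _, _ = reverse_lookup(ip)
    except OSError:
        return False
    host = hostname.rstrip(".").lower()
    if not host.endswith(GOOGLE_ZONES):
        return False
    # The reverse zone belongs to whoever owns the IP, so a Google-looking PTR
    # proves nothing by itself; the forward zone is Google's, which closes the loop.
    try:
        _, _, addresses = forward_lookup(host)
    except OSError:
        return False
    return ip in addresses


def classify_request(ip: str, user_agent: str,
                     reverse_lookup: LookupFn = socket.gethostbyaddr,
                     forward_lookup: LookupFn = socket.gethostbyname_ex) -> str:
    """Label a request for logging or rate-limit decisions. A verified crawler
    still gets the same request inspection as everyone else."""
    if "googlebot" not in user_agent.lower():
        return "other"
    if verify_googlebot(ip, reverse_lookup, forward_lookup):
        return "verified-googlebot"
    return "spoofed-googlebot"


# --- constructed DNS data for an offline run (RFC 5737 documentation ranges) ---
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",     # consistent both ways
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",  # forged PTR on a non-Google IP
    "203.0.113.5": "host5.example.net",                  # ordinary host
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    # the forged name does not exist in Google's forward zone: NXDOMAIN
    "host5.example.net": ["203.0.113.5"],
}


def fake_reverse(ip: str):
    """Stand-in for socket.gethostbyaddr over the constructed records."""
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip], [], [ip]


def fake_forward(host: str):
    """Stand-in for socket.gethostbyname_ex over the constructed records."""
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return host, [], FAKE_A[host]


UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, classify_request(ip, UA, fake_reverse, fake_forward))
```

Dropping the two resolver arguments makes the functions use the real `socket` calls; in production cache the results per IP, since the two lookups happen on every request from a self-declared crawler.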
Tomi Engdahl says:
When the Digital Impacts the Physical
https://securingtomorrow.mcafee.com/mcafee-labs/when-the-digital-impacts-the-physical/
Cyberattacks have always been, well, cyber. Their immediate effects were on our data, our digital information, and our devices…until they weren’t. The interconnected nature of the world and the way it’s built in 2018 has brought us exciting and revolutionary innovations, but it has also been leveraged by hackers to extend the impact of a cyberattack beyond the digital sphere into the physical. Pacemakers can be hacked, shocks can be sent to patients remotely. Critical infrastructure can be taken down, rendering cities powerless. Large corporations we trust with our data are violating that trust by collecting our data unknowingly, and even tracking our locations without consent. Cybercrime is no longer just cyber, and it can compromise a lot more than just data.
When you think of one’s well-being, physical health often comes to mind. Hospitals, health care, and medical tools and devices have evolved to become members of an interconnected ecosystem. Many health care systems connect to the internet to operate, the same holds true with numerous medical devices such as pacemakers. But that makes the latter part of the “Internet of Things,” a growing collection of connected devices which are potentially vulnerable to cyberattack. In fact, there have already been reports of threats to these medical devices.
We’ve seen a handful of hospitals taken offline in recent ransomware attacks, all due to the use of outdated or vulnerable systems.
In fact, cybercriminals have recently begun hitting critical infrastructure hard and fast, with dramatic results emerging from their efforts. They’ve infamously put an entire city in the Ukraine out of power for about an hour. Then there was the Schneider Electric hack, in which cybercriminals leveraged a zero-day vulnerability within an industrial plant’s safety system for a cyberattack.
There are also cyber issues that impact our physical safety that don’t even come in the form of an attack. Lately, news has been circulating about big-name companies tracking users’ locations or data
Ramifications such as these have changed the nature of privacy, as well as digital and physical safety as we know it.
Tomi Engdahl says:
The US National Cyber Strategy
https://www.schneier.com/blog/archives/2018/10/the_us_national.html
Last month, the White House released the “National Cyber Strategy of the United States of America.” I generally don’t have much to say about these sorts of documents. They’re filled with broad generalities.
Who can argue with:
Defend the homeland by protecting networks, systems, functions, and data;
Promote American prosperity by nurturing a secure, thriving digital economy and fostering strong domestic innovation;
Preserve peace and security by strengthening the ability of the United States in concert with allies and partners to deter and, if necessary, punish those who use cyber tools for malicious purposes; and
Expand American influence abroad to extend the key tenets of an open, interoperable, reliable, and secure Internet.
The devil is in the details, of course. And the strategy includes no details.