Cyber Security October 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.

You are also free to post related links.

495 Comments

  1. Tomi Engdahl says:

    Flatpak – a security nightmare
    https://flatkill.org/

    Red Hat’s flatpak has been getting a lot of attention lately, it’s the self-proclaimed new way of distributing desktop applications on Linux. It’s secure they say ..

    New Website Claims Flatpak is a “Security Nightmare”
    https://www.omgubuntu.co.uk/2018/10/new-website-claims-flatpak-is-a-security-nightmare

    A newly launched website is warning users about Flatpak, branding the tech a “security nightmare”.

    The ‘Flatkills.org’ web page takes aim at a number of security claims routinely associated with the fledgling Flatpak app packaging and distribution format.

    Three areas are flagged by the site — which is currently doing the rounds on social media — that its author contends are not readily apparent to users:

    Many Flatpak apps have filesystem write permission
    Most Flatpak apps do not run in a sandbox
    Slow/no critical security updates to apps and runtimes

    Reply
  2. Tomi Engdahl says:

    Zero-day exploit (CVE-2018-8453) used in targeted attacks
    https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/

    Yesterday, Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. We reported this vulnerability to Microsoft on August 17, 2018. Microsoft confirmed the vulnerability and designated it CVE-2018-8453.

    Reply
  3. Tomi Engdahl says:

    Kanye West’s iPhone passcode is 000000
    West also proposed replacing Air Force One with the ‘iPlane 1’ from Apple
    https://www.theverge.com/tldr/2018/10/11/17964848/kanye-west-iphone-passcode-trump-iplane-apple-meeting

    Kanye West may need a new iPhone password. The outspoken musician accidentally revealed his password when unlocking his iPhone X on video during a meeting with President Trump, shown to be the incredibly weak combination of 000000.

    West revealed the password as part of a stream-of-consciousness speech to the president.

    Despite using an iPhone X or XS — which both support Face ID, therefore negating the need for a typed-in password — West chose to unlock his phone manually. (Whether Face ID failed, was disabled, or is simply not fast enough for West is unclear.)

    Apple doesn’t recommend that users set such a simple password on its iOS devices. If you attempt to change your password to something like 000000 or 123456, a notification will pop up, suggesting that the combination can be easily guessed and recommending that you choose something else.

    West went on to say, “We’re going to have Apple — an American company — work on this plane.”

    Reply
  4. Tomi Engdahl says:

    Chrome 70's Upcoming Security Change Will Break Hundreds of Sites
    https://it.slashdot.org/story/18/10/09/008210/chrome-70s-upcoming-security-change-will-break-hundreds-of-sites?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    When Chrome 70 arrives on October 16th, it will drop trust for a major HTTPS certificate provider, putting hundreds of popular websites at risk of breaking. “Chrome 70 is expected to be released on or around October 16, when the browser will start blocking sites that run older Symantec certificates issued before June 2016, including legacy branded Thawte, VeriSign, Equifax, GeoTrust and RapidSSL certificates,” reports TechCrunch.

    With Chrome 70, hundreds of popular websites are about to break
    https://techcrunch.com/2018/10/08/chrome-hundreds-of-sites-to-break/

    Reply
  5. Tomi Engdahl says:

    https://www.tivi.fi/Kumppaniblogit/dna/algoritmit-mellastavat-pian-pilvessa-pahat-mielessa-6742440

    Weaponized drones. Machines that attack on their own. ‘That day is going to come’
    https://www.cnbc.com/2018/07/20/ai-cyberattacks-artificial-intelligence-threatens-cybersecurity.html

    Artificial intelligence has clear positive uses, but it could be used to teach machines to attack people and their computer networks on their own.
    Drones and autonomous vehicles could be hacked using AI and turned into weapons.
    Traditional cybersecurity methods won’t know how to cope with new attacks carried out by smart machines.

    Reply
  6. Tomi Engdahl says:

    Cops Arrest Infamous SIM Swapper Who Allegedly Stole $14 Million in Cryptocurrency
    https://motherboard.vice.com/en_us/article/7x3may/cops-arrest-sim-swapper-14-million-cryptocurrency

    A California task force caught another big name in the criminal underground world of SIM hijackers.

    Reply
  7. Tomi Engdahl says:

    How to level up your organization’s security expertise
    https://opensource.com/article/18/10/how-level-security-expertise-your-organization?sc_cid=7016000000127ECAAY

    These best practices will make your employees more savvy and your organization more secure.

    Reply
  8. Tomi Engdahl says:

    Facebook breach saw 15M users’ names & contact info stolen, 14M’s bios too
    https://techcrunch.com/2018/10/12/facebook-breach/?sr_share=facebook&utm_source=tcfbpage

    Facebook has now detailed what data was scraped and stolen in the breach it revealed two weeks ago. 30 million users, not 50 million as it initially estimated, had their access tokens stolen by hackers.

    15 million of the 30 million users had their name plus phone number and/or email accessed. 14 million had that info plus potentially more biographical info accessed, including “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches”. The remaining 1 million users’ information wasn’t accessed.

    Reply
  9. Tomi Engdahl says:

    Russian hackers in The Hague not alone, other hacking attempts on file
    https://www.dutchnews.nl/news/2018/10/russian-hackers-in-the-hague-not-alone-other-hacking-attempts-on-file/

    Hackers from various other countries are also active in the Netherlands alongside Russian hackers and at least nine different groups have aroused suspicion, web security group Kaspersky has told broadcaster NOS. ‘The Netherlands is not often in the news as a country where hacking takes place so we dug back into our files,’

    Reply
  10. Tomi Engdahl says:

    Here’s how to find out if your Facebook was hacked in the breach
    https://techcrunch.com/2018/10/12/was-my-facebook-hacked/?utm_source=tcfbpage&sr_share=facebook

    Are you one of the 30 million users hit by Facebook’s access token breach announced two weeks ago? Here’s how to find out.

    Reply
  11. Tomi Engdahl says:

    Facebook mass hack last month was so totally overblown – only 30 million people affected
    Good news: 20m feared pwned are safe. Bad news: That’s still 30m profiles snooped…
    https://www.theregister.co.uk/2018/10/12/hack_of_facebook/

    Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

    Basically everything you need to, say, answer someone’s security questions to gain control of their account on a website.

    The social network previously confirmed to The Register that the accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among those affected.

    The attackers took advantage of a vulnerability in Facebook’s code that existed between July 2017 and September 2018.

    The anomalous traffic began on September 14.

    Rosen said Facebook has been working with the FBI to investigate the incident.

    With an initial set of accounts under their control, the attackers, said Rosen, exploited the vulnerable code to run a script that collected access tokens from their friends and the friends of their friends, representing a group of about 400,000 people. They then used the friend lists of those 400,000 seed accounts to steal access tokens from 30 million accounts.

    Facebook has posted a summary of the incident in its Help Center and plans to send customized messages to the 30 million people affected –

    The company offered no details about how many of those affected reside in the EU where the data protection regime (GDPR) allows for penalties that bring tears to the eyes of accountants.

    Reply
  12. Tomi Engdahl says:

    How An Amateur Rap Crew Stole Surveillance Tech That Tracks Almost Every American
    https://www.forbes.com/sites/thomasbrewster/2018/10/12/how-an-amateur-rap-crew-stole-surveillance-tech-that-tracks-almost-every-american/#1762aacf50f1

    Thomas Brewster, Forbes Staff, Oct 12, 2018

    On a June day last year, a skinny, dreadlocked 29-year-old rapper known as Tony Da Boss lay in bed in a redbrick apartment on a tree-lined street in Charlotte, North Carolina. It was not the kind of place you’d associate with a million-dollar criminal conspiracy. But Da Boss (real name Damonte Withers) was a leader of the FreeBandz Gang, an amateur hip-hop crew of twentysomethings who were into much more nefarious activities than laying down tracks.

    There were warning signs that things were going to get real. Alerts on Da Boss’ iPhone warned that his Google Nest surveillance cameras with views into and outside the apartment had picked up movement. Outside, a full cast of law enforcement personnel from the Secret Service, the U.S. Postal Inspection Service and the local police department were primed to swoop in.

    Inside, they found piles of marijuana and multiple firearms. More intriguing, there were bundles of cash alongside fake-ID-card printers, 36 credit card blanks and reams of printouts containing American citizens’ personal data. Investigators spotted the Nest cameras and would soon make the first publicly known federal government demand for customer information and surveillance footage from Google’s smart home division.

    From January to June 2018, seven members of Da Boss’ gang pleaded guilty to various identity theft charges. In total they had caused about $1.2 million in damage, using stolen identities to buy luxury cars and iPhones and to lease apartments in Charlotte. Both they and their crimes would have been quickly forgotten as garden variety larceny were it not for the way they stole those identities.

    Cops alleged Da Boss and his co-conspirators had access to the Holy Grail for any Internet-age scam artist: a surveillance technology that police and debt collectors use to track most of the United States’ 325 million inhabitants via their Social Security numbers, license plates, address histories, names and dates of birth. The mass-monitoring tech, called TLO, is a product of the Chicago-based credit reporting giant TransUnion.

    It’s used not just by cops but also by debt collectors and private companies carrying out background checks. Private investigators use it to track cheating spouses. But in the wrong hands it can be used to steal the identity of almost anyone in America. And Da Boss and his crew got access to it.

    “Users would have unlimited access and resources to commit identity theft and fraud.”

    “The opportunity for misuse is massive,” says Cooper Quintin, a technologist with the Electronic Frontier Foundation, which advocates for Internet civil rights. “Even if one were to require a court order for access to this database it could still be stolen by hackers, spies or rogue employees and used for illegal and harmful purposes.”

    Founded in 2009, TLO was the brainchild of the data mining pioneer Hank Asher.

    According to a 2004 report in Vanity Fair, Asher’s software helped identify associates of the 9/11 terrorists. It was later celebrated by Dick Cheney and Rudy Giuliani, though privacy activists warned it was a dangerous surveillance tool.

    Today TransUnion says TLO is capable of “processing trillions of records at sub-second speeds.” It can quickly uncover relevant data like individuals’ family members and social media profiles.

    combines photos from surveillance cameras with a huge trove of license plate numbers to nearly instantly track suspect vehicles. Among its biggest government clients are the Department of Justice, the Secret Service and the U.S. Navy. A license for a single user costs less than $1,500 a month.

    Onsite visits would be made to clients, who would undergo a strict vetting process. Only those who passed muster were given a login, Walters says. “We were very selective.”

    From the very beginning, the software was made available to any cop in the country who wanted it.

    It remains unclear just how many routes Da Boss and his crew had into TLO. But they had more than one.

    Norman would query the database, find people with good credit ratings who were ripe targets for identity theft and sell their information, including name, Social Security number and date of birth. Norman did this for at least 20 people, charging just $100 for each victim’s data.

    “Their whole business is supposedly identifying people,” says Jay Stanley, a senior policy analyst at the ACLU, “but they can’t even authenticate people who’re their customers.”

    “As long as such a database exists,” says the EFF’s Quintin, “it is a threat to the privacy of every American.”

    Reply
  13. Tomi Engdahl says:

    Pentagon Slow to Protect Weapons From Cyber Attacks
    https://www.google.fi/amp/s/www.bloomberg.com/amp/news/articles/2018-10-09/pentagon-slow-to-protect-weapons-from-cyber-attacks-gao-says

    The Pentagon hasn’t made cybersecurity for its multibillion-dollar weapons systems a major focus until recently despite years of warnings, according to Congress’s watchdog agency.

    “Instead, for many years,” until about 2014, the Pentagon “focused cybersecurity efforts on protecting networks and traditional IT systems, such as accounting systems, rather than weapons,” the Government Accountability Office said in a report released Tuesday entitled: “DOD Just Beginning to Grapple with Scale of Vulnerabilities.”

    Reply
  14. Tomi Engdahl says:

    The Diceware Passphrase Home Page
    http://world.std.com/~reinhold/diceware.html

    This page offers a better way to create a strong, yet easy to remember passphrase for use with encryption and security programs.

    Reply
  15. Tomi Engdahl says:

    Facebook says personal information swept up by hackers in breach
    https://www.axios.com/facebook-personal-information-hackers-breach-01c17b6c-22c8-4914-843c-d84070965acc.html

    Facebook confirmed for the first time Friday that hackers who stole the keys to millions of accounts used some of them to access a wide variety of personal information about users.

    Why it matters: The breach is under investigation in Ireland, and there have been calls for a similar investigation in the United States. It affected 30 million people — though that’s a lower number than Facebook initially believed.

    Reply
  16. Tomi Engdahl says:

    A mysterious grey-hat is patching people’s outdated MikroTik routers
    https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/

    Internet vigilante claims he patched over 100,000 MikroTik routers already.

    A Russian-speaking grey-hat hacker is breaking into people’s MikroTik routers and patching devices so they can’t be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned.

    The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already.

    Alexey has not been trying to hide his actions.

    Reply
  17. Tomi Engdahl says:

    Cops Told ‘Don’t Look’ at New iPhones to Avoid Face ID Lock-Out
    https://motherboard.vice.com/en_us/article/5984jq/cops-dont-look-iphonex-face-id-unlock-elcomsoft

    After five failed attempts with the ‘wrong’ face, Apple’s Face ID system will fall back to asking a passcode; a tricky situation for investigators.

    Last month, Forbes reported the first known instance of a search warrant being used to unlock a suspect’s iPhone X with their own face, leveraging the iPhone X’s Face ID feature.

    But Face ID can of course also work against law enforcement—too many failed attempts with the ‘wrong’ face can force the iPhone to request a potentially harder to obtain passcode instead. Taking advantage of legal differences in how passcodes are protected, US law enforcement have forced people to unlock their devices with not just their face but their fingerprints too.

    “iPhone X: don’t look at the screen, or else… The same thing will occur as happened on Apple’s event,”

    “This is quite simple. Passcode is required after five unsuccessful attempts to match a face,”

    “So by looking into suspect’s phone, [the] investigator immediately lose one of [the] attempts.”

    As Apple has improved its security protections against attackers who have physical access to a phone—Touch and Face ID, the Secure Enclave Processor that handles these tools, and robust encryption used by default—law enforcement agencies have come up with varying techniques for getting into devices they seize.

    In the US, however, law enforcement agencies have used both technical and legal means to get into devices. Courts have compelled suspects to unlock their device with their face or fingerprint, but the same approach does not necessarily work for demanding a passcode; under the Fifth Amendment, which protects people from incriminating themselves, a passcode may be considered as “testimonial” evidence.

    Reply
  18. Tomi Engdahl says:

    Around 62% of all Internet sites will run an unsupported PHP version in 10 weeks
    https://www.zdnet.com/article/around-62-of-all-internet-sites-will-run-an-unsupported-php-version-in-10-weeks/

    The highly popular PHP 5.x branch will stop receiving security updates at the end of the year.

    According to statistics from W3Techs, roughly 78.9 percent of all Internet sites today run on PHP.

    But on December 31, 2018, security support for PHP 5.6.x will officially cease, marking the end of all support for any version of the ancient PHP 5.x branch.

    This means that starting with next year, around 62 percent of all Internet sites still running a PHP 5.x version will stop receiving security updates for their server and website’s underlying technology, exposing hundreds of millions of websites, if not more, to serious security risks.

    If a hacker finds a vulnerability in PHP after the New Year, lots of sites and users would be at risk.

    Reply
  19. Tomi Engdahl says:

    Pentagon discloses card breach
    https://www.zdnet.com/article/pentagon-discloses-card-breach/

    Around 30,000 DOD civilian and military personnel are believed to be affected.

    A Pentagon official said on Friday that the Department of Defense had suffered a security breach thanks to a third-party contractor.

    An investigation is still underway, so the exact details haven’t been made public, but according to an Associated Press report, a DOD official said that roughly 30,000 DOD military and civilian personnel are believed to be affected. This number is expected to grow as the Pentagon’s investigation continues.

    The official said the breach was discovered on October 4, last week. An attacker (or multiple attackers) appears to have compromised a third-party contractor and used the vendor’s access to the Pentagon network to steal travel data for DOD personnel.

    Pentagon reveals cyber breach of travel records
    https://www.apnews.com/7f6f4db35b0041bdbc5467848225e67d

    Reply
  20. Tomi Engdahl says:

    Maryland told its voter registration vendor financed by Russian oligarch
    https://www.cbsnews.com/news/maryland-voter-registration-platform-russian-oligarch/

    Top Maryland officials say the FBI told them this week that the state’s voter registration platform was purchased by a Russian oligarch in 2015, without state officials knowing. The FBI did not indicate a breach occurred, but state officials say they’re moving forward with a full review.

    “We were briefed late yesterday, along with Governor Hogan, by the Federal Bureau of Investigation that the software vendor who maintains portions of the State Board of Elections voter registration platform was purchased by a Russian investor in 2015, without the knowledge of state officials,”

    “While the FBI did not indicate that there was a breach, we were concerned enough to ask Attorney General [Brian] Frosh to review the existing contractual obligation of the state, as well as asked for a review of the system to ensure there have been no breaches,” Miller and Busch said.

    The state’s voter registration system, according to the Maryland State Board of Elections, was not the hacked state system mentioned in a new indictment from special counsel Robert Mueller’s investigation Friday.

    Maryland was one of the states the Department of Homeland Security was concerned had suspicious activity leading up to the election.

    Reply
  21. Tomi Engdahl says:

    Hackers Are Using Stolen Apple IDs to Swipe Cash in China
    https://www.bloomberg.com/news/articles/2018-10-11/alipay-says-hackers-used-stolen-apple-ids-to-siphon-off-money

    China’s top digital wallet didn’t say how much was stolen
    Ant Financial and Tencent are working with Apple on the case

    Ant Financial’s Alipay and Tencent Holdings Ltd. warned that cyber-attackers employed stolen Apple IDs to break into customers’ accounts and made off with an unknown amount of cash, in a rare security breach for China’s top digital payments providers.

    Reply
  22. Tomi Engdahl says:

    The Sony Smart TV Exploit: An Inside View of Hijacking Your Living Room
    https://www.fortinet.com/blog/threat-research/sony-smart-tv-exploit-inside-view-hijacking-your-living-room.html

    More and more Smart TVs are connected to the Internet than ever before, with an estimated 760 million of them now connected globally. As new threats increasingly target IoT devices, such as Smart TVs, that include always-on connectivity and high-performance GPUs that can be hijacked for malicious purposes, FortiGuard Labs took the opportunity to look at the current security status of these devices.

    Reply
  23. Tomi Engdahl says:

    An Increase in PowerShell Attacks: Observations From IBM X-Force IRIS
    https://securityintelligence.com/an-increase-in-powershell-attacks-observations-from-ibm-x-force-iris/

    PowerShell is a Microsoft framework that is both a scripting language and a command line executor, useful for simplifying network administration and automating mundane tasks such as pushing updates to multiple devices. PowerShell first appeared in 2006 and has been a standard feature of the Windows operating system (OS) since Windows 7. Moreover, PowerShell 6.0 was released under the Massachusetts Institute of Technology (MIT) open source license in 2016 in an effort to encourage cross-platform adoption and increase usage.

    PowerShell is a versatile tool that can execute code from memory and provide entry directly to a device’s core. That includes unbounded access to Windows application programming interfaces (APIs), full access to the Windows Management Instrumentation (WMI) and access to the .NET Framework.

    Despite its multiple benefits, PowerShell — like GPS systems — can be used by threat actors.

    Reply
  24. Tomi Engdahl says:

    MuddyWater expands operations
    https://securelist.com/muddywater/88059/

    MuddyWater is a relatively new APT that surfaced in 2017. It has focused mainly on governmental targets in Iraq and Saudi Arabia, according to past telemetry. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US.

    Reply
  25. Tomi Engdahl says:

    BEC-as-a-service offers hacked business accounts for as little as $150
    https://www.tripwire.com/state-of-security/security-data-protection/bec-as-a-service-offers-hacked-business-accounts-for-as-little-as-150/

    Everyone responsible for securing organisations today recognises the significant growth in BEC (Business Email Compromise) attacks, also sometimes known as “Whaling” or “CEO fraud”.

    BEC scammers trick accounting and finance departments into wiring considerable amounts of money into bank accounts under their control, posing as genuine suppliers invoicing for services delivered, or senior company executives.

    Individually, some firms have lost millions through the scam emails, and the FBI has estimated that globally over the past five years firms have lost a jaw-dropping $12 billion as a result of the scams.

    Reply
  26. Tomi Engdahl says:

    Chinese Intelligence Officer Under Arrest for Trade Secret Theft
    https://www.darkreading.com/attacks-breaches/chinese-intelligence-officer-under-arrest-for-trade-secret-theft/d/d-id/1333025

    Yanjun Xu attempted to steal data on advanced aviation technology that GE Aviation, among others, had spent billions developing.

    US authorities have arrested a Chinese intelligence officer for attempting to steal trade secrets that would have helped China unfairly advance in the aviation and aerospace sectors.

    Reply
  27. Tomi Engdahl says:

    WannaCry attack cost the NHS £92m
    By Sead Fadilpašić, 2018-10-12
    NHS reveals bill for last May’s ransomware attack.
    https://www.itproportal.com/news/wannacry-cost-the-nhs-pound92m/

    We now know how much last year’s WannaCry ransomware attack cost the NHS, and it’s £92m. The news was revealed by the Department of Health and Social Care this Thursday, albeit tentatively, saying these are just estimates. Knowing the exact cost would “impose a disproportionate financial burden on the system”.

    With reduced access to information, the NHS has had a lower output of patient care, costing the organisation some £19m in the seven days following the attack.

    Then there was the bill for roughly £500,000, for IT support during the attack, as well as the £72m for the two months in the aftermath of the attack.

    Reply
  28. Tomi Engdahl says:

    Google Adds Control-Flow Integrity to Beef up Android Kernel Security
    https://thehackernews.com/2018/10/android-linux-kernel-cfi.html

    Google has added a new security feature to the latest Linux kernels for Android devices to protect them against code reuse attacks that allow attackers to achieve arbitrary code execution by exploiting control-flow hijacking vulnerabilities.

    In code reuse attacks, attackers exploit memory corruption bugs (buffer overflows, type confusion, or integer overflows) to take over code pointers stored in memory and repurpose existing code in a way that directs control flow of their choice, resulting in a malicious action.

    Reply
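    As an added illustration of the forward-edge control-flow integrity idea the article describes (this is not code from the article, from Google, or from the Android kernel; real kernel CFI is generated by the compiler), the following hand-rolled check compares an indirect call target against the set of functions that are legitimate targets of that pointer type, so a code pointer overwritten by a memory corruption bug is refused instead of called:

```c
#include <stdio.h>
#include <stddef.h>

/* Added illustration of forward-edge CFI, not the Android/LLVM implementation.
   The function names, the handler struct and the corruption simulation are
   assumptions made for this example. */

typedef int (*op_fn)(int);

static int op_double(int x) { return 2 * x; }
static int op_negate(int x) { return -x; }

/* A legitimate function in the binary that is NOT an intended target of any
   op_fn call. A code reuse attack repurposes exactly this kind of existing code. */
static int sensitive_action(int x) { (void)x; return 0xBAD; }

/* The set of valid targets for an indirect call of type op_fn. Compiler-based
   CFI computes an equivalent set per call-site signature at build time. */
static const op_fn valid_targets[] = { op_double, op_negate };

static int cfi_is_valid_target(op_fn fn) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if (valid_targets[i] == fn) return 1;
    return 0;
}

/* An object that stores a code pointer: the kind of memory an overflow or
   type confusion bug lets an attacker overwrite. */
struct handler { op_fn fn; int arg; };

#define CFI_VIOLATION (-1)

/* Unprotected dispatch: whatever the pointer now says, call it. */
static int dispatch_unprotected(const struct handler *h) {
    return h->fn(h->arg);
}

/* Protected dispatch: the call goes ahead only if the pointer is a known
   target; otherwise the violation is reported (a kernel would log or panic). */
static int dispatch_cfi(const struct handler *h) {
    if (!cfi_is_valid_target(h->fn)) return CFI_VIOLATION;
    return h->fn(h->arg);
}

/* Stand-in for the effect of a memory corruption bug: the stored code pointer
   is replaced with the address of a different function. The assignment is
   direct here; a real bug would reach the field through an out-of-bounds write. */
static void simulate_pointer_corruption(struct handler *h) {
    h->fn = sensitive_action;
}

/* Runs one scenario: corrupt=1 overwrites the pointer, use_cfi=1 enables the check.
   Returns the dispatched result, or CFI_VIOLATION when the check blocks the call. */
int demo(int corrupt, int use_cfi) {
    struct handler h = { op_double, 21 };
    if (corrupt) simulate_pointer_corruption(&h);
    return use_cfi ? dispatch_cfi(&h) : dispatch_unprotected(&h);
}

int main(void) {
    printf("clean, no CFI:     %d\n", demo(0, 0));   /* 42 */
    printf("clean, CFI:        %d\n", demo(0, 1));   /* 42 */
    printf("corrupted, no CFI: %d\n", demo(1, 0));   /* 2989: the hijacked call ran */
    printf("corrupted, CFI:    %d\n", demo(1, 1));   /* -1: call refused */
    return 0;
}
```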
  29. Tomi Engdahl says:

    Facebook disables accounts for Russian firm claiming to sell scraped user data
    https://www.cnet.com/news/facebook-disables-accounts-for-russian-company-claiming-to-sell-scraped-user-data/

    Facebook says it’s still investigating what kinds of user data Social Data

    Facebook disabled 66 profiles and pages run by a company claiming to sell user data scraped off the social network’s platform. Facebook also sent a cease and desist letter to the company, called Social Data Hub, whose CEO was quoted in Russian telling Inc. that his company is similar to Cambridge Analytica.

    “Scraping of all kinds continues to be a challenge across the internet,” Facebook said in a statement. “Since it’s difficult to prevent and often hard to detect once it’s happened, we will be working more closely with other companies and independent experts to share information so we can more quickly disrupt this activity.”

    In an emailed statement, Social Data Hub CEO Artur Khachuyan said the company doesn’t scrape data outside of Russia. “No one just downloaded Facebook profiles, especially the data of citizens of other countries, except Russia,” Khachuyan said. “In Russia, such work is permitted by federal law No. 152 (this is analogous to the GDPR).”

    Steinfeld said that companies that scrape publicly posted data from Facebook are the hardest for the company to detect, because they don’t have to register an account with Facebook to carry out their activities. Facebook does have techniques for detecting such companies. Steinfeld declined to discuss the techniques on the record, so that the companies wouldn’t learn about them in the press.

    Reply
  30. Tomi Engdahl says:

    Outline: secure access to the open web
    https://opensource.googleblog.com/2018/10/outline-secure-access-to-open-web.html

    Censorship and surveillance are challenges that many journalists around the world face on a daily basis. Some of them use a virtual private network (VPN) to provide safer access to the open internet, but not all VPNs are equally reliable and trustworthy, and even fewer are open source.

    That’s why Jigsaw created Outline, a new open source, independently audited platform that lets any organization easily create and operate their own VPN.

    https://getoutline.org/en/home

    Reply
  31. Tomi Engdahl says:

    Now this might be going out on a limb, but here’s how a branch.io bug left ’685 million’ netizens open to website hacks
    Tinder subdomain flaw turns into massive everybody flaw
    https://www.theregister.co.uk/2018/10/12/branchio_xss_flaw/

    Bug-hunters have told how they uncovered a significant security flaw that affected the likes of Tinder, Yelp, Shopify, and Western Union – and potentially hundreds of millions of folks using these sites and apps.

    The software sniffers said they first came across the exploitable programming blunder while digging into webpage code on dating websites.

    As it turned out, the vulnerability they discovered went far beyond one subdomain on a site for lonely hearts. The team at VPNMentor said the since-patched security hole had left as many as 685 million netizens vulnerable to cross-site-scripting attacks, during which hackers attempt to steal data and hijack accounts. To pull off one of these scripting attacks, a victim would have to click on a malicious link or open a booby-trapped webpage while logged into a vulnerable service.

    That staggering nine-figure number is because the security issue was actually within a toolkit, called branch.io, that tracks website and app users to figure out where they’ve come from, be it Facebook, email links, Twitter, etc. With the bug lurking in branch.io’s code and embedded in a ton of services and mobile applications, the number of people potentially at risk of being hacked via cross-site scripting soared past the half-a-billion mark, we’re told.

    “Immediately after finding these vulnerabilities, we contacted Tinder via their responsible disclosure program and started working with them,” one of the bug-stalkers, Ariel Hochstadt, explained earlier this week. “We learned that the vulnerable endpoint isn’t owned by Tinder, but by branch.io, an attribution platform used by many big corporations around the globe.”

    The bug itself was a particularly nasty form of DOM cross-site-scripting that would have let an attacker slip cross-site calls past basic security checks. “In DOM-based XSS, the HTML source code and response of the attack will be exactly the same,”

    Hochstadt said it privately reported the issue to branch.io, which, we’re told, was able to patch it, and there was no indication the flaw was being actively exploited at any point.

    Reply
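The DOM-based XSS behaviour described in the branch.io item, as an added example that is not code from the article, VPNMentor or branch.io: it models why a payload carried in the URL fragment never reaches the server (so the request and the response are identical for a benign and a hostile link) and shows the unencoded sink beside an output-encoded one. The greeting widget, the `app.example` host and the sample URLs are constructed for illustration.

```javascript
// Added example, not from the article or branch.io. Node has no DOM, so the
// page's rendering is modelled as functions returning the HTML string a page
// would assign to an element via innerHTML.

// Minimal HTML entity encoding for text placed inside an element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// What the server actually receives: browsers never send the #fragment, so
// two URLs differing only in the fragment produce the same request and the
// same response. Server-side logs and WAFs therefore see nothing unusual.
function requestLineForServer(url) {
  const u = new URL(url);
  return `GET ${u.pathname}${u.search} HTTP/1.1`;
}

// Vulnerable pattern (a DOM XSS sink): fragment text is written into markup
// unencoded, as element.innerHTML = ... would do.
function renderGreetingVulnerable(url) {
  const name = decodeURIComponent(new URL(url).hash.slice(1));
  return `<p>Welcome back, ${name}</p>`;
}

// Hardened pattern: encode before the value reaches the sink (in a real page,
// prefer element.textContent so no markup is interpreted at all).
function renderGreetingSafe(url) {
  const name = decodeURIComponent(new URL(url).hash.slice(1));
  return `<p>Welcome back, ${escapeHtml(name)}</p>`;
}

// Constructed sample links (not real endpoints).
const BENIGN = "https://app.example/welcome?ref=mail#Ada";
const HOSTILE =
  "https://app.example/welcome?ref=mail#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

console.log(requestLineForServer(BENIGN) === requestLineForServer(HOSTILE)); // true
console.log(renderGreetingVulnerable(HOSTILE)); // markup survives: the sink is live
console.log(renderGreetingSafe(HOSTILE));       // markup is inert text
```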
  32. Tomi Engdahl says:

    Largest Cyber Attack Against Iceland Driven by Complex Phishing Scheme
    https://www.bleepingcomputer.com/news/security/largest-cyber-attack-against-iceland-driven-by-complex-phishing-scheme/

    A brazen phishing campaign took Iceland by surprise the last weekend, sending out malicious emails to thousands of individuals, in an attempt to fool them into installing a powerful remote access tool.

    Even if the number of potential victims may seem low, local police say this is the largest cyber attack to hit the country. One must take into consideration that the population of Iceland is around 350,000, with about half of the citizens living in the capital city Reykjavik. By comparison, in 2016 over 8.5 million people lived in London.

    Remcos RAT is once again used for malicious purposes

    Speaking to BleepingComputer, Cyren senior threat analyst Magni Sigurdsson says that the threat is a completely new one for Iceland, referring to the complexity of the phishing scheme.

    The tool used by the attacker is Remcos, a powerful tool available commercially as a legitimate solution for access to remote computers, used before for malicious purposes.

    The developer of the remote access tool (RAT) is aware that his Remcos is sometimes used for malicious purposes and told BleepingComputer that for this reason he implemented a mechanism to prevent abuse.

    “Apart from blocking the customer license (preventing him to use our software), we provide help into removing the software from the compromised system. This can be done very easily from us,” he said over email.

    He added that when Remcos was used maliciously, the attacker relied on other tools, too. In this case it was a VBScript that ran at startup to ensure the execution of Remcos.

    Reply
  33. Tomi Engdahl says:

    It’s the real Heart Bleed: Medtronic locks out vulnerable pacemaker programmer kit
    A pulse-racing tale of biotech bug fixing
    https://www.theregister.co.uk/2018/10/12/medtronic_pacemaker_programmer_security/

    The US Food and Drug Administration (FDA) is advising health professionals to keep an eye on some of the equipment they use to monitor pacemakers and other heart implants.

    The watchdog’s alert this week comes after Irish medical device maker Medtronic said it will lock some of its equipment out of its software update service, meaning the hardware can’t download and install new code from its servers.

    To get the latest patches, the software will have to be installed by hand via USB by a Medtronic technician. Both the FDA and Medtronic said there is no immediate danger to any patients or doctors.

    Reply
  34. Tomi Engdahl says:

    Purging Long-Forgotten Online Accounts: Worth the Trouble?
    https://www.securityweek.com/purging-long-forgotten-online-accounts-worth-trouble

    The internet is riddled with long-forgotten accounts on social media, dating apps and various shopping sites used once or twice. Sure, you should delete all those unused logins and passwords. And eat your vegetables. And go to the gym.

    But is it even possible to delete your zombie online footprints — or worth your time to do so?

    It might not seem like a big deal to have these accounts linger. But with hacking in the news constantly, including a breach affecting 50 million Facebook accounts, you might not want all that data sitting around.

    Trouble is, cleaning up your digital past isn’t easy.

    For one, finding all the old accounts can be a pain. For some of us, it might not even be possible to recall every dating site and every would-be Twitter that never was, not to mention shopping or event ticketing sites you bought one thing from and forgot about.

    Then, you’ll have to figure out which of your many email accounts you used to log in to a service, then recover passwords and answer annoying security questions — assuming you even remember what your favorite movie or fruit was at the time. Only then might you discover that you can’t even delete your account.

    Even without these hurdles, real life gets in the way. There are probably good reasons you still haven’t organized your closet, either.

    Perhaps a better approach is to focus on the most sensitive accounts. It might not matter that a news site still has your login, if you never gave it a credit card or other personal details (of course, if you reused your bank password you might be at risk).

    Dating sites, in particular, can be a trove of potentially damaging information. Once you’re in a relationship, delete those accounts.

    Reply
  35. Tomi Engdahl says:

    For starters, visit haveibeenpwned.com. This popular tool lets you enter your email address and check if it has been compromised in a data breach.
    https://haveibeenpwned.com/

    Reply
  36. Tomi Engdahl says:

    U.S. Senators Demand Internal Memo Related to Google+ Incident
    https://www.securityweek.com/us-senators-demand-internal-memo-related-google-incident

    A group of United States senators on Thursday sent a letter to Google, urging it to provide an internal memo that supposedly explains why the company did not disclose the Google+ data exposure that was discovered in March.

    Affecting a Google+ API, the vulnerability provided applications with access to data they were not supposed to access, and up to 500,000 user accounts might have been impacted. The API was apparently exposing user data since 2015.

    Reply
  37. Tomi Engdahl says:

    Industry Reactions to Google+ Security Incident: Feedback Friday
    https://www.securityweek.com/industry-reactions-google-security-incident-feedback-friday

    Paul Bischoff, Comparitech:

    “In my view, Google is basically pleading ignorance in order to shield itself from legal ramifications. It has conveniently left out some crucial figures in its response that would give us a more clear picture of the scope of this incident. For example, Google says 438 applications had unauthorized access to Google+ profile data, but it doesn’t say how many of its users used those apps. And while Google says it performed a cursory investigation and found nothing suspicious, it also notes that it didn’t actually contact or audit any of the developers of those apps.

    As popular and high-profile as Google is, and due to the fact that this vulnerability existed for the better part of three years, it would be reasonable to assume the number of occurrences in which Google+ data was obtained and misused is non-zero.

    Reply
  38. Tomi Engdahl says:

    ‘Five Eyes’ Agencies Release Joint Report on Hacking Tools
    https://www.securityweek.com/five-eyes-agencies-release-joint-report-hacking-tools

    Cybersecurity agencies in the United States, United Kingdom, Canada, Australia and New Zealand have released a joint report describing five of the most commonly used hacking tools.

    The report was written by experts at the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC), and the US National Cybersecurity and Communications Integration Center (NCCIC).

    The goal of the report, its authors said, is to provide network defenders and system administrators advice on how to detect the tools and limit their effectiveness.

    Five types of tools are described, including remote access trojans (RATs), web shells, lateral movement frameworks, command and control (C&C) obfuscators, and credential stealers – all of which can be used after the targeted system has been compromised.

    https://www.us-cert.gov/ncas/alerts/AA18-284A

    Reply
  39. Tomi Engdahl says:

    Around 62% of all Internet sites will run an unsupported PHP version in 10 weeks
    The highly popular PHP 5.x branch will stop receiving security updates at the end of the year.
    https://www.zdnet.com/article/around-62-of-all-internet-sites-will-run-an-unsupported-php-version-in-10-weeks/

    “PHP 7.2 will get a patch from the PHP team, for free, in a timely manner; PHP 5.6 will only get one if you’re paying for ongoing support from your OS vendor.

    Reply
  40. Tomi Engdahl says:

    We’re killing off passwords. But are we ready for what will replace them?
    https://www.zdnet.com/article/were-killing-off-passwords-but-are-we-ready-for-what-will-replace-them/

    Getting rid of passwords is a good idea, but we need to think through the consequences of the most likely replacement, too.

    Tech security people hate passwords because resetting forgotten passwords is the most tedious job in the world, and also they know everybody else is terrible at password security anyway.

    The rest of us don’t like passwords much either, mainly because the security people won’t let us use our old favourites like 1234 or pa55w0rd. And we don’t like having to remember complicated passwords, so we write them down on a piece of paper, and then lose it. And then we have to go and ask nicely for tech to reset the password. Again.

    Nobody likes passwords. Apart from the hackers who find them, steal them or crack them with ease, that is. That’s because passwords are still the keys to the kingdom in many cases; once a crook has them, there is often little else to stop them doing what they want.

    So what about the next step? Here smartphones are well ahead of the PC world, by using biometrics — fingerprints and facial recognition — as the standard way to log on. Something you have is replaced with something you are.

    Microsoft has already outlined how it plans to kill off passwords in Windows 10 using a combination of multi-factor authentication and biometrics via Windows Hello, a service it says is being used by more than 47 million people.

    Reply
  41. Tomi Engdahl says:

    Microsoft JET vulnerability still open to attacks, despite recent patch
    Microsoft’s patch for a JET database engine zero-day deemed incomplete.
    https://www.zdnet.com/article/microsoft-jet-vulnerability-still-open-to-attacks-despite-recent-patch/

    A vulnerability in the Microsoft JET database engine is still open to attacks, even after Microsoft shipped an update earlier this week during the October 2018 Patch Tuesday.

    The vulnerability came to light in mid-September after the Trend Micro Zero-Day Initiative (ZDI) posted details about it on its site.

    The vulnerability, which was a zero-day at the time of its disclosure, raised some alarms, mainly due to the fact that the JET database engine is included in all versions of Windows, and provided attackers with a huge attack vector they could target.

    JET has been deprecated and replaced by newer technologies in the meantime, but it is still included with Windows for legacy purposes.

    Information security experts criticized Microsoft for failing to patch the vulnerability, mainly because it allowed a remote full compromise of the user’s system.

    The good news is that until now, neither Microsoft nor 0Patch have seen hackers trying to exploit this vulnerability.

    Reply
  42. Tomi Engdahl says:

    Donald Daters, a dating app for Trump supporters, leaked its users’ data
    https://techcrunch.com/2018/10/15/donald-daters-a-dating-app-for-trump-supporters-leaked-its-users-data/?sr_share=facebook&utm_source=tcfbpage

    A new dating app for Trump supporters that wants to “make America date again” has leaked its entire database of users — on the day of its launch.

    On its launch day alone, the app had a little over 1,600 users and counting.

    We know because a security researcher found issues with the app that made it possible to download the entire user database.

    Elliot Alderson, a French security researcher, shared the database with TechCrunch, which included users’ names, profile pictures, device type, their private messages — and access tokens, which can be used to take over accounts.

    Reply
  43. Tomi Engdahl says:

    Epson is teaching the internet not to install security updates
    https://boingboing.net/2018/10/15/sleazy-output.html

    More on the story of how Epson tricked its customers into installing a fake “update” to their printers so that they would stop accepting third-party and refilled ink cartridges: not only does this force Epson customers to pay more for ink, but it puts everyone on the internet at risk, by teaching people not to update their devices.

    “By abusing the updating mechanism, Epson is poisoning the security well for all of us: when Epson teaches people not to update their devices, they put us all at risk from botnets, ransomware epidemics, denial of service, cyber-voyeurism and the million horrors of contemporary internet security,” Doctorow said.

    “Infosec may be a dumpster-fire, but that doesn’t mean Epson should pour gasoline on it,” he added.

    Reply
  44. Tomi Engdahl says:

    Firefox, Chrome, Safari and Edge Dropping TLS 1.0, 1.1
    https://www.tomshardware.com/news/major-browsers-deprecate-tls-1.0-1.1,37932.html

    Apple, Google, Microsoft and Mozilla all announced today that they will disable TLS versions 1.0 and 1.1 in their respective browsers by default by the first half of 2020. The TLS protocol is what browsers, instant messengers and even email servers primarily use to secure communications.

    TLS 1.0, 1.1 Deprecated
    Over the past few years, we’ve seen new attacks that exploit weaknesses in the design of the TLS 1.0 and TLS 1.1 protocols and algorithms that were used alongside them. These attacks include BEAST, which allows malicious actors to steal the TLS authentication tokens, Logjam and FREAK, which allow attackers to downgrade the security of a connection to a server, as well as insecure hash functions, such as MD5 and SHA-1.

    In addition to all of this, the TLS 1.2 protocol is more than a decade old, so both browsers and web developers have little excuse not to use it by now. Earlier this year, the IETF also finalized the TLS 1.3 specification.

    Reply
