Cyber Security October 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.

You are also free to post related links.

495 Comments

  1. Tomi Engdahl says:

    New biometric fingerprint technology meets liveness detection standard
    https://www.cablinginstall.com/articles/pt/2018/10/new-biometric-fingerprint-technology-meets-liveness-detection-standard.html?cmpid=enl_cim_cim_data_center_newsletter_2018-10-15&pwhid=6b9badc08db25d04d04ee00b499089ffc280910702f8ef99951bdbdad3175f54dcae8b7ad9fa2c1f5697ffa19d05535df56b8dc1e6f75b7b6f6f8c7461ce0b24&eid=289644432&bid=2268410

    HID Global announced its patented Lumidigm multispectral imaging solution is the first fingerprint technology certified to the ISO/IEC 30107-3 Presentation Attack Detection (PAD) standard. The standard focuses on anti-spoofing and liveness detection to determine whether fingerprint data captured from the sensor is from a real, living person or from a plastic fake or other artificial copy.

    Reply
  2. Tomi Engdahl says:

    http://www.etn.fi/index.php/13-news/8566-ilmaisista-hakkerityokaluista-varoitetaan

    The warning lists the following tools: HUC Packet Transmitter, PowerShell Empire, Mimikatz, China Chopper, JBiFrost and RAT, i.e. Remote Access Trojan.

    Reply
  3. Tomi Engdahl says:

    http://www.etn.fi/index.php/13-news/8570-tutkimus-puolet-yrityksista-joutunut-kyberiskun-kohteeksi

    Half of companies in the UK have faced a cyber attack against them

    Cyber Security for Manufacturing
    https://www.eef.org.uk/resources-and-knowledge/research-and-intelligence/industry-reports/cyber-security-for-manufacturers

    Nearly half of manufacturers have been the victim of cyber-crime, with the sector now the third most targeted for attack, according to a new report published today.

    This report, published by EEF and AIG and carried out by The Royal United Services Institute (RUSI), pinpoints the susceptibility of manufacturers to cyber risk, revealing that 41 per cent of companies do not believe they have access to enough information to even assess their true cyber risk. And 45 per cent feel that they do not have access to the right tools for the job.

    Cyber threat is holding back companies from investing in digital technologies, with a third of those surveyed nervous of digital improvement. Moreover, a worryingly large 12 per cent of manufacturers admit they have no technical or managerial processes in place to even start assessing the real risk.

    Reply
  4. Tomi Engdahl says:

    Old dog, new tricks – Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
    https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html#more

    Reply
  5. Tomi Engdahl says:

    Modernizing Transport Security
    https://security.googleblog.com/2018/10/modernizing-transport-security.html

    TLS (Transport Layer Security) is the protocol which secures HTTPS. It has a long history stretching back to the nearly twenty-year-old TLS 1.0 and its even older predecessor, SSL. Over that time, we have learned a lot about how to build secure protocols. TLS 1.2 was published ten years ago to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then. Today only 0.5% of HTTPS connections made by Chrome use TLS 1.0 or 1.1. These old versions of TLS rely on MD5 and SHA-1, both now broken, and contain other flaws. TLS 1.0 is no longer PCI-DSS compliant and the TLS working group has adopted a document to deprecate TLS 1.0 and TLS 1.1. In line with these industry standards, Google Chrome will deprecate TLS 1.0 and TLS 1.1 in Chrome 72.

    Site administrators should immediately enable TLS 1.2 or later. Depending on server software (such as Apache or nginx), this may be a configuration change or a software update.

    Chrome’s current criteria for modern TLS are the following:

    TLS 1.2 or later.
    An ECDHE- and AEAD-based cipher suite. AEAD-based cipher suites are those using AES-GCM or ChaCha20-Poly1305. ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the recommended option for most sites.
    The server signature should use SHA-2. Note this is not the signature in the certificate, made by the CA. Rather, it is the signature made by the server itself, using its private key.

    Reply
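As an added check for the three criteria quoted above (not code from Google's post): grade what a server actually negotiates. The SHA-2 server-signature criterion is not exposed by Python's ssl module, so this example reports it as not checked rather than guessing; that limitation is an assumption of the example.

```python
"""Grade a negotiated TLS session against Chrome's 'modern TLS' criteria.

Added example, not code from the Google Security Blog post. It encodes the
criteria quoted there: TLS 1.2 or later, an ECDHE key exchange with an AEAD
cipher (AES-GCM or ChaCha20-Poly1305), and a SHA-2 server handshake
signature. The last one is not visible through Python's ssl module, so it is
reported as 'not checked' (an assumption of this example).
"""
import socket
import ssl

MODERN_VERSIONS = ("TLSv1.2", "TLSv1.3")


def assess(version: str, cipher: str) -> dict:
    """Classify one (protocol version, cipher suite) pair.

    version: what ssl.SSLSocket.version() returns, e.g. 'TLSv1.2'.
    cipher:  the suite name in OpenSSL ('ECDHE-RSA-AES128-GCM-SHA256') or
             IANA ('TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256') spelling.
    """
    name = cipher.upper().replace("-", "_")
    version_ok = version in MODERN_VERSIONS
    if version == "TLSv1.3":
        # TLS 1.3 only defines AEAD suites and always uses an ephemeral exchange.
        ecdhe_ok = aead_ok = True
    else:
        # Static ECDH ('ECDH_') and finite-field DHE ('DHE_') do not count.
        ecdhe_ok = name.startswith(("ECDHE_", "TLS_ECDHE_"))
        aead_ok = "_GCM_" in name or "CHACHA20_POLY1305" in name
    problems = []
    if not version_ok:
        problems.append(f"{version} is deprecated; negotiate TLS 1.2 or later")
    if not ecdhe_ok:
        problems.append(f"{cipher}: key exchange is not ECDHE (no forward secrecy)")
    if not aead_ok:
        problems.append(f"{cipher}: not an AEAD suite (AES-GCM or ChaCha20-Poly1305)")
    return {
        "version_ok": version_ok,
        "ecdhe_ok": ecdhe_ok,
        "aead_ok": aead_ok,
        "server_signature_sha2": "not checked",
        "modern": version_ok and ecdhe_ok and aead_ok,
        "problems": problems,
    }


def check_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake with the default client settings and grade it.

    Needs network access. Caveat: one handshake shows only what this client
    and the server agreed on; a server that would also still accept TLS 1.0
    from an older client is not revealed by a single modern handshake.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            cipher_name, _, _ = tls.cipher()
    result = assess(version, cipher_name)
    result["host"] = host
    result["negotiated"] = (version, cipher_name)
    return result


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    verdict = check_server(target)
    print(target, "modern" if verdict["modern"] else "NOT modern", verdict["negotiated"])
    for line in verdict["problems"]:
        print("  -", line)
```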
  6. Tomi Engdahl says:

    Octopus-infested seas of Central Asia
    Russian-language actor exploits hype over Telegram ban in Central Asia
    https://securelist.com/octopus-infested-seas-of-central-asia/88200/

    For the last two years we have been monitoring a Russian-language cyberespionage actor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. In this blogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities.

    Reply
  7. Tomi Engdahl says:

    Tech Giants Concerned About Australia’s Encryption Laws
    https://www.securityweek.com/tech-giants-concerned-about-australias-encryption-laws

    Cyber law changes proposed in Australia specifically state that companies will not be required to implement encryption backdoors, but tech giants are still concerned that the current form of the legislation is too vague and leaves a lot of room for interpretation.

    Australia’s Telecommunications and Other Legislation Amendment (Assistance and Access) Bill of 2018 aims to compel local and international technology service providers to cooperate with law enforcement and intelligence agencies on investigations into criminal and terrorist activity or face fines of millions of dollars.

    The bill wants to give agencies the ability to make three types of requests: a Technical Assistance Request (TAR), which provides a framework for making requests and which includes provisions for compensating firms that provide voluntary assistance; a Technical Assistance Notice (TAN), which compels companies to provide assistance, if they can; and a Technical Capability Notice (TCN), which compels companies to develop new capabilities in anticipation of a future TAN or TAR.

    The bill specifically mentions that the goal of the government is not to weaken encryption, but tech giants are still concerned.

    Reply
  8. Tomi Engdahl says:

    Feds Investigate After Hackers Attack Water Utility
    https://www.securityweek.com/feds-investigate-after-hackers-attack-water-utility

    Federal and state officials are working with a North Carolina water utility after hackers attacked some of its computer systems.

    The head of the Onslow Water and Sewer Authority said in a news release Monday that its internal computer system, including servers and personal computers, were subjected to what was characterized as “a sophisticated ransomware attack.”

    CEO Jeffrey Hudson said while customer information wasn’t compromised in the attack, many other databases have to be recreated. He added that the FBI, the Department of Homeland Security and the state of North Carolina have been called in.

    Hudson said the utility began experiencing virus attacks from a malware system on Oct. 4. He said it was believed the virus was brought under control, but security specialists were called when the problem persisted.

    Reply
  9. Tomi Engdahl says:

    New IBM Security Platform Connects Data, Tools From Several Vendors
    https://www.securityweek.com/new-ibm-security-platform-connects-data-tools-several-vendors

    IBM Security on Monday unveiled a new cloud-based platform that combines the company’s own capabilities with data, applications and tools from more than a dozen other vendors.

    IBM Security Connect, expected to become available in the first quarter of 2019, has been described by IBM as an AI-powered community platform for security applications.

    An analysis conducted by the company showed that, on average, cybersecurity teams are using more than 80 cybersecurity tools from 40 different vendors. IBM found not only that many of the capabilities provided by these tools are not used, but also that integration problems can pose a challenge.

    https://www.ibm.com/security/connect/

    Reply
  10. Tomi Engdahl says:

    FDA Warns of Flaws in Medtronic Programmers
    https://www.securityweek.com/fda-warns-flaws-medtronic-programmers

    A vulnerability in the software update process of certain Medtronic Programmer models has prompted the vendor to block the functionality on affected devices, the U.S. Food and Drug Administration (FDA) informs.

    The flaw was found to impact the Internet connection of Medtronic’s Carelink 2090 and Carelink Encore 29901 programmers, and could allow malicious attackers to tamper with the programmers or implanted devices, the FDA reveals.

    The programmers are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors.

    Cybersecurity Updates Affecting Medtronic Implantable Cardiac Device Programmers: FDA Safety Communication
    https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm623184.htm

    Devices

    Medtronic CareLink and CareLink Encore Programmers, models 2090 and 29901, are used during implantation and regular follow-up visits for Medtronic cardiac implantable electrophysiology devices (CIEDs). CIEDs include pacemakers to provide pacing for slow heart rhythms, implantable defibrillators to provide an electrical shock or pacing to stop dangerously fast heart rhythms, cardiac resynchronization devices to pace the heart to improve contraction to treat heart failure, and insertable cardiac monitors for long-term cardiac monitoring for irregular or abnormal heart rhythms.

    Medtronic Programmers allow physicians to obtain device performance data, check battery status, and adjust or reprogram device settings from a CIED. When necessary, the Programmers are also used by Medtronic staff to update software in the implanted device. The programmer software can be downloaded and updated either through internet connection to the Medtronic Software Distribution Network (SDN) or by a Medtronic representative plugging a universal serial bus device (USB) into the programmer.

    Recommendations for Health Care Providers

    Continue to use the Programmers for programming, testing and evaluation of CIED patients. Network connectivity is not required for normal CIED programming and similar operation.

    Do not attempt to update the Programmer through the SDN. If you select the “Install from Medtronic” button, it will not result in software installation because access to the external SDN is no longer available.
    Operate the Programmers within well-managed IT networks. Consult with your IT department regarding the security of your network.

    Reply
  11. Tomi Engdahl says:

    Google Boosts Protection of Backups in Android
    https://www.securityweek.com/google-boosts-protection-backups-android

    The latest Android iteration leverages Google Cloud’s Titan technology to better protect users’ backed-up application data, Google says.

    The functionality combines Android’s Backup Service and Google Cloud’s Titan technology, ensuring that user privacy is maintained, the Internet giant explains.

    Backed-up application data in Android 9 can only be decrypted by a key generated at the client and encrypted using the user’s lock-screen PIN/pattern/passcode.

    Reply
  12. Tomi Engdahl says:

    Microsoft Incompletely Patches JET Database Vulnerability
    https://www.securityweek.com/microsoft-incompletely-patches-jet-database-vulnerability

    An out-of-bounds (OOB) write bug in the Microsoft JET Database Engine that could be exploited for remote code execution has been incompletely addressed with the latest Patch Tuesday security updates, 0patch says.

    Tracked as CVE-2018-8423, the flaw was publicly revealed in late September, after Microsoft failed to provide a patch for it in the September 2018 Patch Tuesday set of updates. As 120 days had passed since the vendor was informed of the bug, Trend Micro’s Zero Day Initiative (ZDI) shared the information publicly.

    Reply
  13. Tomi Engdahl says:

    Web Isolation Firm Garrison Technologies Raises $30 Million
    https://www.securityweek.com/web-isolation-firm-garrison-technologies-raises-30-million

    Garrison provides hardware-based web isolation that allows users free and unrestricted — but secure — access to the internet. Its product, Silicon Assured Video Isolation technology (Garrison SAVI) converts potentially dangerous web content to a stream of harmless pixels.

    “Organizations today recognize the ever-growing threat to their most sensitive data and systems posed simply by allowing employees to browse the web, but until now they’ve faced an unhappy choice: restrict web access and allow productivity to suffer, or run the risk of exposure to hackers,” comments Garrison CEO David Garfield.

    “We’ve designed the world’s first truly secure web browser to solve this problem, applying national-security-grade levels of protection to the commercial environment — at an accessible price point — in a way that doesn’t destroy the user experience as employees go about their work,” the company claims.

    ‘National-security-grade’, like ‘military-grade encryption’, is one of those meaningless marketing terms used to impress potential customers.

    “The security industry has long suffered from overblown claims and overinflated prices, without ever ensuring organizations remain truly protected from even some of the most basic threats — this is particularly true of web browsing security,” continued Garfield. “From day one our mission has been developing practical security tools that actually do what they’re supposed to.”

    Reply
  14. Tomi Engdahl says:

    ‘Do Not Track,’ the Privacy Tool Used by Millions of People, Doesn’t Do Anything
    https://gizmodo.com/do-not-track-the-privacy-tool-used-by-millions-of-peop-1828868324

    When you go into the privacy settings on your browser, there’s a little option there to turn on the “Do Not Track” function, which will send an invisible request on your behalf to all the websites you visit telling them not to track you. A reasonable person might think that enabling it will stop a porn site from keeping track of what she watches, or keep Facebook from collecting the addresses of all the places she visits on the internet, or prevent third-party trackers she’s never heard of from following her from site to site. According to a recent survey by Forrester Research, a quarter of American adults use “Do Not Track” to protect their privacy. (Our own stats at Gizmodo Media Group show that 9% of visitors have it turned on.) We’ve got bad news for those millions of privacy-minded people, though: “Do Not Track” is like spray-on sunscreen, a product that makes you feel safe while doing little to actually protect you.

    “Do Not Track,” as it was first imagined a decade ago by consumer advocates, was going to be a “Do Not Call” list for the internet, helping to free people from annoying targeted ads and creepy data collection. But only a handful of sites respect the request, the most prominent of which are Pinterest and Medium. (Pinterest won’t use offsite data to target ads to a visitor who’s elected not to be tracked, while Medium won’t send their data to third parties.) The vast majority of sites, including this one, ignore it.

    Reply
  15. Tomi Engdahl says:

    New Exploit for MikroTik Router WinBox Vulnerability Gives Full Root Access
    https://thehackernews.com/2018/10/router-hacking-exploit.html?m=1

    A known vulnerability in MikroTik routers is potentially far more dangerous than previously thought.
    A cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year.
    The vulnerability, identified as CVE-2018-14847, was initially rated as medium in severity but should now be rated critical.

    New Hack Turned ‘Medium’ MikroTik Vulnerability Into ‘Critical’

    A PoC exploit, called “By the Way,” released by Tenable Research’s Jacob Baines, first uses the directory traversal vulnerability to steal administrator login credentials from the user database file and then writes another file on the system to gain root shell access remotely.

    The technique is yet another security blow against MikroTik routers, which were previously targeted by the VPNFilter malware and used in an extensive cryptojacking campaign uncovered a few months ago.

    Reply
  16. Tomi Engdahl says:

    CIA, NSA and the Pentagon still aren’t using a basic email security feature
    https://techcrunch.com/2018/10/16/cia-nsa-defense-dept-dmarc-email-security/?utm_source=tcfbpage&sr_share=facebook

    Some of the most sensitive U.S. government departments and agencies still aren’t using a basic email security feature that would significantly cut down on incoming spam or phishing emails.

    Fifteen percent of all U.S. government domains still aren’t employing DMARC, or domain-based message authentication, reporting, and conformance policy on their domains,

    Reply
  17. Tomi Engdahl says:

    https://en.m.wikipedia.org/wiki/Machine_Identification_Code

    A Machine Identification Code (MIC), also known as printer steganography, yellow dots, tracking dots or secret dots, is a digital watermark which certain color laser printers and copiers leave on every single printed page, allowing identification of the device with which a document was printed and giving clues to the originator.

    Reply
  18. Tomi Engdahl says:

    Major browsers simultaneously drop support for old security standards

    Reply
  19. Tomi Engdahl says:

    DNA Home Kits Can Be Used To Track You Down, Even If You’ve Never Taken One
    https://www.iflscience.com/editors-blog/dna-home-kits-can-be-used-to-track-you-down-even-if-youve-never-taken-one/

    In spring this year, police managed to track down the suspected Golden State Killer – a fugitive responsible for 12 murders, 51 rapes, and over 120 burglaries – thanks to publicly shared genetic information gathered from spit-in-a-cup consumer DNA testing kits like 23andMe and Ancestry. Although he had never used one of these kits himself, some of his distant relatives had, allowing detectives to compare their DNA to DNA gathered from the crime scenes and identify the killer.

    It turns out this was not just a lucky break.

    Reply
  20. Tomi Engdahl says:

    Slipshod Cybersecurity for U.S. Defense Dept. Weapons Systems
    https://spectrum.ieee.org/riskfactor/computing/it/us-department-of-defenses-weapon-systems-slipshod-cybersecurity

    Last week, the U.S. Government Accountability Office (GAO) released yet another report on the state of the U.S. Department of Defense’s cybersecurity. The GAO’s conclusions can be summed up in two words: unsurprisingly abysmal. The report states, “Nearly all major acquisition programs that were operationally tested between 2012 and 2017 had mission-critical cyber vulnerabilities that adversaries could compromise.”

    Reply
  21. Tomi Engdahl says:

    Medical device maker Medtronic finally fixes its hackable pacemaker
    https://techcrunch.com/2018/10/16/medical-device-maker-medtronic-finally-fixes-its-hackable-pacemaker/?utm_source=tcfbpage&sr_share=facebook

    Medtronic, a maker of medical devices and implants, has pulled the plug on its internet-based software update system, which security researchers had found had a dangerous security vulnerability.

    The company said in a notice this week that it’s switching off the software distribution network after researchers found that a hacker could update the pacemaker’s software with malicious software that could manipulate the impulses that regulate a patient’s heartbeat. The researchers, Jonathan Butts and Billy Rios, revealed the vulnerability at the Black Hat conference in August, more than a year after first reporting the vulnerability to Medtronic.

    Reply
  22. Tomi Engdahl says:

    How to train your employees to avoid online scams: 5 tips
    https://www.techrepublic.com/article/how-to-train-your-employees-to-avoid-online-scams-5-tips/

    According to Microsoft, online scammers are still tricking people with tech support scams, but there are ways to stay safe.

    It’s still a huge problem, with about 20% of consumers engaging with a tech support scammer and some of those losing money. Microsoft receives about 11,000 complaints a month from victims of tech support scams, the release noted.

    The big takeaways for tech leaders:
    Tech support scams are still rampant, with Generation Z and Millennials most likely to fall victim. — Microsoft, 2018
    Microsoft receives 11,000 complaints per month from people who have been the victim of tech support scams that purported to represent major tech companies.

    Reply
  23. Tomi Engdahl says:

    Salvador Rodriguez / CNBC:
    Irish Data Protection Commission says about 3M Europeans were affected by Facebook’s security breach, announced in Sept., where personal info was accessed

    Facebook hack affected 3 million in Europe, creating the first big test for privacy regulation there
    https://www.cnbc.com/2018/10/16/facebook-hack-affected-3-million-in-europe-first-big-test-for-gdpr.html

    A September Facebook security breach affected about 3 million European users, according to a spokesperson from the Irish Data Protection Commission.
    This will be the first major test of a strict new European privacy regulation called GDPR, under which Facebook could be fined up to 4 percent of its annual revenue.

    Reply
  24. Tomi Engdahl says:

    Insurer Anthem Will Pay Record $16M for Massive Data Breach
    https://www.securityweek.com/insurer-anthem-will-pay-record-16m-massive-data-breach

    The nation’s second-largest health insurer has agreed to pay the government a record $16 million to settle potential privacy violations in the biggest known health care hack in U.S. history, officials said Monday.

    The personal information of nearly 79 million people — including names, birthdates, Social Security numbers and medical IDs — was exposed in the cyberattack, discovered by the company in 2015.

    The settlement between Anthem Inc. and the Department of Health and Human Services represents the largest amount collected by the agency in a health care data breach, officials said.

    Severino said the Anthem settlement is nearly three times larger than the previous record amount paid to the government in a privacy case. That sends a message to the industry that “hackers are out there always and large health care entities in particular are targets,” he added.

    The Blue Cross-Blue Shield insurer also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.

    HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers. The company lacked an enterprisewide risk analysis, had insufficient procedures to monitor activity on its systems, failed to identify and respond to suspected or known security incidents, and did not implement “adequate minimum access controls” to shut down intrusions from as early as February 2014.

    Reply
  25. Tomi Engdahl says:

    China is ahead of Russia as ‘biggest state sponsor of cyber-attacks on the West’
    https://www.telegraph.co.uk/technology/2018/10/09/china-ahead-russia-biggest-state-sponsor-cyber-attacks-west/

    China has become the biggest state sponsor of cyber-attacks on the West, primarily in its bid to steal commercial secrets, according to a report today by one of the world’s largest cybersecurity firms.

    Crowdstrike, which revealed the Russian hack on the Democratic National Committee in 2016, said China was now ahead of Russia as the most prolific nation-state mounting attacks on firms, universities, government departments, think tanks and NGOs.

    Reply
  26. Tomi Engdahl says:

    SMS-based two-factor authentication is not safe — consider these alternative 2FA methods instead
    https://www.kaspersky.com/blog/2fa-practical-guide/24219/

    In the past couple of years, the concept of two-factor authentication (2FA), long the preserve of geeks, has found its way into the mainstream. However, the talk is still largely confined to using 2FA for one-time passwords over SMS. Sad to say, this is not the most reliable option. Here’s why:

    It’s easy to sneak a peek at passwords sent by SMS if lock-screen notifications are enabled.
    Even if notifications are turned off, a SIM card can be removed and installed in another smartphone, giving access to SMS messages with passwords.
    Password-bearing SMS messages can be intercepted by a Trojan lurking inside the smartphone.
    Using various underhanded tactics (persuasion, bribery, etc.), criminals can get hold of a new SIM card with the victim’s number from a mobile phone store. SMS messages will then go to this card, and the victim’s phone will be disconnected from the network.
    SMS messages with passwords can be intercepted through a basic flaw in the SS7 protocol used to transmit the messages.

    Reply
  27. Tomi Engdahl says:

    The National Cyber Security Centre
    Annual Review 2018
    https://www.ncsc.gov.uk/news/annual-review-2018

    A note from CEO Ciaran Martin:

    “I’m extremely proud to show how the NCSC has strengthened the UK’s defences against those who seek to harm us online.

    “The Internet was not designed with security in mind and, from a security perspective, there are significant flaws in the way it operates.

    “As we move into our third year, I’m confident that the NCSC will continue to provide the best line of defence in the world to help us thrive in the digital age.”

    Reply
  28. Tomi Engdahl says:

    Podcast: behind the scenes of an incident
    https://www.ncsc.gov.uk/incidents-podcast

    A rare glimpse of the inner workings of the UK’s strongest asset against cyber attacks.

    The NCSC’s first ever podcast gives a rare peek behind the curtain of our world-class incident management service.

    Reply
  29. Tomi Engdahl says:

    VMware Patches Code Execution Flaw in Virtual Graphics Card
    https://www.securityweek.com/vmware-patches-code-execution-flaw-virtual-graphics-card
    VMware has patched a critical arbitrary code execution vulnerability in the SVGA virtual graphics card used by its Workstation, ESXi and Fusion products.
    According to an advisory published by the company on Tuesday, ESXi, Fusion and Workstation are affected by an out-of-bounds read vulnerability in the SVGA device. The flaw, tracked as CVE-2018-6974, can be exploited by a malicious guest to execute arbitrary code on the host.

    VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability
    https://www.vmware.com/security/advisories/VMSA-2018-0026.html
    Severity: Critical

    Reply
  30. Tomi Engdahl says:

    Chef Launches New Version for DevSecOps Automated Compliance
    https://www.securityweek.com/chef-launches-new-version-devsecops-automated-compliance

    Chef Software has announced the latest version of its InSpec compliance automation platform for DevSecOps. InSpec provides an open source high-level language to share security and compliance rules between development, security, and operations engineers. Compliance can be with internal security policy, infrastructure provisioning, and external regulatory requirements.

    InSpec allows security and compliance requirements to be expressed in a common language for all groups. So, if the security group specifies that an application requires a mandatory access control system, this can be added to InSpec as a few lines of simple code. As the development proceeds, InSpec checks that all such specified requirements are included within the application.

    “Due to the human-readable way InSpec code is written, we’ve had success getting buy-in from the non-technical decision makers, which has been crucial in supporting our transformation efforts,” comments Hans Nesbitt, cloud engineer at Pacific Life.

    Reply
  31. Tomi Engdahl says:

    Many Federal Agencies Fail to Meet DMARC Implementation Deadline
    https://www.securityweek.com/many-federal-agencies-fail-meet-dmarc-implementation-deadline

    The U.S. Department of Homeland Security (DHS) last year ordered government organizations to secure their email and web assets, but many agencies have failed to meet the deadline.

    The Binding Operational Directive (BOD) 18-01, issued by the DHS on October 16, 2017, instructs federal agencies to start using web and email security technologies such as HTTPS, STARTTLS, SPF and DMARC. Agencies were given one year to set their DMARC policy to “reject,” which completely blocks the delivery of unauthenticated emails.

    Several cybersecurity firms have been monitoring the progress, including Agari, Valimail and Proofpoint. They all found that while significant progress has been made, there are still many agencies that are not compliant one year after the directive was issued.

    Reply
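The DMARC gap described in this comment and in comment 16 comes down to what the domain's `_dmarc` TXT record says. As an added example (not code from any of the articles linked here), the parser below reads a record per the RFC 7489 tag syntax and grades it against the BOD 18-01 bar of `p=reject`; treating `pct` below 100 or a weaker `sp` subdomain policy as falling short of that bar, and the sample records themselves, are this example's own choices.

```python
"""Parse a DMARC TXT record and grade it against a p=reject requirement.

Added example, not the code of any tool named in the comments above. The
record text is whatever your resolver returns for the TXT record at
_dmarc.<domain>; lookups are left to the caller so this runs offline.
Sample records below are constructed for illustration.
"""

SAMPLE_RECORDS = {  # constructed examples, not real agency records
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@agency.example",
    "reject-partial": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@agency.example",
    "reject-weak-subdomains": "v=DMARC1; p=reject; sp=none",
    "reject-full": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example; ruf=mailto:forensic@agency.example",
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dict.

    Raises ValueError for a malformed tag or when the record does not start
    with v=DMARC1, which RFC 7489 requires for the record to be used at all.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    first = next(iter(tags), None)
    if first != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC record (missing leading v=DMARC1)")
    return tags


def grade(record):
    """Return policy details, a list of findings, and whether the record
    meets the reject bar (p=reject, applied to 100% of mail and to subdomains).
    Pass None when the domain has no _dmarc TXT record at all."""
    if record is None:
        return {"policy": "missing", "compliant": False,
                "findings": ["no _dmarc TXT record: spoofed mail is delivered unchecked"]}
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"policy": "invalid", "compliant": False, "findings": [str(exc)]}

    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p (RFC 7489)
    try:
        pct = int(tags.get("pct", "100"))        # pct defaults to 100
    except ValueError:
        pct = -1

    findings = []
    if policy not in VALID_POLICIES:
        findings.append(f"invalid or missing p= tag ({policy!r})")
    elif policy == "none":
        findings.append("p=none: failures are only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: failures go to spam, not rejected")
    if policy == "reject" and pct != 100:
        findings.append(f"pct={tags.get('pct')}: reject applies to only part of failing mail")
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not covered by reject")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")

    compliant = policy == "reject" and sub_policy == "reject" and pct == 100
    return {"policy": policy, "subdomain_policy": sub_policy, "pct": pct,
            "compliant": compliant, "findings": findings}


if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        verdict = grade(rec)
        print(f"{label:24} compliant={verdict['compliant']}")
        for f in verdict["findings"]:
            print("   -", f)
```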
  32. Tomi Engdahl says:

    Arm doodles server, comms CPUs in public before they leak out in open-source code…
    Data center blueprints get Neoverse brand, roadmap
    https://www.theregister.co.uk/2018/10/16/arm_neoverse_infrastructure/

    Chip designer Arm has lightly sketched out in public its future processor designs that are aimed at powering internet servers and infrastructure.

    Think CPU cores, chip interconnects, memory subsystems, and so on, for semiconductor manufacturers to use in silicon brains for data center systems, edge devices, and networking and telecommunications gear. Arm really wants to nuzzle its way into server and telecoms racks, tiptoeing past Intel Xeons and AMD Epycs, and so here’s the intellectual property it hopes will do the trick.

    Right now, Arm has its 16nm Cosmos platform, which includes the Cortex-A72 and A75 CPU cores. We’re told infrastructure hardware using this platform is being used in production right now.

    Come 2019, and Arm hopes to launch the 7nm Ares platform, then the 7nm+ Zeus platform in 2020, and the 5nm Poseidon platform in 2021. These are all designs by Arm that will be licensed to chipmakers for powering backend infrastructure servers and related hardware. A roadmap out to 2021 is important: Arm wants to demonstrate to its customers and its customers’ customers that it has a long bench of blueprints they can rely on.

    Reply
  33. Tomi Engdahl says:

    Party like it’s 1987… SVGA code bug haunts VMware’s house, lets guests flee to host OS
    Malicious code in VMs can leap over ESXi, Workstation, Fusion hypervisor security
    https://www.theregister.co.uk/2018/10/17/vmware_svga_guest_escape_critical_bug/

    Reply
  34. Tomi Engdahl says:

    https://www.tivi.fi/Kaikki_uutiset/ei-nain-facebook-laite-jonka-luvattiin-olevan-vakoilematta-vakoilee-sittenkin-6745197

    It turns out that Facebook could in fact use data collected from its Portal in-home video device to target you with ads
    Who you call and what apps you use could determine what ads you see.
    https://www.recode.net/2018/10/16/17966102/facebook-portal-ad-targeting-data-collection

    Reply
  35. Tomi Engdahl says:

    LibSSH Flaw Allows Hackers to Take Over Servers Without Password
    https://thehackernews.com/2018/10/libssh-ssh-protocol-library.html

    A four-year-old severe vulnerability has been discovered in the Secure Shell (SSH) implementation library known as Libssh that could allow anyone to completely bypass authentication and gain unfettered administrative control over a vulnerable server without requiring a password.

    The security vulnerability, tracked as CVE-2018-10933, is an authentication-bypass issue that was introduced in Libssh version 0.6 released earlier 2014, leaving thousands of enterprise servers open to hackers for the last four years.

    But before you get frightened, you should know that neither the widely used OpenSSH nor Github’s implementation of libssh was affected by the vulnerability.

    Reply
  36. Tomi Engdahl says:

    Hackers accused of ties to Russia hit three East European companies: cybersecurity firm
    https://www.reuters.com/article/us-russia-cyber/hackers-accused-of-ties-to-russia-hit-3-east-european-companies-cybersecurity-firm-idUSKCN1MR1BO

    Hackers have infected three energy and transport companies in Ukraine and Poland with sophisticated new malware and may be planning destructive cyber attacks, a software security firm said on Wednesday.

    Reply
  37. Tomi Engdahl says:

    LibSSH Vuln: You Don’t Need to See my Authentication
    https://hackaday.com/2018/10/16/libssh-vuln-you-dont-need-to-see-my-authentication/

    Another day, another CVE (Common Vulnerabilities and Exposures). Getting a CVE number assigned to a vulnerability is a stamp of authenticity that you have a real problem on your hands. CVE-2018-10933 is a worst case scenario for libssh. With a single response, an attacker can completely bypass authentication, giving full access to a system.

    Before you panic and yank the power cord on your server, know that libssh is not part of OpenSSH. Your Linux box almost certainly uses OpenSSH as the SSH daemon, and that daemon is not vulnerable to this particular problem.

    Reply
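    Added example for the two libssh posts above (not code from the Hackaday or The Hacker News articles, nor from the libssh project): a defender-side inventory check that parses SSH identification banners collected from one's own hosts and flags any server advertising libssh 0.6 or later, the branch the articles say introduced the authentication bypass, while reporting OpenSSH banners as not affected, as the articles state. The banner format `SSH-2.0-libssh_<version>`, the host names and the sample banners are assumptions/constructed data; the fixed release is left as a placeholder to be filled from the libssh advisory.

```python
"""
Added example: triage SSH banners from your own hosts for libssh servers
that need review for CVE-2018-10933. Banner format and sample data are
assumptions/constructed; fixed versions are a placeholder (consult the
libssh advisory).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: host -> identification line as returned on TCP connect.
SAMPLE_BANNERS: Dict[str, str] = {
    "build-01.example.test": "SSH-2.0-OpenSSH_7.4",
    "iot-gw-03.example.test": "SSH-2.0-libssh_0.7.3",
    "legacy-nas.example.test": "SSH-2.0-libssh_0.5.5",
    "git-mirror.example.test": "SSH-2.0-libssh_0.8.1",
    "mystery-box.example.test": "SSH-2.0-SomeOtherSSH_1.0",
}

# Page fact: the bug was introduced in libssh 0.6. The fixed release is
# deliberately a placeholder; fill it in from the vendor advisory.
AFFECTED_SINCE: Tuple[int, ...] = (0, 6)
FIXED_VERSIONS_PLACEHOLDER = "see libssh advisory for CVE-2018-10933"

# Assumed banner shape: "SSH-<proto>-<software>", e.g. "SSH-2.0-libssh_0.8.1".
_BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[^\s]+)")


def parse_banner(line: str) -> Optional[Tuple[str, str]]:
    """Return (protocol, software) from an SSH identification line, or None."""
    m = _BANNER_RE.match(line.strip())
    if not m:
        return None
    return m.group("proto"), m.group("software")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.7.3' or '0.8.1p1' into a comparable tuple of leading integers."""
    parts: List[int] = []
    for piece in text.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group(0)))
    return tuple(parts)


def classify(banner: str) -> str:
    """Map one banner to a triage verdict."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparseable"
    _, software = parsed
    name, _, version = software.partition("_")
    if name.lower() == "openssh":
        return "not affected (OpenSSH)"
    if name.lower() == "libssh":
        if parse_version(version) >= AFFECTED_SINCE:
            return "REVIEW: libssh >= 0.6 (%s)" % FIXED_VERSIONS_PLACEHOLDER
        return "libssh < 0.6 (predates the bug)"
    return "unknown implementation"


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Triage a whole inventory: host -> verdict."""
    return {host: classify(b) for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host:28s} {verdict}")
```

    The banner alone cannot tell you whether a vendor backported the fix, so "REVIEW" means "check the advisory and the package changelog", not "vulnerable".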
  38. Tomi Engdahl says:

    Vending Machine App Hacked for Unlimited Credit
    https://www.bleepingcomputer.com/news/security/vending-machine-app-hacked-for-unlimited-credit/

    A hacker enticed by the payment method used by the vending machines located on a university campus found a way to get free credit after looking at the inner workings of the machine’s accompanying mobile app.

    The vending machines are from Argenta, a popular provider of coffee services in Italy, now acquired by the Selecta Group B.V.

    They support Bluetooth Low Energy (BLE) and Near Field Communication (NFC).

    Searching for a weak spot, Matteo Pisani, an Italian hacker and CTO at Remoria VR, decompiled the Argenta mobile app that interacts with the vending machines and made it debuggable. He then repackaged and installed it on a smartphone and monitored its activity for anything that could be manipulated.

    Pisani was thus able to determine that the mobile app used a database called ‘argenta.db,’ which he located and extracted on his laptop.

    editable ‘walletCredit’ field.

    About a month before making them public, the hacker disclosed his findings to the company that developed the app.

    Reply
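    Added example, not code from Argenta, Selecta or Matteo Pisani's research: it shows why a balance kept in a client-side database (the editable `walletCredit` field the article mentions) cannot be trusted, and the minimum a client should do if it caches such a value at all: the server stays authoritative for the balance and the cached copy is made tamper-evident with an HMAC under a key the device never holds. The key, the `userId`/`sig` field names, the table layout and the sample record are constructed for the demonstration.

```python
"""
Added example: tamper-evident cached wallet balance. The server signs the
record it issues; the client only stores it; the server re-verifies before
honouring a vend. Key, field names (other than walletCredit) and sample
data are constructed.
"""
import hashlib
import hmac
import json
import sqlite3
from typing import Optional

# Constructed secret. In a real deployment this lives only server-side; the
# client never signs anything, it merely carries records the server signed.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def sign_record(record: dict, key: bytes = SERVER_KEY) -> str:
    """Canonical JSON (sorted keys, no whitespace) -> HMAC-SHA256 hex digest."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def server_issue_wallet(user_id: str, credit_cents: int) -> dict:
    """What the server hands the app: the balance plus its signature."""
    record = {"userId": user_id, "walletCredit": credit_cents}
    return {**record, "sig": sign_record(record)}


def client_store(conn: sqlite3.Connection, wallet: dict) -> None:
    """Persist the signed record in a local table (an 'argenta.db'-style cache)."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS wallet "
        "(userId TEXT PRIMARY KEY, walletCredit INTEGER, sig TEXT)"
    )
    conn.execute(
        "INSERT OR REPLACE INTO wallet VALUES (?, ?, ?)",
        (wallet["userId"], wallet["walletCredit"], wallet["sig"]),
    )
    conn.commit()


def client_load(conn: sqlite3.Connection, user_id: str) -> Optional[dict]:
    """Read the cached record back as a dict."""
    row = conn.execute(
        "SELECT userId, walletCredit, sig FROM wallet WHERE userId = ?", (user_id,)
    ).fetchone()
    if row is None:
        return None
    return {"userId": row[0], "walletCredit": row[1], "sig": row[2]}


def server_verify(wallet: dict, key: bytes = SERVER_KEY) -> bool:
    """Server-side check before honouring a vend: recompute, compare in constant time."""
    record = {k: v for k, v in wallet.items() if k != "sig"}
    return hmac.compare_digest(sign_record(record, key), wallet.get("sig", ""))


def tamper_demo() -> dict:
    """Issue 500 cents, cache it, edit walletCredit in the local DB, verify both."""
    conn = sqlite3.connect(":memory:")
    client_store(conn, server_issue_wallet("user-42", 500))
    untouched_ok = server_verify(client_load(conn, "user-42"))
    # Simulate the local edit the article describes, against this in-memory test DB.
    conn.execute(
        "UPDATE wallet SET walletCredit = ? WHERE userId = ?", (999999, "user-42")
    )
    conn.commit()
    edited = client_load(conn, "user-42")
    return {
        "untouched_ok": untouched_ok,
        "edited_credit": edited["walletCredit"],
        "edited_ok": server_verify(edited),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

    The signature only makes an edited balance detectable; the actual fix is architectural: the machine and the backend never take the balance from the app, so the cached value is a display convenience and nothing more.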
  39. Tomi Engdahl says:

    Anthem agrees to pay $16 million in data breach privacy settlement
    https://www.zdnet.com/article/anthem-agrees-to-pay-us-gov-16-million-in-data-breach-settlement/

    The insurer will shell out to settle a privacy violations case issued by the US government.

    Reply
  40. Tomi Engdahl says:

    Eric Geller / Politico:
    A look at how the Democratic National Committee has beefed up cybersecurity since 2016, hiring staff from Silicon Valley, warning about phishing, and more

    Inside the race to hack-proof the Democratic Party
    https://www.politico.com/story/2018/10/17/democrats-hacking-cybersecurity-dnc-909883

    The DNC’s chief technology officer has led a massive cybersecurity overhaul at the committee and its sister organizations.

    The Democratic National Committee has spent 14 months staffing up with tech talent from Silicon Valley, training staff to spot suspicious emails and giving the FBI someone to talk to if it spots signs of hackers targeting the party.

    Still, the party faces an enormous challenge in recovering from the damage inflicted by the hacking of DNC emails, strategy documents and other internal records in 2016, which U.S. intelligence agencies have said was part of a Moscow-backed effort to help President Donald Trump win the White House. Officials including Director of National Intelligence Dan Coats have warned that this year’s midterm elections remain a potential Russian target, and some Democratic senators have reported malicious email attacks on their offices this year — both indications that the threat from foreign and domestic hackers has far from vanished.

    The new focus on security has led to some high-profile misfires, too.

    DNC chief security officer Bob Lord told POLITICO at the time that the real takeaway from the flub was how quickly the massive organization recognized its mistake. “I don’t know that that would have happened two or three years ago,” he said.

    Lord, a former Yahoo and Twitter security executive, was one of Krikorian’s most significant hires. He worked closely with the FBI when it investigated two massive data breaches at Yahoo, and he is now one of the DNC’s key ambassadors to the bureau.

    Krikorian says he is doing everything he can to prepare the organization for unexpected cyberattacks, as well as the more common threats that have already hurt the organization.

    Reply
  41. Tomi Engdahl says:

    Heather Murphy / New York Times:
    Profile of GEDmatch, a genealogy website that has helped crack more than a dozen cold cases after it was used to uncover the identity of the Golden State Killer

    How an Unlikely Family History Website Transformed Cold Case Investigations
    https://www.nytimes.com/2018/10/15/science/gedmatch-genealogy-cold-cases.html

    Fifteen murder and sexual assault cases have been solved since April with a single genealogy website. This is how GEDmatch went from a casual side project to a revolutionary tool.

    Reply
  42. Tomi Engdahl says:

    Finland must also prepare for cyber attacks: "In addition to doors and windows, attacks are now coming even through cooker hoods"
    https://www.tivi.fi/Kaikki_uutiset/kyberhyokkayksiin-tulee-varautua-myos-suomessa-ovien-ja-ikkunoiden-lisaksi-hyokkayksia-tulee-jo-liesituulettimistakin-6745316

    Reply
  43. Tomi Engdahl says:

    Take a video tour of Facebook’s election security war room
    https://techcrunch.com/2018/10/18/facebook-election-war-room/

    Beneath an American flag, 20 people packed tight into a beige conference room are Facebook’s, and so too the Internet’s, first line of defence for democracy. This is Facebook’s election security war room. Screens visualize influxes of foreign political content and voter suppression attempts as high-ranking team members from across divisions at Facebook, Instagram, and WhatsApp coordinate rapid responses.

    Reply
  44. Tomi Engdahl says:

    Around 62 percent of all Internet sites will run an unsupported PHP version in 10 weeks
    https://www.zdnet.com/article/around-62-of-all-internet-sites-will-run-an-unsupported-php-version-in-10-weeks/

    The highly popular PHP 5.x branch will stop receiving security updates at the end of the year

    Reply
