Cyber Security October 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.

You are also free to post related links.

495 Comments

  1. Tomi Engdahl says:

    Cyber Thieves Steal Millions from Mexican Banks
    https://securityboulevard.com/2018/10/cyber-thieves-steal-millions-from-mexican-banks/

    Another massive cyberattack ravaged Mexican banks in an attack earlier this year. The thieves created hundreds of false orders that wire-transferred funds to fake accounts and then immediately withdrew the money. Then these thieves sent hundreds of fake orders to move money to fake accounts in other banks.

    stolen amounts as ranging from 300 million pesos to as much as 400 million pesos. The SPEI® attack is similar in some ways to the SWIFT® attacks.

    SPEI is a system developed and operated by Banco de México that provides similar services to both commercial and business customers to enable secure electronic funds transfers, via the bank, the Internet, or mobile banking

    Reply
  2. Tomi Engdahl says:

    NATO cyber command to be fully operational in 2023
    https://www.reuters.com/article/us-nato-cyber/nato-cyber-command-to-be-fully-operational-in-2023-idUSKCN1MQ1Z9

    A new NATO military command center to deter computer hackers should be fully staffed in 2023 and able to mount its own cyber attacks but the alliance is still grappling with ground rules for doing so

    While NATO does not have its own cyber weapons, the U.S.-led alliance established an operations center on Aug. 31 at its military hub in Belgium. The United States, Britain, Estonia and other allies have since offered their cyber capabilities.

    “This is an emerging domain and the threat is growing,”

    Reply
  3. Tomi Engdahl says:

    Swedish Election 2018 — A Preliminary Assessment
    Mikael Tofvesson, Head of Global Monitoring and Analysis, Swedish Civil Contingencies Agency
    https://medium.com/election-interference-in-the-digital-age/swedish-election-2018-a-preliminary-assessment-bc84f5c5529a

    As a part of Sweden’s preparations to protect the Swedish election, the Swedish Civil Contingencies Agency (MSB) investigated influence activities targeting elections in other countries and conducted a vulnerability study regarding the Swedish election process and organisation.

    Looking at other elections and comparing the methods of the attacks, MSB assessed that four areas, relevant to Sweden, were targeted:

    The election process and its integrity
    The will and ability of the population to vote
    The political preferences
    The trustworthiness of the political leadership

    Influence campaigns against elections were effective when:

    There was a lack of awareness about the threat and the vulnerabilities to the threats in a society.
    There was a weak or non-existing cooperation between the political decisions makers, agencies and authorities conducting the election and among the agencies protecting the country against foreign influence.

    MSB developed and implemented capabilities in four areas:

    Identifying information influence activities by monitoring vulnerable areas in our society and threat actor’s activities.
    Coordination/Cooperation between the authorities and agencies conducting and protecting the election.
    Information sharing among all relevant stakeholders.
    Awareness about our own vulnerabilities and the threat with a whole of society approach.

    Reply
  4. Tomi Engdahl says:

    Unauthorised access to 72 HealthHub accounts prompts shutdown of e-service for six days
    https://www.todayonline.com/singapore/72-healthhub-accounts-accessed-without-authorisation-higher-usual-attempted-log-ins?cid=emarsys-today_TODAY%27s%20evening%20briefing%20for%20Oct%2018,%202018%20%28ACTIVE%29_newsletter_18102018_today

    SINGAPORE — Seventy-two accounts on the Health Promotion Board’s (HPB) HealthHub portal were recently accessed without authorisation, prompting authorities here to shut down access to the electronic service for six days early this month.

    The agencies had found “higher than usual attempted log-ins” to the portal on four days – Sept 28, Oct 3, Oct 8 and Oct 9 – using more than 27,000 unique IDs or email addresses.

    98 per cent of the email addresses used were not related to HealthHub account IDs – and these attempts were unsuccessful – 72 accounts were successfully logged into

    The suspected hacking attempt came on the heels of a cyber attack on SingHealth in June

    Reply
  5. Tomi Engdahl says:

    Facebook thinks the hackers that stole 29 million users’ info were spammers not a nation state
    https://nordic.businessinsider.com/facebook-thinks-spammers-responsible-hack-stole-info-from-29-million-users-2018-10?r=US&IR=T

    Facebook has “tentatively” concluded that spammers pretending to be a digital marketing firm are responsible for the biggest hack in the company’s history, according to a report in The Wall Street Journal.
    Anonymous sources told the WSJ that the company does not believe a nation-state was involved.
    The hacker stole personal information of 29 million Facebook users.

    Reply
  6. Tomi Engdahl says:

    Why aren’t we using SHA-3?
    https://www.csoonline.com/article/3256088/hacking/why-arent-we-using-sha3.html

    The Secure Hash Algorithm version 3 fixes flaws in the now-standard SHA-2 cipher. Here’s how to prepare for a migration to SHA-3 when SHA-2 is inevitably compromised.

    Reply
  7. Tomi Engdahl says:

    Daniel Palmer / CoinDesk:
    Crypto exchange Coinbase open sources its automated security scaling tool Salus and makes it available on GitHub

    Crypto Exchange Coinbase Open-Sources Its Security Scaling Tool
    https://www.coindesk.com/coinbase-makes-new-security-scaling-tool-open-source/

    U.S.-based cryptocurrency exchange Coinbase is making a recently developed automated security scaling tool available to the public.

    Called Salus, after the Roman the goddess of safety and well-being, the program can automatically choose to run and configure different security scanners and issue a report on the results, according to a Thursday blog post from Coinbase developer Julian Borrey.

    Available as an open-source tool on GitHub from today, Salus is said to offer the advantage of being able to centrally coordinate security scans across a large number of software storage repositories, avoiding having to configure a scanner for each different project.

    https://github.com/coinbase/salus

    Reply
  8. Tomi Engdahl says:

    Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months
    https://www.zdnet.com/article/researcher-finds-simple-way-of-backdooring-windows-pcs-and-nobody-notices-for-ten-months/

    “RID Hijacking” technique lets hackers assign admin rights to guest and other low-level accounts.

    A security researcher from Colombia has found a way of assigning admin rights and gaining boot persistence on Windows PCs that’s simple to execute and hard to stop –all the features that hackers and malware authors are looking for from an exploitation technique.

    What’s more surprising, is that the technique was first detailed way back in December 2017, but despite its numerous benefits and ease of exploitation, it has not received either media coverage nor has it been seen employed in malware campaigns.

    The technique does not allow a hacker to remotely infect a computer unless that computer has been foolishly left exposed on the Internet without a password.

    “RID HIJACKING” security conference material
    https://csl.com.co/rid-hijacking-security-conference-material/

    Reply
  9. Tomi Engdahl says:

    Zero-day in popular jQuery plugin actively exploited for at least three years
    https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/

    A fix is out but the plugin is used in hundreds, if not thousands, of projects. Patching will take ages!

    For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned.

    The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp.

    The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

    A vulnerability in this plugin would be devastating

    This worse case scenario is exactly what happened. Earlier this year, Larry Cashdollar, a security researcher for Akamai’s SIRT (Security Intelligence Response Team), has discovered a vulnerability in the plugin’s source code that handles file uploads to PHP servers.

    Cashdollar says that attackers can abuse this vulnerability to upload malicious files on servers, such as backdoors and web shells.

    The Akamai researcher says the vulnerability has been exploited in the wild. “I’ve seen stuff as far back as 2016,” the researcher told ZDNet in an interview.

    The vulnerability was one of the worst kept secrets of the hacker scene and appears to have been actively exploited, even before 2016.

    Cashdollar found several YouTube videos containing tutorials on how one could exploit the jQuery File Upload plugin vulnerability to take over servers. One of three YouTube videos Cashdollar shared with ZDNet is dated August 2015.

    It is pretty clear from the videos that the vulnerability was widely known to hackers, even if it remained a mystery for the infosec community.

    All jQuery File Upload versions before 9.22.1 are vulnerable.

    The developer’s investigation identified the true source of the vulnerability not in the plugin’s code, but in a change made in the Apache Web Server project dating back to 2010, which indirectly affected the plugin’s expected behavior on Apache servers.

    Blueimp’s jQuery File Upload plugin was coded to rely on a custom .htaccess file to impose security restrictions to its upload folder, without knowing that five days before, the Apache HTTPD team made a breaking change that undermined the plugin’s basic design.

    “The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure,” Cashdollar said in a report published today. “If one of these controls suddenly doesn’t exist it may put security at risk unknowingly to the users and software developers relying on them.”

    “I did test 1000 out of the 7800 of the plugin’s forks from GitHub, and they all were exploitable,” Cashdollar told ZDNet. The code he’s been using for these tests is available on GitHub, along with a proof-of-concept for the actual flaw.

    Identifying all affected projects and stomping out this vulnerability will take years.

    https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206

    Reply
  10. Tomi Engdahl says:

    Flaws in telepresence robots allow hackers access to pictures, video feeds
    https://www.zdnet.com/article/flaws-in-telepresence-robots-allow-hackers-access-to-pictures-video-feeds/

    Vendor has patched two of five reported bugs. Three patches are in the works.

    Vecna has already patched two of the five vulnerabilities and is in the process of addressing the other three.

    CVE-2018-8858: Insufficiently Protected Credentials – Wi-Fi, XMPP – Patch Pending
    CVE-2018-8860: Cleartext Transmission of Sensitive Information – Firmware – Patched
    CVE-2018-8866: Improper Neutralization of Special Elements – RCE – Patched
    CVE-2018-17931: Improper Access Control (USB) – Patch Pending
    CVE-2018-17933: Improper Authorization (XMPP Client) – Patch Pending

    The flaws were discovered earlier this year by Dan Regalado, a security researcher with IoT cyber-security firm Zingbox.

    Reply
  11. Tomi Engdahl says:

    GitHub security alerts now support Java and .NET projects
    https://www.zdnet.com/article/github-security-alerts-now-support-java-and-net-projects/

    GitHub also launches Token Scanning tool and new Security Advisory API.

    Reply
  12. Tomi Engdahl says:

    Open source web hosting software compromised with DDoS malware
    https://www.zdnet.com/article/open-source-web-hosting-software-compromised-with-ddos-malware/

    Some VestaCP servers were infected with a new malware strain named Linux/ChachaDDOS.

    Reply
  13. Tomi Engdahl says:

    Hostile states will attempt deadly cyber attacks on UK, warns NCSC
    https://www.zdnet.com/article/hostile-states-will-attempt-deadly-cyber-attacks-on-uk-warns-ncsc/

    The UK has faced hundreds of cyber incidents in the past two years, but the biggest test is probably still to come.

    It’s only a matter of time before the UK faces a cyber attack that threatens loss of life and other major social consequences, the National Cyber Security Centre (NCSC) has warned.

    Since the GCHQ’s specialised cybersecurity arm’s creation in 2016, it has dealt with 1,167 cyber incidents, with 557 of these in the past year, the equivalent of over 10 a week, according to figures in its second annual review.

    Most of these attacks are thought to be the work of hostile governments or hacking groups working on their behalf.

    “The majority of these incidents were, we believe, perpetrated from within nation states in some way hostile to the UK,” said Ciaran Martin, chief executive of the NCSC.

    While the NCSC has been tested by many high-profile cyber attacks in the past two years, the annual review shows that the WannaCry ransomware attack remains the most prominent attack it has faced. But Martin believes bigger, potentially much more dangerous challenges lie ahead.

    “I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead, what we would call a Category 1 attack,” said Martin.

    According to the NCSC’s own definition, a Category 1 attack, or ‘national cyber emergency’, is a cyber attack that causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.

    Reply
  14. Tomi Engdahl says:

    GreyEnergy: New malware campaign targets critical infrastructure companies
    https://www.zdnet.com/article/greyenergy-new-malware-campaign-targets-critical-infrastructure-companies/

    Security researchers warn of cyber-espionage activity by group which has links to some of the most destructive cyber attacks of recent times.

    The hacking group which took down Ukrainian power grids is systematically targeting critical infrastructure in Ukraine and beyond in what security researchers believe could be cyber espionage and reconnaissance ahead of future attacks.

    Dubbed GreyEnergy by researchers at ESET, the group is believed to have been active over the last three years and to be linked to BlackEnergy, the attack group whose actions left 230,000 people in Ukraine without electricity in December 2015.

    Dubbed GreyEnergy by researchers at ESET, the group is believed to have been active over the last three years and to be linked to BlackEnergy, the attack group whose actions left 230,000 people in Ukraine without electricity in December 2015.

    Reply
  15. Tomi Engdahl says:

    Popular Kodi add-on ‘phones home’ — and could get you into serious legal trouble
    https://betanews.com/2018/08/19/popular-kodi-add-on-phones-home/

    If you’re a Kodi user you’ll know add-ons occasionally disappear, stop working, or — more rarely — turn bad.

    While the risk of using Kodi to stream illegal content is usually relatively small, it’s worth being informed when an add-on compromises your privacy and could get you into serious trouble.

    This is the case with Gaia. The popular Kodi addon recently introduced a new feature called Orion, which, according to unofficial Kodi add-on provider TVAddons, phones home with “with streaming links scraped by end users”.

    Orion used to be a paid feature, but now users can make use of it for free, by signing up to the service.

    While there is unlikely to be any malicious intent with Orion, users should be aware of the potential risks associated with add-ons

    Reply
  16. Tomi Engdahl says:

    EU ryhtyy määräämään pakotteita kyberhyökkäyksistä
    https://www.hs.fi/teknologia/art-2000005868901.html

    Theresa May to urge EU leaders to take action on cyber-attacks
    https://www.theguardian.com/technology/2018/oct/17/theresa-may-to-urge-eu-leaders-to-take-action-on-cyber-attacks

    Prime minister wants tougher response to states responsible – including sanctions

    Reply
  17. Tomi Engdahl says:

    FYI: Drone maker DJI’s ‘Get it on Google Play’ website button definitely does not get the app from Google Play…
    Quadcopter slinger rudely palms folk off to .apk download
    https://www.theregister.co.uk/2018/10/19/dji_android_code/

    Reply
  18. Tomi Engdahl says:

    You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone’s web privacy
    Never-closed browsers and persistent session tickets make tracking a doddle
    https://www.theregister.co.uk/2018/10/19/tls_handshake_privacy/

    Transport Layer Security underpins much of the modern internet. It is the foundation of secure connections to HTTPS websites, for one thing. However, it can harbor a sting in its tail for those concerned about staying anonymous online.

    Privacy advocates have long warned about the risks posed by various forms of web tracking. These include cookies, web beacons, and too many forms of fingerprinting to name.

    The privacy risks associated with web tracking, however, persist, and now it appears there’s yet another mechanism for following people online. Blame researchers from the University of Hamburg in Germany for the latest expansion of the privacy attack surface.

    In a paper distributed through ArXiv this week, computer science boffins Erik Sy, Hannes Federrath, Christian Burkert, and Mathias Fischer describe a novel tracking technique involving Transport Layer Security (TLS) session resumption.
    Tricky negotiations

    TLS (SSL in an earlier incarnation) should be widely familiar as the cryptographic protocol used to keep web communication protected as it travels between client and server. The latest version is 1.3.

    Establishing a TLS connection, say, when visiting a HTPPS website, involves some back-and-forth negotiation over the network. So it makes sense to have a way to resume previously a established session with less ritual: TLS session resumption.

    The techniques for doing so vary between TLS 1.3 and older versions of the spec – 0-RTT/1-RTT (round-trip time) via pre-shared keys (PSK) represents the latest mechanism while the legacy approach involves sessions IDs and session tickets.

    Tracking Users across the Web via TLS Session Resumption
    https://arxiv.org/pdf/1810.07304.pdf

    Reply
  19. Tomi Engdahl says:

    Illegal file-sharing: You can’t get away with blaming a family member, says top court
    https://www.zdnet.com/article/illegal-file-sharing-you-cant-get-away-with-blaming-a-family-member-says-top-court/

    Shifting the blame onto a family member for illegal file-sharing on your internet connection is not good enough without specifics, says EU’s top court.

    Reply
  20. Tomi Engdahl says:

    IT analyst ‘tried to blackmail Apple for £130,000 in Bitcoin and £800 iTunes vouchers after posting video showing him hacking into iCloud accounts and threatening to sell personal details of 319million users’
    https://www.dailymail.co.uk/news/article-6289963/IT-analyst-tried-blackmail-Apple-130-000-Bitcoin.html

    IT analyst posted videos on YouTube showing him hacking iCloud account
    Kerem Albayrak, 21, allegedly demanded more than £133,000 worth of Bitcoin
    He warned Apple he would sell the personal details of 319million iCloud users
    Albayrak granted unconditional bail ahead of a trial at Southwark Crown Court

    Reply
  21. Tomi Engdahl says:

    Google Pixel 3 Improves Data Protection with Security Chip
    https://www.securityweek.com/google-pixel-3-improves-data-protection-security-chip

    Google has packed the recently launched Pixel 3 and Pixel 3 XL devices with Titan M, a hardened security microcontroller that can better protect information at hardware level.

    Designed and manufactured by Google, Titan M is a second-generation, low-power security module meant to help with the Android Verified Boot, storing secrets, providing backing for the Android Strongbox Keymaster module, and enforcing factory-reset policies.

    Reply
  22. Tomi Engdahl says:

    Scotty Doesn’t Know: prankster takes over Scott Morrison’s website
    https://www.theguardian.com/australia-news/2018/oct/19/scotty-doesnt-know-prankster-takes-over-scott-morrisons-website

    Melbourne man says it’s the ‘most fun I’ve had with $50 in a long time’

    Scott Morrison’s personal website has been taken over and now plays a lewd rock song called Scotty Doesn’t Know.

    A Melbourne man is taking responsibility for claiming the website scottmorrison.com.au after the domain licence lapsed.

    “So, the PM forgot to renew his website and it expired today … Most fun I’ve had with $50 in a long time,” Jack Genesin wrote on Facebook.

    Reply
  23. Tomi Engdahl says:

    Serious D-Link router security flaws may never be patched
    https://nakedsecurity.sophos.com/2018/10/19/serious-d-link-router-security-flaws-may-never-be-patched/

    In May, Polish researcher Błażej Adamczyk of the Silesian University of Technology contacted D-Link to tell it he’d discovered a trio of important security flaws affecting eight of its Wi-Fi routers.

    According to Adamczyk, D-Link replied two weeks later to say that two of the products would be patched in due course but that the remaining six were considered end of life (EOL), the implication being that they wouldn’t be updated.

    Reply
  24. Tomi Engdahl says:

    Buggy software in popular connected storage drives can let hackers read private data
    https://techcrunch.com/2018/10/19/flaws-connected-storage-drives-can-let-hackers-read-private-data/?sr_share=facebook&utm_source=tcfbpage

    Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user’s private and sensitive data.

    The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested — NetGear Stora, Seagate Home and Medion LifeCloud — can allow an attacker to remotely read, change and delete data without requiring a password.

    Reply
  25. Tomi Engdahl says:

    Fraudster Targets Cryptocurrency Wallets with a Variety of Info Stealers
    https://www.bleepingcomputer.com/news/security/fraudster-targets-cryptocurrency-wallets-with-a-variety-of-info-stealers/

    An online scammer targeting thousands of victims interested in cryptocurrencies runs a large and diverse business that includes phishing and fraud operations.

    The crook tempts users with offers to make digital coins the easy way, to trick them into installing information-stealing malware and backdoors that provide access to sensitive data.

    Reply
  26. Tomi Engdahl says:

    Critical Flaw Found in Streaming Library Used by VLC and Other Media Players
    https://thehackernews.com/2018/10/critical-flaw-found-in-streaming.html?fbclid=IwAR0uI3Pi0_X9uZxXBcgj8ZNg9yAkhXmLUhveWRvbHqMh-KsWykRQ49ftQ14&m=1

    Security researchers have discovered a serious code execution vulnerability in the LIVE555 Streaming Media library—which is being used by popular media players including VLC and MPlayer, along with a number of embedded devices capable of streaming media.
    LIVE555 streaming media, developed and maintained by Live Networks, is a set of C++ libraries companies and application developers use to stream multimedia over open standard protocols like RTP/RTCP, RTSP or SIP.

    resides in the HTTP packet-parsing functionality of the LIVE555 RTSP

    Reply
  27. Tomi Engdahl says:

    DoD barely understands cybersecurity
    https://www.edn.com/electronics-blogs/brianwaves/4461193/DoD-barely-understands-cybersecurity?utm_source=Aspencore&utm_medium=EDN&utm_campaign=social

    The US Department of Defense (DoD) only began to take cybersecurity seriously in 2017, according to a report released on Tuesday by the Government Accounting Office (GAO). The DoD’s failure to address cybersecurity concerns is abject enough to make it into the name of the report: “Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities.” The GAO’s investigation was focused on weapon systems and weapons systems acquisition.

    The DoD has made efforts to secure its networks and IT systems, according to the GAO, but until recently it failed to realize that when you connect weapon systems to a network, they are subject to the same risks and also need protective measures.

    The DoD is beginning to respond but, “It looks grim unless they really see this as a wake-up call and start taking actions in a serious manner,”

    https://www.gao.gov/assets/700/694913.pdf

    Reply
  28. Tomi Engdahl says:

    Washington Post:
    DOJ charges Russian national involved in “Project Lakhta”, an alleged foreign influence operation to interfere in US midterms by pushing misinformation online

    Justice Dept. charges Russian woman with interference in midterm elections
    http://www.washingtonpost.com/world/national-security/director-of-national-intelligence-warns-of-ongoing-campaigns-to-interfere-with-elections/2018/10/19/64973a7a-d3b4-11e8-b2d2-f397227b43f0_story.html

    The Justice Department on Friday charged a Russian woman for her alleged role in a conspiracy to interfere with the 2018 U.S. election, marking the first criminal case prosecutors have brought against a foreign national for interfering in the upcoming midterms.

    Prosecutors said she managed the finances of “Project Lakhta,” a foreign influence operation they said was designed “to sow discord in the U.S. political system” by pushing arguments and misinformation online about a host of divisive political issues, including immigration, the Confederate flag, gun control and the National Football League national-anthem protests.

    In a statement, the ODNI said officials “do not have any evidence of a compromise or disruption of infrastructure that would enable adversaries to prevent voting, change vote counts or disrupt our ability to tally votes in the midterm elections.” But the statement noted: “We are concerned about ongoing campaigns by Russia, China and other foreign actors, including Iran, to undermine confidence in democratic institutions and influence public sentiment and government policies.”

    Reply
  29. Tomi Engdahl says:

    Ricardo Alonso-Zaldivar / Associated Press:
    Officials say a government computer system that interacts with HealthCare.gov was hacked earlier this month, compromising sensitive data for ~75,000 people

    Hackers breach HealthCare.gov system, get data on 75,000
    https://apnews.com/212e1e36b10945968704bd7e86598a65

    A government computer system that interacts with HealthCare.gov was hacked earlier this month, compromising the sensitive personal data of some 75,000 people, officials said Friday.

    The Centers for Medicare and Medicaid Services made the announcement late in the afternoon ahead of a weekend, a time slot agencies often use to release unfavorable developments.

    About 10 million people currently have private coverage under former President Barack Obama’s health care law.

    Reply
  30. Tomi Engdahl says:

    Khashoggi’s fate shows the flip side of the surveillance state
    https://techcrunch.com/2018/10/20/khashoggis-fate-shows-the-flip-side-of-the-surveillance-state/?sr_share=facebook&utm_source=tcfbpage

    It’s been over five years since NSA whistleblower Edward Snowden lifted the lid on government mass surveillance programs, revealing, in unprecedented detail, quite how deep the rabbit hole goes thanks to the spread of commercial software and connectivity enabling a bottomless intelligence-gathering philosophy of ‘bag it all’.

    Government spying practices are perhaps more scrutinized, as a result of awkward questions about out-of-date legal oversight regimes.

    Increasingly powerful state surveillance is seemingly here to stay, with or without adequately robust oversight. And commercial use of strong encryption remains under attack from governments.

    But there’s another end to the surveillance telescope.

    Technology is a double-edged sword – which means it’s also capable of lifting the lid on the machinery of power-holding institutions like never before.”

    We’re now seeing some of the impacts of this surveillance technology cutting both ways.

    Witness, for example, how quickly the Kremlin’s official line on the Skripal poisonings unravelled.

    Their investigation made use of a leaked database of Russian passport documents

    Right now, we’re in the midst of another fast-unfolding example of surveillance apparatus and public data standing in the way of dubious state claims — in the case of the disappearance of Washington Post journalist Jamal Khashoggi, who went into the Saudi consulate in Istanbul on October 2

    A marked element of the Khashoggi case has been the explicit descriptions of his fate leaked to journalists by Turkish government sources, who have said they have recordings of his interrogation, torture and killing inside the building — presumably via bugs either installed in the consulate itself or via intercepts placed on devices held by the individuals inside.

    This surveillance material has reportedly been shared with US officials, where it must be shaping the geopolitical response

    Attempts by the Saudis to construct a plausible narrative to explain what happened to Khashoggi when he stepped over its consulate threshold to pick up papers for his forthcoming wedding have failed in the face of all the contrary data.

    Reply
  31. Tomi Engdahl says:

    Lindsey O’Donnell / Threatpost:
    Researcher discovers and helps patch 13 vulnerabilities in open source IoT OS FreeRTOS and Amazon’s AWS secure connectivity modules using the OS — Researchers have found that a popular Internet of Things real-time operating system – FreeRTOS – is riddled with serious vulnerabilities.

    AWS FreeRTOS Bugs Allow Compromise of IoT Devices
    https://threatpost.com/aws-freertos-bugs-allow-compromise-of-iot-devices/138455/

    The bugs let hackers crash IoT devices, leak their information, and completely take them over.

    Researchers have found that a popular Internet of Things real-time operating system – FreeRTOS – is riddled with serious vulnerabilities.

    The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems, leak information from the devices’ memory, and take them over. And while patches have been issued, researchers warn that it still may take time for smaller vendors to update.

    FreeRTOS provides an OS for microcontrollers, which vendors can bundle together with other components in IoT devices and solutions – including the TCP/IP stack, connectivity modules, and over the air (OTA) updates.

    The kernel has gained traction in the IoT market, and in 2017, Amazon took stewardship of the OS and extended the FreeRTOS kernel to its with software libraries – so IoT devices could be connected to AWS cloud services like AWS IoT Core.

    Specifically impacted by these vulnerabilities was FreeRTOS V10.0.1 and below (with FreeRTOS+TCP), and AWS FreeRTOS V1.3.1 and below.

    Also affected are FreeRTOS’ commercial version WHIS OpenRTOS, and its “safety-oriented” version SafeRTOS which is based on the functional model of FreeRTOS, and is certified for use in safety critical systems.

    Reply
  32. Tomi Engdahl says:

    New Cyberdefenses to Protect Your Smart Appliances From Hackers
    https://www.wsj.com/articles/the-hackers-at-your-smart-door-new-cyberdefenses-planned-for-connected-devices-1539770321?utm_content=78572094&utm_medium=social&utm_source=facebook

    SoftBank-backed Arm and Cybereason are teaming up to protect some of the cyberworld’s most vulnerable targets

    some of the cyberworld’s most vulnerable targets: household appliances.

    Protecting such mundane internet-connected devices is the purpose of a partnership announced Wednesday between U.K.-based Arm,

    Reply
  33. Tomi Engdahl says:

    Experiment Shows How to Eavesdrop on Terahertz Frequencies
    https://spectrum.ieee.org/tech-talk/telecom/security/experiment-shows-terahertz-frequencies-are-vulnerable-to-hacking

    In a series of experiments, researchers at Brown University showed that it’s possible to use a metal plate to divert part of a wireless signal broadcast in the terahertz range.

    Reply
  34. Tomi Engdahl says:

    Interesting story:

    That Time the City of Seattle Accidentally Gave Me 32m Emails for 40 Dollars
    https://mchap.io/that-time-the-city-of-seattle-accidentally-gave-me-32m-emails-for-40-dollars4997.html

    adventure of requesting metadata for both phone calls and emails from the City of Chicago Office of the Mayor.

    Reply
  35. Tomi Engdahl says:

    Brian Barrett / Wired:
    Google says it will open source the firmware for Titan M, the secure chip in Pixel 3 phones that handles Verified Boot and has its own isolated storage and RAM

    The Tiny Chip That Powers Up Pixel 3 Security
    https://www.wired.com/story/google-titan-m-security-chip-pixel-3/

    The Google Pixel 3 has all the betterments you would expect from a flashy flagship smartphone: great camera, zippy processor, smarter AI. It also, though, comes with an unexpected bonus, one that works so deeply in the background you’ll likely never even know it’s there. The Titan M chip may be small and discreet, but it helps make the Pixel 3 and its beefier sibling, the Pixel 3 XL, among the most secure smartphones you can buy.

    The Titan M draws inspiration from the Titan chip that helps safeguard Google servers, and while they differ some in the details

    One such attack the Titan M is designed to protect against is the boot-time attack.

    Titan M heads off these boot-time attacks by tying into Verified Boot, a feature introduced in 2017 with Android Oreo. Verified Boot confirms that you’re running the correct version of Android as soon as you turn it on; by leveraging Titan M, the Pixel 3 ensures the integrity of that check before an attacker has a chance to downgrade you to something more vulnerable, or meddles with your bootloader.

    The chip also helps prevent fake log-ins, both by limiting the number of passcode attempts and by having a direct electrical connection to the Pixel’s side buttons so that an attacker can’t create fake button presses to make it seem like a user is present when none is.

    Having a secure, mobile hardware element isn’t especially novel; the ARM chips that power most higher-end Android smartphones have something called TrustZone

    But because it’s a separate chip altogether, Titan M takes that isolation to the extreme.

    By opting for a distinct, hardened chip, Google can better inoculate the Pixel 3 from the so-called side channel attacks that leverage hiccups in interactions between components. In fairness, the risk of that kind of advanced technique to the average user is relatively low, given the relative ease of software-based attacks. They still happen, though, which makes them worth defending against—especially if, as Drewry suspects, they become increasingly common over time.

    “It’s only a matter of time that these shared resource attacks become cheap enough that they become opportunistic,”

    “As technology shrinks, the opportunities change, and where you can place parts and how big they are changes, but practically supply chain attacks have always been there,”

    Reply
  36. Tomi Engdahl says:

    Hackers breach HealthCare.gov system, get data on 75,000
    https://apnews.com/212e1e36b10945968704bd7e86598a65

    Reply
  37. Tomi Engdahl says:

    https://semiengineering.com/week-in-review-iot-security-auto-15/
    Researchers at ESET, a software security firm in Slovakia, said three energy and transport companies in Ukraine and Poland were infected with malware over a period of three years, and that malware could be used to launch devastating cyberattacks, Reuters reports. The malware infections may have originated with Russia’s GRU spy agency, it was said. FireEye says a group known as Sandworm was likely responsible for causing power outages in Ukraine in December of 2015.

    Hackers accused of ties to Russia hit 3 E.European companies – cybersecurity firm
    https://finance.yahoo.com/news/hackers-accused-ties-russia-hit-123749171.html?guccounter=1

    Investigators at ESET said the group responsible for a series of earlier attacks against the Ukrainian energy sector, which used malicious software known as BlackEnergy, had now developed and used a new malware suite called GreyEnergy.

    ESET has helped investigate a series of high-profile cyber attacks on Ukraine in recent years, including those on the Ukrainian energy grid which led to power outages in late 2015.

    Reply
  38. Tomi Engdahl says:

    The Malwarebytes cybersecurity firm reports cybercriminal activity targeting businesses increased 55% during the third quarter of this year, compared with the second quarter of 2018. It adds that cybercriminal activity aimed at consumers rose just 4%, in comparison.
    https://semiengineering.com/week-in-review-iot-security-auto-15/

    Reply
  39. Tomi Engdahl says:

    City Pays $2,000 in Computer Ransomware Attack
    https://www.securityweek.com/city-pays-2000-computer-ransomware-attack

    A Connecticut city has paid $2,000 to restore access to its computer system after a ransomware attack.

    Reply
  40. Tomi Engdahl says:

    Chinese Hackers Use ‘Datper’ Trojan in Recent Campaign
    https://www.securityweek.com/chinese-hackers-use-datper-trojan-recent-campaign

    A China-linked cyber espionage group known as Tick was observed using the Datper malware in a recent campaign, Cisco Talos security researchers reveal.

    Also referred to as Redbaldknight and Bronze Butler, Tick has been launching various cyber-attacks against entities in South Korea and Japan over the past couple of years. The campaign Talos analyzed also used compromised websites located in the two countries as command and control (C&C) servers.

    Although Tick has been using custom tools in each campaign, the researchers observed a series of recurring patterns in the use of infrastructure, such as overlaps in hijacked C&C domains or the use of the same IP.

    Reply
  41. Tomi Engdahl says:

    NSA-Linked ‘DarkPulsar’ Exploit Tool Detailed
    https://www.securityweek.com/nsa-linked-darkpulsar-exploit-tool-detailed

    Kaspersky Lab security researchers have analyzed another exploit tool that was supposedly stolen from the National Security Agency-linked Equation Group.

    Dubbed DarkPulsar, the tool is an administrative plugin, part of the NSA-linked exploits that the Shadow Brokers group made public in March 2017, specifically the DanderSpritz and FuzzBunch frameworks.

    Kaspersky Lab has determined that the DarkPulsar backdoor, which targets both 32-bit and 64-bit systems, was used on 50 victims located in Russia, Iran and Egypt, and that it typically infected machines running Windows Server 2003/2008. The victims are in the nuclear energy, telecommunications, IT, aerospace and R&D sectors.

    The security researchers believe that the victims were the targets of a long-term espionage campaign. The backdoor not only includes an advanced mechanism of persistence, but also functionality to bypass the need to enter a valid username and password during authentication. It also encapsulates its traffic into legitimate protocols.

    Reply
  42. Tomi Engdahl says:

    Splunk Patches Several Flaws in Enterprise, Light Products
    https://www.securityweek.com/splunk-patches-several-flaws-enterprise-light-products

    Splunk recently patched several vulnerabilities in its Enterprise and Light products, including flaws that have been rated “high severity.”

    Splunk Enterprise allows organizations to search, analyze and visualize data collected from websites, apps, sensors and other devices. Splunk Light is a solution that automates log searching and analysis, along with server and network monitoring, in small IT networks.

    The most serious of the vulnerabilities affecting these products – with a CVSS score of 8.1 (high severity) – is CVE-2018-7427, a cross-site scripting (XSS) issue in the Splunk Web interface.

    Reply
  43. Tomi Engdahl says:

    FreeRTOS Vulnerabilities Expose Many Systems to Attacks
    https://www.securityweek.com/freertos-vulnerabilities-expose-many-systems-attacks

    Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure, researchers warn.

    The commercial version of the operating system is called OpenRTOS and it’s maintained by WITTENSTEIN high integrity systems (WHIS), which also develops the safety-focused version SafeRTOS.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*