Cyber Security October 2018

This posting is here to collect security alert news in September 2018.

I post links to security vulnerability news to comments of this article.

You are also free to post related links.

495 Comments

  1. Tomi Engdahl says:

    EU Leaders Vow Tough Action on Cyber Attacks
    https://www.securityweek.com/eu-leaders-vow-tough-action-cyber-attacks

    EU leaders on Thursday condemned the attempted hack on the global chemical weapons watchdog and vowed to step up the bloc’s efforts to tackle cyber attacks.

    With concerns growing about the malign cyber activities of several countries around the world, notably Russia, the bloc’s leaders called for work to begin to set up sanctions to punish hackers.

    “Work on the capacity to respond to and deter cyber attacks through EU restrictive measures should be taken forward,” the 28 leaders said in their summit communique.

    The statement condemned the bid, revealed this month, by Russia’s GRU military intelligence agency to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague.

    “Such threats and attacks strengthen our common resolve to further enhance the EU’s internal security and our ability and capabilities to detect, prevent, disrupt and respond to hostile activities of foreign intelligence networks,” the summit statement said.

    Reply
  2. Tomi Engdahl says:

    You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone’s web privacy
    Never-closed browsers and persistent session tickets make tracking a doddle
    https://www.theregister.co.uk/2018/10/19/tls_handshake_privacy/

    Transport Layer Security underpins much of the modern internet. It is the foundation of secure connections to HTTPS websites, for one thing. However, it can harbor a sting in its tail for those concerned about staying anonymous online.

    Privacy advocates have long warned about the risks posed by various forms of web tracking. These include cookies, web beacons, and too many forms of fingerprinting to name.

    The privacy risks associated with web tracking, however, persist, and now it appears there’s yet another mechanism for following people online. Blame researchers from the University of Hamburg in Germany for the latest expansion of the privacy attack surface.

    In a paper distributed through ArXiv this week, computer science boffins Erik Sy, Hannes Federrath, Christian Burkert, and Mathias Fischer describe a novel tracking technique involving Transport Layer Security (TLS) session resumption.

    Reply
  3. Tomi Engdahl says:

    Google warns Apple: Missing bugs in your security bulletins are ‘disincentive to patch’
    https://www.zdnet.com/article/google-warns-apple-missing-bugs-in-your-security-bulletins-are-disincentive-to-patch/

    Google’s Project Zero has again called Apple out for silently patching flaws.

    Reply
  4. Tomi Engdahl says:

    Facebook Finds Hack Was Done by Spammers, Not Foreign State
    Company believes hackers who accessed 30 million accounts masqueraded as digital marketers
    https://www.wsj.com/articles/facebook-tentatively-concludes-recent-hack-was-perpetrated-by-spammers-1539821869

    Reply
  5. Tomi Engdahl says:

    Spotted: Miscreants use pilfered NSA hacking tools to pwn boxes in nuke, aerospace worlds
    High-value servers targeted by cyber-weapons dumped online by Shadow Brokers
    https://www.theregister.co.uk/2018/10/19/leaked_nsa_malware/

    Miscreants are using a trio of NSA hacking tools, leaked last year by the Shadow Brokers, to infect and spy on computer systems used in aerospace, nuclear energy, and other industries.

    Reply
  6. Tomi Engdahl says:

    APT reports
    DarkPulsar
    https://securelist.com/darkpulsar/88199/

    By Andrey Dolgushev, Dmitry Tarakanov, Vasily Berdnikov on October 19, 2018. 10:00 am

    In March 2017, the ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.

    DanderSpritz consists entirely of plugins to gather intelligence, use exploits and examine already controlled machines. It is written in Java and provides a graphical Windows interface similar to botnet administrative panels as well as a Metasploit-like console interface. It also includes its own backdoors and plugins for not-FuzzBunch-controlled victims.

    Reply
  7. Tomi Engdahl says:

    EU under cyber attack by Russia and China
    https://en.rebaltica.lv/2018/10/eu-under-cyber-attack-by-russia-and-china/

    Investigation shows the attack on Czech Ministry of Foreign Affairs was larger and lasted longer than previously reported, but it is still enveloped in extreme secrecy.

    On that day, he was travelling light. The other passengers on the flight to the Estonian capital, Tallinn, had no idea that his cabin luggage contained the secret of who had broken into the servers of the EU and NATO country’s foreign office and stolen hundreds of the private emails of Czech diplomats, including the foreign minister himself.

    The officer of the Czech secret service was going to Estonia, equipped with the files downloaded from Ministry of Foreign Affairs (MFA) servers, for help. The tiny Baltic nation, which in 2007 faced the first massive Russian cyber attack on its government institutions, banks and media, is recognized as having excellent expertise in the field. The cooperation with Tallinn and other EU capitals ultimately helped Prague to reveal the identity of the hackers. But the story turned out more complicated than expected.

    Russia and China did not act in a coordinated manner. However, as the Czech investigation has established, they knew about each other, did not move against one another, monitored each other’s illegal activity, and tolerated the other’s presence. The attacks at the time were directed against several EU countries, a source related to the country’s intelligence service said to Re:Baltica.

    “Russian behaviour in cyberspace has been different from that of other cyber powers on two different accounts. One is related to how Russia has been feeding the fruits of cyber-espionage into disinformation campaigns. It is quite possible that China has even more access to sensitive political, security, technical or business information from the entire world, and is quietly passing what is relevant to its companies, manufacturers, or the military.”

    Reply
  8. Tomi Engdahl says:

    How Americans Took Down a Latvian Laundromat
    https://en.rebaltica.lv/2018/03/how-americans-took-down-a-latvian-laundromat/

    The main unanswered question after the closure of ABLV is the allegations of corruption.

    The end of ABLV, Latvia’s third largest bank, was fast and brutal.

    On February 13, 2018 the Financial Crimes Enforcement Network (FinCEN) at the US Treasury proposed to ban ABLV from having a correspondence account in the United States due to money laundering concerns. The agency accused the lender of institutionalising money laundering as a pillar of the bank’s business practices and failing to implement effective anti-measures, allowing its clients with ties to North Korea’s anti-ballistic program to circumvent the United Nations’ sanctions.

    Reply
  9. Tomi Engdahl says:

    Post 0x17.1: Analyzing Turla’s Keylogger
    https://0ffset.wordpress.com/2018/09/14/post-0x17-1-turla-keylogger/

    Post 0x17.2: Analyzing Turla’s Keylogger
    https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/

    You can download this keylogger off of VirusBay. So far we have decrypted a whole lot of text using a simple XOR method, which revealed information on how different keys could be logged, file names in which the data could be logged to, and a possible name for the keylogger: KSL0T.

    Reply
  10. Tomi Engdahl says:

    Czech intelligence service shuts down Hezbollah hacking operation
    https://www.zdnet.com/article/czech-intelligence-service-shuts-down-hezbollah-hacking-operation/

    Hezbollah agents used Facebook profiles for attractive women to trick targets into installing spyware-infected apps.

    Reply
  11. Tomi Engdahl says:

    Vendors confirm products affected by libssh bug as PoC code pops up on GitHub
    https://www.zdnet.com/article/vendors-confirm-products-affected-by-libssh-bug-as-poc-code-pops-up-on-github/

    Red Hat and F5 Networks acknowledge that some products are vulnerable to the libssh authentication bug.

    “This vulnerability affects libssh shipped in Red Hat Enterprise Linux 7 Extras,” the company said in an advisory.

    Red Hat plans to update the libssh library version to a new one that’s not affected.

    Reply
  12. Tomi Engdahl says:

    Czech counterintelligence helps uncover Hezbollah hacking scheme
    https://www.radio.cz/en/section/curraffrs/czech-counterintelligence-helps-uncover-hezbollah-hacking-scheme

    A network of Hezbollah hackers used old tricks on social media to hack into mobile devices across the world. Posing as attractive girls on Facebook, they would contact users and start chatting. After steering the conversation to increasingly sensual topics, the profiles would then ask the user to install a ‘more private and secure application’.

    According to the counterintelligence service’s press release, some impassioned users, mostly men, would comply and install the app, unaware that it gave hackers access to their sensitive information, including contacts, photographs, calls, text messages, GPS data and the option to secretly record the owner via the mobile device.

    Reply
  13. Tomi Engdahl says:

    Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
    https://dragos.com/whitepapers/CrashOverride2018.html

    CRASHOVERRIDE is the first publicly-known malware designed to impact electric grid operations. While some attention has already been paid to CRASHOVERRIDE’s ICS-specific effects, the broader scope of the attack – and the necessary prerequisites to its execution – have been woefully unexamined. Reviewing previously unavailable data covering log, forensics, and various incident data, this paper will outline the CRASHOVERRIDE attack in its entirety, from breach of the ICS network through delivery and execution of ICS-specific payloads. This examination will show that, aside from the requirement to develop and deploy ICS-targeting software for final effects, CRASHOVERRIDE largely relied upon fairly standard intrusion techniques in order to achieve its results. By understanding this methodology and how these techniques can be monitored and detected, ICS asset owners and defenders can begin identifying detection and visibility gaps to catch such techniques in the future. While CRASHOVERRIDE represents an effectively new application of malware to produce a physical impact, the underlying techniques for intrusion and deployment would be immediately recognizable to a junior penetration tester.

    Reply
  14. Tomi Engdahl says:

    Kraken Cryptor Ransomware Connecting to BleepingComputer During Encryption
    https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-connecting-to-bleepingcomputer-during-encryption/

    As we cover ransomware extensively at BleepingComputer, some ransomware developers tend to interact with our site in various ways. This includes coming to the site to communicate with victims, releasing ransomware keys in our forums, or naming their command & control servers after our site’s name.

    Over the weekend, the Kraken Cryptor Ransomware released version 2.0.6, which now connects to BleepingComputer during different stages of their encryption process.

    Reply
  15. Tomi Engdahl says:

    GitHub.com freezes up as techies race to fix dead data storage gear
    TITSUP: Total Inability To Support Users’ Pushes
    https://www.theregister.co.uk/2018/10/22/github_down_storage_failure/

    GitHub’s website remains broken after a data storage system failed several hours ago.

    Depending on where you are, you may have been working on some Sunday evening programming, or getting up to speed with work on a Monday morning, using resources on GitHub.com – and possibly failing miserably as a result of the outage.

    Repairs

    From the status page, it appears a data storage system died, forcing the platform’s engineers to move the dot-com’s files over to another box. In the meantime, some older versions of repos are being served to visitors and users.

    https://status.github.com/messages

    Reply
  16. Tomi Engdahl says:

    NFCdrip Attack Proves Long-Range Data Exfiltration via NFC
    https://www.securityweek.com/nfcdrip-attack-proves-long-range-data-exfiltration-nfc

    Researchers have demonstrated that the near-field communication (NFC) protocol can be used to exfiltrate small amounts of data, such as passwords and encryption keys, over relatively long distances.

    NFC enables two devices to communicate over distances of up to 10 cm (4 in). The system, present in most modern smartphones, is often used for making payments, sharing files, and authentication.

    Reply
  17. Tomi Engdahl says:

    Triangulating Beyond the Hack: Stolen Records Just One Tool in a Comprehensive Kit
    https://www.securityweek.com/triangulating-beyond-hack-stolen-records-just-one-tool-comprehensive-kit

    Technical Hacks to Compromise Sensitive Systems Are Just One Tool in a Much Larger Toolkit

    In simpler times, cybersecurity was a fairly straightforward proposition. You had your firewall, your gateway. You monitored traffic and scanned for viruses. The bad guys weren’t even always that bad, per se. Sometimes they were just there for kicks.

    But these are not simpler times. In today’s world of sophisticated criminals, hacktivism, espionage and cyber warfare, threats can come from anywhere, and for a variety of more malevolent reasons than 10 or 15 years ago.

    One of the most pressing security challenges is the way “hacks” are evolving to include more than just an intrusion to an IT system. Yes, hacking into protected information is still a critical concern. And we’re seeing more efforts to triangulate information from separate hacks to increase its value, as well as an evolution of how stolen information is used.

    Reply
  18. Tomi Engdahl says:

    Windows 10 1809 Zip Extraction Bug Overwrites Files without Confirmation
    https://www.bleepingcomputer.com/news/security/windows-10-1809-zip-extraction-bug-overwrites-files-without-confirmation/

    Windows 10 October 2018 Update, otherwise known as Build 1809, has been having trouble with bugs since it was released. While most of the bugs have since been fixed, reports of a new bug related to extracting zip files using Windows’ built-in zip functionality have popped up.

    With this new build 1809 bug, when you extract a zip archive or drag a file from a zip archive to a location where the same files exist, Windows will not display a confirmation prompt. Instead it will either automatically overwrite the file or simply do nothing.

    Reply
  19. Tomi Engdahl says:

    “Smart home” companies refuse to say whether law enforcement is using your gadgets to spy on you
    https://boingboing.net/2018/10/20/the-walls-have-ears.html

    Transparency reports are standard practice across the tech industry, disclosing the nature, quantity and scope of all the law enforcement requests each company receives in a given year.

    But there’s a notable exception to this practice: the “smart home” companies who sell you products that fill your house with gadgets that know every intimate fact of your life — all-seeing eyes, all-listening ears, all-surveillance network taps. The companies that sell these products refuse to say whether (or how) they are being suborned to serve as state surveillance adjuncts by law enforcement.

    Smart home tech makers don’t want to say if the feds come for your data
    https://techcrunch.com/2018/10/19/smart-home-devices-hoard-data-government-demands/

    Device makers won’t say if your smart home gadgets spied on you

    Reply
  20. Tomi Engdahl says:

    Saudi Arabia’s ‘Davos in the Desert’ website was hacked and defaced
    https://techcrunch.com/2018/10/22/saudi-future-investments-conference-site-hacked-defaced-jamal-khashoggi/?sr_share=facebook&utm_source=tcfbpage

    The website of the Saudi government’s upcoming Future Investment Initiative conference was hacked and defaced with images of the murdered Saudi journalist Jamal Khashoggi.

    Several reporters tweeted screenshots of the site after its defacement, purporting to show Saudi crown prince Mohammed bin Salman — the kingdom’s de facto ruler — brandishing a sword. A portion of text on the site was replaced with an accusation against the kingdom of “barbaric and inhuman action.”

    Reply
  21. Tomi Engdahl says:

    Police were allowed to force a phone open – fingerprint recognition is a different matter than a password or PIN code
    https://www.is.fi/digitoday/art-2000005872876.html?ref=rss

    Reply
  22. Tomi Engdahl says:

    How smartphone apps track users and share data
    https://ig.ft.com/mobile-app-data-trackers/

    Almost 9 in 10 Android apps are able to share data with Google, says study

    Researchers at Oxford University analysed approximately a third of the apps available in Google’s Play Store in 2017 and found that the median app could transfer data to 10 third parties, with one in five apps able to share data with more than 20.

    This year has seen unprecedented scrutiny over how websites use the data they collect from their users, but little attention has so far been paid to the sprawling and fast-growing world of smartphone apps.

    Users, regulators and sometimes even the app developers and advertisers are unaware of the extent to which data flow from smartphones to digital advertising groups, data brokers and intermediaries that buy, sell and blend information, he said.

    “This industry was growing already on the web . . . when smartphones came along, that was a new opportunity,”

    The rapid growth of the app economy has seen almost 10m apps released in the decade

    Reply
  23. Tomi Engdahl says:

    Flaw in Media Library Impacts VLC, Other Software
    https://www.securityweek.com/flaw-media-library-impacts-vlc-other-software

    A serious vulnerability in the LIVE555 Streaming Media RTSP server affects popular applications, including VLC, MPlayer and others, Cisco Talos has discovered.

    Developed by Live Networks, Inc, LIVE555 Streaming Media represents a set of open-source C++ libraries meant for multimedia streaming. The libraries provide support for open standards used in streaming, but can also be used for the management of various popular video and audio formats. In addition to media players, the libraries are used for cameras and other embedded devices.

    http://www.live555.com/liveMedia/

    Reply
  24. Tomi Engdahl says:

    Hackers Deface Website of Saudi Investment Forum
    https://www.securityweek.com/hackers-deface-website-saudi-investment-forum

    A website for a Saudi investment summit was down on Monday after an apparent cyber attack, just a day before the three-day conference overshadowed by the murder of journalist Jamal Khashoggi begins.

    There was no immediate claim of responsibility for the apparent attack on the Future Investment Initiative (FII) website, as organisers scrambled to prepare for the summit after a string of cancellations from global business titans over the murder.

    The forum, nicknamed “Davos in the desert”, was meant to project the historically insular petro-state as a lucrative business destination and set the stage for new ventures and multi-billion dollar contracts.

    But it has been overshadowed by growing global outrage over the murder of Khashoggi inside the kingdom’s consulate in Istanbul.

    Reply
  25. Tomi Engdahl says:

    Securing the Vote Against Increasing Threats
    https://www.securityweek.com/securing-vote-against-increasing-threats

    With the U.S. mid-term elections just a couple of weeks away, there are continuing concerns over the security of the electronic voting procedures used by many states. These concerns range from the integrity of state voter registration databases through the compromise of individual voting machines to the accuracy of their calibration without a paper audit trail to confirm accurate vote tallying.

    Reply
  26. Tomi Engdahl says:

    Signal Desktop Leaves Message Decryption Key in Plain Sight
    https://www.bleepingcomputer.com/news/security/signal-desktop-leaves-message-decryption-key-in-plain-sight/?fbclid=IwAR3TAf4gU12usHpbbxFSplIbCddMJsDDAp38CShR_6Klk3l5udA7vsdmNfQ

    A mistake in the process used by the Signal Desktop application to encrypt locally stored messages leaves them wide open to an attacker.

    When Signal Desktop is installed, it will create an encrypted SQLite database called db.sqlite, which is used to store the user’s messages. The encryption key for this database is automatically generated by the program when it is installed without any interaction by the user.

    As the encryption key will be required each time Signal Desktop opens the database, it will store it in plain text to a local file called %AppData%\Signal\config.json on PCs and on a Mac at ~/Library/Application Support/Signal/config.json.

    Reply
  27. Tomi Engdahl says:

    Hack on 8 adult websites exposes oodles of intimate user data
    https://arstechnica.com/information-technology/2018/10/hack-on-8-adult-websites-exposes-oodles-of-intimate-user-data/

    A recovered 98MB file underscores the risks of trusting personal info to strangers.

    Reply
  28. Tomi Engdahl says:

    In its first cyberoperation against Russian trolls, U.S. takes a gentle approach
    https://techcrunch.com/2018/10/23/first-cyber-operation-gentle-approach-russian-trolls/?utm_source=tcfbpage&sr_share=facebook

    Now, the U.S. is striking back ahead of the midterm elections in an unconventionally gentle way.

    U.S. Cyber Command, the military wing tasked with offensive cyberoperations, is directly reaching out to Russian trolls to warn the state-backed spreaders of false news that the U.S. is watching. It’s the command’s first cyberoperation since Obama-era rules governing offensive operations were relaxed.

    Reply
  29. Tomi Engdahl says:

    A Washington ISP exposed the ‘keys to the kingdom’ after leaving a server unsecured
    https://techcrunch.com/2018/10/23/washington-isp-pocketinet-server-leak/?sr_share=facebook&utm_source=tcfbpage

    A Washington state internet provider left an unprotected server online without a password, exposing network schematics, passwords and other sensitive files for at least six months.

    Worse, it took the company a week to shut off the leak, despite several phone calls and emails warning of the exposure.

    The little-known internet provider, PocketiNet

    the company put its customers and its network at risk after it left open an Amazon S3 storage bucket — an all too common cause of data exposures — containing tens of gigabytes of files.

    Chris Vickery, director of cyber risk research at security firm UpGuard, found the data

    plaintext password files belonging to employees and network devices — like firewalls, switches and wireless points

    Reply
  30. Tomi Engdahl says:

    The Cybersecurity 202: The FDA is embracing ethical hackers in its push to secure medical devices
    https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/10/17/the-cybersecurity-202-the-fda-is-embracing-ethical-hackers-in-its-push-to-secure-medical-devices/5bc6156b1b326b7c8a8d1a01/?noredirect=on&utm_term=.0f7d2efa7028

    With cyberattacks on medical devices on the rise, the Food and Drug Administration is turning to ethical hackers to help regulators and manufacturers root out vulnerabilities on machines that could put patients’ lives at risk.

    As an example, the FDA points to its recent collaboration with a pair of security researchers who uncovered bugs in devices used to program pacemakers that could allow attackers to remotely change settings on patients’ cardiac implants. The researchers’ findings led the FDA and the manufacturer, Medtronic, to issue rare cybersecurity warnings last week.

    The rapid spread of connected medical devices has left the health-care sector more exposed to cyberattacks than ever before — and the FDA’s embrace of ethical hackers shows the agency is willing to use nontraditional approaches to tackle the problem. While government officials and manufacturers alike have long been hesitant to showcase findings from outside researchers, the FDA is joining a growing group of federal agencies that are beginning to incorporate their work into their cybersecurity strategies.

    The Cybersecurity 202: Lawmakers are ready to embrace ethical hackers, even if DHS isn’t
    https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/09/19/the-cybersecurity-202-lawmakers-are-ready-to-embrace-ethical-hackers-even-if-dhs-isn-t/5ba12d481b326b47ec9596d9/?utm_term=.1a8e40ae61c3

    Lawmakers are going to bat in a big way for ethical hackers.

    The House Homeland Security Committee advanced a pair of bipartisan bills late last week that would force the Department of Homeland Security to open the door to security researchers to probe the agency for cybersecurity vulnerabilities. DHS has resisted such a move, but lawmakers are ready to force the agency’s hand, saying independent testing is an important step toward improving its cyber hygiene.

    One bill, called the Hack DHS Act, would create a bug bounty pilot program that would pay security researchers to root out bugs in the agency’s networks.

    Reply
  31. Tomi Engdahl says:

    Revealed: Israel’s Cyber-spy Industry Helps World Dictators Hunt Dissidents and Gays
    https://www.haaretz.com/israel-news/.premium.MAGAZINE-israel-s-cyber-spy-industry-aids-dictators-hunt-dissidents-and-gays-1.6573027

    Haaretz investigation spanning 100 sources in 15 countries reveals Israel has become a leading exporter of tools for spying on civilians. Dictators around the world – even in countries with no formal ties to Israel – use them to eavesdrop on human rights activists, monitor emails, hack into apps and record conversations.

    Report: Saudi Arabia used Israeli cyberweapons to target dissident in Canada
    Israel sold advanced weapons to Myanmar during anti-Rohingya ethnic cleansing campaign
    Revealed: Israeli military monitors social media, blogs and forums in search of ‘security leaks’

    Reply
  32. Tomi Engdahl says:

    Google tackles new ad fraud scheme
    https://security.googleblog.com/2018/10/google-tackles-new-ad-fraud-scheme.html

    Fighting invalid traffic is essential for the long-term sustainability of the digital advertising ecosystem. We have an extensive internal system to filter out invalid traffic – from simple filters to large-scale machine learning models – and we collaborate with advertisers, agencies, publishers, ad tech companies, research institutions, law enforcement and other third party organizations to identify potential threats. We take all reports of questionable activity seriously, and when we find invalid traffic, we act quickly to remove it from our systems.

    Reply
  33. Tomi Engdahl says:

    Phishing Report Shows Microsoft, Paypal, & Netflix as Top Targets
    https://www.bleepingcomputer.com/news/security/phishing-report-shows-microsoft-paypal-and-netflix-as-top-targets/

    A new phishing report has been released that keeps track of the top 25 brands targeted by bad actors. Of these brands, Microsoft, Paypal, and Netflix are the top brands impersonated by phishing attacks.

    Email security provider Vade Secure tracks the 25 most spoofed brands in North America that are impersonated in phishing attacks. In their Q3 2018 report, a total of 86 brands are tracked, which consist of 95% of all attacks detected by the company.

    Reply
  34. Tomi Engdahl says:

    Dipping Into The Honeypot
    https://asert.arbornetworks.com/dipping-into-the-honeypot/

    Brute-forcing factory default usernames and passwords remains a winning strategy for Internet of Things (IOT) botnet propagation. Botnet operators with the best list will produce the larger botnet and obtain superior firepower for launching DDoS attacks. IOT bots are indiscriminate – they will randomly choose an address to attack and work through their list of usernames and passwords until either giving up or infecting the targeted device. For the month of September we observed 1,065 unique username and password combinations from 129 different countries. Taking a step back and looking at malware-agnostic regional trends for username and password combinations, local affinities for different types of IOT devices emerge.

    Key Findings

    • Interrogating botnets revealed 1,005 additional username and password combinations beyond Mirai’s default list, of the 1,065 total observed.
    • Combinations used across disparate regions surface trends regarding device type deployments.
    • Attacks from bots using specific manufacturer default passwords are often perpetrated from similarly compromised devices.

    The infamous IOT malware, Mirai, first burst on to the scene in late 2016, resulting in a number of variants emerging since, but much of their success belongs to a simple propagation method – default usernames and passwords.

    Collecting the usernames and passwords used by IOT malware is a fertile field for analysis. By emulating enough of the telnet protocol to elicit usernames and passwords (and more!), bots will gladly share their hit list to anyone listening. With enough of these collectors, trends emerge.

    Reply
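Added example (not code from the Arbor post or its honeypot): a minimal server-side telnet state machine of the kind the collector described above needs. It speaks just enough of the protocol (RFC 854 option negotiation is skipped, not honoured) to prompt for a login and password, rejects every attempt so the bot keeps walking its list, and records each pair it tried. The bot traffic in SAMPLE_BOT_CHUNKS is constructed for the demonstration and deliberately splits lines and negotiation sequences across chunk boundaries.

```python
from enum import Enum, auto

# Telnet command bytes (RFC 854) needed to skip option negotiation.
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ECHO = 1


class State(Enum):
    LOGIN = auto()
    PASSWORD = auto()


class TelnetCredentialCollector:
    """Credential-collecting honeypot state machine.

    feed() takes raw bytes read from the socket and returns bytes to write back.
    Every attempt is rejected: a bot that is "let in" stops talking, a rejected
    one moves on to the next username/password pair in its list.
    """

    def __init__(self, banner: bytes = b"\r\nlogin: "):
        self.state = State.LOGIN
        self.banner = banner
        self.buf = bytearray()   # IAC-stripped bytes not yet terminated by a newline
        self.iac_rest = b""      # incomplete IAC sequence carried over from the last chunk
        self.pending_user = None
        self.credentials = []    # (username, password) pairs in the order they were tried

    def greet(self) -> bytes:
        # Announce server-side echo, then show the first prompt.
        return bytes([IAC, WILL, ECHO]) + self.banner

    @staticmethod
    def strip_iac(data: bytes):
        """Remove telnet negotiation. Returns (clean_bytes, leftover); leftover is an
        IAC sequence cut off by the chunk boundary that must prefix the next chunk."""
        out, i, n = bytearray(), 0, len(data)
        while i < n:
            if data[i] != IAC:
                out.append(data[i])
                i += 1
                continue
            if i + 1 >= n:                       # lone IAC at end of chunk
                return bytes(out), data[i:]
            cmd = data[i + 1]
            if cmd == IAC:                       # escaped literal 0xFF
                out.append(IAC)
                i += 2
            elif cmd in (DO, DONT, WILL, WONT):  # IAC <cmd> <option>
                if i + 2 >= n:
                    return bytes(out), data[i:]
                i += 3
            elif cmd == SB:                      # IAC SB ... IAC SE
                end = data.find(bytes([IAC, SE]), i + 2)
                if end < 0:
                    return bytes(out), data[i:]
                i = end + 2
            else:                                # two-byte command (NOP, GA, ...)
                i += 2
        return bytes(out), b""

    def feed(self, data: bytes) -> bytes:
        clean, self.iac_rest = self.strip_iac(self.iac_rest + data)
        self.buf += clean
        # Telnet clients end lines with CR LF or CR NUL; normalise both to LF.
        self.buf = self.buf.replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
        reply = bytearray()
        while (nl := self.buf.find(b"\n")) >= 0:
            line = bytes(self.buf[:nl]).decode("latin-1")
            del self.buf[:nl + 1]
            reply += self._handle_line(line)
        return bytes(reply)

    def _handle_line(self, line: str) -> bytes:
        if self.state is State.LOGIN:
            self.pending_user = line
            self.state = State.PASSWORD
            return b"Password: "
        self.credentials.append((self.pending_user, line))
        self.state = State.LOGIN
        return b"\r\nLogin incorrect\r\n" + self.banner


def run_session(chunks):
    """Drive the state machine over received chunks, as a socket read loop would."""
    collector = TelnetCredentialCollector()
    sent = collector.greet()
    for chunk in chunks:
        sent += collector.feed(chunk)
    return collector.credentials, sent


# Constructed bot traffic: negotiation mixed into the first chunk, a password split
# across two segments, a dangling IAC at a chunk boundary, two lines in one chunk.
SAMPLE_BOT_CHUNKS = [
    b"\xff\xfd\x01\xff\xfb\x18root\r\n",   # IAC DO ECHO, IAC WILL TERMINAL-TYPE, username
    b"pass",
    b"word\r\n\xff",
    b"\xfe\x01admin\r\x00admin\r\x00",     # completes IAC DONT ECHO, then a second attempt
]

if __name__ == "__main__":
    for user, password in run_session(SAMPLE_BOT_CHUNKS)[0]:
        print(f"{user}:{password}")
```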
  35. Tomi Engdahl says:

    National Cybersecurity Awareness Month: Critical Infrastructure Cybersecurity
    https://www.us-cert.gov/ncas/current-activity/2018/10/23/National-Cybersecurity-Awareness-Month-Critical-Infrastructure

    October is National Cybersecurity Awareness Month, an annual campaign to raise awareness about cybersecurity. Building resilience in critical infrastructure is crucial to national security. The essential infrastructure systems that support our daily lives—such as electricity, financial institutions, and transportation—must be protected from cyber threats.

    Critical Infrastructure Sectors
    https://www.dhs.gov/critical-infrastructure-sectors

    There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.

    Reply
  36. Tomi Engdahl says:

    TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
    https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

    TRITON Intrusion Demonstrates Russian Links; Likely Backed by Russian Research Institute

    FireEye Intelligence assesses with high confidence that intrusion activity that led to deployment of TRITON was supported by the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM; a.k.a. ЦНИИХМ), a Russian government-owned technical research institution located in Moscow.

    Reply
  37. Tomi Engdahl says:

    ‘The inmates have taken over the asylum’: DNS godfather blasts DNS over HTTPS adoption
    Can those who need lookup privacy afford architectural purism?
    https://www.theregister.co.uk/2018/10/23/paul_vixie_slaps_doh_as_dns_privacy_feature_becomes_a_standard/

    The Internet Engineering Task Force (IETF) has formally adopted DNS-over-HTTPS as a standard, and reignited a debate over whether it’s a danger to the web’s infrastructure.

    The IETF gave the proposal its blessing late last week by elevating it to Request For Comment (RFC) level as RFC 8484.

    The idea was to guarantee the confidentiality and integrity of DNS lookups, as co-author Mozilla’s Patrick McManus explained to The Register in December 2017, because governments and bad actors alike interfere or snoop on DNS requests.

    Encryption provides confidentiality, quite simply because instead of sending a plain-text DNS request over UDP, RFC 8484 sends it over HTTPS, secured by Transport Layer Security (TLS). Integrity protection comes from using the server’s public key to guarantee that nobody’s spoofing the DNS server.

    Those sound like good things, but Mauritian coder and contributor to IETF work Logan Velvindron pointed out to The Reg that not everybody’s happy about the RFC.

    Paul Vixie, one of the architects of the DNS, reckoned it’s nothing short of a disaster. On Friday, he tweeted: “RFC 8484 is a cluster duck for internet security. Sorry to rain on your parade. The inmates have taken over the asylum.”

    Vixie has said that DoH is incompatible with the basic architecture of the DNS because it moves control plane (signalling) messages to the data plane (message forwarding), and that’s a no-no.

    Network admins, he argued on Twitter, need to be able to see and analyse DNS activity, and DoH prevents that. “DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH.”

    Reply
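    The RFC 8484 request shape described above, as an added example that is not part of the original post or of any project it cites. The DNS message is ordinary RFC 1035 wire format; DoH only changes the transport, which is why an on-path observer sees nothing but HTTPS to the resolver (the resolver hostname is a placeholder, and the reply is constructed locally).

```python
# Added example (not from the article or any cited project): the RFC 8484
# request shape. The DNS message is ordinary RFC 1035 wire format; DoH only
# changes the transport, so an on-path observer sees HTTPS to the resolver.
import base64
import struct

RESOLVER = "doh.example"  # placeholder hostname, not a real DoH endpoint

def build_query(name: str, qtype: int = 1) -> bytes:
    """DNS wire-format query for `name` (type A by default), ID 0 as RFC 8484
    recommends so identical queries share one HTTP cache key."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(name: str) -> str:
    """GET form: the query travels in the 'dns' parameter as unpadded base64url."""
    b64 = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"https://{RESOLVER}/dns-query?dns={b64}"

def sample_response(name: str, ip: str) -> bytes:
    """Constructed application/dns-message reply with one A record (example data)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + build_query(name)[12:] + answer

def parse_a_answers(msg: bytes) -> list:
    """Return the IPv4 addresses in a DNS response's answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):  # skip the echoed question
        while msg[pos] != 0:
            pos += msg[pos] + 1
        pos += 5  # root label + QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        if msg[pos] & 0xC0 == 0xC0:  # compression pointer (2 bytes)
            pos += 2
        else:
            while msg[pos] != 0:
                pos += msg[pos] + 1
            pos += 1
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ips
```

    For www.example.com the URL's dns parameter comes out as the same base64url string RFC 8484 itself uses in its GET example; the same bytes sent over DoT would instead show up as a TLS flow to port 853, which is the visibility Vixie's argument turns on.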
  38. Tomi Engdahl says:

    U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections
    https://www.nytimes.com/2018/10/23/us/politics/russian-hacking-usa-cyber-command.html

    Gen. Paul M. Nakasone, the head of Cyber Command and the National Security Agency, has warned that adversaries are looking to take on the United States through cyberoperations.

    Reply
  39. Tomi Engdahl says:

    https://www.tivi.fi/Kaikki_uutiset/vakuutusyhtion-tempaus-varvasi-hakkerit-hommiin-haavoittuvuuksia-loytyi-roppakaupalla-palkkioita-ropisi-tuhdit-maarat-6745901

    Hackers invited by LähiTapiola found 28 vulnerabilities to fix in the company's systems during the October event. Rewards paid for the vulnerabilities totalled almost 7,000 euros, and the event also raised a 1,000 euro donation for teaching children coding skills.

    Reply
  40. Tomi Engdahl says:

    Hack on 8 adult websites exposes oodles of intimate user data
    A recovered 98MB file underscores the risks of trusting personal info to strangers.
    https://arstechnica.com/information-technology/2018/10/hack-on-8-adult-websites-exposes-oodles-of-intimate-user-data/

    Reply
  41. Tomi Engdahl says:

    https://www.tivi.fi/Kaikki_uutiset/horjuuko-pankkitunnusten-asema-sahkoisen-tunnistamisen-hintaa-painetaan-alas-6745933

    According to the ministry, the price of relaying an identification event is currently 10 cents. The aim is to change it to a fixed price of 3 cents.

    In Finland, strong electronic identification means are provided not only by banks but also by telecom operators and the Population Register Centre (Väestörekisterikeskus). A few companies also operate on the market offering only electronic identification brokering services. Bank credentials, however, hold a market share of over 90 percent, so they earn money from almost every transaction that requires strong authentication.

    Reply
  42. Tomi Engdahl says:

    Information security risks are a talking point at the energy trade fair
    https://www.uusiteknologia.fi/2018/10/22/tietoturvariskit-puhuttavat-energiamessuilla/

    “For example, when a power outage occurs, an energy company must locate important information immediately so the situation can be resolved quickly. We have indeed noticed that many companies in the energy sector invest particularly heavily in efficient and secure information management,”

    Reply
  43. Tomi Engdahl says:

    North Korean hacker crew steals $571M in cryptocurrency across 5 attacks
    … and they are inspiring more attempts
    https://thenextweb.com/hardfork/2018/10/19/cryptocurrency-attack-report/

    North Korean hacking outfit “Lazarus” is the most profitable cryptocurrency-hacker syndicate in the world.

    Since 2017, internet baddies have in total stolen $882 million worth of cryptocurrency from online exchanges, but none have done it quite as well as the infamous North Koreans.

    World-renowned cybersecurity unit Group-IB is prepping to release its annual report on trends in hi-tech cybercrime.

    A summary obtained by Hard Fork details 14 different attacks on cryptocurrency exchanges since January last year and calculates the state-sponsored Lazarus group is responsible for $571 million of the ill-gotten gains.

    Phishers responsible for 56% of stolen ICO funds

    The report also reveals 10 percent of the total funds raised by ICO platforms over the past year and a half have been stolen. A majority of the funds were lost to phishing.

    Group-IB attributes much of the losses to baddies taking advantage of “crypto-fever,” where investors are so overcome with a fear of missing out they rush to contribute to new cryptocurrency projects as fast as possible, without checking for fake domain names.

    Reply
  44. Tomi Engdahl says:

    Episode 14 | Reinventing the Cold Boot Attack: Modern Laptop Version
    https://blog.f-secure.com/podcast-reinventing-cold-boot-attack/

    Reply
  45. Tomi Engdahl says:

    jQuery File Upload Plugin Vulnerable for 8 Years and Only Hackers Knew
    https://www.bleepingcomputer.com/news/security/jquery-file-upload-plugin-vulnerable-for-8-years-and-only-hackers-knew/

    Of the thousands of plugins for the jQuery framework, one of the most popular of them harbored for at least three years an oversight in code that eluded the security community, despite public availability of tutorials that explained how it could be exploited.

    The bug affects the widely used jQuery File Upload widget and allowed an attacker to upload arbitrary files on web servers, including command shells for sending out commands.

    Together with Sebastian Tschan, the developer of the plugin, the researcher discovered that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default the .htaccess files that stored folder-related security settings. Unless specifically enabled by the administrator, .htaccess files are ignored.

    One reason for this was to protect the system configuration of the administrator by disabling users from customizing security settings on individual folders. Another one was to improve performance since the server no longer had to check the .htaccess file when accessing a directory.

    After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from the custom folder access security configuration. This was also the case with jQuery File Upload, which adds files to a root directory.

    Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload. Tschan changed the code to allow only image file types GIF, JPG, JPEG, and PNG by default; he provides instructions on how to enable more content without running a security risk.

    The researcher reached this conclusion after checking some of the forks, where he noticed three common variations. He created a proof-of-concept exploit that tries to find one of the differences and uploads a PHP shell.

    https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/index.php
    https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206

    Reply
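    The principle behind the CVE-2018-9206 fix, as an added example that is not the jQuery File Upload plugin's own code: the server decides what may be stored, using the fixed plugin's default allowlist (GIF, JPG, JPEG, PNG) rather than .htaccess rules that Apache 2.3.9 and later ignore unless enabled. The magic-byte check and the filename rules are assumptions added here beyond what the article describes.

```python
# Added example (not the plugin's own code): server-side upload allowlist that
# does not depend on .htaccess being honoured. Default allowlist matches the
# fixed plugin's defaults; magic-byte and filename checks are assumptions.
import os
import re

ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}

# Leading bytes genuine files of each allowed type start with (from the public
# format specifications, not from the article).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def validate_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). Anything the allowlist does not cover is refused."""
    # Keep only the final path component so client-supplied directories are dropped.
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(name) or name.startswith("."):
        return False, "unsafe filename"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    # Every extension in a multi-dot name must be allowed, so 'x.php.png' is
    # refused even though its last extension is harmless.
    exts = parts[1:]
    if not all(e in ALLOWED_EXTENSIONS for e in exts):
        return False, "extension not in allowlist"
    # The extension claims an image type; the file's first bytes must agree.
    if not content.startswith(MAGIC[exts[-1]]):
        return False, "content does not match declared type"
    return True, "ok"
```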
  46. Tomi Engdahl says:

    Now Apps Can Track You Even After You Uninstall Them
    https://www.bloomberg.com/news/articles/2018-10-22/now-apps-can-track-you-even-after-you-uninstall-them

    New trackers make it easy for developers to identify fed-up users and pester them with targeted ads.

    If it seems as though the app you deleted last week is suddenly popping up everywhere, it may not be mere coincidence. Companies that cater to app makers have found ways to game both iOS and Android, enabling them to figure out which users have uninstalled a given piece of software lately—and making it easy to pelt the departed with ads aimed at winning them back.

    Adjust, AppsFlyer, MoEngage, Localytics, and CleverTap are among the companies that offer uninstall trackers, usually as part of a broader set of developer tools. Their customers include T-Mobile US, Spotify Technology, and Yelp. (And Bloomberg Businessweek parent Bloomberg LP, which uses Localytics.) Critics say they’re a fresh reason to reassess online privacy rights and limit what companies can do with user data. “Most tech companies are not giving people nuanced privacy choices, if they give them choices at all,”

    Reply
  47. Tomi Engdahl says:

    Strict password policy could prevent credential reuse, paper suggests
    https://www.welivesecurity.com/2018/10/22/strict-password-policy-prevent-credential-reuse/

    The solution to password recycling may be easier to implement than previously thought, according to a recent paper

    Mandating longer and more complex passwords reduces the likelihood that users will reuse them across multiple online services, researchers have found.

    A team of three academics from Indiana University set out to examine the impact of prescribing rules for password creation on password reuse. To do so, they first analyzed the password policies of 22 universities in the US. Then they dived into 1.3 billion username/password combinations that are available online as a result of past breaches. In the process, they found close to 7.4 million login credentials where the email addresses belonged to the domain name associated with universities.

    “Based on email addresses belonging to a university’s domain (we checked the .edu domain address), passwords were compiled and tested against a university’s prescribed password policy,” said the researchers.

    Reply
