The patch for a recently disclosed cross-site scripting (XSS) vulnerability in Branch.io introduced another similar flaw, a security researcher revealed last week.
California-based Branch.io provides customers with solutions that help create deep links for referral systems, invitations, and sharing links for attribution and analytics purposes. The service is used by many popular web platforms, including imgur, Shopify, Tinder and Yelp.
Recently, researchers at vpnMentor discovered a vulnerability in Branch.io that potentially exposed hundreds of millions of users to XSS attacks. The bug has been addressed fast and there was no evidence of malicious exploitation.
There are thousands of servers using libssh to implement the Secure Shell (SSH) remote login protocol (many operated by Verizon Wireless and Sprint PCS), but not all of them might be impacted, Winter-Smith suggested. Only libssh operating in server mode, but not the usual client mode, appears affected.
The Japanese government on Monday ordered Facebook to improve protection of users’ personal information following data breaches affecting tens of millions of people worldwide.
Facebook said early this month that hackers accessed the personal data of 29 million users in a breach at the world’s leading social network first disclosed late September.
Google further improved the security of Android with the inclusion of a new API in the latest operating system release.
Called Protected Confirmation, the API would take advantage of a hardware-protected user interface (Trusted UI) to perform critical transactions. When an application uses the API, the user is presented with a prompt, asking them to confirm the transaction.
After user confirmation is received, the information is cryptographically authenticated, meaning that Protected Confirmation can better secure the transaction. The Trusted UI, which is in control, keeps the data safe from fraudulent apps or a compromised operating system.
The API, Google says, can also be used to boost the security of other forms of secondary authentication, such as a one-time password or a transaction authentication number (TAN), mechanisms that fail to provide protection if the device has been compromised.
ATLANTA — SECURITYWEEK 2018 ICS CYBER SECURITY CONFERENCE — Israel-based Cyberbit on Monday announced the launch of SCADAScan, a portable solution designed to help organizations assess the security of their industrial control networks.
A subsidiary of Elbit Systems, Cyberbit offers cybersecurity simulation solutions, along with a platform for detecting and responding to incidents across IT and OT networks. The company recently raised $30 million.
The firm’s latest product, SCADAScan, uses deep packet inspection (DPI) to monitor traffic passing through the ICS/SCADA network and provide a map of assets, as well as information on vulnerabilities and other potential threats. SCADAScan is immediately available.
Särkän mukaan vanha malli, jossa luotetaan palomuuriin tai muunlaiseen suojakilpeen, on vanhentunut ja heikko, eikä ole välttämättä toiminut kunnolla viimeiseen 20 vuoteen. Esimerkiksi kirjanpidon avulla huomataan selkeästi enemmän kyberhyökkäyksiä kuin yhdelläkään suoranaisella tietoturvaan liittyvällä yksittäisellä toimenpiteellä.
Käytetty teknologia tai tietoturvan parissa työskentelevät ihmiset eivät kuitenkaan ole tilanteeseen syypäitä. Suurin ongelma tulee siitä, että saatavilla oleva uhkatieto on usein jo vanhentunutta, kun se saadaan. Uhkatiedot voivat nykyisin olla ajankohtaisia, tarkkoja tai vastatoimet mahdollistavia, mutta vain kahta näistä kerrallaan.
Palomuurin taakse suojautumisen sijasta kannattaakin siirtyä aktiiviseen puolustukseen.
Särkkä tarjoili tähän myös useita konkreettisia keinoja. Porttiskannauksia varten kannattaa pitää joitakin portteja hunajapurkkeina, vaikkapa avoimen lähdekoodin Honeyports-sovelluksella. Porttiskannauksen tehnyt ip voidaan lisätä suoraan palomuuriin ja estää siltä kaikki yhteydet.
Organisaation verkkosivuille voi myös lisätä näkymättömän linkin, jota tavallinen käyttäjä ei edes näe, eikä siten koskaan klikkaa. Sivustoa nuuskiva robotti sitä vastoin etenee jokaista löytämäänsä linkkiä pitkin. Piilotettu linkki ottaakin puolestaan selville nuuskijan ip-osoitteen kautta tämän sijainnin, joka oikeilla työkaluilla selviää noin 1,5 metrin tarkkuudella.
Milloin mennään rajan yli?
Kysymykseen siitä, missä vaiheessa oman verkon puolustus muuttuu laittomaksi hyökkäykseksi Särkkä otti kantaa varovaisesti. Mikäli omalle palvelimelleen asettaa tarjolle vaikkapa saastutettuja pdf-tiedostoja, joiden kautta pääsee suoraan käsiksi hyökkääjän järjestelmiin, on astunut jo itse lain väärälle puolelle.
This Cyber Security Awareness Month, we’re delighted to have the opportunity to join Stay Safe Online in bringing you and fellow cyber security leaders the latest insight, comments and predictions
President Trump has three iPhones — two of them are “secure” and his third is a regular personal device. But whenever the commander-in-chief takes a call, his adversaries are said to be listening.
Trump reluctantly gave up his old and outdated Android-powered Samsung Galaxy phone when he took office in 2016 and was transitioned to Apple devices.
iPhones have historically been seen as more secure than their Android counterparts.
the two other iPhones for official business have been modified and locked down by the National Security Agency to prevent eavesdropping.
Except — even when you’re in the White House, you can’t escape the aging, ailing and insecure cell network that blankets the capital and the vast majority of the U.S.
Those largely unfixed flaws make it far easier for governments — and anyone else — to tap into calls as they’re being made. That includes China, Russia — and any reasonably knowledgable attacker with the resources to pull off a successful intercept.
Wired neighborhood planned by Google sister company has raised questions over data protection
When it was announced last year that a district in Toronto would be handed over to a company hoping to build a model for new tech-driven smart city, critics were quick to voice concerns.
Despite Justin Trudeau’s exclamation that, through a partnership with Google’s sister company Sidewalk Labs, the waterfront neighborhood could help turn the area into a “thriving hub for innovation”, questions immediately arose over how the new wired town would collect and protect data.
A year into the project, those questions have resurfaced following the resignation of a privacy expert, Dr Ann Cavoukian
Cavoukian isn’t the first to resign amid worries about privacy protection.
The UpGuard Cyber Risk team can now report that 73 gigabytes of downloadable data belonging to Washington-based internet service provider Pocket iNet was publicly exposed in a misconfigured Amazon S3 storage bucket. According to their website, Pocket iNet “makes use of bleeding edge and emerging technologies such as native IPv6, Carrier Ethernet and local fiber to the premise delivering the highest possible service levels to connected customers.”
As drive-by attacks get harder, hackers exploit the trust we have in software providers.
Most of us don’t think twice about installing software or updates from a trusted developer.
As developers continue to make software and webpages harder to hack, blackhats over the past few years have increasingly exploited this trust to spread malicious wares. Over the past week, two such supply-chain attacks have come to light.
The first involves VestaCP, a control-panel interface that system administrators use to manage servers.
“The VestaCP installation script was altered to report back generated admin credentials to vestacp.com after a successful installation,”
The attackers, Léveillé said, then likely used the passwords to log in to servers over their secure shell interface.
Using SSH, the attackers infected the servers with ChachaDDoS, a relatively new strain of malware used to wage denial-of-service attacks on other sites.
Chacha runs on 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC. On Tuesday, researchers from security firm Sophos described a newly discovered DDoS botnet they call Chalubo
Clipboard hijacker sneaked into PyPI
The second supply-chain attack to come to light this week involves a malicious package that was slipped into the official repository for the widely used Python programming language. Called “Colourama,” the package looked similar to Colorama, which is one of the top-20 most-downloaded legitimate modules in the Python repository. The doppelgänger Colourama package contained most of the legitimate functions of the legitimate module, with one significant difference: Colourama added code that, when run on Windows servers, installed this Visual Basic script. It constantly monitors the server’s clipboard for signs a user is about to make a cryptocurrency payment.
One of the largest consumer internet hacks has bred one of the largest class action settlements after Yahoo agreed to pay $50 million to victims of a security breach that’s said to have affected up to 200 million U.S. consumers and some three billion email accounts worldwide.
In what appears to be the closing move to the two-year-old lawsuit, Yahoo — which is now part of Verizon’s Oath business [which is the parent company of TechCrunch] — has proposed to pay $50 million in compensation to an estimated 200 million users in the U.S. and Israel, according to a court filing.
Apple’s CEO Tim Cook has joined the chorus of voices warning that data itself is being weaponized again people and societies — arguing that the trade in digital data has exploded into a “data industrial complex”.
Cook did not namecheck the adtech elephants in the room: Google, Facebook and other background data brokers that profit from privacy-hostile business models. But his target was clear.
“Our own information — from the everyday to the deeply personal — is being weaponized against us with military efficiency,” warned Cook.
Every month, a security team at Google releases a new set of patches for Android — and every month, carriers and manufacturers struggle to get them installed on actual phones. It’s a complex, long-standing problem, but confidential contracts obtained by The Verge show many manufacturers now have explicit obligations about keeping their phones updated written into their contract with Google.
A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years. Google’s contract with Android partners stipulates that they must provide “at least four security updates” within one year of the phone’s launch. Security updates are mandated within the second year as well, though without a specified minimum number of releases.
The McAfee Mobile Research team recently found an active phishing campaign using text messages (SMS) that tricks users into downloading and installing a fake voice-message app which allows cybercriminals to use infected devices as network proxies without users’ knowledge. If the fake application is installed, a background service starts a Socks proxy that redirects all network traffic from a third-party server via an encrypted connection through a secure shell tunnel—allowing potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors. McAfee Mobile Security detects this malware as Android/TimpDoor.
Devices running TimpDoor could serve as mobile backdoors for stealthy access to corporate and home networks because the malicious traffic and payload are encrypted.
A French government report warns of an “unprecedented threat” to security after nearly 4,000 leading French civil servants, scientists and senior executives were found to have been accosted by Chinese spies using the popular social media network LinkedIn. The report was authored by France’s main intelligence agencies, the General Directorate for Internal Security (DGSI) and the General Directorate for External Security (DGSE). According to the Paris-based Le Figaro newspaper, which published a summary of the classified report, the two intelligence agencies presented it to the French government on October 19.
The report describes Chinese efforts to approach senior French scientists, business executives, academics and others, as “widespread and elaborate”, and warns that it poses an “unprecedented threat against the national interests” of the French state. It goes on to state that nearly 4,000 carefully selected French citizens have been approached by Chinese intelligence operatives via the LinkedIn social media platform.
A security researcher has disclosed a Windows zero-day vulnerability on Twitter for the second time in the span of two months. The researcher, who goes online by the pseudonym of SandboxEscaper, also published proof-of-concept (PoC) on GitHub.
This second Windows zero-day affects the Microsoft Data Sharing (dssvc.dll), a local service that provides data brokering between applications.
Exposed data includes information on thousands of fundraisers and even credentials for databases of voter records.
A Maryland consulting firm that handles political fundraisers for the Democratic Party has left fundraiser data and passwords to databases storing voter records exposed online via an unsecured network attached storage (NAS) device.
New York Times:
Sources: US intelligence has determined that China and Russia spy on phone calls Trump makes using his iPhones instead of his secure White House landline — WASHINGTON — When President Trump calls old friends on one of his iPhones to gossip, gripe or solicit their latest take on how he is doing …
Michelle Castillo / CNBC:
Responding to Tim Cook’s privacy speech, ex-Facebook CSO Alex Stamos calls out Apple’s anti-privacy moves in China and tech media for ignoring them in coverage — – Former Facebook chief security officer Alex Stamos said on Twitter Apple needs to “come clean” about how it blocks ways … https://www.cnbc.com/2018/10/24/ex-facebook-exec-alex-stamos-calls-out-apple-practices-in-china.html
The Department of Defense announced on Wednesday that its “Hack the Pentagon” bug bounty program will run all year long and will target the organization’s high-value assets.
The continuous Hack the Pentagon project is powered by crowdsourced security platform Bugcrowd, which is the third Silicon Valley company awarded a contract by the DoD for bug bounty programs.
Google says it recently blocked a new ad fraud scheme spread across a large number of applications and websites and monetizing with numerous advertising platforms.
Previously, the company had blocked websites from its ad network for violating its policies, but now it also took action against applications that were involved in the fraud scheme, after being tipped off by BuzzFeed News.
Not only did the web search company ensure that these apps can no longer monetize with Google, it also blacklisted additional apps and websites outside of its ad network, “to ensure that advertisers using Display & Video 360 (formerly known as DoubleClick Bid Manager) do not buy any of this traffic.”
Firefox 63 was released on Tuesday with a new cookie policy meant to prevent cross-site tracking by effectively blocking cookies and other site data from third-party tracking resources.
The move was announced in August, when the feature entered the initial testing phase. Now, all desktop versions of Firefox include the experimental cookie policy that not only protects against cross-site tracking, but also aims to minimize site breakage associated with traditional cookie blocking.
A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.
Dubbed Chalubo (ChaCha-Lua-bot), the malware incorporates code from the Xor.DDoS and Mirai families, but also brings improvements in the form of anti-analysis techniques. Specifically, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.
In late August, the attackers were observed using three malicious components for the threat, namely a downloader, the main bot, and the Lua command script. The bot ran only on systems with an x86 architecture.
Several weeks ago, the cybercriminals started using the Elknot dropper to deliver the rest of Chalubo. More importantly, Sophos Labs security researchers observed a variety of bot versions, designed to target different architectures, including 32-bit and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC.
Thomas Brewster / Forbes:
Sources: GrayKey, which some law enforcement agencies bought to break the passcodes of iOS devices, can no longer do so for any iPhone running iOS 12 or above — Apple has managed to prevent the hottest iPhone hacking company in the world from doing its thing.
Apple has managed to prevent the hottest iPhone hacking company in the world from doing its thing.
Uncloaked by Forbes in March, Atlanta-based Grayshift promised governments its GrayKey tech could crack the passcodes of the latest iOS models, right up to the iPhone X. From then on, Apple continued to invest in security in earnest, continually putting up barriers for Grayshift to jump over. Grayshift continued to grow, however, securing contracts with Immigration and Customs Enforcement, and the Secret Service.
Now, though, Apple has put up what may be an insurmountable wall. Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.
Elisan Bug Bounty -ohjelmaan voi hakea mukaan HackerOne-palvelun kautta. Saman palvelun kautta hoidetaan myös palkkion maksu, jonka suuruus perustuu siihen, kuinka vakavan riskin löydös aiheuttaa liiketoiminnalle. Palkkiot liikkuvat tuhansissa euroissa löydöksestä riippuen.
The U.K. Information Commissioner’s Office (ICO) has confirmed that it has hit Facebook with a maximum £500,000 ($645,000) fine around the way it mishandled user data following the Cambridge Analytica scandal earlier this year.
While £500,000 is a drop in the ocean for the U.S. company, it represents the maximum allowable punishment under UK law, which is the significant part to focus on here.
The introduction of GDPR has given the ICO the power to issue fines of up to £17 million ($22 million) or four percent of a company’s global turnover — that’s potentially up to $1.6 billion in Facebook’s case.
It’s increasingly difficult to expect privacy when you’re browsing online, so a non-profit in the UK is working to build the power of Tor’s anonymity network right into the heart of your smartphone.
Brass Horn Communications is experimenting with all sorts of ways to improve Tor’s usability for UK residents. The Tor browser bundle for PCs can help shield your IP address from snoopers and data-collection giants.
Revelation comes as FSIN election assembly begins today in Saskatoon
The hacker gained control of the FSIN’s internal files and email system, holding it ransom. A wide range of data was taken.
The hack went undetected for an undetermined amount of time. In May, an FSIN staff member got an email from the hacker demanding a ransom of more than $100,000.
The Germany-based spyware startup Wolf Intelligence exposed its own data, including surveillance target’s information, passports scans of its founder and family, and recordings of meetings.
Brit grocer says it shouldn’t be held responsible for criminal actions of worker
Morrisons has vowed to take its hack liability fight to the UK Supreme Court after failing to convince Court of Appeal judges it should not be held responsible for the actions of a rogue employee who leaked the supermarket’s entire payroll via Tor.
The under-fire chain is battling a class action lawsuit brought by 5,000 of its current and former employees, who were enraged when angry IT auditor Andrew Skelton dumped all 100,000 workers’ details online.
After external auditor KPMG asked for copies of various data including the entire company payroll, Skelton made a private copy of it from an encrypted USB stick.
Skelton was arrested after a few days and in 2015 was jailed for eight years for fraud, securing unauthorised access to computer material and disclosing personal data.
SecureAuth Labs security researchers have discovered multiple vulnerabilities in low-level drivers installed by ASRock utilities.
Established in 2002, ASRock is the third largest motherboard brand globally. Headquartered in Taipei, Taiwan, the company has branches in Europe and the United States. The maker offers a series of utilities that provide users control over certain settings and functions.
SecureAuth discovered a series of security flaws in AsrDrv101.sys and AsrDrv102.sys low-level drivers that the ASRock RGBLED and other ASRock branded utilities install. By exploiting these vulnerabilities, a local attacker can elevate privileges on the system.
British Airways owner IAG on Thursday said that a further 185,000 customers may have had their personal details stolen in a cyber attack earlier this year.
This includes the holders of 77,000 payment cards whose name, billing address, email address, card payment information have potentially been compromised.
A further 108,000 people’s personal details without card verification value have also been compromised, the airline said in a statement.
“While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” it said.
A newly discovered piece of Android malware creates a Socks proxy on infected devices, potentially allowing access to internal networks, McAfee reports.
Dubbed TimpDoor, the threat is distributed through phishing text messages that attempt to trick users into installing a fake voice message app. As soon as the app is installed, however, a background service starts a Socks proxy to “redirect all network traffic from a third-party server via an encrypted connection through a secure shell tunnel.”
Not only do infected devices serve as backdoors, but the attackers could also abuse a network of compromised devices to send spam and phishing emails, perform ad click fraud, or launch distributed denial-of-service (DDoS) attacks, McAfee’s security researchers say.
The McAfee Mobile Research team recently found an active phishing campaign using text messages (SMS) that tricks users into downloading and installing a fake voice-message app which allows cybercriminals to use infected devices as network proxies without users’ knowledge. If the fake application is installed, a background service starts a Socks proxy that redirects all network traffic from a third-party server via an encrypted connection through a secure shell tunnel—allowing potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors. McAfee Mobile Security detects this malware as Android/TimpDoor.
Hong Kong carrier Cathay Pacific came under pressure Thursday to explain why it had taken five months to admit it had been hacked and compromised the data of 9.4 million customers, including passport numbers and credit card details.
The airline said Wednesday it had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May.
However, chief customer and commercial officer Paul Loo said officials wanted to have an accurate grasp on the situation before making an announcement and did not wish to “create unnecessary panic”.
News of the leak sent shares in Cathay, which was already under pressure as it struggles for customers, plunging more than six percent to a nine-year low in Hong Kong trading.
Local politicians slammed the carrier, saying its response had only fuelled worries.
Google recently removed 29 applications from Google Play after learning that they were actually containing code to steal users’ banking information.
The applications, found in the official app store from August until early October 2018, were masquerading as utility programs, including device boosters, cleaners and battery managers, as well as horoscope-themed apps.
A newly discovered piece of malware targeting macOS devices is capable of injecting ads into encrypted web traffic, Malwarebytes security researchers warn.
Detected as OSX.SearchAwesome, the malware is delivered through a malicious installer that arrives as a cracked app downloaded via a torrent file. The threat’s installer is a disk image file that lacks the usual decorations used to make it look legitimate.
We recently observed cases of abuse of the systems running misconfigured Docker Engine-Community with Docker application program interface (API) ports exposed. We also noticed that the malicious activities were focused on scanning for open ports 2375/TCP and 2376/TCP, which are used by the Docker engine daemon (dockerd). The intrusion attempts to deploy a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.SH.MALXMR.ATNE) on the misconfigured systems.
One of the US Government recommendations is to use “Domain-based message authentication, Reporting and Conformance (DMARC)”, a mechanism used to assess if an email is genuine. DMARC relies on two technologies; “Sender Policy Framework” (SPF) and “Domainkeys Identified Mail” (DKIM). Either one can be used individually or together.
When using DKIM, the header of a sent email contains instructions and a DKIM public key certificate. When the recipient’s mail server receives the DKIM marked email, the server contacts the sender domain and follows the instructions from within the email header. The instructions enable the discovery of the unique key found within the _domainkeys.DOMAIN address, which is used to confirm the sender is authorised to distribute emails for that domain.
Unfortunately, threat actors have discovered a mechanism to circumvent DMARC controls by using the technique known as domain hijacking. Domain hijacking is an attack with the intention to control an existing domain name, redirecting traffic once destined for a legitimate server to a new malicious destination. This attack fools both human and technology elements that may have once whitelisted the domain.
IN 2016, I bought two voting machines online for less than $100 apiece. I didn’t even have to search the dark web. I found them on eBay.
Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online.
If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still. The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped. The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted. Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
495 Comments
Tomi Engdahl says:
Recent Branch.io Patch Creates New XSS Flaw
https://www.securityweek.com/recent-branchio-patch-creates-new-xss-flaw
The patch for a recently disclosed cross-site scripting (XSS) vulnerability in Branch.io introduced another similar flaw, a security researcher revealed last week.
California-based Branch.io provides customers with solutions that help create deep links for referral systems, invitations, and sharing links for attribution and analytics purposes. The service is used by many popular web platforms, including imgur, Shopify, Tinder and Yelp.
Recently, researchers at vpnMentor discovered a vulnerability in Branch.io that potentially exposed hundreds of millions of users to XSS attacks. The bug has been addressed fast and there was no evidence of malicious exploitation.
https://www.securityweek.com/branchio-flaws-exposed-tinder-shopify-yelp-users-xss-attacks
Tomi Engdahl says:
Cisco, F5 Networks Investigate libssh Vulnerability Impact
https://www.securityweek.com/cisco-f5-networks-investigate-libssh-vulnerability-impact
There are thousands of servers using libssh to implement the Secure Shell (SSH) remote login protocol (many operated by Verizon Wireless and Sprint PCS), but not all of them might be impacted, Winter-Smith suggested. Only libssh operating in server mode, but not the usual client mode, appears affected.
Tomi Engdahl says:
Japan Orders Facebook to Improve Data Protection
https://www.securityweek.com/japan-orders-facebook-improve-data-protection
The Japanese government on Monday ordered Facebook to improve protection of users’ personal information following data breaches affecting tens of millions of people worldwide.
Facebook said early this month that hackers accessed the personal data of 29 million users in a breach at the world’s leading social network first disclosed late September.
Tomi Engdahl says:
Google Boosts Android Security with Protected Confirmation
https://www.securityweek.com/google-boosts-android-security-protected-confirmation
Google further improved the security of Android with the inclusion of a new API in the latest operating system release.
Called Protected Confirmation, the API would take advantage of a hardware-protected user interface (Trusted UI) to perform critical transactions. When an application uses the API, the user is presented with a prompt, asking them to confirm the transaction.
After user confirmation is received, the information is cryptographically authenticated, meaning that Protected Confirmation can better secure the transaction. The Trusted UI, which is in control, keeps the data safe from fraudulent apps or a compromised operating system.
The API, Google says, can also be used to boost the security of other forms of secondary authentication, such as a one-time password or a transaction authentication number (TAN), mechanisms that fail to provide protection if the device has been compromised.
Android Protected Confirmation: Taking transaction security to the next level
https://security.googleblog.com/2018/10/android-protected-confirmation-taking.html
Tomi Engdahl says:
Cyberbit Launches Portable ICS Security Assessment Solution
https://www.securityweek.com/cyberbit-launches-portable-ics-security-assessment-solution
ATLANTA — SECURITYWEEK 2018 ICS CYBER SECURITY CONFERENCE — Israel-based Cyberbit on Monday announced the launch of SCADAScan, a portable solution designed to help organizations assess the security of their industrial control networks.
A subsidiary of Elbit Systems, Cyberbit offers cybersecurity simulation solutions, along with a platform for detecting and responding to incidents across IT and OT networks. The company recently raised $30 million.
The firm’s latest product, SCADAScan, uses deep packet inspection (DPI) to monitor traffic passing through the ICS/SCADA network and provide a map of assets, as well as information on vulnerabilities and other potential threats. SCADAScan is immediately available.
Tomi Engdahl says:
https://www.vpnranks.com/reddit/
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/nailla-tempuilla-lannistuu-sinnikkainkin-hakkeri-ohjaa-lopulta-vaikka-usa-n-puolustushallinnon-kimppuun-6746155
Särkän mukaan vanha malli, jossa luotetaan palomuuriin tai muunlaiseen suojakilpeen, on vanhentunut ja heikko, eikä ole välttämättä toiminut kunnolla viimeiseen 20 vuoteen. Esimerkiksi kirjanpidon avulla huomataan selkeästi enemmän kyberhyökkäyksiä kuin yhdelläkään suoranaisella tietoturvaan liittyvällä yksittäisellä toimenpiteellä.
Käytetty teknologia tai tietoturvan parissa työskentelevät ihmiset eivät kuitenkaan ole tilanteeseen syypäitä. Suurin ongelma tulee siitä, että saatavilla oleva uhkatieto on usein jo vanhentunutta, kun se saadaan. Uhkatiedot voivat nykyisin olla ajankohtaisia, tarkkoja tai vastatoimet mahdollistavia, mutta vain kahta näistä kerrallaan.
Palomuurin taakse suojautumisen sijasta kannattaakin siirtyä aktiiviseen puolustukseen.
Särkkä tarjoili tähän myös useita konkreettisia keinoja. Porttiskannauksia varten kannattaa pitää joitakin portteja hunajapurkkeina, vaikkapa avoimen lähdekoodin Honeyports-sovelluksella. Porttiskannauksen tehnyt ip voidaan lisätä suoraan palomuuriin ja estää siltä kaikki yhteydet.
Organisaation verkkosivuille voi myös lisätä näkymättömän linkin, jota tavallinen käyttäjä ei edes näe, eikä siten koskaan klikkaa. Sivustoa nuuskiva robotti sitä vastoin etenee jokaista löytämäänsä linkkiä pitkin. Piilotettu linkki ottaakin puolestaan selville nuuskijan ip-osoitteen kautta tämän sijainnin, joka oikeilla työkaluilla selviää noin 1,5 metrin tarkkuudella.
Milloin mennään rajan yli?
Kysymykseen siitä, missä vaiheessa oman verkon puolustus muuttuu laittomaksi hyökkäykseksi Särkkä otti kantaa varovaisesti. Mikäli omalle palvelimelleen asettaa tarjolle vaikkapa saastutettuja pdf-tiedostoja, joiden kautta pääsee suoraan käsiksi hyökkääjän järjestelmiin, on astunut jo itse lain väärälle puolelle.
Tomi Engdahl says:
Cyber Security Awareness Month 2018
https://www.fireeye.com/company/events/cyber-security-awareness-month-2018.html?utm_source=fbc&utm_medium=cpc&utm_campaign=OLA-CSAM
This Cyber Security Awareness Month, we’re delighted to have the opportunity to join Stay Safe Online in bringing you and fellow cyber security leaders the latest insight, comments and predictions
Tomi Engdahl says:
Cathay Pacific says 9.4M passenger records affected by data breach
https://techcrunch.com/2018/10/24/cathay-pacific-passenger-data-stolen-breach/?sr_share=facebook&utm_source=tcfbpage
Cathay Pacific, one of the main airlines in Hong Kong, says records on as many as 9.4 million passengers may have been stolen in a data breach.
https://news.cathaypacific.com/cathay-pacific-announces-data-security-event-affecting-passenger-data
Tomi Engdahl says:
Trump has two ‘secure’ iPhones, but the Chinese are still listening
https://techcrunch.com/2018/10/24/trump-has-two-secure-iphones-but-the-chinese-are-still-listening/?utm_source=tcfbpage&sr_share=facebook
President Trump has three iPhones — two of them are “secure” and his third is a regular personal device. But whenever the commander-in-chief takes a call, his adversaries are said to be listening.
Trump reluctantly gave up his old and outdated Android-powered Samsung Galaxy phone when he took office in 2016 and was transitioned to Apple devices.
iPhones have historically been seen as more secure than their Android counterparts.
the two other iPhones for official business have been modified and locked down by the National Security Agency to prevent eavesdropping.
Except — even when you’re in the White House, you can’t escape the aging, ailing and insecure cell network that blankets the capital and the vast majority of the U.S.
Those largely unfixed flaws make it far easier for governments — and anyone else — to tap into calls as they’re being made. That includes China, Russia — and any reasonably knowledgable attacker with the resources to pull off a successful intercept.
Tomi Engdahl says:
‘City of surveillance’: privacy expert quits Toronto’s smart-city project
https://www.theguardian.com/world/2018/oct/23/toronto-smart-city-surveillance-ann-cavoukian-resigns-privacy
Wired neighborhood planned by Google sister company has raised questions over data protection
When it was announced last year that a district in Toronto would be handed over to a company hoping to build a model for new tech-driven smart city, critics were quick to voice concerns.
Despite Justin Trudeau’s exclamation that, through a partnership with Google’s sister company Sidewalk Labs, the waterfront neighborhood could help turn the area into a “thriving hub for innovation”, questions immediately arose over how the new wired town would collect and protect data.
A year into the project, those questions have resurfaced following the resignation of a privacy expert, Dr Ann Cavoukian
Cavoukian isn’t the first to resign amid worries about privacy protection.
Tomi Engdahl says:
Out of Pocket: How an ISP Exposed Administrative System Credentials
https://www.upguard.com/breaches/out-of-pocket-how-an-isp-exposed-administrative-system-credentials?hs_amp=true&__twitter_impression=true
The UpGuard Cyber Risk team can now report that 73 gigabytes of downloadable data belonging to Washington-based internet service provider Pocket iNet was publicly exposed in a misconfigured Amazon S3 storage bucket. According to their website, Pocket iNet “makes use of bleeding edge and emerging technologies such as native IPv6, Carrier Ethernet and local fiber to the premise delivering the highest possible service levels to connected customers.”
Tomi Engdahl says:
Two new supply-chain attacks come to light in less than a week
https://arstechnica.com/information-technology/2018/10/two-new-supply-chain-attacks-come-to-light-in-less-than-a-week/
As drive-by attacks get harder, hackers exploit the trust we have in software providers.
Most of us don’t think twice about installing software or updates from a trusted developer.
As developers continue to make software and webpages harder to hack, blackhats over the past few years have increasingly exploited this trust to spread malicious wares. Over the past week, two such supply-chain attacks have come to light.
The first involves VestaCP, a control-panel interface that system administrators use to manage servers.
“The VestaCP installation script was altered to report back generated admin credentials to vestacp.com after a successful installation,”
The attackers, Léveillé said, then likely used the passwords to log in to servers over their secure shell interface.
Using SSH, the attackers infected the servers with ChachaDDoS, a relatively new strain of malware used to wage denial-of-service attacks on other sites.
Chacha runs on 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC. On Tuesday, researchers from security firm Sophos described a newly discovered DDoS botnet they call Chalubo
Clipboard hijacker sneaked into PyPI
The second supply-chain attack to come to light this week involves a malicious package that was slipped into the official repository for the widely used Python programming language. Called “Colourama,” the package looked similar to Colorama, which is one of the top-20 most-downloaded legitimate modules in the Python repository. The doppelgänger Colourama package contained most of the legitimate functions of the legitimate module, with one significant difference: Colourama added code that, when run on Windows servers, installed this Visual Basic script. It constantly monitors the server’s clipboard for signs a user is about to make a cryptocurrency payment.
Tomi Engdahl says:
Yahoo agrees to $50M settlement package for users hit by massive security breach
https://techcrunch.com/2018/10/23/yahoo-agrees-50m-settlement-package/?sr_share=facebook&utm_source=tcfbpage
One of the largest consumer internet hacks has bred one of the largest class action settlements after Yahoo agreed to pay $50 million to victims of a security breach that’s said to have affected up to 200 million U.S. consumers and some three billion email accounts worldwide.
In what appears to be the closing move to the two-year-old lawsuit, Yahoo — which is now part of Verizon’s Oath business [which is the parent company of TechCrunch] — has proposed to pay $50 million in compensation to an estimated 200 million users in the U.S. and Israel, according to a court filing.
Tomi Engdahl says:
Apple’s Tim Cook makes blistering attack on the “data industrial complex”
http://www.epanorama.net/newepa/2018/10/01/cyber-security-october-2018/comment-page-8/#comment-1609645
Apple’s CEO Tim Cook has joined the chorus of voices warning that data itself is being weaponized again people and societies — arguing that the trade in digital data has exploded into a “data industrial complex”.
Cook did not namecheck the adtech elephants in the room: Google, Facebook and other background data brokers that profit from privacy-hostile business models. But his target was clear.
“Our own information — from the everyday to the deeply personal — is being weaponized against us with military efficiency,” warned Cook.
Tomi Engdahl says:
Google mandates two years of security updates for popular phones in new Android contract
https://www.theverge.com/2018/10/24/18019356/android-security-update-mandate-google-contract
Every month, a security team at Google releases a new set of patches for Android — and every month, carriers and manufacturers struggle to get them installed on actual phones. It’s a complex, long-standing problem, but confidential contracts obtained by The Verge show many manufacturers now have explicit obligations about keeping their phones updated written into their contract with Google.
A contract obtained by The Verge requires Android device makers to regularly install updates for any popular phone or tablet for at least two years. Google’s contract with Android partners stipulates that they must provide “at least four security updates” within one year of the phone’s launch. Security updates are mandated within the second year as well, though without a specified minimum number of releases.
Tomi Engdahl says:
Android/TimpDoor Turns Mobile Devices Into Hidden Proxies
https://securingtomorrow.mcafee.com/mcafee-labs/android-timpdoor-turns-mobile-devices-into-hidden-proxies/
The McAfee Mobile Research team recently found an active phishing campaign using text messages (SMS) that tricks users into downloading and installing a fake voice-message app which allows cybercriminals to use infected devices as network proxies without users’ knowledge. If the fake application is installed, a background service starts a Socks proxy that redirects all network traffic from a third-party server via an encrypted connection through a secure shell tunnel—allowing potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors. McAfee Mobile Security detects this malware as Android/TimpDoor.
Devices running TimpDoor could serve as mobile backdoors for stealthy access to corporate and home networks because the malicious traffic and payload are encrypted.
Tomi Engdahl says:
French government report says thousands approached by Chinese spies on LinkedIn
https://intelnews.org/2018/10/24/01-2423/
A French government report warns of an “unprecedented threat” to security after nearly 4,000 leading French civil servants, scientists and senior executives were found to have been accosted by Chinese spies using the popular social media network LinkedIn. The report was authored by France’s main intelligence agencies, the General Directorate for Internal Security (DGSI) and the General Directorate for External Security (DGSE). According to the Paris-based Le Figaro newspaper, which published a summary of the classified report, the two intelligence agencies presented it to the French government on October 19.
The report describes Chinese efforts to approach senior French scientists, business executives, academics and others, as “widespread and elaborate”, and warns that it poses an “unprecedented threat against the national interests” of the French state. It goes on to state that nearly 4,000 carefully selected French citizens have been approached by Chinese intelligence operatives via the LinkedIn social media platform.
Tomi Engdahl says:
Microsoft Windows zero-day disclosed on Twitter, again
Zero-day impacts Windows 10, Server 2016, and Server 2019 only.
https://www.zdnet.com/article/microsoft-windows-zero-day-disclosed-on-twitter-again/
A security researcher has disclosed a Windows zero-day vulnerability on Twitter for the second time in the span of two months. The researcher, who goes online by the pseudonym of SandboxEscaper, also published proof-of-concept (PoC) on GitHub.
This second Windows zero-day affects the Microsoft Data Sharing (dssvc.dll), a local service that provides data brokering between applications.
Tomi Engdahl says:
Data leak at consulting firm handling fundraisers for the Democratic party
https://www.zdnet.com/article/data-leak-at-consulting-firm-handling-fundraisers-for-the-democratic-party/
Exposed data includes information on thousands of fundraisers and even credentials for databases of voter records.
A Maryland consulting firm that handles political fundraisers for the Democratic Party has left fundraiser data and passwords to databases storing voter records exposed online via an unsecured network attached storage (NAS) device.
Tomi Engdahl says:
Free decryption tool released for multiple GandCrab ransomware versions
https://www.zdnet.com/article/free-decryption-tool-released-for-multiple-gandcrab-ransomware-versions/
New decryption tool can recover files locked by GandCrab versions 1, 4, and 5.
Tomi Engdahl says:
New York Times:
Sources: US intelligence has determined that China and Russia spy on phone calls Trump makes using his iPhones instead of his secure White House landline — WASHINGTON — When President Trump calls old friends on one of his iPhones to gossip, gripe or solicit their latest take on how he is doing …
When Trump Phones Friends, the Chinese and the Russians Listen and Learn
https://www.nytimes.com/2018/10/24/us/politics/trump-phone-security.html
Tomi Engdahl says:
Natasha Lomas / TechCrunch:
Tim Cook attacks the “data industrial complex” and calls for comprehensive US privacy laws in speech at conference on data protection and privacy in Brussels
https://techcrunch.com/2018/10/24/apples-tim-cook-makes-blistering-attack-on-the-data-industrial-complex/
Michelle Castillo / CNBC:
Responding to Tim Cook’s privacy speech, ex-Facebook CSO Alex Stamos calls out Apple’s anti-privacy moves in China and tech media for ignoring them in coverage — – Former Facebook chief security officer Alex Stamos said on Twitter Apple needs to “come clean” about how it blocks ways …
https://www.cnbc.com/2018/10/24/ex-facebook-exec-alex-stamos-calls-out-apple-practices-in-china.html
Tomi Engdahl says:
Pentagon Launches Continuous Bug Bounty Program
https://www.securityweek.com/pentagon-launches-continuous-bug-bounty-program
The Department of Defense announced on Wednesday that its “Hack the Pentagon” bug bounty program will run all year long and will target the organization’s high-value assets.
The continuous Hack the Pentagon project is powered by crowdsourced security platform Bugcrowd, which is the third Silicon Valley company awarded a contract by the DoD for bug bounty programs.
Tomi Engdahl says:
Google Blocks New Ad Fraud Scheme
https://www.securityweek.com/google-blocks-new-ad-fraud-scheme
Google says it recently blocked a new ad fraud scheme spread across a large number of applications and websites and monetizing with numerous advertising platforms.
Previously, the company had blocked websites from its ad network for violating its policies, but now it also took action against applications that were involved in the fraud scheme, after being tipped off by BuzzFeed News.
Not only did the web search company ensure that these apps can no longer monetize with Google, it also blacklisted additional apps and websites outside of its ad network, “to ensure that advertisers using Display & Video 360 (formerly known as DoubleClick Bid Manager) do not buy any of this traffic.”
Tomi Engdahl says:
Firefox 63 Blocks Tracking Cookies
https://www.securityweek.com/firefox-63-blocks-tracking-cookies
Firefox 63 was released on Tuesday with a new cookie policy meant to prevent cross-site tracking by effectively blocking cookies and other site data from third-party tracking resources.
The move was announced in August, when the feature entered the initial testing phase. Now, all desktop versions of Firefox include the experimental cookie policy that not only protects against cross-site tracking, but also aims to minimize site breakage associated with traditional cookie blocking.
Tomi Engdahl says:
DDoS-Capable IoT Botnet ‘Chalubo’ Rises
https://www.securityweek.com/ddos-capable-iot-botnet-chalubo-rises
A new piece of malware is targeting Internet of Things (IoT) devices in an attempt to ensnare them into a botnet capable of launching distributed denial-of-service (DDoS) attacks, Sophos Labs reports.
Dubbed Chalubo (ChaCha-Lua-bot), the malware incorporates code from the Xor.DDoS and Mirai families, but also brings improvements in the form of anti-analysis techniques. Specifically, the authors have encrypted both the main component and its corresponding Lua script using the ChaCha stream cipher.
In late August, the attackers were observed using three malicious components for the threat, namely a downloader, the main bot, and the Lua command script. The bot ran only on systems with an x86 architecture.
Several weeks ago, the cybercriminals started using the Elknot dropper to deliver the rest of Chalubo. More importantly, Sophos Labs security researchers observed a variety of bot versions, designed to target different architectures, including 32-bit and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8614-kryptolouhijat-ovat-taman-ajan-pahin-vitsaus
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8612-alypuhelin-on-kaappaajille-helppoa-riistaa
Tomi Engdahl says:
Thomas Brewster / Forbes:
Sources: GrayKey, which some law enforcement agencies bought to break the passcodes of iOS devices, can no longer do so for any iPhone running iOS 12 or above — Apple has managed to prevent the hottest iPhone hacking company in the world from doing its thing.
Apple Just Killed The ‘GrayKey’ iPhone Passcode Hack
https://www.forbes.com/sites/thomasbrewster/2018/10/24/apple-just-killed-the-graykey-iphone-passcode-hack/#9675c9053184
Apple has managed to prevent the hottest iPhone hacking company in the world from doing its thing.
Uncloaked by Forbes in March, Atlanta-based Grayshift promised governments its GrayKey tech could crack the passcodes of the latest iOS models, right up to the iPhone X. From then on, Apple continued to invest in security in earnest, continually putting up barriers for Grayshift to jump over. Grayshift continued to grow, however, securing contracts with Immigration and Customs Enforcement, and the Secret Service.
Now, though, Apple has put up what may be an insurmountable wall. Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.
Tomi Engdahl says:
Google makes it easier to clear your recent Search activity
https://www.zdnet.com/article/google-makes-it-easier-clear-your-recent-search-activity/
Over the next year, Google will add direct access to privacy controls from other products including Maps.
Tomi Engdahl says:
Elisa käynnisti Bug Bounty -ohjelman – haavoittuvuuksien löytäjille luvassa rahallinen palkkio
https://www.ficom.fi/ajankohtaista/j%C3%A4senist%C3%B6n-tiedotteet/elisa-k%C3%A4ynnisti-bug-bounty-ohjelman-%E2%80%93-haavoittuvuuksien
Elisan Bug Bounty -ohjelmaan voi hakea mukaan HackerOne-palvelun kautta. Saman palvelun kautta hoidetaan myös palkkion maksu, jonka suuruus perustuu siihen, kuinka vakavan riskin löydös aiheuttaa liiketoiminnalle. Palkkiot liikkuvat tuhansissa euroissa löydöksestä riippuen.
Tomi Engdahl says:
UK watchdog hands Facebook maximum £500K fine over Cambridge Analytica data breach
https://techcrunch.com/2018/10/25/uk-watchdog-hands-facebook-500k-fine/?utm_source=tcfbpage&sr_share=facebook
The U.K. Information Commissioner’s Office (ICO) has confirmed that it has hit Facebook with a maximum £500,000 ($645,000) fine around the way it mishandled user data following the Cambridge Analytica scandal earlier this year.
While £500,000 is a drop in the ocean for the U.S. company, it represents the maximum allowable punishment under UK law, which is the significant part to focus on here.
The introduction of GDPR has given the ICO the power to issue fines of up to £17 million ($22 million) or four percent of a company’s global turnover — that’s potentially up to $1.6 billion in Facebook’s case.
Tomi Engdahl says:
SIM Cards That Force Your Mobile Data Through Tor Are Coming
https://gizmodo.com/sim-cards-that-force-your-mobile-data-through-tor-are-c-1829932193
It’s increasingly difficult to expect privacy when you’re browsing online, so a non-profit in the UK is working to build the power of Tor’s anonymity network right into the heart of your smartphone.
Brass Horn Communications is experimenting with all sorts of ways to improve Tor’s usability for UK residents. The Tor browser bundle for PCs can help shield your IP address from snoopers and data-collection giants.
Tomi Engdahl says:
Federation of Sovereign Indigenous Nations pays hacker $20K in bitcoin after massive data breach, sources say
https://www.cbc.ca/news/canada/saskatoon/fsin-pays-hacker-20-000-in-bitcoin-after-massive-data-breach-sources-say-1.4875487
Revelation comes as FSIN election assembly begins today in Saskatoon
The hacker gained control of the FSIN’s internal files and email system, holding it ransom. A wide range of data was taken.
The hack went undetected for an undetermined amount of time. In May, an FSIN staff member got an email from the hacker demanding a ransom of more than $100,000.
Tomi Engdahl says:
Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See
https://motherboard.vice.com/amp/en_us/article/vbka8b/wolf-intelligence-leak-customer-victim-data-online?__twitter_impression=true
The Germany-based spyware startup Wolf Intelligence exposed its own data, including surveillance target’s information, passports scans of its founder and family, and recordings of meetings.
Tomi Engdahl says:
Morrisons supermarket: We’re taking payroll leak liability fight to UK Supreme Court
https://www.theregister.co.uk/2018/10/23/morrisons_loses_court_appeal_data_theft/
Brit grocer says it shouldn’t be held responsible for criminal actions of worker
Morrisons has vowed to take its hack liability fight to the UK Supreme Court after failing to convince Court of Appeal judges it should not be held responsible for the actions of a rogue employee who leaked the supermarket’s entire payroll via Tor.
The under-fire chain is battling a class action lawsuit brought by 5,000 of its current and former employees, who were enraged when angry IT auditor Andrew Skelton dumped all 100,000 workers’ details online.
After external auditor KPMG asked for copies of various data including the entire company payroll, Skelton made a private copy of it from an encrypted USB stick.
Skelton was arrested after a few days and in 2015 was jailed for eight years for fraud, securing unauthorised access to computer material and disclosing personal data.
Tomi Engdahl says:
Multiple Vulnerabilities Patched in ASRock Drivers
https://www.securityweek.com/multiple-vulnerabilities-patched-asrock-drivers
SecureAuth Labs security researchers have discovered multiple vulnerabilities in low-level drivers installed by ASRock utilities.
Established in 2002, ASRock is the third largest motherboard brand globally. Headquartered in Taipei, Taiwan, the company has branches in Europe and the United States. The maker offers a series of utilities that provide users control over certain settings and functions.
SecureAuth discovered a series of security flaws in AsrDrv101.sys and AsrDrv102.sys low-level drivers that the ASRock RGBLED and other ASRock branded utilities install. By exploiting these vulnerabilities, a local attacker can elevate privileges on the system.
Tomi Engdahl says:
BA Says 185,000 More Customers Affected in Cyber Attack
https://www.securityweek.com/ba-says-185000-more-customers-affected-cyber-attack
British Airways owner IAG on Thursday said that a further 185,000 customers may have had their personal details stolen in a cyber attack earlier this year.
This includes the holders of 77,000 payment cards whose name, billing address, email address, card payment information have potentially been compromised.
A further 108,000 people’s personal details without card verification value have also been compromised, the airline said in a statement.
“While British Airways does not have conclusive evidence that the data was removed from its systems, it is taking a prudent approach in notifying potentially affected customers, advising them to contact their bank or card provider as a precaution,” it said.
Tomi Engdahl says:
‘TimpDoor’ Malware Turns Android Devices into Proxies
https://www.securityweek.com/timpdoor-malware-turns-android-devices-proxies
A newly discovered piece of Android malware creates a Socks proxy on infected devices, potentially allowing access to internal networks, McAfee reports.
Dubbed TimpDoor, the threat is distributed through phishing text messages that attempt to trick users into installing a fake voice message app. As soon as the app is installed, however, a background service starts a Socks proxy to “redirect all network traffic from a third-party server via an encrypted connection through a secure shell tunnel.”
Not only do infected devices serve as backdoors, but the attackers could also abuse a network of compromised devices to send spam and phishing emails, perform ad click fraud, or launch distributed denial-of-service (DDoS) attacks, McAfee’s security researchers say.
Android/TimpDoor Turns Mobile Devices Into Hidden Proxies
https://securingtomorrow.mcafee.com/mcafee-labs/android-timpdoor-turns-mobile-devices-into-hidden-proxies/
The McAfee Mobile Research team recently found an active phishing campaign using text messages (SMS) that tricks users into downloading and installing a fake voice-message app which allows cybercriminals to use infected devices as network proxies without users’ knowledge. If the fake application is installed, a background service starts a Socks proxy that redirects all network traffic from a third-party server via an encrypted connection through a secure shell tunnel—allowing potential access to internal networks and bypassing network security mechanisms such as firewalls and network monitors. McAfee Mobile Security detects this malware as Android/TimpDoor.
Tomi Engdahl says:
Questions Mount Over Delay After Cathay Pacific Admits Huge Data Leak
https://www.securityweek.com/questions-mount-over-delay-after-cathay-pacific-admits-huge-data-leak
Hong Kong carrier Cathay Pacific came under pressure Thursday to explain why it had taken five months to admit it had been hacked and compromised the data of 9.4 million customers, including passport numbers and credit card details.
The airline said Wednesday it had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May.
However, chief customer and commercial officer Paul Loo said officials wanted to have an accurate grasp on the situation before making an announcement and did not wish to “create unnecessary panic”.
News of the leak sent shares in Cathay, which was already under pressure as it struggles for customers, plunging more than six percent to a nine-year low in Hong Kong trading.
Local politicians slammed the carrier, saying its response had only fuelled worries.
Tomi Engdahl says:
UK Regulator Hits Facebook With Maximum Fine
https://www.securityweek.com/uk-regulator-hits-facebook-maximum-fine
ICO Fines Facebook Maximum £500,000 Over its Role in the Cambridge Analytica Scandal
Tomi Engdahl says:
Researchers Find Command Injection Flaw in Cisco WebEx
https://www.securityweek.com/researchers-find-command-injection-flaw-cisco-webex
Tomi Engdahl says:
Banking Trojans in Google Play Pose as Utility Apps
https://www.securityweek.com/banking-trojans-google-play-pose-utility-apps
Google recently removed 29 applications from Google Play after learning that they were actually containing code to steal users’ banking information.
The applications, found in the official app store from August until early October 2018, were masquerading as utility programs, including device boosters, cleaners and battery managers, as well as horoscope-themed apps.
Tomi Engdahl says:
Mac Malware Injects Ads Into Encrypted Traffic
https://www.securityweek.com/mac-malware-injects-ads-encrypted-traffic
A newly discovered piece of malware targeting macOS devices is capable of injecting ads into encrypted web traffic, Malwarebytes security researchers warn.
Detected as OSX.SearchAwesome, the malware is delivered through a malicious installer that arrives as a cracked app downloaded via a torrent file. The threat’s installer is a disk image file that lacks the usual decorations used to make it look legitimate.
Tomi Engdahl says:
Abusing Microsoft Office Online Video
https://blog.cymulate.com/abusing-microsoft-office-online-video
Cymulate’s research team has discovered a way to abuse the Online Video feature on Microsoft Word to execute malicious code
Cymulate Finds Logical Bug in Microsoft Office Suite – Word Embedded Video Code Execution
https://www.businesswire.com/news/home/20181025005616/en/Cymulate-Finds-Logical-Bug-Microsoft-Office-Suite
Tomi Engdahl says:
Word up: Embedded vids in Office docs can hide embedded nasties, infosec bods warn
XML twiddling can lead to lock-and-loading dodgy JavaScript, we’re told
https://www.theregister.co.uk/2018/10/25/microsoft_office_word_video_vulnerability/
Tomi Engdahl says:
Misconfigured Container Abused to Deliver Cryptocurrency-mining Malware
https://blog.trendmicro.com/trendlabs-security-intelligence/misconfigured-container-abused-to-deliver-cryptocurrency-mining-malware/
We recently observed cases of abuse of the systems running misconfigured Docker Engine-Community with Docker application program interface (API) ports exposed. We also noticed that the malicious activities were focused on scanning for open ports 2375/TCP and 2376/TCP, which are used by the Docker engine daemon (dockerd). The intrusion attempts to deploy a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.SH.MALXMR.ATNE) on the misconfigured systems.
Tomi Engdahl says:
Malware Distributors Adopt DKIM to Bypass Mail Filters
https://www.bleepingcomputer.com/news/security/malware-distributors-adopt-dkim-to-bypass-mail-filters/
One of the US Government recommendations is to use “Domain-based message authentication, Reporting and Conformance (DMARC)”, a mechanism used to assess if an email is genuine. DMARC relies on two technologies; “Sender Policy Framework” (SPF) and “Domainkeys Identified Mail” (DKIM). Either one can be used individually or together.
When using DKIM, the header of a sent email contains instructions and a DKIM public key certificate. When the recipient’s mail server receives the DKIM marked email, the server contacts the sender domain and follows the instructions from within the email header. The instructions enable the discovery of the unique key found within the _domainkeys.DOMAIN address, which is used to confirm the sender is authorised to distribute emails for that domain.
Unfortunately, threat actors have discovered a mechanism to circumvent DMARC controls by using the technique known as domain hijacking. Domain hijacking is an attack with the intention to control an existing domain name, redirecting traffic once destined for a legitimate server to a new malicious destination. This attack fools both human and technology elements that may have once whitelisted the domain.
Tomi Engdahl says:
I BOUGHT USED VOTING MACHINES ON EBAY FOR $100 APIECE. WHAT I FOUND WAS ALARMING
https://www.wired.com/story/i-bought-used-voting-machines-on-ebay/
IN 2016, I bought two voting machines online for less than $100 apiece. I didn’t even have to search the dark web. I found them on eBay.
Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online.
If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still. The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped. The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted. Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.