As a patient moves down the small, loud tunnel of an MRI tube, CT scan, or other high-powered radiology device, it’s safe to assume they believe the diagnostic benefits outweigh the risk of radiation exposure (and a possible claustrophobic-induced panic attack). In fact, only after understanding – and accepting — these risks is a patient permitted to proceed with the test. But, what additional risks could you be exposing yourself to while using a diagnostic imaging device?
According to a new project being spearheaded by the National Cybersecurity Center of Excellence (NCCoE) Healthcare Sector Community of Interest, cybersecurity is now considered a significant risk associated with medical imaging that must be better understood and addressed by the healthcare sector.
IN DECEMBER 2016, Georgia secretary of state Brian Kemp accused the Department of Homeland Security of attempting to hack his office’s systems, which include the Georgia voter registration database. Six months later, the DHS inspector general concluded that the allegations were unfounded; someone on a DHS computer had simply visited the Georgia Secretary of State website. Now, two days before an election in which Kemp himself is the Republican candidate for governor, he has levied similarly unsupported charges—this time against his Democratic opponents.
The inquiries continued. Hursti laid down conditions that would be hard to meet. With these he tried to get rid of the people asking.
“There has to be an invitation from the head of the election board. There has to be legal protection against prosecution.”
Ion Sancho, the head of the Tallahassee election board who had been responsible for the recount in the 2000 presidential election, called Hursti and promised him protection.
In the end Hursti showed that the voting result could be manipulated using the memory cards. Documentaries and articles were made about him, and he became a security expert for the U.S. government.
No change came
“In 2005–2006 I believed that once these things were exposed, the problem would be fixed within a couple of years. It would never have occurred to me that the same software version and the same machines would still be in use and that we would still be talking about this.”
“Election information systems come from private companies. There is no regulation and no licensing involved. It is the complete Wild West.”
The years have taught him that what seems impossible can be possible.
“It would have been completely impossible to make me believe everything I have seen in these 15 years. That this system could be this bad.”
As recently as the 2016 presidential election, the U.S. government’s number one threat scenario for voting was a dishonest candidate who would try to win by fraud.
The threat scenario was completely wrong, Hursti says.
“Nobody considered that there could be a well-funded or patient organization whose only purpose might be to destroy faith in democracy.”
According to Hursti, Russia’s aim in hybrid warfare against Finland, among other things, is to undermine social stability.
But where does hybrid warfare end? Physical war ultimately ends in death, but what about hybrid warfare?
“You are right. It does not necessarily have any logical conclusion. Perhaps the attacker gets what it wants and a revolution happens. Or it just goes on. The defender has no end game in it and no way to stop the warfare.”
“The only way to defend yourself is to develop a firewall inside your head that helps you sort messages, discard misinformation and make rational decisions.”
“Organizations do not understand how the enemy thinks. When I look at things through the enemy’s eyes, I bypass all the walls and think: nice that you built them, but I will now walk my own route to the goal.”
In 2013 there was an attempt on Hursti’s life. A man attacked him in Atlanta.
Huawei has pointed to its ‘unblemished record of cybersecurity’ following reports over the weekend that it helped the Chinese government gain access codes for a foreign network.
Huawei has denied that it assisted the Chinese government in infiltrating a foreign network to gain information, following reports over the weekend to the contrary.
“Huawei categorically denies it has ever provided, or been asked to provide, customer information for any government or organisation,” a Huawei spokesperson told ZDNet on Monday morning.
“These baseless accusations are made without any evidence whatsoever.”
The denial followed reports by The Australian that it had “confirmed from a national security source” that Huawei staffers were used by Chinese intelligence to “get access codes to infiltrate a foreign network”, including providing password and network details.
Jon Porter / The Verge:
Chrome 71, which arrives next month, will block all ads on sites that have persistently shown abusive ads such as fake system messages
Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they’ve got their hands on the equipment.
A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical weaknesses. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data.
Basically, the cryptographic keys used to encrypt and decrypt the data are not derived from the owner’s password, meaning, you can seize a drive and, via a debug port, reprogram it to accept any password. At that point, the SSD will use its stored keys to cipher and decipher its contents. Yes, it’s that dumb.
“The analysis uncovers a pattern of critical issues across vendors,” according to the researchers. “For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys.”
In practice, the Radboud duo say they were able to decrypt the data on a number of SSDs simply by connecting to the drive’s debug interface on its circuit board, and modify the password-checking routine in the firmware to accept any passphrase before accessing the DEK to encrypt or decrypt the device.
One possible way to secure these devices, the boffins stated in their paper, is to ensure the secrets needed to decrypt a drive are stored off the equipment itself.
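The design flaw described above is easiest to see side by side. The following is an added example, not code from the Radboud paper or from any SSD vendor’s firmware: a toy model of two unlock designs. In the weak one the data-encryption key (DEK) is stored independently of the user password and only gated by a check, so patching the check is enough to recover it; in the strong one the DEK is wrapped under a key derived from the password, so no secret on the device is useful without it. The PBKDF2 parameters, the XOR/HMAC wrap (a stand-in for a proper key-wrap) and the `check_patched` switch are all constructed here for illustration.

```python
"""Toy model of self-encrypting-drive unlock designs (added example).

WeakDrive  : DEK stored verbatim; password only gates a check.
StrongDrive: DEK wrapped under a KEK derived from the password.
Nothing here is vendor code; parameters are constructed for the demo.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # constructed parameter, not a vendor value


class WeakDrive:
    """DEK is a stored secret that does not depend on the password."""

    def __init__(self, password: str):
        self.dek = os.urandom(32)  # sits in drive NVRAM as-is
        self.pw_hash = hashlib.sha256(password.encode()).digest()

    def unlock(self, password: str, check_patched: bool = False) -> bytes:
        # `check_patched` models a verification routine modified via the
        # debug port to always report success.
        ok = check_patched or hmac.compare_digest(
            self.pw_hash, hashlib.sha256(password.encode()).digest())
        if not ok:
            raise PermissionError("bad password")
        return self.dek


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive 64 bytes: first half drives the wrap stream, second half the MAC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=64)


class StrongDrive:
    """DEK is only recoverable from the password; the check is not load-bearing."""

    def __init__(self, password: str):
        dek = os.urandom(32)
        self.salt = os.urandom(16)
        kek = _kdf(password, self.salt)
        stream = hashlib.shake_256(kek[:32]).digest(32)   # toy wrap keystream
        self.wrapped = bytes(a ^ b for a, b in zip(dek, stream))
        self.tag = hmac.new(kek[32:], self.wrapped, "sha256").digest()
        # Note: neither `dek` nor `kek` is stored on the device.

    def unlock(self, password: str, check_patched: bool = False) -> bytes:
        kek = _kdf(password, self.salt)
        expected = hmac.new(kek[32:], self.wrapped, "sha256").digest()
        if not (check_patched or hmac.compare_digest(expected, self.tag)):
            raise PermissionError("bad password")
        # Even with the check patched out, the unwrap uses a KEK derived from
        # the supplied password: a wrong password yields 32 bytes of garbage.
        stream = hashlib.shake_256(kek[:32]).digest(32)
        return bytes(a ^ b for a, b in zip(self.wrapped, stream))


def patched_check_recovers_dek(drive, password: str) -> bool:
    """Does bypassing the password check yield the same key a real unlock does?"""
    legit = drive.unlock(password)
    bypassed = drive.unlock("not-the-password", check_patched=True)
    return hmac.compare_digest(legit, bypassed)


if __name__ == "__main__":
    print("weak design, check patched, DEK recovered:",
          patched_check_recovers_dek(WeakDrive("hunter2"), "hunter2"))
    print("strong design, check patched, DEK recovered:",
          patched_check_recovers_dek(StrongDrive("hunter2"), "hunter2"))
```

The point of the contrast is the one the researchers make: the password must be a cryptographic input to the key, not merely an input to a branch that firmware can be patched around.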
HSBC Bank sent a letter to an undisclosed number of customers informing them of a data breach that might have exposed their personal information.
HSBC Bank is one of the largest banking and financial services organizations in the world. It maintains 7,500 offices in over 80 countries in Europe, Africa, the Americas, the Asia-Pacific region and the Middle East.
FTP — the “file transfer protocol” — is a long-supplanted Unix tool for transferring files between computers, once standard but now considered to be too insecure to use; so it’s alarming that it’s running on the voting information systems that will be used in elections in Wisconsin and Kentucky tomorrow.
The FBI has warned that “criminal actors” use FTP in targeting US voting systems. The Wisconsin Elections Commission and DHS have reported hacker attacks on Wisconsin voting machines in the 2016 elections.
Everyone knows that it’s not a matter of if your private information will be breached. It’s a matter of when. I don’t have much of an expectation of privacy these days.
Statistics Canada, our national statistics agency with a mandate that “ensures Canadians have the key information on Canada’s economy, society and environment that they require to function effectively as citizens and decision makers,” has asked for the personal banking information of 500,000 Canadians to be released to them.
This means that 1 in 20 Canadians will have all of their banking information and personally identifiable information turned over to a government agency that has failed security audits.
Many consider PCI to be the minimum amount of effort that an organization should invest in security.
While I’m often the first to say that we have to expect our privacy to be breached, we still need to work to prevent avoidable breaches. Given the history of the agency, along with the sensitivity of this data, everyone needs to pay close attention to this moving forward. The results could be disastrous.
Through a novel marrying of different tools, Kamerka can take an address, landmark, or coordinates and display exposed internet connected cameras on a map.
China Telecom, the large international communications carrier with close ties to the Chinese government, misdirected big chunks of Internet traffic through a roundabout path that threatened the security and integrity of data passing between various providers’ backbones for two and a half years, a security expert said Monday. It remained unclear if the highly circuitous paths were intentional hijackings of the Internet’s Border Gateway Protocol or were caused by accidental mishandling.
For almost a week late last year, the improper routing caused some US domestic Internet communications to be diverted to mainland China before reaching their intended destination, Doug Madory, a researcher specializing in the security of the Internet’s global BGP routing system, told Ars.
“We are describing the same thing in different ways,” he told Ars, speaking of the two-and-a-half-year event he documented and the two-month hijacking reported two weeks ago. “They may have only known about it for those two months in 2017, but I can guarantee you that it was going [on] for much longer.”
The domestic US traffic, in particular, “becomes an even more extreme example,” he told Ars. “When it gets to US-to-US traffic traveling through mainland China, it becomes a question of is this a malicious incident or is it accidental? It’s definitely concerning. I think people will be surprised to see that US-to-US traffic was sent through China Telecom for days.”
Browlocks are the main driving force behind tech support scams, using a combination of malvertising and clever browser locker tricks to fool users. In fact, the effects can be so convincing that people call the rogue Microsoft support number for help because they believe their computer has been hijacked.
HSBC has admitted miscreants have probably made off with personal details of thousands of its online-banking customers.
The bank submitted paperwork [PDF] to the California Attorney General’s office late last week outlining its plan to notify folks of the significant data theft. California law requires that the AG be notified whenever a computer security breach affects 500 or more residents in the US state.
Latest ESET research shows just how far attackers will go in order to steal bitcoin from customers of one specific virtual currency exchange
On November 3, attackers successfully breached StatCounter, a leading web analytics platform. This service is used by many webmasters to gather statistics on their visitors – a service very similar to Google Analytics.
By compromising the StatCounter platform, attackers can inject JavaScript code into all websites that use StatCounter.
Memory handling issues in U-Boot open-source bootloader for embedded devices make possible multiple exploitation techniques that lead to arbitrary code execution.
U-Boot, short for the Universal Boot Loader, is a first-stage and second-stage bootloader. It is responsible for the initial hardware configuration and loading the operating system (OS) kernel.
It has support for a variety of architectures, including ARM, MIPS, and PowerPC. Among the types of devices it can initiate are Chromebooks, routers, and Amazon Kindle.
To ensure that authentic code is running on the system, U-Boot features ‘Verified Boot’ – its own version of Secure Boot – which verifies the integrity of the images it loads.
Barisani discloses two methods that leverage U-Boot’s lack of memory allocation restrictions. The flaws received the identifiers CVE-2018-18440 and CVE-2018-18439.
“The memory overwrite can directly lead to arbitrary code execution, fully controlled by the contents of the loaded image,” Barisani adds.
Apache Struts developers are urging users to update a file upload library due to the existence of two vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks.
The team behind the open source development framework pointed out that the Commons FileUpload library, which is the default file upload mechanism in Struts 2, is affected by a critical remote code execution vulnerability.
Hackers have been targeting Iranian users of Telegram and Instagram with fake login pages, app clones and BGP hijacking in attacks that have been ongoing since 2017, Cisco Talos reveals.
Banned in Iran, Telegram is a popular target for greyware: software that provides the expected functionality but is also suspicious enough to be considered a potentially unwanted program (PUP).
America’s trade watchdog’s case against network device maker D-Link will go ahead next January – after a district judge rebuked the two sides for wasting money drawing up and filing demands for summary judgments.
The US Federal Trade Commission (FTC) brought its lawsuit against Taiwanese D-Link early last year in California, and in doing so griped about a host of alleged bad practices, including hard-coded passwords, command-injection vulnerabilities, misplaced security keys, and plaintext password storage in D-Link’s gear. These, the watchdog claimed, amounted to misrepresentation by a company that touted the advanced security of its products, and thus put buyers at risk.
Microsoft has conducted its own investigation into the market for new PCs in Asia, only to discover an insane number of computers sold with a pirated Windows license.
As reported by The Economic Times, Microsoft purchased PCs between May and July from Asian markets in an attempt to determine how many of them are shipped with counterfeit Windows licenses and malware pre-installed.
The cybercrime wing of Pakistan’s Federal Investigation Agency has said data from “almost all” Pakistani banks was stolen in a recent security breach. FIA Cybercrimes Director retired Capt Mohammad Shoaib told Geo News that hackers based outside the country had breached the security systems of several local banks. “The hackers have stolen large amounts of money from people’s accounts,” he added.
“According to a recent report we have received, data from almost all Pakistani banks has been reportedly hacked,” FIA Cybercrimes Director retired Capt Mohammad Shoaib told Geo News on Tuesday.
“The hackers have stolen large amounts of money from people’s accounts,” he added.
“The recent attack on banks has made it quite clear that there is a need for improvement in the security system of our banks,” he observed.
It wasn’t immediately clear when exactly the security breach took place.
Sources told Dawn the State Bank of Pakistan (SBP) has been informed by several commercial banks that they have blocked international payments on debit and credit cards as a precautionary measure after cyber attacks on their clients’ accounts.
According to a digital security website krebsonsecurity.com, data of over 8,000 account holders of about 10 Pakistani banks was sold in a market of hackers.
The first cyber attack was reported by BankIslami on October 27.
One of the top traffic metrics websites on the internet is apparently being used by criminals to steal Bitcoins from a currency exchange.
Researchers at ESET have found that the JavaScript used by StatCounter’s analytics platform has been modified by miscreants so that when embedded into the pages of Gate.io, a cryptocurrency exchange, it can siphon off alt-coins.
While millions of sites may have pulled in that modified code, however, it appears that just one site was the target.
Yahoo News report points to exposure of CIA communications causing deaths of dozens.
A covert “transitional” channel used for communicating with sources that Central Intelligence Agency handlers couldn’t reach directly was exposed and infiltrated by Iranian intelligence in 2009. The breakdown in operational security—which apparently relied heavily on security through obscurity—was the result of Iranian intelligence officials simply using Google to locate the websites used as the communications channel after a double-agent exposed the method used by the CIA, according to a report from Yahoo News’ Zach Dorfman and Jenna McLaughlin.
Steganography involves hiding data in something else — for example, encoding data in a picture. [David Buchanan] used polyglot files not to hide data, but to send a large amount of data in a single Twitter post. We don’t think it quite qualifies as steganography because the image has a giant red UNZIP ME printed across it. But without it, you might not think to run a JPG image through your unzip program.
What’s a polyglot file? Jpeg images have an ICC (International Color Consortium) section that defines color profiles. While Twitter strips a lot of things out of images, it doesn’t take out the ICC section. However, the ICC section can contain almost anything that fits in 64 kB up to a limit of 16 MB total.
The ZIP format is also very flexible. The pointer to the central directory is at the end of the file. Since that pointer can point anywhere, it is trivial to create a zip file with extraneous data just about anywhere in the file.
Interestingly, even creating a thumbnail usually keeps the color profile data, so a Twitter thumbnail will still retain the payload.
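Because the ICC data survives resizing and re-encoding, a defender who wants to catch this kind of polyglot has to look at the container, not the pixels. The scanner below is an added example, not David Buchanan’s tooling or anything from Twitter: it walks the JPEG marker segments, concatenates the APP2 `ICC_PROFILE` payloads (each capped at 64 kB by the 16-bit segment length, which is why a large profile spans several segments), reports ZIP signatures found inside them or after the End-Of-Image marker, and finally asks Python’s `zipfile` whether the whole file opens as an archive, which is the “run it through unzip” test from the article. The sample image is a constructed marker skeleton (SOI, APP0, APP2, SOS, EOI), not a decodable photo; the scanner only needs the marker structure.

```python
"""Scan a JPEG for a ZIP archive hidden in ICC segments or trailing data.

Added example; the sample file is a constructed marker skeleton.
"""
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of each archived member
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record
ICC_TAG = b"ICC_PROFILE\x00"       # APP2 payload prefix for colour profiles


def jpeg_segments(data: bytes):
    """Yield (marker, payload) up to SOS, then ('TRAILER', bytes after EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded data follows until EOI (FF D9)
            eoi = data.find(b"\xff\xd9", pos)
            yield "TRAILER", data[eoi + 2:] if eoi >= 0 else b""
            return


def archive_members(data: bytes):
    """Member names if the whole file parses as a ZIP archive, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def scan_for_embedded_zip(data: bytes) -> dict:
    icc, findings = b"", []
    for marker, payload in jpeg_segments(data):
        if marker == 0xE2 and payload.startswith(ICC_TAG):
            icc += payload[len(ICC_TAG) + 2:]   # skip tag, sequence no., count
        elif marker == "TRAILER" and payload:
            if ZIP_LOCAL_HEADER in payload or ZIP_EOCD in payload:
                findings.append("zip signature after EOI")
    if ZIP_LOCAL_HEADER in icc:
        findings.append("zip local file header inside ICC profile")
    if ZIP_EOCD in icc:
        findings.append("zip end-of-central-directory inside ICC profile")
    return {"icc_bytes": len(icc), "findings": findings,
            "archive_members": archive_members(data)}


# --- constructed sample -------------------------------------------------------
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample(embed_zip: bool) -> bytes:
    """Marker skeleton only: SOI, APP0/JFIF, optional APP2/ICC, SOS, EOI."""
    parts = [b"\xff\xd8", _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")]
    if embed_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("README.txt", "constructed sample payload")
        parts.append(_segment(0xE2, ICC_TAG + b"\x01\x01" + buf.getvalue()))
    parts.append(_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00"))  # minimal SOS header
    parts.append(b"\x12\x34\xff\x00\x56")                      # stand-in scan data
    parts.append(b"\xff\xd9")                                  # EOI
    return b"".join(parts)


if __name__ == "__main__":
    print(scan_for_embedded_zip(build_sample(embed_zip=True)))
    print(scan_for_embedded_zip(build_sample(embed_zip=False)))
```

A real pipeline would apply the same check to the thumbnail it generates, since, as noted above, the profile data is usually carried over.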
Intel is experimenting with a new approach to participatory democracy. We have created a website on which we have posted our recommended draft for a comprehensive U.S. privacy law. The website has a portion where privacy law experts are providing feedback on the draft, and for the public to provide comments. We are going to keep the discussion going for two weeks and then will revise our draft.
Recent discussion about the need for a US federal law inspired us to draft a bill that will optimize for both innovation and protecting privacy.
We have invited some of the country’s top privacy experts to discuss the draft on this site. We also want to hear from you. Read our bill, follow along with the experts, and add your own voice to the public discussion
In this post, we will focus on the main skeleton of our logistics infrastructure: the mass transportation of goods over the surface of the earth. How do the goods that we use every day make their way into the warehouses, stores, or factories that need them? We will deal with air and public transportation separately, as they use completely different infrastructures in order to function.
558 Comments
Tomi Engdahl says:
Cisco Security Appliance Zero-Day Found Actively Exploited in the Wild
https://threatpost.com/cisco-security-appliance-zero-day-found-actively-exploited-in-the-wild/138763/
A high severity zero-day flaw exists in Cisco System’s SIP inspection engine.
Attackers are actively exploiting a zero-day vulnerability in certain Cisco security products, to cause a denial-of-service (DoS) condition.
The as-yet-unpatched flaw (CVE-2018-15454) has an 8.6 CVSS score and is rated high-severity.
Tomi Engdahl says:
Hours before U.S. election day, Facebook pulls dozens of accounts for ‘coordinated inauthentic behavior’
https://techcrunch.com/2018/11/05/day-before-election-day-facebook-pulls-inauthentic-accounts/?utm_source=tcfbpage&sr_share=facebook
Facebook has pulled the plug on 30 accounts and 85 Instagram accounts that the company says were engaged in “coordinated inauthentic behavior.”
The company didn’t have much more to share, only that the Facebook Pages associated with the accounts “appear to be in the French or Russian languages, while the Instagram accounts seem to have mostly been in English — some were focused on celebrities, others political debate,” he said.
Only earlier on Monday, a new report from Columbia University’s Tow Center for Digital Journalism found that election interference remains a major problem for the platform
Tomi Engdahl says:
U.S. Air Force Announces Third Bug Bounty Program
https://www.securityweek.com/us-air-force-announces-third-bug-bounty-program
The United States Air Force on Monday announced that it has launched its third bug bounty program in collaboration with HackerOne.
Hack the Air Force 3.0 is the largest bug bounty program run by the U.S. government to date, spanning 191 countries and lasting more than four weeks.
The program started on October 19 and it will end no later than November 22. Up to 600 researchers who have registered will be invited to find vulnerabilities in Department of Defense applications that were recently migrated to a cloud environment owned by the Air Force.
Tomi Engdahl says:
Iran Accuses Israel of Failed Cyber Attack
https://www.securityweek.com/iran-accuses-israel-failed-cyber-attack
Iran accused Israel on Monday of launching a failed cyber attack against its communications systems.
“A regime whose record in using cyber weapons is clear from cases such as Stuxnet has tried this time to damage Iran’s communication infrastructure,” said Information Minister Mohammad Javad Azari Jahromi on his Twitter account.
Tomi Engdahl says:
Shellbot Botnet Targets Linux, Android Devices
https://www.securityweek.com/shellbot-botnet-targets-linux-android-devices
An IRC bot built using Perl is targeting Internet of Things (IoT) devices and Linux servers, but can also affect Windows systems and Android devices, Trend Micro warns.
Previously, the botnet was being distributed via an exploit targeting the ShellShock vulnerability, hence its name. Last month, IBM observed attacks targeting the Drupalgeddon2 vulnerability (CVE-2018-7600) to distribute the botnet.
The campaign Trend Micro’s security researchers investigated, however, leveraged previously brute-forced or compromised hosts for distribution purposes. The bot was observed targeting Ubuntu and Android devices.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8670-yhtiot-hakkeroivat-nyt-itseaan-loytaakseen-reiat
Tomi Engdahl says:
Inception Attackers Target Europe with Year-old Office Vulnerability
https://researchcenter.paloaltonetworks.com/2018/11/unit42-inception-attackers-target-europe-year-old-office-vulnerability/
Unit 42 has previously observed attacks from the group in 2017 against government targets in Europe, Russia, and Central Asia and expects these to remain the primary regions this threat is seen.
Tomi Engdahl says:
How to Use Passive DNS to Inform Your Incident Response
https://securityintelligence.com/how-to-use-passive-dns-to-inform-your-incident-response/
The Domain Name System (DNS) is one of the key foundations of the internet. The DNS acts as a sort of phone book by translating user-friendly names like “Google.com” into numeric IP addresses that computers use to move packets of data over a network.
What Is DNS Logging?
A DNS log is one of many data sources through which you can detect security incidents and start your incident response plan. DNS log monitoring can be done in two ways: by looking at the content of the logs and checking for malicious activity, or by analyzing anomalies in the volumes, frequency, and types of requests and responses.
There are essentially two types of DNS logs concerning client behavior:
Request logs, which record which system requested the resolution of which name in a given time frame.
Response logs, which track which numeric IP address the requested name resolved to at a particular time.
How Does Passive DNS Work?
Passive DNS replication can happen in several ways. You can run a passive sensor that sniffs the DNS traffic and records the answers. Or, you can attach it as a module to an existing network monitor service, use it as a plugin with a name server or extract the data from stored network captures.
When to Use DNS Data
Consider that you are investigating a compromised machine and you’ve been handed its DNS request and response logs. You have a rough idea of when the infection took place, which was well before the initial steps of the investigation were started.
The DNS logs show that during the suspected time frame, the machine completed multiple queries for a single domain. This is most likely the domain used by the malware.
You can use this data to extract additional information by looking at the intrusion detection logs.
Tomi Engdahl says:
Persian Stalker pillages Iranian users of Instagram and Telegram
https://blog.talosintelligence.com/2018/11/persian-stalker.html
Once installed, some of these Telegram “clones” have access to mobile devices’ full contact lists and messages, even if the users are also using the legitimate Telegram app. In the case of phony Instagram apps, the malicious software sends full session data back to backend servers, which allows the attacker to take full control of the account in use. We declare with high confidence that these apps should be classified as “greyware.” It is not malicious enough to be classified as malware, but is suspicious enough to be considered a potentially unwanted program (PUP).
Tomi Engdahl says:
Hey there! How much are you worth?
https://securelist.com/hey-there-how-much-are-you-worth/88691/
Have you ever stopped to think just how much your life is worth? I mean really think about it. For instance, let’s say you wanted to sell everything you have – your house, your car, your job, your private life, photos and home movies from your childhood, your accounts on various social media, your medical history and so on – how much would you ask for it all?
In the real non-digital world there are lots of insurance policies that cover things if they get damaged or stolen.
Hacked accounts
When investigating hacked accounts from popular services it’s almost impossible to compile valid data because there are so many black-market vendors selling this stuff. It is also difficult to verify the uniqueness of the data being sold. But one thing is certain – this is the most popular type of data being sold on the black market. When talking about data from popular services, I’m referring to things like stolen social media accounts, banking details, remote access to servers or desktops and even data from popular services like Uber, Netflix, Spotify and tons of gaming websites (Steam, PlayStation Network, etc.), dating apps, porn websites.
Tomi Engdahl says:
Radboud University researchers discover security flaws in widely used data storage devices
Date of news: 5 November 2018
https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
Researchers at Radboud University in the Netherlands have discovered that widely used data storage devices with self-encrypting drives do not provide the expected level of data protection. A malicious expert with direct physical access to widely sold storage devices can bypass existing protection mechanisms and access the data without knowing the user-chosen password.
Tomi Engdahl says:
ICS Devices Vulnerable to Side-Channel Attacks: Researcher
https://www.securityweek.com/ics-devices-vulnerable-side-channel-attacks-researcher
Tomi Engdahl says:
Radiation Isn’t the Only Risk Associated with Medical Imaging Devices
https://www.tripwire.com/state-of-security/healthcare/radiation-risk-medical-imaging-devices/
As a patient moves down the small, loud tunnel of an MRI tube, CT scan, or other high-powered radiology device, it’s safe to assume they believe the diagnostic benefits outweigh the risk of radiation exposure (and a possible claustrophobic-induced panic attack). In fact, only after understanding – and accepting — these risks is a patient permitted to proceed with the test. But, what additional risks could you be exposing yourself to while using a diagnostic imaging device?
According to a new project being spearheaded by the National Cybersecurity Center of Excellence (NCCoE) Healthcare Sector Community of Interest, cybersecurity is now considered a significant risk associated with medical imaging that must be better understood and addressed by the healthcare sector.
Tomi Engdahl says:
Brian Kemp is bad on cybersecurity
https://blog.erratasec.com/2018/11/brian-kemp-is-bad-on-cybersecurity.html
CITING NO EVIDENCE, BRIAN KEMP ACCUSES GEORGIA DEMOCRATS OF HACKING
https://www.wired.com/story/brian-kemp-georgia-democrats-hacking-claim/
IN DECEMBER 2016, Georgia secretary of state Brian Kemp accused the Department of Homeland Security of attempting to hack his office’s systems, which include the Georgia voter registration database. Six months later, the DHS inspector general concluded that the allegations were unfounded; someone on a DHS computer had simply visited the Georgia Secretary of State website. Now, two days before an election in which Kemp himself is the Republican candidate for governor, he has levied similarly unsupported charges—this time against his Democratic opponents.
Tomi Engdahl says:
“White hats are losers” – an attempt was made to kill Harri Hursti, the hacker hired to oversee the security of the US elections
https://www.tivi.fi/Kaikki_uutiset/valkohatut-ovat-surkimuksia-usa-n-vaalien-turvallisuutta-valvomaan-palkattu-hakkeri-harri-hursti-yritettiin-tappaa-6747992
The inquiries continued. Hursti set conditions that would be hard to meet. With this he tried to get rid of the people asking.
“There has to be an invitation from the head of the election commission. There has to be legal protection against prosecution.”
Ion Sancho, head of the Tallahassee election commission who had been in charge of the recount in the 2000 presidential election, called Hursti and promised him protection.
Eventually Hursti revealed that the voting result could be manipulated using memory cards. Documentaries and articles were made about him, and he became a security expert for the US government.
Nothing changed
“In 2005–2006 I believed that once these things were exposed, the problem would be fixed within a couple of years. It would never have occurred to me that the same software version and the same devices would still be in use and that we would still be discussing this.”
“Election information systems come from private companies. There is no regulation or licensing involved. It is a complete Wild West.”
The years have taught that what seems impossible can be possible.
“It would have been completely impossible to get me to believe everything I have seen over the past 15 years. That this system could be this miserable.”
As late as the 2016 presidential election, the US government’s number one threat scenario for voting was a dishonest candidate who would try to win by cheating.
The threat scenario was completely wrong, Hursti says.
“Nobody considered that there might be a well-funded or patient organization whose sole purpose may be to destroy faith in democracy.”
According to Hursti, the aim of Russia, among others, in hybrid warfare against Finland is to undermine social stability.
But where does hybrid warfare end? Physical war ultimately ends in death, but what about hybrid warfare?
“You are right. It does not necessarily have any logical conclusion. Perhaps the attacker gets what it wants and a revolution happens. Or it just goes on. The defender has no end game in it and no way to stop the warfare.”
“The only way to defend yourself is to develop a firewall inside your head that helps you sort messages, discard misinformation and make rational decisions.”
“Organizations do not understand how the enemy thinks. When I look at things through the enemy’s eyes, I bypass all the walls and think: nice that you built them, but I will now walk my own route to the destination.”
In 2013 an attempt was made on Hursti’s life. A man attacked him in Atlanta.
The suspected perpetrator was found dead.
“That’s life.”
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/kannabiskahvilat-terroristien-kohteina-kasikranaatteja-oviin-jos-lunnaita-ei-kuulu-6747808
Tomi Engdahl says:
Huawei denies foreign network hack reports
https://www.zdnet.com/article/huawei-denies-foreign-network-hack-reports/#ftag=RSSbaffb68
Huawei has pointed to its ‘unblemished record of cybersecurity’ following reports over the weekend that it helped the Chinese government gain access codes for a foreign network.
Huawei has denied that it assisted the Chinese government in infiltrating a foreign network to gain information, following reports over the weekend to the contrary.
“Huawei categorically denies it has ever provided, or been asked to provide, customer information for any government or organisation,” a Huawei spokesperson told ZDNet on Monday morning.
“These baseless accusations are made without any evidence whatsoever.”
The denial followed reports by The Australian that it had “confirmed from a national security source” that Huawei staffers were used by Chinese intelligence to “get access codes to infiltrate a foreign network”, including providing password and network details.
https://www.theaustralian.com.au/national-affairs/national-security/china-used-huawei-to-hack-network-says-secret-report/news-story/510d3b17c2791cbcac18f047c64ab9d8
Tomi Engdahl says:
Jon Porter / The Verge:
Chrome 71, which arrives next month, will block all ads on sites that have persistently shown abusive ads such as fake system messages
Chrome will soon ad-block an entire website if it shows abusive ads
Chrome 71 arrives next month
https://www.theverge.com/2018/11/5/18063906/chrome-71-update-abusive-ads-blocking-december-2018
Tomi Engdahl says:
Lily Hay Newman / Wired:
An expert says Georgia’s voter registration site looks poorly secured, but the secretary of state, a candidate for governor, appears to deflect blame to rivals
https://www.wired.com/story/brian-kemp-georgia-democrats-hacking-claim/
Tomi Engdahl says:
Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it’s really, really dumb)
Security experts frantically facepalming at stupid design
https://www.theregister.co.uk/2018/11/05/busted_ssd_encryption/
Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they’ve got their hands on the equipment.
A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical weaknesses. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data.
Basically, the cryptographic keys used to encrypt and decrypt the data are not derived from the owner’s password, meaning, you can seize a drive and, via a debug port, reprogram it to accept any password. At that point, the SSD will use its stored keys to cipher and decipher its contents. Yes, it’s that dumb.
“The analysis uncovers a pattern of critical issues across vendors,” according to the researchers. “For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys.”
In practice, the Radboud duo say they were able to decrypt the data on a number of SSDs simply by connecting to the drive’s debug interface on its circuit board and modifying the password-checking routine in the firmware to accept any passphrase before accessing the DEK to encrypt or decrypt the device.
One possible way to secure these devices, the boffins stated in their paper, is to ensure the secrets needed to decrypt a drive are stored off the equipment itself.
https://t.co/UGTsvnFv9Y
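An added illustration, not code from the paper or from any drive vendor, of the design point the article makes: if the DEK is merely gated by a password check, patching the check yields the data, whereas a DEK wrapped under a password-derived key is useless to a patched check. The "drive" classes, the SHA-256 counter-mode stand-in for the drive's AES, and the PBKDF2 parameters are all assumptions of this example.

```python
"""Two self-encrypting-drive designs side by side: password-gated DEK versus password-wrapped DEK."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the drive's AES engine: SHA-256 counter-mode keystream XORed over data.
    Symmetric (encrypt == decrypt). Illustrative only, not a production cipher."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the user password (PBKDF2 is an assumption here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)


class GatedDrive:
    """Flawed design: the DEK lives in the clear; the password only gates a yes/no check."""

    def __init__(self, password: str, dek: bytes):
        self.dek = dek
        self.pw_hash = hashlib.sha256(password.encode()).digest()

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self.pw_hash)

    def dek_for(self, password: str) -> bytes:
        return self.dek  # the password plays no part in producing the key

    def read(self, password: str, ciphertext: bytes) -> bytes:
        if not self.check_password(password):
            raise PermissionError("bad password")
        return keystream_xor(self.dek_for(password), ciphertext)


class WrappedDrive:
    """Sound design: only a wrapped copy of the DEK is stored; the password derives the KEK."""

    def __init__(self, password: str, dek: bytes):
        self.salt = os.urandom(16)
        kek = derive_kek(password, self.salt)
        self.wrapped_dek = keystream_xor(kek, dek)
        # Tag lets the firmware reject a wrong password instead of returning garbage.
        self.tag = hmac.new(kek, self.wrapped_dek, "sha256").digest()

    def check_password(self, password: str) -> bool:
        kek = derive_kek(password, self.salt)
        return hmac.compare_digest(hmac.new(kek, self.wrapped_dek, "sha256").digest(), self.tag)

    def dek_for(self, password: str) -> bytes:
        return keystream_xor(derive_kek(password, self.salt), self.wrapped_dek)

    def read(self, password: str, ciphertext: bytes) -> bytes:
        if not self.check_password(password):
            raise PermissionError("bad password")
        return keystream_xor(self.dek_for(password), ciphertext)


def read_with_check_skipped(drive, password: str, ciphertext: bytes) -> bytes:
    """Models firmware whose password check has been made to always succeed:
    the check is skipped and whatever DEK the drive can produce is used."""
    return keystream_xor(drive.dek_for(password), ciphertext)


def encrypt_for(drive, password: str, plaintext: bytes) -> bytes:
    """Write path: encrypt under the DEK the drive uses for this password."""
    return keystream_xor(drive.dek_for(password), plaintext)


if __name__ == "__main__":
    dek = os.urandom(32)
    secret = b"constructed sample: quarterly ledger"
    for cls in (GatedDrive, WrappedDrive):
        drive = cls("correct horse", dek)
        ct = encrypt_for(drive, "correct horse", secret)
        recovered = read_with_check_skipped(drive, "anything", ct)
        print(cls.__name__, "with check skipped:", "DATA EXPOSED" if recovered == secret else "garbage")
```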
Tomi Engdahl says:
https://www.tivi.fi/Kaikki_uutiset/pystymetsasta-tietoturva-ammattilaiseksi-f-securen-ja-yliopiston-maksuton-kurssi-kiinnostanut-kymmenia-tuhansia-6748095
Tomi Engdahl says:
HSBC Bank Notifies Customers of Data Breach
https://www.tripwire.com/state-of-security/security-data-protection/hsbc-bank-notifies-customers-of-data-breach/
HSBC Bank sent a letter to an undisclosed number of customers informing them of a data breach that might have exposed their personal information.
HSBC Bank is one of the largest banking and financial services organizations in the world. It maintains 7,500 offices in over 80 countries in Europe, Africa, the Americas, the Asia-Pacific region and the Middle East.
Tomi Engdahl says:
Voting systems in Wisconsin and Kentucky are running FTP. Seriously.
https://boingboing.net/2018/11/04/no-password-required-in-ky.html?fbclid=IwAR0hQFQLxntyCCm516EQfUS_s-t8anR-y7_0ZI6JrZYIBPtHz7QCs3Vd2TE
FTP — the “file transfer protocol” — is a long-supplanted Unix tool for transferring files between computers, once standard but now considered to be too insecure to use; so it’s alarming that it’s running on the voting information systems that will be used in elections in Wisconsin and Kentucky tomorrow.
The FBI has warned that “criminal actors” use FTP in targeting US voting systems. The Wisconsin Elections Commission and DHS have reported hacker attacks on Wisconsin voting machines in the 2016 elections.
Tomi Engdahl says:
Statistics Canada Asks for Banking Information of 500,000 Canadians
https://www.tripwire.com/state-of-security/security-awareness/statistics-canada/
Everyone knows that it’s not a matter of if your private information will be breached. It’s a matter of when. I don’t have much of an expectation of privacy these days.
Statistics Canada, our national statistics agency with a mandate that “ensures Canadians have the key information on Canada’s economy, society and environment that they require to function effectively as citizens and decision makers”, has asked for the personal banking information of 500,000 Canadians to be released to them.
This means that 1 in 20 Canadians will have all of their banking information and personally identifiable information turned over to a government agency that has failed security audits.
Many consider PCI to be the minimum amount of effort that an organization should invest in security.
While I’m often the first to say that we have to expect our privacy to be breached, we still need to work to prevent avoidable breaches. Given the history of the agency, along with the sensitivity of this data, everyone needs to pay close attention to this moving forward. The results could be disastrous.
Tomi Engdahl says:
This Tool Shows Exposed Cameras Around Your Neighbourhood
https://motherboard.vice.com/en_us/article/59vm4x/tool-exposed-cameras-map-shodan-python-github
Through a novel marrying of different tools, Kamerka can take an address, landmark, or coordinates and display exposed internet connected cameras on a map.
Tomi Engdahl says:
Strange snafu misroutes domestic US Internet traffic through China Telecom
Telecom with ties to China’s government misdirected traffic for two and a half years.
https://arstechnica.com/information-technology/2018/11/strange-snafu-misroutes-domestic-us-internet-traffic-through-china-telecom/
China Telecom, the large international communications carrier with close ties to the Chinese government, misdirected big chunks of Internet traffic through a roundabout path that threatened the security and integrity of data passing between various providers’ backbones for two and a half years, a security expert said Monday. It remained unclear if the highly circuitous paths were intentional hijackings of the Internet’s Border Gateway Protocol or were caused by accidental mishandling.
For almost a week late last year, the improper routing caused some US domestic Internet communications to be diverted to mainland China before reaching their intended destination, Doug Madory, a researcher specializing in the security of the Internet’s global BGP routing system, told Ars.
“We are describing the same thing in different ways,” he told Ars, speaking of the two-and-a-half-year event he documented and the two-month hijacking reported two weeks ago. “They may have only known about it for those two months in 2017, but I can guarantee you that it was going [on] for much longer.”
The domestic US traffic, in particular, “becomes an even more extreme example,” he told Ars. “When it gets to US-to-US traffic traveling through mainland China, it becomes a question of is this a malicious incident or is it accidental? It’s definitely concerning. I think people will be surprised to see that US-to-US traffic was sent through China Telecom for days.”
Tomi Engdahl says:
Browlock flies under the radar with complete obfuscation
https://blog.malwarebytes.com/threat-analysis/2018/11/browlock-flies-under-the-radar-with-complete-obfuscation/
Browlocks are the main driving force behind tech support scams, using a combination of malvertising and clever browser locker tricks to fool users. In fact, the effects can be so convincing that people call the rogue Microsoft support number for help because they believe their computer has been hijacked.
Tomi Engdahl says:
Stuxnet 2.0? Iran claims Israel launched new cyber attacks
President Rouhani’s phone “bugged,” attacks against network infrastructure claimed.
https://arstechnica.com/information-technology/2018/11/iran-accuses-israel-of-cyber-attacks-including-new-stuxnet/
Tomi Engdahl says:
HSBC now stands for Hapless Security, Became Compromised: Thousands of customer files snatched by crims
Bank fesses up: Hackers made off with folks’ personal details
https://www.theregister.co.uk/2018/11/06/hsbc_security_broken/
HSBC has admitted miscreants have probably made off with personal details of thousands of its online-banking customers.
The bank submitted paperwork [PDF] to the California Attorney General’s office late last week outlining its plan to notify folks of the significant data theft. California law requires that the AG be notified whenever a computer security breach affects 500 or more residents in the US state.
https://oag.ca.gov/system/files/Res%20102923%20PIB%20MAIN%20v3_1.pdf
Tomi Engdahl says:
Malicious Powershell Script Dissection
https://isc.sans.edu/diary/rss/24282
Tomi Engdahl says:
Supply-chain attack on cryptocurrency exchange gate.io
https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/
Latest ESET research shows just how far attackers will go in order to steal bitcoin from customers of one specific virtual currency exchange
On November 3, attackers successfully breached StatCounter, a leading web analytics platform. This service is used by many webmasters to gather statistics on their visitors – a service very similar to Google Analytics.
By compromising the StatCounter platform, attackers can inject JavaScript code in all websites that use StatCounter.
Attackers modified the script at http://www.statcounter.com/counter/counter.js by adding a piece of malicious code.
Tomi Engdahl says:
https://www.wired.com/story/midterms-2018-secure-election-day/
Tomi Engdahl says:
U-Boot’s Trusted Boot Validation Bypassed
https://www.bleepingcomputer.com/news/security/u-boots-trusted-boot-validation-bypassed/
Memory handling issues in the U-Boot open-source bootloader for embedded devices make possible multiple exploitation techniques that lead to arbitrary code execution.
U-Boot, short for the Universal Boot Loader, is a first-stage and second-stage bootloader. It is responsible for the initial hardware configuration and loading the operating system (OS) kernel.
It has support for a variety of architectures, including ARM, MIPS, and PowerPC. Among the types of devices it can initiate are Chromebooks, routers, and Amazon Kindle.
To ensure that authentic code is running on the system, U-Boot features ‘Verified Boot’ – its own version of Secure Boot – which verifies the integrity of the images it loads.
Barisani discloses two methods that leverage U-Boot’s lack of memory allocation restrictions. The flaws received the identifiers CVE-2018-18440 and CVE-2018-18439.
“The memory overwrite can directly lead to arbitrary code execution, fully controlled by the contents of the loaded image,” Barisani adds.
Tomi Engdahl says:
Apache Struts Users Told to Update Vulnerable Component
https://www.securityweek.com/apache-struts-users-told-update-vulnerable-component
Apache Struts developers are urging users to update a file upload library due to the existence of two vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks.
The team behind the open source development framework pointed out that the Commons FileUpload library, which is the default file upload mechanism in Struts 2, is affected by a critical remote code execution vulnerability.
Tomi Engdahl says:
UK Regulator Calls for Tougher Rules on Personal Data Use
https://www.securityweek.com/uk-regulator-calls-tougher-rules-personal-data-use
Tomi Engdahl says:
Hackers Target Telegram, Instagram Users in Iran
https://www.securityweek.com/hackers-target-telegram-instagram-users-iran
Hackers have been targeting Iranian users of Telegram and Instagram with fake login pages, app clones and BGP hijacking in attacks that have been ongoing since 2017, Cisco Talos reveals.
Banned in Iran, Telegram is a popular target for greyware, software that provides the expected functionality but is also suspicious enough to be considered a potentially unwanted program (PUP).
Tomi Engdahl says:
Uncle Sam, D-Link told to battle in court over claims of shoddy device security: Judge snubs summary judgment bids
No spittin’, no cussin’, either, Cali judge rules
https://www.theregister.co.uk/2018/11/06/dlink_ftc_denied/
America’s trade watchdog’s case against network device maker D-Link will go ahead next January – after a district judge rebuked the two sides for wasting money drawing up and filing demands for summary judgments.
The US Federal Trade Commission (FTC) brought its lawsuit against Taiwanese D-Link early last year in California, and in doing so griped about a host of alleged bad practices, including hard-coded passwords, command-injection vulnerabilities, misplaced security keys, and plaintext password storage in D-Link’s gear. These, the watchdog claimed, amounted to misrepresentation by a company that touted the advanced security of its products, and thus put buyers at risk.
Tomi Engdahl says:
Android fans get fat November security patch bundle – if the networks or mobe makers are kind enough to let ‘em have it
And Apple fixes Watch-killing security patch of its own
https://www.theregister.co.uk/2018/11/06/android_november_patches/
Tomi Engdahl says:
Microsoft Finds Pirated Windows on Too Many New Computers
Company also discovers malware and coin miners on these PCs
https://news.softpedia.com/news/microsoft-finds-pirated-windows-on-too-many-new-computers-523595.shtml
Microsoft has conducted its own investigation on the Asian new PC market, only to discover an insane number of computers sold with a pirated Windows license.
As reported by The Economic Times, Microsoft purchased PCs between May and July from Asian markets in an attempt to determine how many of them are shipped with counterfeit Windows licenses and malware pre-installed.
Tomi Engdahl says:
Researchers ‘Break’ Microsoft’s Edge With Zero-Day Remote Code Exploit
https://it.slashdot.org/story/18/11/06/0246239/researchers-break-microsofts-edge-with-zero-day-remote-code-exploit?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
Researchers ‘break’ Edge with zero-day remote code exploit
https://www.itpro.co.uk/zero-day-exploit/32294/researchers-break-edge-with-zero-day-remote-code-exploit
Tomi Engdahl says:
‘Almost All’ Pakistani Banks Hacked In Security Breach, Report Says
https://it.slashdot.org/story/18/11/06/2155237/almost-all-pakistani-banks-hacked-in-security-breach-report-says?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
The cybercrime wing of Pakistan’s Federal Investigation Agency has said data from “almost all” Pakistani banks was stolen in a recent security breach. FIA Cybercrimes Director retired Capt Mohammad Shoaib told Geo News that hackers based outside the country had breached the security systems of several local banks. “The hackers have stolen large amounts of money from people’s accounts,” he added.
‘Almost all’ Pakistani banks hacked in security breach, says FIA cybercrime head
https://www.dawn.com/news/1443970
“According to a recent report we have received, data from almost all Pakistani banks has been reportedly hacked,” FIA Cybercrimes Director retired Capt Mohammad Shoaib told Geo News on Tuesday.
“The hackers have stolen large amounts of money from people’s accounts,” he added.
“The recent attack on banks has made it quite clear that there is a need for improvement in the security system of our banks,” he observed.
It wasn’t immediately clear when exactly the security breach took place.
Sources told Dawn the State Bank of Pakistan (SBP) has been informed by several commercial banks that they have blocked international payments on debit and credit cards as a precautionary measure after cyber attacks on their clients’ accounts.
According to a digital security website krebsonsecurity.com, data of over 8,000 account holders of about 10 Pakistani banks was sold in a market of hackers.
The first cyber attack was reported by BankIslami on October 27.
Tomi Engdahl says:
Hackers seed StatCounter with nasty JavaScript in elaborate Bitcoin cyber-heist caper
Gate.io exchange believed to be target of embedded attack
https://www.theregister.co.uk/2018/11/06/statcounter_javascript_theft_scheme/
One of the top traffic metrics websites on the internet is apparently being used by criminals to steal Bitcoins from a currency exchange.
Researchers at ESET have found that the JavaScript used by StatCounter’s analytics platform has been modified by miscreants so that when embedded into the pages of Gate.io, a cryptocurrency exchange, it can siphon off alt-coins.
While millions of sites may have pulled in that modified code, however, it appears that just one site was the target.
Tomi Engdahl says:
How did Iran find CIA spies? They Googled it
https://arstechnica.com/tech-policy/2018/11/how-did-iran-find-cia-spies-they-googled-it/
Yahoo News report points to exposure of CIA communications causing deaths of dozens.
A covert “transitional” channel used for communicating with sources that Central Intelligence Agency handlers couldn’t reach directly was exposed and infiltrated by Iranian intelligence in 2009. The breakdown in operational security—which apparently relied heavily on security through obscurity—was the result of Iranian intelligence officials simply using Google to locate the websites used as the communications channel after a double-agent exposed the method used by the CIA, according to a report from Yahoo News’ Zach Dorfman and Jenna McLaughlin.
https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html
Tomi Engdahl says:
VirtualBox E1000 Guest-to-Host Escape
https://github.com/MorteNoir1/virtualbox_e1000_0day
A 0day vulnerability.
Tomi Engdahl says:
Shakespeare in a Zip in a RAR, Hidden in an Image on Twitter
https://hackaday.com/2018/11/07/shakespeare-in-a-zip-in-a-rar-hidden-in-an-image-on-twitter/
Steganography involves hiding data in something else — for example, encoding data in a picture. [David Buchanan] used polyglot files not to hide data, but to send a large amount of data in a single Twitter post. We don’t think it quite qualifies as steganography because the image has a giant red UNZIP ME printed across it. But without it, you might not think to run a JPG image through your unzip program.
What’s a polyglot file? JPEG images have an ICC (International Color Consortium) section that defines color profiles. While Twitter strips a lot of things out of images, it doesn’t take out the ICC section. However, the ICC section can contain almost anything that fits in 64 kB up to a limit of 16 MB total.
The ZIP format is also very flexible. The pointer to the central directory is at the end of the file. Since that pointer can point anywhere, it is trivial to create a zip file with extraneous data just about anywhere in the file.
Interestingly, even creating a thumbnail usually keeps the color profile data, so a Twitter thumbnail will still retain the payload.
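An added example, not [David Buchanan]'s code or the Hackaday post's: it builds a simplified JPEG-like container with a ZIP archive placed inside an APP2 (ICC) segment, shows that a standard ZIP reader still opens it because the end-of-central-directory record is located from the end of the file, and gives the check an upload pipeline could run to flag such dual-format files. The JPEG structure is reduced to SOI, one APP2 segment and EOI; the file name and text are constructed.

```python
"""JPEG/ZIP polyglot: why a zip reader tolerates a foreign prefix, and how to detect one."""
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8"          # start of image
JPEG_EOI = b"\xff\xd9"          # end of image
APP2 = b"\xff\xe2"              # marker whose payload carries ICC profile data
EOCD_SIG = b"PK\x05\x06"        # ZIP end-of-central-directory signature
MAX_SEGMENT_PAYLOAD = 0xFFFF - 2  # a JPEG segment length field is 16 bits (the 64 kB limit)


def build_zip(files: dict) -> bytes:
    """Ordinary ZIP archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_polyglot(zip_bytes: bytes) -> bytes:
    """Constructed JPEG-like file: SOI, one APP2 segment labelled as an ICC profile
    whose payload is the zip, then EOI. Real JPEGs carry more segments; the point
    is only that the zip sits behind a non-zip prefix and in front of trailing bytes."""
    payload = b"ICC_PROFILE\x00" + zip_bytes
    if len(payload) > MAX_SEGMENT_PAYLOAD:
        raise ValueError("zip too large for a single ICC segment")
    segment = APP2 + struct.pack(">H", len(payload) + 2) + payload
    return JPEG_SOI + segment + JPEG_EOI


def extract_embedded(blob: bytes) -> dict:
    """Open the blob with the standard zip reader. zipfile searches backwards for
    the EOCD record, then corrects every offset by the amount of leading data it
    finds, so the JPEG prefix does not stop it."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def looks_like_polyglot(blob: bytes) -> bool:
    """Defender check for an image pipeline: a file that starts like a JPEG and also
    carries a ZIP end-of-central-directory record is serving two formats at once."""
    return blob.startswith(JPEG_SOI) and blob.rfind(EOCD_SIG) > 0


def icc_segment_sizes(blob: bytes) -> list:
    """Sizes of APP2 segments; an ICC profile far larger than a real colour
    profile is another cheap signal worth alerting on."""
    sizes, pos = [], 2  # skip SOI
    while pos + 4 <= len(blob) and blob[pos] == 0xFF and blob[pos:pos + 2] != JPEG_EOI:
        marker, length = blob[pos:pos + 2], struct.unpack(">H", blob[pos + 2:pos + 4])[0]
        if marker == APP2:
            sizes.append(length - 2)
        pos += 2 + length
    return sizes


if __name__ == "__main__":
    files = {"sonnet.txt": b"Shall I compare thee to a summer's day? (constructed sample)"}
    blob = build_polyglot(build_zip(files))
    print("polyglot detected:", looks_like_polyglot(blob), "ICC sizes:", icc_segment_sizes(blob))
    print("unzipped from the image:", extract_embedded(blob))
```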
Tomi Engdahl says:
Intel’s David Hoffman proposes a new, comprehensive privacy law in the U.S. and is seeking input on the latest draft.
Intel Solicits Feedback on U.S. Privacy Law Proposal
https://blogs.intel.com/policy/2018/11/05/intel-solicits-feedback-on-u-s-privacy-law-proposal/
Intel is experimenting with a new approach to participatory democracy. We have created a website on which we have posted our recommended draft for a comprehensive U.S. privacy law. The website has a portion where privacy law experts are providing feedback on the draft, and for the public to provide comments. We are going to keep the discussion going for two weeks and then will revise our draft.
Intel’s Approach to Privacy
https://usprivacybill.intel.com/
Recent discussion about the need for a US federal law inspired us to draft a bill that will optimize for both innovation and protecting privacy.
We have invited some of the country’s top privacy experts to discuss the draft on this site. We also want to hear from you. Read our bill, follow along with the experts, and add your own voice to the public discussion
Tomi Engdahl says:
Dutch cops hope to cuff ‘hundreds’ of suspects after snatching server, snooping on 250,000+ encrypted chat texts
BlackBox IronPhones’ IronChat app convos intercepted
https://www.theregister.co.uk/2018/11/07/dutch_police_black_box/
Tomi Engdahl says:
New Chrome version aims to remove all ads from abusive sites
The move is part of Google’s continued clampdown on adverts that are intended to hoodwink users
https://www.welivesecurity.com/2018/11/07/chrome-71-remove-ads-abusive-sites/
Tomi Engdahl says:
Compromising vital infrastructure: transport and logistics
https://blog.malwarebytes.com/101/business/2018/11/compromising-vital-infrastructure-transport-logistics/
In this post, we will focus on the main skeleton of our logistics infrastructure: the mass transportation of goods over the surface of the earth. How do the goods that we use every day make their way into the warehouses, stores, or factories that need them? We will deal with air and public transportation separately, as they use completely different infrastructures in order to function.