At an event organised by UNESCO, the French leader set out his ambitions for stronger international regulation of the Internet and better cooperation on cyber-attacks, foreign meddling in elections, online censorship and hate speech.
But the refusal of Washington DC, Moscow and Beijing to sign up to the agreement represents a serious blow for the initiative.
“The internet is a space currently managed by a technical community of private players. But it’s not governed. So now that half of humanity is online, we need to find new ways to organize the internet,” a French official said. “Otherwise, the internet as we know it today — free, open and secure — will be damaged by the new threats.”
Fresh from belatedly admitting that 9.4 million passengers’ personal data was stolen by hackers, Hong Kong airline Cathay Pacific has now admitted that it was under attack for three solid months before it took half a year to tell anyone.
In its initial public statement on the hack, which saw names, nationalities, dates of birth, addresses, some people’s passport numbers, email addresses and more heading from its secure servers into the hands of as-yet unidentified miscreants, Cathay said it had detected “suspicious activity” beginning in March 2018.
“During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention,” said the airline in its written submission to local legislators.
The airline has set up a dedicated website for people who think their personal data may have gone walkies.
Windows 10 users don’t have to wait much longer for the support of latest WPA3 Wi-Fi security standard, a new blog post from Microsoft apparently revealed.
The third version of Wi-Fi Protected Access, in-short WPA3, is the next generation of the wireless security protocol that has been designed to make it harder for attackers to hack WiFi passwords.
WPA3 was officially launched earlier this year, but the new WiFi security standard won’t arrive overnight. Most device manufacturers could take months to get their new routers and networking devices certified by the Wi-Fi Alliance to support WPA3.
WPA3-Personal (SAE) Support in Windows 10
Though Microsoft hasn’t yet officially announced WPA3 support for its Windows 10 operating system, new APIs introduced in the newly released Windows 10 SDK Preview build 18272, as marked in the screenshot below, indicate that Windows users would soon be getting support for the new protocol.
Besides this, Tim Cappalli, an engineer at Aruba Security, in a tweet claimed that he also spotted WPA3-Personal (SAE) available in the Windows 10 Insider build 18252.100 while manually configuring a wireless network.
Another Windows user confirmed the WPA3-Personal availability in the latest Insider build version but also mentioned that it’s not currently working as intended.
Recommendations will depend on how an environment is configured; it’s best to dig into the report for available mitigations before sharing the results outside your organization. If the report comes up with an unpatched vulnerability that has no mitigations, please send us the report and POC.
StatCounter has fixed the issue and Gate.io has removed the script from its site.
Faou says the malicious code was first added to this StatCounter script over the weekend, on Saturday, November 3. The code is still live, as this screenshot taken before the article’s publication can attest.
According to a PublicWWW search, there are over 688,000 websites that currently appear to load the company’s tracking script.
But according to Faou, none of these companies have anything to fear, at least for now. This is because the malicious code inserted into StatCounter’s site-tracking script only targets the users of one site – cryptocurrency exchange Gate.io.
The ESET researcher says that the malicious code looks at the page’s current URL and won’t activate unless the page link contains the “myaccount/withdraw/BTC” path.
The StatCounter incident is just the latest incident in a long list of recent supply-chain attacks via third-party JavaScript code loaded on legitimate sites. In the past year, miscreants have hacked several online services to deliver in-browser cryptocurrency-mining scripts or card-skimming code to unsuspecting users.
“This [incident] is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice,”
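The check that follows from the quote above, as an added example that is not StatCounter’s, Gate.io’s or ESET’s code: pin a Subresource Integrity (SRI) hash for a third-party script and verify any later copy against it. The two script bodies are constructed stand-ins, and the injected condition only mimics the URL-path gating the article describes.

```python
"""Pin and verify a Subresource Integrity (SRI) hash for a third-party script.

Added example; not StatCounter's, Gate.io's or ESET's code. The two script
bodies below are constructed stand-ins: KNOWN_GOOD is what a site owner
reviewed and pinned, TAMPERED is the same body with a payload gated on the
URL path, as the article describes."""
import base64
import hashlib
import hmac
import re

KNOWN_GOOD = "var sc_project=12345;var sc_security='abc123';"  # constructed
TAMPERED = KNOWN_GOOD + (                                       # constructed
    "if(location.href.indexOf('myaccount/withdraw/BTC')>-1)"
    "{/* payload would rewrite the withdrawal address here */}"
)

SRI_ALGOS = ("sha256", "sha384", "sha512")
_TOKEN_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$")


def sri_hash(body: str, algo: str = "sha384") -> str:
    """Return an integrity attribute value ('sha384-<base64 digest>') for a script body.

    Browsers hash the raw response bytes, so the body is hashed as UTF-8 exactly
    as served: any change, including whitespace, yields a different value."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: str, integrity: str) -> bool:
    """True if the body matches at least one token of a space-separated integrity list.

    Mirrors the browser rule: when several tokens are listed, any single match passes."""
    for token in integrity.split():
        m = _TOKEN_RE.match(token)
        if not m:
            raise ValueError(f"malformed integrity token: {token!r}")
        if hmac.compare_digest(sri_hash(body, m.group(1)), token):
            return True
    return False


def script_tag(src: str, pinned_body: str) -> str:
    """Emit the <script> tag a site would ship. crossorigin is required for SRI on a
    cross-origin script; without it the browser cannot check the hash at all."""
    return (f'<script src="{src}" integrity="{sri_hash(pinned_body)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(KNOWN_GOOD)
    # hypothetical URL, not StatCounter's
    print(script_tag("https://example.invalid/counter.js", KNOWN_GOOD))
    print("unchanged copy passes:", sri_matches(KNOWN_GOOD, pinned))
    print("tampered copy passes: ", sri_matches(TAMPERED, pinned))
```

SRI only helps when the script body is expected to stay fixed: a counter or tag-manager script that the vendor legitimately updates will fail the check just like a tampered one, so in practice the choice is between self-hosting a reviewed copy and re-auditing on every hash change. A Content Security Policy that restricts where scripts may load from and where the page may connect to is the complementary control, since it limits what a modified script can do even when it is loaded.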
How much higher are the odds that your device will be exposed to malware if you download apps from outside Google Play or if you use one of Android’s older versions? Google has the numbers
A Connecticut man who’s earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their Web sites secretly operated a service that leveraged these same flaws to sell their customers’ personal data, KrebsOnSecurity has learned.
In May 2018, ZDNet ran a story about the discovery of a glaring vulnerability in the Web site for wireless provider T-Mobile that let anyone look up customer home addresses and account PINs. The story noted that T-Mobile disabled the feature in early April after being alerted by a 22-year-old “security researcher” named Ryan Stevenson, and that the mobile giant had awarded Stevenson $1,000 for reporting the discovery under its bug bounty program.
Likewise, AT&T has recognized Stevenson for reporting security holes in its services.
Stevenson’s Linkedin profile — named “Phobias” — says he specializes in finding exploits in numerous Web sites
Coincidentally, I came across multiple variations on this Phobia nickname as I was researching a story published this week on the epidemic of fraudulent SIM swaps
This week’s SIM swapping story quoted one recent victim who lost $100,000 after his mobile phone number was briefly stolen in a fraudulent SIM swap.
the perpetrators of his attack were able to access his T-Mobile account information using a specialized piece of software that gave them backdoor access to T-Mobile’s customer database.
Both the Santa Clara investigators and T-Mobile declined to confirm or deny the existence of this software.
I found that as late as June 2018 Ryan was offering a service that he claimed was capable of “doxing any usa carrier,” including Verizon, AT&T, Sprint, T-Mobile, MetroPCS and Boost Mobile.
“All I need is the number,” Ryan said of his customer data lookup service, which he sold for $25 per record. “Payment BTC [bitcoin] only.”
Researchers have proven lots of side channel vulnerabilities in CPUs that pose security risks. However, this time, researchers have demonstrated a vulnerability in GPUs as well. Their work revolved around proving the possibility of a side-channel attack on Graphics Processing Units. From the results obtained, they concluded that GPU vulnerability to side channel attacks could lead to privacy and security breaches. This includes everything from spying on user activity to allowing hackers into cloud services.
Overall, our Security Advisory Services team found that, whilst many users coped well with the attempts to phish them, a significant number of users did not. As a result, our recommendations for end users included:
Remind users that they should not follow untrusted links and/or submit credentials to untrusted websites
Ensure that users know what to do if they accidentally access an untrusted website (the answer is not to ‘blindly panic’!)
Remind users that responding by email can be as dangerous as following untrusted links, and that email headers can be routinely forged
Provide users with training on how to use social networks securely
Additionally, we also advised the customer that their blue team (including the SOC, platform owners etc) ought to (at a minimum) perform the following actions:
Ensure that system clocks are correctly synchronised across all key systems
Check DNS server caches and logs for our malicious domains and staging box IP addresses
Check mail server logs for our malicious domains and staging box IP addresses
Determine the scores with all inbound emails from our malicious domains to establish on what grounds they were accepted and delivered
Check web proxy logs for our malicious domains and staging box IP addresses
Investigate whether the mail server and web proxy can take custom filters to support activities such as greylisting for all non-role account addresses
Ensure that mail servers do not leak sensitive information
Check that all mobile devices use a VPN that prevents split tunneling to connect back into the main network, and only access the Internet through the VPN tunnel
Scan internal systems for known file hashes corresponding to the files used during the exercise
Ensure that any systems with identifiably out-of-date client software are included in asset management systems and that there are processes to patch them regularly
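One way to run the log checks in the list above in a single pass, as an added example that is not part of the original post: sweep DNS, mail and proxy logs plus a file-hash inventory for the exercise’s indicators, and report which indicators never surfaced anywhere (an indicator with no hits in any source usually means a telemetry gap rather than a clean network). All indicators, log lines and log formats are constructed stand-ins, not any vendor’s real format.

```python
"""Sweep DNS, mail and proxy logs and a file-hash inventory for a phishing
exercise's indicators.

Added example, not part of the original post. Domains, IPs, hashes and every
log line below are constructed; the line formats only loosely resemble BIND,
Postfix and Squid output."""
import re

# Constructed indicators handed over by the red team after the exercise.
IOCS = {
    "domains": {"login-portal-example.test", "mail-secure-example.test"},
    "ips": {"198.51.100.23", "203.0.113.9"},
    "hashes": {"0123456789abcdef0123456789abcdef"},
}

# Constructed log excerpts, one list per source.
LOGS = {
    "dns": [
        "13-Nov-2018 09:12:01.123 client 10.0.0.5#51432: query: login-portal-example.test IN A + (10.0.0.2)",
        "13-Nov-2018 09:12:07.441 client 10.0.0.7#40021: query: www.example.org IN A + (10.0.0.2)",
        "13-Nov-2018 09:15:30.002 client 10.0.0.9#53311: query: cdn.login-portal-example.test IN A + (10.0.0.2)",
    ],
    "mail": [
        "Nov 13 09:11:58 mx1 postfix/smtpd[1234]: connect from mail-secure-example.test[198.51.100.23]",
        "Nov 13 09:11:59 mx1 postfix/smtpd[1234]: 7F2A1: client=mail-secure-example.test[198.51.100.23]",
        "Nov 13 09:20:10 mx1 postfix/smtpd[1300]: connect from mail.example.org[192.0.2.10]",
    ],
    "proxy": [
        "1542100330.123 245 10.0.0.5 TCP_MISS/200 1423 GET http://login-portal-example.test/owa/ - HIER_DIRECT/198.51.100.23 text/html",
        "1542100400.777 12 10.0.0.7 TCP_HIT/200 3210 GET http://www.example.org/ - NONE/- text/html",
    ],
    "hashes": [
        "10.0.0.5 C:\\Users\\bob\\Downloads\\invoice.doc 0123456789abcdef0123456789abcdef",
        "10.0.0.7 C:\\Users\\amy\\Downloads\\report.pdf fedcba9876543210fedcba9876543210",
    ],
}

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)


def domain_ioc(host, domains):
    """Return the IOC domain that host equals or sits under, else None.
    Suffix matching catches cdn.<domain> style hosts a plain string lookup misses."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def sweep(logs=LOGS, iocs=IOCS):
    """Return {(source, line_no): [matched IOC, ...]} for every line touching an IOC.
    Matches are recorded as the canonical IOC value so they can be tallied later."""
    hits = {}
    for source, lines in logs.items():
        for n, line in enumerate(lines, 1):
            found = []
            for host in DOMAIN_RE.findall(line):
                d = domain_ioc(host, iocs["domains"])
                if d and d not in found:
                    found.append(d)
            for ip in IP_RE.findall(line):
                if ip in iocs["ips"] and ip not in found:
                    found.append(ip)
            for h in HASH_RE.findall(line):
                if h.lower() in iocs["hashes"] and h.lower() not in found:
                    found.append(h.lower())
            if found:
                hits[(source, n)] = found
    return hits


def unseen_iocs(hits, iocs=IOCS):
    """Indicators that appeared in no source: candidates for a logging or retention gap."""
    seen = {i for found in hits.values() for i in found}
    return {i for group in iocs.values() for i in group} - seen


if __name__ == "__main__":
    result = sweep()
    for (source, n), found in sorted(result.items()):
        print(f"{source}:{n} -> {', '.join(found)}")
    print("never seen:", sorted(unseen_iocs(result)))
```

The order of the sources matters less than having all of them: the DNS hit on a client that never appears in the proxy log is itself a finding (direct egress or a bypassed proxy), and an IOC that never appears anywhere, as the second staging IP does here, points at a log source that is missing or has already rotated.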
Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans.
The Centers for Medicare and Medicaid Services (CMS) said in a post buried on its website that the hackers obtained “inappropriate access” to a number of broker and agent accounts, which “engaged in excessive searching” of the government’s healthcare marketplace systems.
Guess who’s back, back again? China’s back, hacking your friends: Beijing targets American biz amid tech tariff tiff
Every little thing Xi does is magic, everything Xi do just turns me intrusion alarms on https://www.theregister.co.uk/2018/11/09/china_hacking_usa/
Three years after the governments of America and China agreed not to hack corporations in each other’s countries, experts say Beijing is now back to its old ways.
And if that’s the case, we can well imagine Uncle Sam having a pop back.
The Battle for Privacy in the United States is Just Beginning
The European Union has one primary over-arching data law that covers the entire EU (and reaches non-European countries that collect and store personal data on European citizens). The United States has historically taken a different approach to data laws – individual responses to specific concerns.
The result is that while the EU has one basic law covering data protection, privacy controls and breach notification (GDPR), the U.S. has a patchwork of state and federal laws, common law and public and private enforcement that has evolved over the last 100 years and more.
Every state now has its own breach notification law. California started the ball rolling in 2003 with the first state legislation.
A Windows zero-day vulnerability addressed this week by Microsoft with its November 2018 Patch Tuesday updates has been exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.
The security hole, tracked as CVE-2018-8589, allows an attacker to elevate privileges on a compromised Windows 7 or Windows Server 2008 system.
Microsoft’s Patch Tuesday updates for November 2018 address more than 60 vulnerabilities, including zero-days and publicly disclosed flaws.
Researchers at Kaspersky Lab informed Microsoft of a privilege escalation vulnerability in Windows that has been actively exploited by malicious actors. The flaw, tracked as CVE-2018-8589, allows an attacker to execute arbitrary code in the context of the local user. The issue, caused due to the way Windows handles calls to Win32k.sys, only affects Windows 7 and Windows Server 2008.
The weakness, identified as CVE-2018-8584, is related to the Advanced Local Procedure Call (ALPC), and Microsoft says an authenticated attacker can use it to elevate privileges and take control of a vulnerable system. Windows 10 and recent versions of Windows Server are impacted.
Adobe has released Patch Tuesday updates for Flash Player, Acrobat and Reader, and Photoshop CC to address three vulnerabilities – one in each product.
According to Adobe, exploitation of the flaw, tracked as CVE-2018-15979, “could lead to an inadvertent leak of the user’s hashed NTLM password.”
At least seven different cybercrime groups referred to as “Magecart hackers” are placing digital credit card skimmers on compromised e-commerce sites, Flashpoint and RiskIQ reveal in a joint report.
Active since at least 2015, the Magecart hackers steal credit card information by placing digital skimmers on the websites they visit.
Although the hackers managed to remain unnoticed for about three years, they gained a lot of attention lately, after targeting high-profile online destinations, including Ticketmaster, British Airways, and Newegg.
The world’s biggest airline data breach, affecting millions of Cathay Pacific customers, was the result of a sustained cyber attack that lasted for three months, the carrier admitted, while insisting it was on alert for further intrusions.
The Hong Kong-based firm was subjected to continuous breaches that were at their “most intense” from March to May but continued after, it said in a written submission to the city’s Legislative Council ahead of a panel hearing on Wednesday.
It also looked to explain why it took until October 24 to reveal that 9.4 million passengers had been affected, with hackers getting access to personal information including dates of birth, phone numbers and passport numbers.
Six months ago, the European Union’s General Data Protection Regulation, or GDPR, took effect, threatening companies worldwide with massive fines if they didn’t look after customer data properly. Fresh research suggests it’s making a difference in Europe — but not so much for U.S. web users.
The personal information of American charity donors, political party supporters, and online shoppers has continued to quietly leak onto the internet as a result of poor website security practices, new research shows. As many as one in five e-commerce sites in the U.S. are still leaving their customers exposed, Philadelphia-based search marketing company Seer Interactive said Monday.
Using simple Google searches, similar to methods examined by Seer, Bloomberg was able to access sensitive user information from a wide range of randomly chosen U.S. websites.
These examples were discovered by requesting results for terms such as “firstname,” “print,” or “@gmail.com” and restricting the queries to subdomains on company web addresses, such as “shop.companyname.com.”
The vulnerability can be caused by a number of basic errors, one of which is that if a website lets a user share a transaction on social media — such as to promote a charitable donation — a search engine can see their post, and from there index the original web page, whether the user knows this or not. With no security protection in place, these pages are available to anyone.
A spokesman for Alphabet Inc.’s Google said the company provides documentation to help webmasters prevent this happening, and that it only serves information available on the public web.
While individually the data may be seen as harmless, in the hands of a cyber-criminal it could be used fraudulently, said Melson.
The widespread leak of data is emblematic “of a wider cultural problem businesses have towards data,”
He said such low-level leaks were why Europe’s GDPR legislation was required. The law mandates that companies have to take technical precautions such as encryption to ensure all client data is protected. It also states that firms must notify authorities about breaches within 72 hours of learning about them. Violations of GDPR rules may lead to fines of as much as 4 percent of a company’s global annual sales.
Melson said the affected websites Seer had identified as vulnerable were “largely” U.S.-based. “We’re finding significantly fewer U.K. companies,”
In a previous blog we highlighted a vulnerability in Chrome that allowed bad actors to steal Facebook users’ personal information; and, while digging around for bugs, thought it prudent to see if there were any more loopholes that bad actors might be able to exploit.
What popped up was a bug that could have allowed other websites to extract private information about you and your contacts.
Having reported the vulnerability to Facebook under their responsible disclosure program in May 2018, we worked with the Facebook Security Team to mitigate regressions and ensure that the issue was thoroughly resolved.
If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card details from unwary shoppers.
558 Comments
Tomi Engdahl says:
Azorult Malware Advertised for Sale on Darknet Forums
https://darkwebnews.com/hacking/azorult-malware-for-sale-darknet-forums/
Cybercrime has been greatly assisted by the free sale of hacking tools via the dark web.
Tomi Engdahl says:
https://en.m.wikipedia.org/wiki/Van_Eck_phreaking
Tomi Engdahl says:
Alarm over talks to implant UK employees with microchips
https://www.theguardian.com/technology/2018/nov/11/alarm-over-talks-to-implant-uk-employees-with-microchips?CMP=share_btn_fb
Trades Union Congress concerned over tech being used to control and micromanage
Tomi Engdahl says:
Hacking Team Hacker Phineas Fisher Has Gotten Away With It
https://motherboard.vice.com/en_us/article/3k9zzk/hacking-team-hacker-phineas-fisher-has-gotten-away-with-it
Leaked court documents show that Italian authorities have no idea who hacked the government spyware maker Hacking Team.
Tomi Engdahl says:
CSS Keylogger – old is new again
https://www.youtube.com/watch?v=oJ6t7AImTdE
This is “well known” research that resurfaces every other year. Let me tell you a story of how I heard about this in 2012 and put it into perspective.
Tomi Engdahl says:
Does wiping your iPhone count as destroying evidence?
https://nakedsecurity.sophos.com/2018/11/13/does-wiping-your-iphone-count-as-destroying-evidence/
Police are accusing a 24-year-old woman, arrested in connection with a drive-by shooting, of remote-wiping her iPhone and thereby destroying evidence – a felony offense.
Her defense: I don’t even know how to do that!
Tomi Engdahl says:
Annoyed Researcher Disclosed Zero-Day Vulnerability In VirtualBox Without Informing Oracle
https://latesthackingnews.com/2018/11/11/annoyed-researcher-disclosed-zero-day-vulnerability-in-virtualbox-without-informing-oracle/
A researcher has allegedly discovered a zero-day vulnerability in VirtualBox. Though discovering zero-day bugs isn’t anything distinct, what makes this report interesting is that the researcher disclosed the flaw publicly without informing the vendors. So, we may not expect a patch anytime soon.
As explained, this zero-day vulnerability in VirtualBox can allow an attacker with root access to escape the virtual environment and gain access to the underlying OS.
Zelenyuk shared his findings in a detailed write-up on Github
Tomi Engdahl says:
Wall Street Journal:
Some Google services were temporarily unreachable for some users due to internet traffic being misdirected; Google believes cause was external, will investigate — Internet giant says issue has been resolved and it will conduct an investigation — Google services were temporarily unreachable …
Google Internet Traffic Is Briefly Misdirected Through Russia, China
https://www.wsj.com/articles/google-internet-traffic-is-briefly-misdirected-through-russia-china-1542068392
Internet giant says issue has been resolved and it will conduct an investigation
Google services were temporarily unreachable for some users after some traffic intended to reach the web giant was rerouted through other networks.
Tomi Engdahl says:
Wall Street Journal:
US officials and cybersecurity firms looking for evidence of foreign interference say Russian hackers mostly sat on the sidelines during the midterm elections — U.S. officials and cybersecurity firms cite a number of reasons 2018 wasn’t like 2016 — SAN FRANCISCO—After unleashing …
Russian Hackers Largely Skipped the Midterms, and No One Really Knows Why
https://www.wsj.com/articles/russian-hackers-largely-skipped-the-midterms-and-no-one-really-knows-why-1542054493
U.S. officials and cybersecurity firms cite a number of reasons 2018 wasn’t like 2016
After unleashing widespread cyberattacks and disinformation warfare on the U.S. during the 2016 presidential election, Russia’s trolls and hackers mostly appeared to have sat on the sidelines during the campaign ahead of last week’s midterm elections.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
Leaked court documents show that Italian authorities have given up catching Phineas Fisher, the person who hacked the government spyware maker Hacking Team — Leaked court documents show that Italian authorities have no idea who hacked the government spyware maker Hacking Team.
Hacking Team Hacker Phineas Fisher Has Gotten Away With It
https://motherboard.vice.com/en_us/article/3k9zzk/hacking-team-hacker-phineas-fisher-has-gotten-away-with-it
Leaked court documents show that Italian authorities have no idea who hacked the government spyware maker Hacking Team.
Tomi Engdahl says:
THE US SITS OUT AN INTERNATIONAL CYBERSECURITY AGREEMENT
https://www.wired.com/story/paris-call-cybersecurity-united-states-microsoft/
During a speech at the annual UNESCO Internet Governance Forum in Paris Monday, French President Emmanuel Macron announced the “Paris Call for Trust and Security in Cyberspace,” a new initiative designed to establish international norms for the internet, including good digital hygiene and the coordinated disclosure of technical vulnerabilities.
Tomi Engdahl says:
Google goes down after major BGP mishap routes traffic through China
https://arstechnica.com/information-technology/2018/11/major-bgp-mishap-takes-down-google-as-traffic-improperly-travels-to-china/
Google says it doesn’t believe leak was malicious despite suspicious appearances.
Tomi Engdahl says:
Using Machine Learning to Cluster Malicious Network Flows From Gh0st RAT Variants
https://blog.trendmicro.com/trendlabs-security-intelligence/using-machine-learning-to-cluster-malicious-network-flows-from-gh0st-rat-variants/
To address this growing number of network threats and keep abreast with the changing sophistication of network intrusion methods, Trend Micro looked into network flow clustering — a method that leverages the power of machine learning in strengthening current intrusion detection techniques.
Network anomalies can be discovered by examining flow data because they contain information useful for analyzing traffic composition of varying applications and services in the network. To efficiently label and process large amounts of said data through clustering, we used a semi-supervised learning approach. These labels will then be used to discern relationships between different malware families, as well as to know how they differ from one another.
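A minimal sketch of the flow-clustering idea in the post above, as an added example that is not Trend Micro’s code: a handful of analyst-labelled flows seed the cluster centroids, k-means assigns the unlabelled flows, and the seed labels propagate to whatever lands in the same cluster. The post does not say which semi-supervised method Trend Micro used; seeded k-means is a stand-in chosen for being small enough to read. The five-feature flow representation, the flow records and the variant names are all constructed for illustration.

```python
"""Seeded (semi-supervised) k-means over per-flow features.

Added example, not Trend Micro's code. The feature set, the flow records and
the variant names are constructed; seeded k-means stands in for whichever
semi-supervised method the write-up actually used."""
import math

# Feature order: bytes_out, bytes_in, pkts_out, pkts_in, duration_s
# Constructed flows: (flow id, features, analyst label or None).
FLOWS = [
    ("f1", (120, 80, 3, 2, 1.0), "variant_beacon"),       # small periodic check-in
    ("f2", (130, 90, 3, 2, 1.2), None),
    ("f3", (110, 85, 3, 2, 0.9), None),
    ("f4", (900000, 4000, 700, 300, 45.0), "variant_upload"),   # bulk exfiltration
    ("f5", (850000, 3800, 660, 280, 42.0), None),
    ("f6", (950000, 4200, 720, 310, 48.0), None),
    ("f7", (500, 250000, 20, 200, 8.0), "variant_download"),    # pulls a second stage
    ("f8", (520, 240000, 19, 190, 7.5), None),
]


def zscore(vectors):
    """Standardise each feature so byte counts do not swamp packet counts."""
    n, dim = len(vectors), len(vectors[0])
    means = [sum(v[j] for v in vectors) / n for j in range(dim)]
    stds = [math.sqrt(sum((v[j] - means[j]) ** 2 for v in vectors) / n) or 1.0
            for j in range(dim)]
    return [tuple((v[j] - means[j]) / stds[j] for j in range(dim)) for v in vectors]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroid(points):
    dim = len(points[0])
    return tuple(sum(p[j] for p in points) / len(points) for j in range(dim))


def seeded_kmeans(flows=FLOWS, iterations=20):
    """Cluster flows around centroids initialised from the labelled seeds.

    Seeds keep their label on every iteration so a cluster can never drift away
    from (or lose) the analyst's ground truth; unlabelled flows take the label of
    the nearest centroid. Returns (label per flow id, final centroid per label)."""
    ids = [f[0] for f in flows]
    X = zscore([f[1] for f in flows])
    labels = [f[2] for f in flows]
    names = sorted({l for l in labels if l})
    cents = {name: centroid([x for x, l in zip(X, labels) if l == name]) for name in names}
    assign = {}
    for _ in range(iterations):
        assign = {i: min(cents, key=lambda c: dist(x, cents[c])) for i, x in zip(ids, X)}
        for i, l in zip(ids, labels):
            if l:
                assign[i] = l
        new = {name: centroid([x for i, x in zip(ids, X) if assign[i] == name]) for name in names}
        if new == cents:
            break
        cents = new
    return assign, cents


def family_distances(cents):
    """Pairwise centroid distances: how far apart the variants' traffic profiles sit."""
    names = sorted(cents)
    return {(a, b): round(dist(cents[a], cents[b]), 2) for a in names for b in names if a < b}


if __name__ == "__main__":
    assign, cents = seeded_kmeans()
    for fid, label in assign.items():
        print(fid, label)
    for pair, d in family_distances(cents).items():
        print(pair, d)
```

The z-scoring step is what makes this usable on real flow records: without it the byte counters dominate the distance and every other feature is ignored. With more variants the same loop works unchanged, but the seeds have to cover every family you expect to see, since an unlabelled family will be forced into the nearest existing cluster rather than forming its own.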
Tomi Engdahl says:
Twitter, those ‘verified’ bitcoin-pushing pillocks are pissing everyone off
https://techcrunch.com/2018/11/12/twitter-those-verified-bitcoin-pushing-pillocks-are-pissing-everyone-off/?utm_source=tcfbpage&sr_share=facebook
These “get rich quick” scams are fairly simple. A hacker hijacks a verified Twitter account using stolen or leaked passwords. Then, the hacker swaps the account’s name, bio and photo — almost always to mirror Elon Musk — and drops a reply with “here’s where to send your bitcoin,” or something similar.
The end result appears as though Musk is responding to his own tweet, and nudging hapless bitcoin owners to drop their coins into the scammer’s coffers.
Tomi Engdahl says:
US, Russia, China don’t sign Macron’s cyber pact
https://www.zdnet.com/article/us-russia-china-dont-sign-macrons-cyber-pact/#ftag=RSSbaffb68
New cyber peace pact signed by 51 other countries, 224 companies, and 92 non-profits and advocacy groups.
Tomi Engdahl says:
Hitman 2’s Denuvo Protection Cracked Three Days Before Launch
https://torrentfreak.com/hitman-2s-denuvo-protection-cracked-three-days-before-launch-181112/
Hitman 2 is due to hit the streets on November 13, protected by the most up-to-date variant of Denuvo’s anti-tamper technology. However, a cracking group appears to have obtained a version of the game destined for pre-order buyers, cracked it, and released it online three days early. Just last week, Denuvo suggested that four days protection could prove significant for game sales.
Tomi Engdahl says:
Iranian hackers suspected in cyber breach and extortion attempt on Navy shipbuilder Austal
https://www.abc.net.au/news/2018-11-13/iranian-hackers-suspected-in-austal-cyber-breach/10489310
Iranian hackers are believed to be responsible for a cyber security breach and extortion attempt on Australia’s biggest defence exporter.
Perth-based shipbuilder Austal earlier this month revealed an “unknown offender” had hacked into its computer systems, accessing staff email addresses and phone numbers as well as ship drawings and designs.
Tomi Engdahl says:
The Weakest Link in Cybersecurity Isn’t Human, It’s the Infrastructure
Welcome to Motherboard’s third annual hacking week.
https://motherboard.vice.com/en_us/article/d3bvgy/the-weakest-link-in-cybersecurity-isnt-human-its-the-infrastructure
When someone gets hacked, many people impulsively blame the victim. We’re conditioned to think that they did something wrong; we presume that they had a bad password, reused passwords across websites, didn’t turn on two-factor authentication, or otherwise made some sort of mistake that a more security-conscious person wouldn’t have.
The truth is often a little more complicated. While there are of course things you can do to make yourself less of a target and to harden your accounts, the fact remains that hackers are increasingly exploiting systematic failures by large companies, and that there is often little or nothing the average user can do to prevent a breach. The business models of many companies rely on monetizing and selling user data; internet of things and new startups rarely take security as seriously as they should; massive hacks of companies like Equifax and T-Mobile make our social security numbers less private than they ever have before.
The “weakest link” in cybersecurity is often no longer the human, it’s the infrastructure that increasingly controls our data without giving us a chance to do anything about it. In this brave new digital world, what can you really do to protect yourself?
Tomi Engdahl says:
US, Russia and China refuse to back French cybersecurity initiative
https://www.telegraph.co.uk/technology/2018/11/12/us-russia-china-refuse-back-french-cybersecurity-initiative/
The US, China and Russia have refused to endorse a French-backed agreement designed to regulate the Internet and bolster cyber security, despite the approval of 51 other countries including all members of the European Union.
The Paris Call for Trust and Security in Cyberspace was launched by French President Emmanuel Macron on Monday and represents an attempt to set clear rules for the use of cyber-weapons.
At an event organised by UNESCO, the French leader set out his ambitions for stronger international regulation of the Internet and better cooperation on cyber-attacks, foreign meddling in elections, online censorship and hate speech.
But the refusal of Washington DC, Moscow and Beijing to sign up to the agreement represents a serious blow for the initiative.
“The internet is a space currently managed by a technical community of private players. But it’s not governed. So now that half of humanity is online, we need to find new ways to organize the internet,” a French official said. “Otherwise, the internet as we know it today — free, open and secure — will be damaged by the new threats.”
Tomi Engdahl says:
Cathay Pacific hack: Airline admits techies fought off cyber-siege for months
Initial ‘suspicious activity’ was full-scale data theft, it tells local lawmakers
https://www.theregister.co.uk/2018/11/12/cathay_pacific_hack_data_siege_3_months/
Fresh from belatedly admitting that 9.4 million passengers’ personal data was stolen by hackers, Hong Kong airline Cathay Pacific has now admitted that it was under attack for three solid months before it took half a year to tell anyone.
In its initial public statement on the hack, which saw names, nationalities, dates of birth, addresses, some people’s passport numbers, email addresses and more heading from its secure servers into the hands of as-yet unidentified miscreants, Cathay said it had detected “suspicious activity” beginning in March 2018.
“During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention,” said the airline in its written submission to local legislators.
The airline has set up a dedicated website for people who think their personal data may have gone walkies.
https://infosecurity.cathaypacific.com/en_HK.html
Tomi Engdahl says:
New APIs Suggest WPA3 Wi-Fi Security Support Coming Soon to Windows 10
https://thehackernews.com/2018/11/windows-10-wpa3-wifi-security.html
Windows 10 users don’t have to wait much longer for support for the latest WPA3 Wi-Fi security standard, a new blog post from Microsoft apparently revealed.
The third version of Wi-Fi Protected Access, in short WPA3, is the next generation of the wireless security protocol that has been designed to make it harder for attackers to hack WiFi passwords.
WPA3 was officially launched earlier this year, but the new WiFi security standard won’t arrive overnight. Most device manufacturers could take months to get their new routers and networking devices certified by the Wi-Fi Alliance to support WPA3.
WPA3-Personal (SAE) Support in Windows 10
Though Microsoft hasn’t yet officially announced WPA3 support for its Windows 10 operating system, new APIs introduced in the newly released Windows 10 SDK Preview build 18272, as marked in the screenshot below, indicate that Windows users would soon be getting support for the new protocol.
Besides this, Tim Cappalli, an engineer at Aruba Security, in a tweet claimed that he also spotted WPA3-Personal (SAE) available in the Windows 10 Insider build 18252.100 while manually configuring a wireless network.
Another Windows user confirmed the WPA3-Personal availability in the latest Insider build version but also mentioned that it’s not currently working as intended.
Tomi Engdahl says:
Should You Send Your Pen Test Report to the MSRC?
https://blogs.technet.microsoft.com/msrc/2018/11/12/should-you-send-your-pen-test-report-to-the-msrc/
The best use for pen test reports
Recommendations will depend on how an environment is configured, so it’s best to dig into the report for available mitigations before sharing the results outside your organization. If the report comes up with an unpatched vulnerability that has no mitigations, please send us the report and POC.
https://www.microsoft.com/en-us/msrc?rtc=1
Tomi Engdahl says:
Hackers infect nearly 700,000 sites with Bitcoin-stealing malware
… but just one cryptocurrency exchange was the real target
https://thenextweb.com/hardfork/2018/11/07/bitcoin-stealing-malware/
Hackers breach StatCounter to hijack Bitcoin transactions on Gate.io exchange
https://www.zdnet.com/article/hackers-breach-statcounter-to-hijack-bitcoin-transactions-on-gate-io-exchange/
StatCounter has fixed the issue and Gate.io has removed the script from its site.
Faou says the malicious code was first added to this StatCounter script over the weekend, on Saturday, November 3. The code is still live, as this screenshot taken before the article’s publication can attest.
According to a PublicWWW search, there are over 688,000 websites that currently appear to load the company’s tracking script.
But according to Faou, none of these companies have anything to fear, at least for now. This is because the malicious code inserted into StatCounter’s site-tracking script only targets the users of one site – cryptocurrency exchange Gate.io.
The ESET researcher says that the malicious code looks at the page’s current URL and won’t activate unless the page link contains the “myaccount/withdraw/BTC” path.
The StatCounter incident is just the latest incident in a long list of recent supply-chain attacks via third-party JavaScript code loaded on legitimate sites. In the past year, miscreants have hacked several online services to deliver in-browser cryptocurrency-mining scripts or card-skimming code to unsuspecting users.
“This [incident] is another reminder that external JavaScript code is under the control of a third party and can be modified at any time without notice,”
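The quote above makes the defensive point: a script loaded from a third party can change under you at any time. Subresource Integrity (SRI) is the browser mechanism that turns that into a fail-closed check, and a simple content diff plus a triage heuristic catches the "only fires on one URL path" pattern described in the article. The following is an added example written for this comment thread, not code from StatCounter, ESET or the article; the two script bodies are constructed samples and the hostname in them is made up.

```python
import base64
import hashlib
import re

# Constructed sample: the tracking script as reviewed and pinned by a site operator.
BASELINE_SCRIPT = b"""
(function () {
  var sc_project = 12345;
  var img = new Image();
  img.src = 'https://counter.example/t.php?p=' + sc_project;
})();
"""

# Constructed sample: the same script after an unannounced upstream change that
# adds a URL-path gate of the kind the article describes (body left empty here).
MODIFIED_SCRIPT = b"""
(function () {
  var sc_project = 12345;
  var img = new Image();
  img.src = 'https://counter.example/t.php?p=' + sc_project;
  if (document.location.href.indexOf('myaccount/withdraw/BTC') > -1) { /* ... */ }
})();
"""


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Re-derive the digest with the algorithm named in the integrity value and compare.

    This mirrors what the browser does before executing a script tagged with integrity=.
    """
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return sri_hash(content, algo) == integrity


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a site should serve so the browser refuses a modified copy."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


# Triage heuristic: code that reads the current URL and branches on a substring.
# Legitimate analytics does this too, so a match means "review", not "malicious".
URL_GATE_RE = re.compile(
    r"location\.(?:href|pathname|search)[^;]{0,80}?(?:indexOf|includes|match|test)\s*\(\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def suspicious_url_gates(content: bytes) -> list:
    """Return the URL substrings a script conditions its behaviour on."""
    return URL_GATE_RE.findall(content.decode("utf-8", errors="replace"))


def audit_third_party_script(pinned: bytes, fetched: bytes) -> dict:
    """Compare a freshly fetched third-party script against the pinned copy."""
    integrity = sri_hash(pinned)
    return {
        "integrity": integrity,
        "unchanged": verify_sri(fetched, integrity),
        "url_gates": suspicious_url_gates(fetched),
    }


if __name__ == "__main__":
    print(script_tag("https://counter.example/counter.js", BASELINE_SCRIPT))
    print(audit_third_party_script(BASELINE_SCRIPT, MODIFIED_SCRIPT))
```

The trade-off is deliberate: with an integrity attribute, any upstream edit (malicious or a routine vendor update) makes the browser refuse to run the script until the operator re-reviews it and re-pins the hash, which is exactly the fail-closed behaviour you want for code that runs on a withdrawal page. The URL-gate regex is only a triage aid for that review.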
Tomi Engdahl says:
U.S. official says China violating 3-year-old cybertheft accord
https://www.marketwatch.com/story/us-official-says-china-violating-3-year-old-cybertheft-accord-2018-11-08
Tomi Engdahl says:
Google’s data charts path to avoiding malware on Android
https://www.welivesecurity.com/2018/11/12/googles-data-avoiding-malware-on-android/
How much higher are the odds that your device will be exposed to malware if you download apps from outside Google Play or if you use one of Android’s older versions? Google has the numbers
Tomi Engdahl says:
Hide and Script: Inserted Malicious URLs within Office Documents’ Embedded Videos
https://blog.trendmicro.com/trendlabs-security-intelligence/hide-and-script-inserted-malicious-urls-within-office-documents-embedded-videos/
Tomi Engdahl says:
Recently-Patched Adobe ColdFusion Flaw Exploited By APT
https://threatpost.com/recently-patched-adobe-coldfusion-flaw-exploited-by-apt/138981/
Tomi Engdahl says:
Nov 18
Bug Bounty Hunter Ran ISP Doxing Service
https://krebsonsecurity.com/2018/11/bug-bounty-hunter-ran-isp-doxing-service/
A Connecticut man who’s earned bug bounty rewards and public recognition from top telecom companies for finding and reporting security holes in their Web sites secretly operated a service that leveraged these same flaws to sell their customers’ personal data, KrebsOnSecurity has learned.
In May 2018, ZDNet ran a story about the discovery of a glaring vulnerability in the Web site for wireless provider T-Mobile that let anyone look up customer home addresses and account PINs. The story noted that T-Mobile disabled the feature in early April after being alerted by a 22-year-old “security researcher” named Ryan Stevenson, and that the mobile giant had awarded Stevenson $1,000 for reporting the discovery under its bug bounty program.
Likewise, AT&T has recognized Stevenson for reporting security holes in its services.
Stevenson’s Linkedin profile — named “Phobias” — says he specializes in finding exploits in numerous Web sites
Coincidentally, I came across multiple variations on this Phobia nickname as I was researching a story published this week on the epidemic of fraudulent SIM swaps
This week’s SIM swapping story quoted one recent victim who lost $100,000 after his mobile phone number was briefly stolen in a fraudulent SIM swap.
The perpetrators of his attack were able to access his T-Mobile account information using a specialized piece of software that gave them backdoor access to T-Mobile’s customer database.
Both the Santa Clara investigators and T-Mobile declined to confirm or deny the existence of this software.
I found that as late as June 2018 Ryan was offering a service that he claimed was capable of “doxing any usa carrier,” including Verizon, AT&T, Sprint, T-Mobile, MetroPCS and Boost Mobile.
“All I need is the number,” Ryan said of his customer data lookup service, which he sold for $25 per record. “Payment BTC [bitcoin] only.”
Tomi Engdahl says:
Government cybersecurity units: the good, the bad and the bureaucracy
https://www.geekwire.com/2018/government-cybersecurity-units-good-bad-bureaucracy/
Tomi Engdahl says:
Nvidia GPU Side Channel Vulnerability Disclosed
https://latesthackingnews.com/2018/11/11/nvidia-gpu-side-channel-vulnerability-disclosed/
Researchers have proven lots of side channel vulnerabilities in CPUs that pose security risks. However, this time, researchers have demonstrated a vulnerability in GPUs as well. Their work revolved around proving the possibility of a side-channel attack on Graphics Processing Units. From the results obtained, they concluded that GPU vulnerability to side channel attacks could lead to privacy and security breaches. This includes everything from spying on user activity to allowing hackers into cloud services.
Tomi Engdahl says:
Demystifying: Cryptocurrency Mining Threats
https://blogs.cisco.com/security/demystifying-cryptocurrency-mining-threats
How to protect your endpoints from “creepy crypto miners”
Tomi Engdahl says:
https://www.wired.com/story/gadget-disposal-safe-secure/
Tomi Engdahl says:
War Games: A WOPR of a Security Test (Part 4)
https://blogs.cisco.com/security/war-games-a-wopr-of-a-security-test-part-4
Overall, our Security Advisory Services team found that, whilst many users coped well with the attempts to phish them, a significant number of users did not. As a result, our recommendations for end users included:
Remind users that they should not follow untrusted links and/or submit credentials to untrusted websites
Ensure that users know what to do if they accidentally access an untrusted website (the answer is not to ‘blindly panic’!)
Remind users that responding by email can be as dangerous as following untrusted links, and that email headers can be routinely forged
Provide users with training on how to use social networks securely
Additionally, we also advised the customer that their blue team (including the SOC, platform owners etc) ought to (at a minimum) perform the following actions:
Ensure that system clocks are correctly synchronised across all key systems
Check DNS server caches and logs for our malicious domains and staging box IP addresses
Check mail server logs for our malicious domains and staging box IP addresses
Determine the scores with all inbound emails from our malicious domains to establish on what grounds they were accepted and delivered
Check web proxy logs for our malicious domains and staging box IP addresses
Investigate whether the mail server and web proxy can take custom filters to support activities such as greylisting for all non-role account addresses
Ensure that mail servers do not leak sensitive information
Check that all mobile devices use a VPN that prevents split tunneling to connect back into the main network, and only access the Internet through the VPN tunnel
Scan internal systems for known file hashes corresponding to the files used during the exercise
Ensure that any systems with identifiably out-of-date client software are included in asset management systems and that there are processes to patch them regularly
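Several of the blue-team actions listed above (sweeping DNS, mail and proxy logs for the exercise's domains and staging IPs, and scanning endpoints for known file hashes) are the same indicator sweep applied to different log sources. The following is an added example, not Cisco's tooling or anything from the blog post: it extracts hostnames and IPv4 addresses from log lines in three common formats without a per-format parser and matches them against an indicator set. All domains, addresses, log lines, file paths and hashes are constructed for the example (the IPs come from RFC 5737 documentation ranges).

```python
import hashlib
import ipaddress
import re

# Constructed indicator set standing in for the red team's infrastructure (not real IoCs).
IOC_DOMAINS = {"login-examp1e.test", "hr-portal-update.test"}
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_HASHES = {hashlib.sha256(b"constructed staging payload").hexdigest()}

# Constructed log excerpts in BIND query-log, Postfix smtpd and Squid access-log styles.
LOGS = {
    "dns": """\
12-Nov-2018 10:02:13.123 client 10.0.0.15#53122: query: login-examp1e.test IN A + (10.0.0.2)
12-Nov-2018 10:02:14.001 client 10.0.0.16#53123: query: www.example.com IN A + (10.0.0.2)""",
    "mail": """\
Nov 12 10:03:01 mx1 postfix/smtpd[2211]: connect from mail.hr-portal-update.test[203.0.113.77]
Nov 12 10:03:05 mx1 postfix/smtpd[2211]: connect from mail.example.org[192.0.2.10]""",
    "proxy": """\
1542016981.123    245 10.0.0.15 TCP_MISS/200 1532 GET http://login-examp1e.test/owa/ - HIER_DIRECT/198.51.100.23 text/html
1542016985.456    120 10.0.0.16 TCP_HIT/200 9821 GET http://www.example.com/ - NONE/- text/html""",
}

# Constructed endpoint inventory: file path -> sha256 of the file's bytes.
FILE_INVENTORY = {
    r"C:\Users\alice\Downloads\invoice.exe": hashlib.sha256(b"constructed staging payload").hexdigest(),
    r"C:\Windows\notepad.exe": hashlib.sha256(b"constructed benign binary").hexdigest(),
}

# A hostname needs at least one label followed by an alphabetic TLD, which keeps
# dotted numbers (timestamps, IPs, sizes) from matching.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_matches(name: str, iocs=IOC_DOMAINS) -> bool:
    """True if name is an indicator domain or a subdomain of one (mail.x.test matches x.test)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)


def sweep_line(line: str) -> list:
    """Return sorted (kind, indicator) pairs found in one log line, whatever its format."""
    found = set()
    for host in HOST_RE.findall(line):
        if domain_matches(host):
            found.add(("domain", host.lower()))
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.ip_address(ip)      # drops things like 999.1.1.1 that the regex allows
        except ValueError:
            continue
        if ip in IOC_IPS:
            found.add(("ip", ip))
    return sorted(found)


def sweep_logs(logs=LOGS) -> list:
    """Run the indicator sweep over every source and return one record per hit."""
    hits = []
    for source, text in logs.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, indicator in sweep_line(line):
                hits.append({"source": source, "line": lineno, "kind": kind, "indicator": indicator})
    return hits


def sweep_hashes(inventory=FILE_INVENTORY, iocs=IOC_HASHES) -> list:
    """Return the inventoried paths whose hash is on the indicator list."""
    return sorted(path for path, digest in inventory.items() if digest in iocs)


if __name__ == "__main__":
    for hit in sweep_logs():
        print(f"{hit['source']:5} line {hit['line']}: {hit['kind']} {hit['indicator']}")
    print("hash hits:", sweep_hashes())
```

Suffix matching on domains matters because the phishing infrastructure usually shows up under a subdomain (the mail host, a tracking host) rather than the bare registered domain. The hash sweep is the weakest of the checks: it only finds the exact files used in the exercise, which is why the list also asks for a process to patch identifiably out-of-date client software.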
Tomi Engdahl says:
Inside CSAW, a Massive Student-Led Cybersecurity Competition
https://www.darkreading.com/risk/inside-csaw-a-massive-student-led-cybersecurity-competition/d/d-id/1333241
Nearly 400 high school, undergraduate, and graduate students advance to the final round of New York University’s CSAW games.
Tomi Engdahl says:
Hackers stole income, immigration and tax data in Healthcare.gov breach, government confirms
https://techcrunch.com/2018/11/09/hackers-stole-income-immigration-and-tax-data-in-healthcare-gov-breach-government-confirms/
Hackers siphoned off thousands of Healthcare.gov applications by breaking into the accounts of brokers and agents tasked with helping customers sign up for healthcare plans.
The Centers for Medicare and Medicaid Services (CMS) said in a post buried on its website that the hackers obtained “inappropriate access” to a number of broker and agent accounts, which “engaged in excessive searching” of the government’s healthcare marketplace systems.
Information Breach on HealthCare.gov
https://www.healthcare.gov/how-we-use-your-data/
Tomi Engdahl says:
Guess who’s back, back again? China’s back, hacking your friends: Beijing targets American biz amid tech tariff tiff
Everything little thing Xi does is magic, everything Xi do just turns me intrusion alarms on
https://www.theregister.co.uk/2018/11/09/china_hacking_usa/
Three years after the governments of America and China agreed not to hack corporations in each other’s countries, experts say Beijing is now back to its old ways.
And if that’s the case, we can well imagine Uncle Sam having a pop back.
Tomi Engdahl says:
US Air Force invites white hats to find hackable flaws, again
This is the third time that the Air Force asks ethical hackers to uncover chinks in its digital armor
https://www.welivesecurity.com/2018/11/09/us-air-force-hackable-bug-bounty-program/
Tomi Engdahl says:
State vs. Federal Privacy Laws: The Battle for Consumer Data Protection
https://www.securityweek.com/state-vs-federal-privacy-laws-battle-consumer-data-protection
The Battle for Privacy in the United States is Just Beginning
The European Union has one primary over-arching data law that covers the entire EU (and reaches non-European countries that collect and store personal data on European citizens). The United States has historically taken a different approach to data laws – individual responses to specific concerns.
The result is that while the EU has one basic law covering data protection, privacy controls and breach notification (GDPR), the U.S. has a patchwork of state and federal laws, common law and public and private enforcement that has evolved over the last 100 years and more.
Every state now has its own breach notification law. California started the ball rolling in 2003 with the first state legislation.
Tomi Engdahl says:
APT Group Uses Windows Zero-Day in Middle East Attacks
https://www.securityweek.com/apt-group-uses-windows-zero-day-middle-east-attacks
A Windows zero-day vulnerability addressed this week by Microsoft with its November 2018 Patch Tuesday updates has been exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.
The security hole, tracked as CVE-2018-8589, allows an attacker to elevate privileges on a compromised Windows 7 or Windows Server 2008 system.
Tomi Engdahl says:
Microsoft Patches Actively Exploited Windows Vulnerability
https://www.securityweek.com/microsoft-patches-actively-exploited-windows-vulnerability
Microsoft’s Patch Tuesday updates for November 2018 address more than 60 vulnerabilities, including zero-days and publicly disclosed flaws.
Researchers at Kaspersky Lab informed Microsoft of a privilege escalation vulnerability in Windows that has been actively exploited by malicious actors. The flaw, tracked as CVE-2018-8589, allows an attacker to execute arbitrary code in the context of the local user. The issue, caused by the way Windows handles calls to Win32k.sys, only affects Windows 7 and Windows Server 2008.
The weakness, identified as CVE-2018-8584, is related to the Advanced Local Procedure Call (ALPC), and Microsoft says an authenticated attacker can use it to elevate privileges and take control of a vulnerable system. Windows 10 and recent versions of Windows Server are impacted.
Tomi Engdahl says:
Adobe Patches Disclosed Acrobat Vulnerability
https://www.securityweek.com/adobe-patches-disclosed-acrobat-vulnerability
Adobe has released Patch Tuesday updates for Flash Player, Acrobat and Reader, and Photoshop CC to address three vulnerabilities – one in each product.
According to Adobe, exploitation of the flaw, tracked as CVE-2018-15979, “could lead to an inadvertent leak of the user’s hashed NTLM password.”
Tomi Engdahl says:
SAP Patches Critical Vulnerability in HANA Streaming Analytics
https://www.securityweek.com/sap-patches-critical-vulnerability-hana-streaming-analytics
Tomi Engdahl says:
Seven Hacking Groups Operate Under “Magecart” Umbrella, Analysis Shows
https://www.securityweek.com/seven-hacking-groups-operate-under-%E2%80%9Cmagecart%E2%80%9D-umbrella-analysis-shows
At least seven different cybercrime groups referred to as “Magecart hackers” are placing digital credit card skimmers on compromised e-commerce sites, Flashpoint and RiskIQ reveal in a joint report.
Active since at least 2015, the Magecart hackers steal credit card information by placing digital skimmers on the websites they visit.
Although the hackers managed to remain unnoticed for about three years, they gained a lot of attention lately, after targeting high-profile online destinations, including Ticketmaster, British Airways, and Newegg.
Tomi Engdahl says:
Cathay Says ‘Most Intense’ Period of Data Breach Lasted Months
https://www.securityweek.com/cathay-says-most-intense-period-data-breach-lasted-months
The world’s biggest airline data breach, affecting millions of Cathay Pacific customers, was the result of a sustained cyber attack that lasted for three months, the carrier admitted, while insisting it was on alert for further intrusions.
The Hong Kong-based firm was subjected to continuous breaches that were at their “most intense” from March to May but continued after, it said in a written submission to the city’s Legislative Council ahead of a panel hearing on Wednesday.
It also looked to explain why it took until October 24 to reveal that 9.4 million passengers had been affected, with hackers getting access to personal information including dates of birth, phone numbers and passport numbers.
Tomi Engdahl says:
Dharma Ransomware: What It’s Teaching Us
https://www.fortinet.com/blog/threat-research/dharma-ransomware–what-it-s-teaching-us.html
Tomi Engdahl says:
Microsoft November 2018 Patch Tuesday Fixes 12 Critical Vulnerabilities
https://www.bleepingcomputer.com/news/security/microsoft-november-2018-patch-tuesday-fixes-12-critical-vulnerabilities/
Tomi Engdahl says:
Your Private Data Is Quietly Leaking Online, Thanks to a Basic Web Security Error
By Nate Lanxon
https://www.bloomberg.com/news/articles/2018-11-12/major-american-companies-are-making-basic-security-mistakes
Six months ago, the European Union’s General Data Protection Regulation, or GDPR, took effect, threatening companies worldwide with massive fines if they didn’t look after customer data properly. Fresh research suggests it’s making a difference in Europe — but not so much for U.S. web users.
The personal information of American charity donors, political party supporters, and online shoppers has continued to quietly leak onto the internet as a result of poor website security practices, new research shows. As many as one in five e-commerce sites in the U.S. are still leaving their customers exposed, Philadelphia-based search marketing company Seer Interactive said Monday.
Using simple Google searches, similar to methods examined by Seer, Bloomberg was able to access sensitive user information from a wide range of randomly chosen U.S. websites.
These examples were discovered by requesting results for terms such as “firstname,” “print,” or “@gmail.com” and restricting the queries to subdomains on company web addresses, such as “shop.companyname.com.”
The vulnerability can be caused by a number of basic errors, one of which is that if a website lets a user share a transaction on social media — such as to promote a charitable donation — a search engine can see their post, and from there index the original web page, whether the user knows this or not. With no security protection in place, these pages are available to anyone.
A spokesman for Alphabet Inc.’s Google said the company provides documentation to help webmasters prevent this happening, and that it only serves information available on the public web.
While individually the data may be seen as harmless, in the hands of a cyber-criminal it could be used fraudulently, said Melson.
The widespread leak of data is emblematic “of a wider cultural problem business have towards data,”
He said such low-level leaks were why Europe’s GDPR legislation was required. The law mandates that companies have to take technical precautions such as encryption to ensure all client data is protected. It also states that firms must notify authorities about breaches within 72 hours of learning about them. Violations of GDPR rules may lead to fines of as much as 4 percent of a company’s global annual sales.
Melson said the affected websites Seer had identified as vulnerable were “largely” U.S.-based. “We’re finding significantly fewer U.K. companies,”
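The failure mode in the Bloomberg story is a receipt or confirmation page that carries personal data, requires no login, and gives search engines no signal to stay away. The following is an added example written for this thread, not code from Seer Interactive, Bloomberg or Google: a small checker that, given a page's response headers and HTML, reports whether it is indexable, whether shared caches may keep it, and whether the body contains an email address. The two pages are constructed samples.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a donation receipt served with no robots or cache directives.
LEAKY_PAGE = {
    "headers": {"Content-Type": "text/html; charset=utf-8"},
    "html": ("<html><head><title>Thanks, Jane!</title></head>"
             "<body>Receipt for jane@example.com, order 1001</body></html>"),
}

# Constructed sample: the same page after hardening the response.
HARDENED_PAGE = {
    "headers": {
        "Content-Type": "text/html; charset=utf-8",
        "X-Robots-Tag": "noindex, nofollow",
        "Cache-Control": "private, no-store",
    },
    "html": ('<html><head><meta name="robots" content="noindex"></head>'
             "<body>Receipt sent to the address on file, order 1001</body></html>"),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[a-z]{2,}", re.IGNORECASE)


class _MetaRobots(HTMLParser):
    """Collect directives from <meta name="robots"> / <meta name="googlebot">."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives |= _split_directives(a.get("content", ""))


def _split_directives(value: str) -> set:
    # Accepts "noindex, nofollow" and the "googlebot: noindex" header form.
    return {d.split(":")[-1].strip().lower() for d in value.split(",") if d.strip()}


def robots_directives(headers: dict, html: str) -> set:
    """Union of robots directives from the X-Robots-Tag header and meta tags."""
    found = set()
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            found |= _split_directives(value)
    parser = _MetaRobots()
    parser.feed(html)
    return found | parser.directives


def is_indexable(page: dict) -> bool:
    return "noindex" not in robots_directives(page["headers"], page["html"])


def shared_cache_allowed(headers: dict) -> bool:
    cc = {t.strip().lower() for t in headers.get("Cache-Control", "").split(",")}
    return not ({"private", "no-store"} & cc)


def assess(page: dict) -> list:
    """Return the findings a reviewer would raise for one response (empty list = clean)."""
    findings = []
    if is_indexable(page):
        findings.append("indexable: no noindex in X-Robots-Tag or <meta name=robots>")
    if shared_cache_allowed(page["headers"]):
        findings.append("cacheable: Cache-Control lacks private/no-store")
    if EMAIL_RE.search(page["html"]):
        findings.append("body contains an email address")
    return findings


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("hardened", HARDENED_PAGE)):
        print(label, assess(page) or ["ok"])
```

Two caveats a reviewer should attach to this check. A noindex directive only asks well-behaved crawlers to leave the page out of results; it is not access control, so a page with personal data still needs a login or an unguessable, expiring link. And blocking the path in robots.txt can make things worse, since a crawler that is not allowed to fetch the page never sees the noindex directive and may still list the URL it found via a shared social post.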
Tomi Engdahl says:
Patched Facebook Vulnerability Could Have Exposed Private Information About You and Your Friends
https://www.imperva.com/blog/facebook-privacy-bug/
In a previous blog we highlighted a vulnerability in Chrome that allowed bad actors to steal Facebook users’ personal information; and, while digging around for bugs, thought it prudent to see if there were any more loopholes that bad actors might be able to exploit.
What popped up was a bug that could have allowed other websites to extract private information about you and your contacts.
Having reported the vulnerability to Facebook under their responsible disclosure program in May 2018, we worked with the Facebook Security Team to mitigate regressions and ensure that the issue was thoroughly resolved.
Tomi Engdahl says:
That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards
https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/
If you own a domain name that gets decent traffic and you fail to pay its annual renewal fee, chances are this mistake will be costly for you and for others. Lately, neglected domains have been getting scooped up by crooks who use them to set up fake e-commerce sites that steal credit card details from unwary shoppers.