Yesterday, Microsoft published its security bulletin, which patches a vulnerability discovered by our technologies. We reported it to Microsoft on October 17, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8589.
CVE-2018-8589 is a race condition present in win32k!xxxMoveWindow due to improper locking of messages sent synchronously between threads.
Kaspersky Lab products detected this exploit proactively using the following technologies:
Behavioral Detection Engine and Automatic Exploit Prevention for endpoints
Advanced Sandboxing and Anti-Malware Engine for Kaspersky Anti Targeted Attack Platform (KATA)
Varastomuodossa RFID-tunnisteet tuottavat vain identifioinnin ja paikannuksen. Kuvaamillaan helpoilla muutoksilla tutkimusryhmä antoi hakkeroidulle tagille myös kyvyn seurata ympäristöään.
- Näemme tämän hyvänä esimerkkinä kattavasta ohjelmisto-laitteistojärjestelmästä IoT-laitteille. Me hakkeroimme yksinkertaisia laitteita – leikkaamme RFID-tunnisteita ja asetimme niihin anturin. Sitten suunnittelimme uusia algoritmeja ja yhdistimme ohjelmiston ja laitteiston uusien sovellusten ja ominaisuuksien käyttöön, kuvailee Omid Abari.
- Tärkein panos on osoittaa, kuinka helppoa on hakkeroida RFID-tunniste, jolla luodaan IoT-laite. Se on niin helppoa, että aloittelija voisi tehdä sen.
An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 20 minutes, and even less, in certain types of attacks.
Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week.
The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users’ bank cards (also known as skimming).
Experts said that 85 percent of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connected to.
Researchers said that 27 percent of the tested ATMs were vulnerable to having their processing center communications spoofed, while 58 percent of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely.
The Australian government department wants a solution to support its move towards compliance with the Essential Eight Security Controls.
The Department of Health is seeking help with Australian government security compliance, publishing a request for tender (RFT) for a privileged access management (PAM) solution.
The solution, the department said, is required to support Health’s “move towards compliance with the Essential Eight Security Controls”.
“Ultimately, the solution will increase the risk posture for the department and safe guarding its people and information from potential threats related to privileged accounts,” the RFT explains.
The Department of Health has approximately 6,500 standard user accounts, 150 of which are classed as privileged. Its environment consists of: A total of 1,700 servers comprised of 900 Windows, 500 RHEL, and 100 Unix installations; 500 network devices including routers, switches, firewalls, load balancers, WAP, and WAN accelerators; 20 domains; and a combination of Microsoft Azure/Office 365 and Amazon Web Services (AWS) cloud-based environments.
The solution tendered for must be able to manage accounts across Google cloud and IBM Blue Mix, in addition to Azure and AWS.
Iran, Sudan, Syria, and Cuba are the most geoblocked countries.
Geoblocking, the practice of websites blocking users from certain countries from accessing their content, is not as widespread as most people believe, a recently published study has revealed.
Scans of the Alexa Top 10,000 and Top 1 Million sites have unveiled low percentages of websites engaging in geoblocking.
More precisely, researchers found that only 596 websites from the Alexa Top 10,000 list of sites engaged in geoblocking (also known as geofencing), and only 1,595 sites did so from the Alexa Top 1 Million.
Hackers linked to the Russian government are impersonating U.S. State Department employees in an operation aimed at infecting computers of U.S. government agencies, think tanks and businesses, two cybersecurity firms told Reuters.
There may still be nearly seven weeks left in 2018, but security leaders are already looking ahead to the new year. Enterprise concerns, from cloud attacks to nation-states, are already piling high.
This year, on track to be the worst-ever for data breaches, has already proved exhaustive for the infosec community. From Jan. 1 to Sept. 30, a total of 3,676 breaches were reported, involving over 3.6 billion records – the second-most number of reported breaches in a year.
How I found vulnerabilities that could jeopardise child safety.
A friend recently showed me a tracker watch that he’d purchased for his young son for less than £10. It offered useful functionality such as two-way calling using a SIM and cellular connection. The accompanying app allowed him to track the location of his son. He was interested in the security of the device, so I had a look. It was bad… really bad.
It was a Misafes ‘Kids Watcher’
Using IDOR attacks, I could:
retrieve real time GPS coordinates of the kids watches
call the child on their watch
create a covert one-way audio call, spying on the child
send audio messages to the child on the watch, bypassing the approved caller list
retrieve a photo of the child, plus their name, date of birth, gender, weight & height
With a couple of watches paired to different testing phones, I had a play with various authorisation and Insecure Direct Object Reference, IDOR, attacks.
The watch updates the GPS coordinates to the API every five minutes, so it’s nearly real-time location data. With that information, it would be easy to iterate through the family_ids and recover the location and device_id’s of all children. The ID’s appeared to be sequential, and we estimate there are around 12,000.
I decided to write a proof-of-concept application in C#, that allowed our watches to be tracked in real time.
The API also kept track of previous locations, so it would be possible to click on a marker and show the routes that child took on a daily basis and it would then be possible to anticipate where they were going to be.
Calling kids through the watches
The watch did have some protection against arbitrary people calling the child. It implemented a whitelist of authorised phone numbers that the watch would both call and receive. The problem with that is that Caller IDs can be spoofed. So as a proof-of-concept, I used crazycall.net to spoof the Caller ID to a test watch.
Using the data from the API, an attacker could get both the child’s and a parent’s phone number, and spoof a call to the watch.
The app also allowed the watch to be turned into a remote listening device
Tracking millions of kids?
My colleague Vangelis looked at the APIs for numerous smart watches and other GPS tracking devices as part of his ‘trackmageddon’ project.
we believe that in excess of a million smart kids tracking watches with similar vulnerabilities are being used, possibly in excess of 3 million globally.
Disclosure
We tried multiple ways to contact Misafes, but got nothing back. The BBC also made extensive enquiries on our behalf but also drew a blank. That echoes the experience of SEC Consult who found unrelated issues in a Misafes camera.
We understand the eBay has just pulled the product and it also appears that its no longer available on Amazon.
Conclusion
My friend paid £9 for the watch, and I paid around £35 each for an extra two. When margins are that thin, it becomes less likely that manufacturers spend money on security testing. This could compromise the security of a child.
Phishing scams are more advanced and widespread than ever, and threat actors are becoming increasingly sophisticated in their ability to craft malicious websites that look legitimate to unsuspecting users — including your employees, who have the kind of restricted access to enterprise data that cybercriminals covet most.
A huge database with user names, smartphone numbers, SMS messages and even two-factor authentication codes has been exposed, putting personal details at risk.
Sébastien Kaul, a Berlin-based security researcher, used Shodan, a search engine for publicly available devices and databases to uncover the server, and the database, which belongs to Voxox, a San Diego based communications company.
Voxox is the gateway between companies that send out messages that verify phone numbers or send two-factor authentication codes, and the end recipients.
As a gateway, they’re the ones that convert information sent out by companies into actual text and numbers.
Moving healthcare subsidiary into main company breaks pledge that ‘data will not be connected to Google accounts’
Google has been accused of breaking promises to patients, after the company announced it would be moving a healthcare-focused subsidiary, DeepMind Health, into the main arm of the organisation.
The restructure, critics argue, breaks a pledge DeepMind made when it started working with the NHS that “data will never be connected to Google accounts or services”. The change has also resulted in the dismantling of an independent review board, created to oversee the company’s work with the healthcare sector, with Google arguing that the board was too focused on Britain to provide effective oversight for a newly global body.
Google says the restructure is necessary to allow DeepMind’s flagship health app, Streams, to scale up globally. The app, which was created to help doctors and nurses monitor patients for AKI, a severe form of kidney injury, has since grown to offer a full digital dashboard for patient records.
12 November 2018 — Google and a number of other services experienced a 74 minute outage. It’s not the first time this has happened; and while there might be a temptation to assume that bad actors are at work, incidents like this only serve to demonstrate just how much frailty is involved in how packets get from one point on the Internet to another.
Our logs show that at 21:12 UTC on Monday, a Nigerian ISP, MainOne, accidentally misconfigured part of their network causing a “route leak”. This resulted in Google and a number of other networks being routed over unusual network paths. Incidents like this actually happen quite frequently, but in this case, the traffic flows generated by Google users were so great that they overwhelmed the intermediary networks — resulting in numerous services (but predominantly Google) unreachable.
You might be surprised to learn that an error by an ISP somewhere in the world could result in Google and other services going offline. This blog post explains how that can happen and what the Internet community is doing to try to fix this fragility.
But… Why Did This Impact So Many People?
The root cause of this was MainOne misconfiguring their routing. As mentioned earlier, incidents like this actually happen quite frequently. The impact of this misconfiguration should have been limited to MainOne and its customers.
However, what took this from relatively isolated and turned it into a much broader one is because CN2 — China Telecom’s premium cross-border carrier — was not filtering the routing that MainOne provided to them. In other words, MainOne told CN2 that it had authority to route Google’s IP addresses. Most networks verify this, and if it is incorrect, filter it out. CN2 did not — it simply trusted MainOne. As a result of this, MainOne’s misconfiguration propagated to a substantially larger network.
Compounding this, it is likely that the Russian network TransTelecom behaved similarly towards CN2 as CN2 had behaved towards MainOne — they trusted without any verification of the routing paths that CN2 gave to them.
The name Magecart has become ubiquitous as recent high-profile compromises have brought the threat of online card skimming to the forefront of security conversations and news publications.
Magecart, an umbrella term given to at least seven cybercrime groups, are placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate and with frightening success. Responsible for victimizing scores of e-commerce sites including global brands Ticketmaster, British Airways, and Newegg, Magecart and its operatives intercepted thousands of consumer credit card records and are claiming more victims every day.
Daniel’s Hosting, one of the largest providers of Dark Web hosting services, was hacked this week and taken offline, ZDNet has learned from one of our readers.
The hack took place on Thursday, November 15, according to Daniel Winzen, the software developer behind the hosting service.
“As per my analysis it seems someone got access to the database and deleted all accounts,” he said in a message posted on the DH portal today.
Winzen said the server’s root account was also deleted, and that all 6,500+ Dark Web services hosted on the platform are now gone.
“Unfortunately, all data is lost and per design, there are no backups,” Winzen told ZDNet in an email today. “I will bring my hosting back up once the vulnerability has been identified and fixed.”
Currently, he identified one flaw, a PHP zero-day vulnerability. Details about this unpatched vulnerability were known for about a month in Russian PHP programming circles, but the flaw gained a lot of attention among the wider programming and infosec communities, on November 14, a day before the hack.
This is a setup for a TOR based shared hosting server. It is provided as is and before putting it into production you should make changes according to your needs. This is a work in progress and you should carefully check the commit history for changes before updating.
The configuration was tested with a standard Debian sid and Ubuntu 16.04 LTS installation. It’s recommended you install Debian sid on your server, but with a little tweaking you may also get this working on other distributions and/or versions.
Australia’s government’s crypto-busting legislation risks blocking security research, a leading Internet policy boffin has warned.
Speaking to a parliamentary hearing into the “Assistance and Access” legislation this morning, a director of the Massachusetts Internet Policy Research Initiative, Daniel Weitzner, said the problem arose out of secrecy provisions of the proposed legislation.
Microsoft menaced with GDPR mega-fines in Europe for ‘large scale and covert’ gathering of people’s info via Office
Telemetry data slurp broke the law, Dutch govt eggheads say https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/
Microsoft broke Euro privacy rules by carrying out the “large scale and covert” gathering of private data through its Office apps.
Those actions break Europe’s new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines.
Infosec personality John McAfee has been found legally “liable” via a default judgment for the death of his neighbour, who was found dead from a gunshot wound to the head in his Belize home in 2012.
Though local police wanted to question McAfee as a potential witness, the millionaire, who is the founder of the antivirus software firm that still bears his name, had travelled abroad. And despite the criminal investigation stalling, a civil case was later brought against McAfee by Faull’s relatives.
When local cops searched McAfee’s home, wanting to question the one-time software developer over his neighbour’s demise, Mac was nowhere to be found.
The flaw allows hackers to bypass handset lock screens in seconds.
A design flaw affecting all in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication.
In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent’s Xuanwu Lab which is credited for first identifying the flaw earlier this year.
“During our research on this, we found all the in-display fingerprint sensor module suffer the same problem no matter where it was manufactured by whatever vendors,” said Yang Yu, a researcher at Xuanwu Lab. “This vulnerability is a design fault of in-display fingerprint sensors.”
Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors, said Yu.
That includes current models of Huawei Technologies’ Porsche Design Mate RS and Mate 20 Pro model phones.
AS YOU TRAVEL this holiday season, bouncing from airport to airplane to hotel, you’ll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it.
This advice comes with plenty of qualifiers.
if you’re a high-value target of a sophisticated nation state—look at you!—stay off of public Wi-Fi at all costs.
But for the rest of us? You’re probably OK. That’s not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.
“A lot of the former risks, the reasons we used to warn people, those things are gone now,” says Chet Wisniewski, principle researcher at security firm Sophos. “It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel.”
In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks
A cheap, easy to use device called a Wi-Fi Pineapple makes those attacks simple to pull off.
All of that’s still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.
HTTPS All Over
Look at the URL bar in your browser. Do you see that little lock symbol on the left? That means that traffic on this site is encrypted in transit from WIRED’s servers to your browser and back.
“If you’re in the US, the web is pretty well encrypted. It’s unusual to go to a website that matters and it’s not HTTPS,”
The Wi-Fi Pineapple enables anyone to steal data on public Wi-Fi networks. Here’s how it facilitates two sophisticated network attacks and how to protect yourself against them.
In the Wild West of “influencer” marketing, there are few protections and plenty of easy marks.
In early October, a publicist received an irresistible message via email.
the influencer would simply need to log into a third-party Instagram analytics tool, Iconosquare—a common request; many brands use tools such as Iconosquare to track the success of their influencer campaigns.
But the link Brooks sent wasn’t to Iconosquare.com—it was to lconosquare.biz, a cloned version of the site set up for phishing. Once the influencer logged in with the Instagram username and password, Brooks seized control of the account. Within minutes, he was spamming the influencer’s millions of followers with offers for a free iPhone.
Brooks has targeted several YouTubers, Instagram stars, and meme pages and used the stolen pages to promote scammy-looking apps and fake offers for free products.
According to its website, SCL Media is “a tech-media company building content brands for multicultural and niche audiences.”
Eric Toda, head of marketing at Hill City, a GAP brand, said that the influencer industry right now is like the Wild West. “You see a lot of people selling snake oil,” he said, “because the market is so saturated.”
Influencers as young as 13 are entering into brand deals with zero experience in negotiating high-value business partnerships. It’s all too easy for a scammer to entice them with the promise of a big paycheck, then hack their accounts or escape without paying. “It’s an underground world and what a lot of people are doing is representing themselves as Insta experts when they’re hackers and scammers,” explained Lisa Navarro, founder of Espire, a digital marketing agency that works with influencers. “They’re stealing accounts from children.”
Once hackers gain control of an influencer’s account, said Moritz von Contzen, founder of the Dutch social-media agency Avenik, they’ll often hop into the account’s direct messages and begin spamming other influencers with the same phishing links before the hacked influencer even knows what’s happening.
EFF and MuckRock have filed hundreds of public records requests with law enforcement agencies around the country to reveal how data collected from automated license plate readers (ALPR) is used to track the travel patterns of drivers. We focused exclusively on departments that contract with surveillance vendor Vigilant Solutions to share data between their ALPR systems.
On average, agencies are sharing data with a minimum of 160 other agencies through Vigilant Solutions’ LEARN system, though many agencies are sharing data with over 800 separate entities.
Today, police can access vast databases to search our travel patterns with just a few keyboard strokes.
The reason: automated license plate readers (ALPR).
At its core, ALPR is a simple technology. These systems are a combination of high-speed cameras and optical character recognition technology that can identify license plates and turn them into machine-readable text. What makes ALPR so powerful is that drivers are required by law to install license plates on their vehicles. In essence, our license plates have become tracking beacons.
ALPR systems can be affixed to stationary locations, such as highway overpasses and street lights, to capture the license plate of every vehicle that passes. The cameras can also be mounted on police cars (or other vehicles, such as tow trucks) to passively collect license plate scans during routine patrols or to surveil specific communities by driving systematically through targeted neighborhoods.
After the plate data is collected, the ALPR systems upload the information to a central a database along with the time, date, and GPS coordinates. Cops can search these databases to see where drivers have traveled or to identify vehicles that visited certain locations. Police can also add license plates under suspicion to “hot lists,” allowing for real-time alerts when a vehicle is spotted by an ALPR network.
It is crucial to remember that ALPR is a mass surveillance technology that spies on every driver on the road, and logs their location, regardless of whether they are suspected of being involved in a crime.
Bombs and guns aside, a smartphone can be a powerful weapon in the hands of a terrorist — but it can also provide intelligence services with the tools to track them down.
For new recruits in developing countries, where smartphones are more common than computers, there are different strategies still.
“Phones are no longer phones — they’re computers,” said Laurent Heslault, director of security strategies at Symantec, a security group.
“They are far more powerful than what we had on our desks 10 years ago,” he added.
“They have more computing power, more memory and connection capabilities. They are very powerful tools when it comes to communicating.”
That has also made it much easier for jihadist groups to recruit new members.
Smartphones “enable people to reach out for propaganda” with the swipe of a screen, said the retired official.
“Thirty years ago, guys used to exchange video cassettes, then it was CDs. Now it’s online and can be looked up at any time.”
For propaganda-makers, videos of attacks can be filmed and uploaded in the blink of an eye.
“You can film attacks, claim responsibility, use (a phone) to take photos and film reconnaissance operations,” the ex-official said.
- Flip side of the phone -
But the smartphone can be an extremist’s downfall as well as their best asset.
Intelligence agencies have grown better at using phones to identify suspects, spy on them — and, in case of capture, lift data for use as evidence in court.
That in turn has raised difficult questions for tech giants who promise their users privacy.
The French military intervention in Mali, launched in 2013 after jihadists took over the northern half the country, started with air strikes whose targets were chosen based on phone data, the former French official said.
“Today all air strikes focus on telephones,” he added.
“Even if you keep changing the SIM card the phone has its own identity and once detected can continue being tracked.”
And when it comes to police investigations, smartphones sometimes provide more information than their owners.
Amazon announced this week that a new feature designed to prevent data leaks has been added to Amazon Web Services (AWS).
Improperly configured Simple Storage Service (S3) buckets can expose an organization’s sensitive files, as demonstrated by several incidents involving companies such as Viacom, Verizon, Accenture, Booz Allen Hamilton, and Dow Jones.
As a result of numerous incidents, AWS last year introduced a new feature that alerts users of publicly accessible buckets, but researchers have still found data leaks resulting from misconfigured buckets.
Amazon S3 Block Public Access aims to address this by providing settings for blocking existing public access and ensuring that public access is not granted to new items.
“If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure. Our goal is to make clear that public access is to be used for web hosting!” said Jeff Barr, Chief Evangelist for AWS.
The new settings can be accessed from the S3 console, the command-line interface (CLI) or the S3 APIs, and they allow users to manage public ACLs and public bucket policies.
Europol on Friday announced that it has signed a cybersecurity-focused memorandum of understanding (MoU) with Diebold Nixdorf, one of the world’s largest providers of ATM and point-of-sale (PoS) services.
According to Europol, the goal is to create a safer cyberspace for individuals, businesses and governments through the sharing of knowledge on cyber threats and attacks, and by exchanging expertise, best practices and technical information.
Steven Wilson, head of Europol’s European Cybercrime Centre (EC3), believes the partnership with US-based Diebold Nixdorf will improve the law enforcement agency’s capabilities and effectiveness in preventing, disrupting and prosecuting cybercrime targeted at the self-service industry.
Google is analyzing all the apps that it can find across the Internet in an effort to keep Android users protected from Potentially Harmful Applications (PHAs).
One week after launching the Android Ecosystem Security Transparency Report, Google decided to explain how it leverages machine learning techniques for detecting PHAs.
Google Play Protect (GPP), the security services that help keep devices with Google Play clean, analyzes more than half a million apps each day, and looks everywhere it can for those apps, the Internet search giant said.
Keeping Your Organization Safe From Mobile Threats During the Holidays
Digital transformation has pushed BYOD from being a privilege extended to employees, to becoming a critical component of today’s business infrastructure strategy. According to one report (PDF), 87% of companies now actually rely on their employees using personal devices to access business apps.
However, during the third quarter of 2018, over a quarter of organizations also experienced some sort of malware attack originating from those mobile devices, with Android operating systems being the primary attack vector. In fact, Android-based threats now comprise 14% of all cyberthreats that organizations have to contend with. This shouldn’t come as too much of a surprise, since over 80% of smartphones, tablets, and other mobile devices now run some version of Android OS.
As of Friday 2018-11-16, email attachments with (and URL downloads for) Emotet docs are now XML-based.
These new Emotet docs don’t match Microsoft’s XML-based DOCX format for Word docs.
These new Emotet docs are tagged xml in VirusTotal.
Using the “file” command in Linux shows them as: XML 1.0 document text, UTF-8 Unicode text, with very long lines, with CRLF line terminators
These new Emotet XML docs still use a .doc extension, they open in Microsoft Word, and they look and act the same as before.
Shaun Nichols / The Register:
Microsoft says Azure users globally were unable to log in using MFA on Monday due to the weight of login requests, is still working on fix for Office 365 logins
Researchers Analyzed How the Iran-linked “OilRig” Hacking Group Tests Malicious Documents Before Use in Attacks
Palo Alto Networks security researchers analyzed the testing process the Iran-linked cyber-espionage group OilRig has engaged in while preparing August 2018 attacks on a Middle-Eastern government.
The attacks targeted individuals of interest with malicious documents designed to deliver BONDUPDATER, a downloader that features DGA (domain generation algorithm) functionality. The attacks were carried out on August 26 and the threat actor created numerous delivery documents the week before, to test anti-virus detection rates.
Also tracked as APT34 and believed to have ties to the Iran government, OilRig has been active since at least 2014, mainly targeting financial, government, energy, telecoms and chemical organizations in the Middle East.
White hat hackers earned more than $1 million for exploits disclosed at the Tianfu Cup PWN hacking competition that took place on November 16-17 in Chengdu, the capital of China’s Sichuan province.
Instagram informed some users last week that their passwords may have been exposed as a result of using the “Download Your Data” tool.
The “Download Your Data” tool, which Instagram announced in April, allows users to export their profile information, photos, videos, comments and other data associated with their account. The tool prompts users to enter an email address to which a download link will be sent and their Instagram password.
The social networking service said it recently discovered that when customers used the download tool, their password may have been displayed in the URL in their web browser after the data was downloaded.
Microsoft has unveiled several enhancements to its Windows Defender Advanced Threat Protection (ATP) product to improve its protection capabilities.
The improvements target various aspects of the endpoint protection platform, such as attack surface reduction, post-breach detection and response, automation capabilities, security insights, and threat hunting, Moti Gindi, General Manager, Windows Cyber Defense, explains.
Vulnerabilities recently addressed by WiFi device maker TP-Link in its TL-R600VPN small and home office (SOHO) router could allow remote code execution, Cisco Talos security researchers warn.
The issues were mainly caused by lack of input sanitization and parsing errors. Lack of proper input sanitization can be exploited without authentication to cause denial of service and leak server information.
Parsing errors require an authenticated session for exploitation, but can lead to remote code execution under the context of HTTPD. While the attacker needs to be authenticated to exploit the flaw, because the HTTPD process runs as root, the code would be executed with elevated privileges.
China has sharply escalated cyberattacks on Australian companies this year in a “constant, significant effort” to steal intellectual property, according to a report published Tuesday.
The investigation by Fairfax Media and commercial broadcaster Channel Nine comes just days after US Vice President Mike Pence accused Beijing at the APEC summit of widespread “intellectual property theft”.
People who have synced their mobile phones with a wide variety of vehicle infotainment systems may have have their personal information exposed to a new type of vehicle hack, security researchers say.
A researcher from Privacy4Cars, which offers a mobile app that can erase Personally Identifiable Information (PII) from modern vehicles, have discovered that vehicles from several car makers can expose user data via the Bluetooth protocol.
Dubbed CarsBlues, the new vehicle hack targets the infotainment systems in modern vehicles and allows an attacker to access user information within minutes, using only inexpensive and readily available hardware and software. No significant technical knowledge is required either, the company claims.
Tens of millions of vehicles already in circulation worldwide are believed to be impacted, and the number continues to rise into the millions as more vehicles are evaluated. Exposed information includes contacts, call logs, text logs, and even text messages in the full, in some cases.
A recent article in the Atlantic asks why we haven’t seen a”cyber 9/11″ in the past fifteen or so years.
he author’s answer:
Three main barriers are likely preventing this. For one, cyberattacks can lack the kind of drama and immediate physical carnage that terrorists seek. Identifying the specific perpetrator of a cyberattack can also be difficult, meaning terrorists might have trouble reaping the propaganda benefits of clear attribution. Finally, and most simply, it’s possible that they just can’t pull it off.
Commenting on the article, Rob Graham adds:
I think there are lots of warning from so-called “experts” who aren’t qualified to make such warnings, that the press errs on the side of giving such warnings credibility instead of challenging them.
These are all good reasons, but I think both authors missed the most important one: there simply aren’t a lot of terrorists out there. Let’s ask the question more generally: why hasn’t there been another 9/11 since 2001?
Our fear of terrorism is far greater than the actual risk.
This isn’t to say that cyberterrorism can never happen. Of course it will, sooner or later. But I don’t foresee it becoming a preferred terrorism method anytime soon.
Why would hackers attack a water utility company serving an area affected by the hurricanes?
A water utility organization based in Jacksonville, NC recently became a victim of a cybercrime. Last month hackers managed to infect multiple Onslow Water and Sewer Authority (ONWASA) computers with ransomware that spread across the organization encrypting various databases and files.
Attacking water supply company while it is battling the consequences of deadly hurricanes is not the worse hackers can do, they are not afraid to go even lower and often target healthcare institutions. They tend to request ransom from hospitals and are fully aware that the chaos they cause will endanger the lives of hundreds and sometimes even thousands of patients.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
558 Comments
Tomi Engdahl says:
Day in the life of a researcher: Finding a wave of Trickbot malspam
https://isc.sans.edu/diary/rss/24306
Tomi Engdahl says:
A new exploit for zero-day vulnerability CVE-2018-8589
https://securelist.com/a-new-exploit-for-zero-day-vulnerability-cve-2018-8589/88845/
Yesterday, Microsoft published its security bulletin, which patches a vulnerability discovered by our technologies. We reported it to Microsoft on October 17, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8589.
CVE-2018-8589 is a race condition present in win32k!xxxMoveWindow due to improper locking of messages sent synchronously between threads.
Kaspersky Lab products detected this exploit proactively using the following technologies:
Behavioral Detection Engine and Automatic Exploit Prevention for endpoints
Advanced Sandboxing and Anti-Malware Engine for Kaspersky Anti Targeted Attack Platform (KATA)
Tomi Engdahl says:
Ransomware attacks see huge rise compared to 2017
https://www.itproportal.com/news/ransomware-attacks-see-huge-rise-compared-to-2017/
All malware is on the rise, but ransomware sees the biggest growth, report claims.
Tomi Engdahl says:
Patch Your Microsoft Outlook: Fortinet Discovered Four Outlook Remote Code Execution Vulnerabilities
https://www.fortinet.com/blog/threat-research/patch-your-microsoft-outlook–fortinet-discovered-four-outlook-r.html
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8722-rfid-tunniste-on-helppo-hakkeroida
Varastomuodossa RFID-tunnisteet tuottavat vain identifioinnin ja paikannuksen. Kuvaamillaan helpoilla muutoksilla tutkimusryhmä antoi hakkeroidulle tagille myös kyvyn seurata ympäristöään.
- Näemme tämän hyvänä esimerkkinä kattavasta ohjelmisto-laitteistojärjestelmästä IoT-laitteille. Me hakkeroimme yksinkertaisia laitteita – leikkaamme RFID-tunnisteita ja asetimme niihin anturin. Sitten suunnittelimme uusia algoritmeja ja yhdistimme ohjelmiston ja laitteiston uusien sovellusten ja ominaisuuksien käyttöön, kuvailee Omid Abari.
- Tärkein panos on osoittaa, kuinka helppoa on hakkeroida RFID-tunniste, jolla luodaan IoT-laite. Se on niin helppoa, että aloittelija voisi tehdä sen.
Tomi Engdahl says:
Most ATMs can be hacked in under 20 minutes
Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking.
https://www.zdnet.com/article/most-atms-can-be-hacked-in-under-20-minutes/
An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 20 minutes, and even less, in certain types of attacks.
Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week.
The attacks they tried are the typical types of exploits and tricks used by cyber-criminals seeking to obtain money from the ATM safe or to copy the details of users’ bank cards (also known as skimming).
Experts said that 85 percent of the ATMs they tested allowed an attacker access to the network. The research team did this by either unplugging and tapping into Ethernet cables, or by spoofing wireless connections or devices to which the ATM usually connected to.
Researchers said that 27 percent of the tested ATMs were vulnerable to having their processing center communications spoofed, while 58 percent of tested ATMs had vulnerabilities in their network components or services that could be exploited to control the ATM remotely.
https://www.ptsecurity.com/upload/corporate/ww-en/analytics/ATM-Vulnerabilities-2018-eng.pdf
Tomi Engdahl says:
Department of Health wants to up security posture to Commonwealth standard
https://www.zdnet.com/article/department-of-health-wants-to-up-security-posture-to-commonwealth-standard/
The Australian government department wants a solution to support its move towards compliance with the Essential Eight Security Controls.
The Department of Health is seeking help with Australian government security compliance, publishing a request for tender (RFT) for a privileged access management (PAM) solution.
The solution, the department said, is required to support Health’s “move towards compliance with the Essential Eight Security Controls”.
“Ultimately, the solution will increase the risk posture for the department and safe guarding its people and information from potential threats related to privileged accounts,” the RFT explains.
The Department of Health has approximately 6,500 standard user accounts, 150 of which are classed as privileged. Its environment consists of: A total of 1,700 servers comprised of 900 Windows, 500 RHEL, and 100 Unix installations; 500 network devices including routers, switches, firewalls, load balancers, WAP, and WAN accelerators; 20 domains; and a combination of Microsoft Azure/Office 365 and Amazon Web Services (AWS) cloud-based environments.
The solution tendered for must be able to manage accounts across Google cloud and IBM Blue Mix, in addition to Azure and AWS.
Tomi Engdahl says:
Website geoblocking is not that widespread, study finds
https://www.zdnet.com/article/website-geoblocking-is-not-that-widespread-study-finds/
Iran, Sudan, Syria, and Cuba are the most geoblocked countries.
Geoblocking, the practice of websites blocking users from certain countries from accessing their content, is not as widespread as most people believe, a recently published study has revealed.
Scans of the Alexa Top 10,000 and Top 1 Million sites have unveiled low percentages of websites engaging in geoblocking.
More precisely, researchers found that only 596 websites from the Alexa Top 10,000 list of sites engaged in geoblocking (also known as geofencing), and only 1,595 sites did so from the Alexa Top 1 Million.
Tomi Engdahl says:
Russians impersonating U.S. State Department aide in hacking campaign: researchers
https://www.reuters.com/article/us-usa-cyber-russia/russians-impersonating-u-s-state-department-aide-in-hacking-campaign-researchers-idUSKCN1NL2BG
Hackers linked to the Russian government are impersonating U.S. State Department employees in an operation aimed at infecting computers of U.S. government agencies, think tanks and businesses, two cybersecurity firms told Reuters.
Tomi Engdahl says:
Cloud, China, Generic Malware Top Security Concerns for 2019
FireEye researchers unveil an extensive list of security risks waiting in the new year’s wings.
https://www.darkreading.com/risk/cloud-china-generic-malware-top-security-concerns-for-2019/d/d-id/1333283
There may still be nearly seven weeks left in 2018, but security leaders are already looking ahead to the new year. Enterprise concerns, from cloud attacks to nation-states, are already piling high.
This year, on track to be the worst-ever for data breaches, has already proved exhaustive for the infosec community. From Jan. 1 to Sept. 30, a total of 3,676 breaches were reported, involving over 3.6 billion records – the second-most number of reported breaches in a year.
Tomi Engdahl says:
Tracking and snooping on a million kids
https://www.pentestpartners.com/security-blog/tracking-and-snooping-on-a-million-kids/
How I found vulnerabilities that could jeopardise child safety.
A friend recently showed me a tracker watch that he’d purchased for his young son for less than £10. It offered useful functionality such as two-way calling using a SIM and cellular connection. The accompanying app allowed him to track the location of his son. He was interested in the security of the device, so I had a look. It was bad… really bad.
It was a Misafes ‘Kids Watcher’
Using IDOR attacks, I could:
retrieve real time GPS coordinates of the kids watches
call the child on their watch
create a covert one-way audio call, spying on the child
send audio messages to the child on the watch, bypassing the approved caller list
retrieve a photo of the child, plus their name, date of birth, gender, weight & height
With a couple of watches paired to different testing phones, I had a play with various authorisation and Insecure Direct Object Reference, IDOR, attacks.
The watch updates the GPS coordinates to the API every five minutes, so it’s nearly real-time location data. With that information, it would be easy to iterate through the family_ids and recover the location and device_id’s of all children. The ID’s appeared to be sequential, and we estimate there are around 12,000.
I decided to write a proof-of-concept application in C#, that allowed our watches to be tracked in real time.
The API also kept track of previous locations, so it would be possible to click on a marker and show the routes that child took on a daily basis and it would then be possible to anticipate where they were going to be.
Calling kids through the watches
The watch did have some protection against arbitrary people calling the child. It implemented a whitelist of authorised phone numbers that the watch would both call and receive. The problem with that is that Caller IDs can be spoofed. So as a proof-of-concept, I used crazycall.net to spoof the Caller ID to a test watch.
Using the data from the API, an attacker could get both the child’s and a parent’s phone number, and spoof a call to the watch.
The app also allowed the watch to be turned into a remote listening device
Tracking millions of kids?
My colleague Vangelis looked at the APIs for numerous smart watches and other GPS tracking devices as part of his ‘trackmageddon’ project.
we believe that in excess of a million smart kids tracking watches with similar vulnerabilities are being used, possibly in excess of 3 million globally.
Disclosure
We tried multiple ways to contact Misafes, but got nothing back. The BBC also made extensive enquiries on our behalf but also drew a blank. That echoes the experience of SEC Consult who found unrelated issues in a Misafes camera.
We understand the eBay has just pulled the product and it also appears that its no longer available on Amazon.
Conclusion
My friend paid £9 for the watch, and I paid around £35 each for an extra two. When margins are that thin, it becomes less likely that manufacturers spend money on security testing. This could compromise the security of a child.
https://www.sec-consult.com/en/blog/advisories/hijacking-of-arbitrary-misafes-mi-cam-video-baby-monitors/
Tomi Engdahl says:
How to Stay One Step Ahead of Phishing Websites — Literally
https://securityintelligence.com/how-to-stay-one-step-ahead-of-phishing-websites-literally/
Phishing scams are more advanced and widespread than ever, and threat actors are becoming increasingly sophisticated in their ability to craft malicious websites that look legitimate to unsuspecting users — including your employees, who have the kind of restricted access to enterprise data that cybercriminals covet most.
Tomi Engdahl says:
Exploring Emotet: Examining Emotet’s Activities, Infrastructure
https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/
Tomi Engdahl says:
AI Poised to Drive New Wave of Exploits
Criminals are ready to use AI to dramatically speed the process of finding zero-day vulnerabilities in systems.
https://www.darkreading.com/application-security/ai-poised-to-drive-new-wave-of-exploits/d/d-id/1333289
Tomi Engdahl says:
Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery
https://researchcenter.paloaltonetworks.com/2018/11/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/
Tomi Engdahl says:
A leaky database of SMS messages is a reminder that SMS is really, really insecure
https://boingboing.net/2018/11/16/thanks-voxox.html
A leaky database of SMS text messages exposed password resets and two-factor codes
https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/
Tomi Engdahl says:
Major SMS leak exposed millions of messages
Two-factor authentication codes were also exposed in Voxox leak.
https://www.itproportal.com/news/major-sms-leak-exposed-millions-of-messages/
A huge database with user names, smartphone numbers, SMS messages and even two-factor authentication codes has been exposed, putting personal details at risk.
Sébastien Kaul, a Berlin-based security researcher, used Shodan, a search engine for publicly available devices and databases to uncover the server, and the database, which belongs to Voxox, a San Diego based communications company.
Voxox is the gateway between companies that send out messages that verify phone numbers or send two-factor authentication codes, and the end recipients.
As a gateway, they’re the ones that convert information sent out by companies into actual text and numbers.
Human error top cause of self-reported data breaches
https://www.itproportal.com/news/human-error-top-cause-of-self-reported-data-breaches/
Negligence and mistakes responsible for most of last year’s self-reported data breaches
Tomi Engdahl says:
Fake fingerprints can imitate real ones in biometric systems – research
DeepMasterPrints created by a machine learning technique have error rate of only one in five
https://www.theguardian.com/technology/2018/nov/15/fake-fingerprints-can-imitate-real-fingerprints-in-biometric-systems-research
2018 IEEE
DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent
Variable Evolution
https://arxiv.org/pdf/1705.07386.pdf
Tomi Engdahl says:
Google accused of ‘trust demolition’ over health app
https://www.bbc.com/news/technology-46206677
A controversial health app developed by artificial intelligence firm DeepMind will be taken over by Google, it has been revealed.
Streams was first used to send alerts in a London hospital but hit headlines for gathering data on 1.6 million patients without informing them.
DeepMind now wants the app to become an AI assistant for nurses and doctors around the world.
One expert described the move as “trust demolition”.
Google ‘betrays patient trust’ with DeepMind Health move
https://www.theguardian.com/technology/2018/nov/14/google-betrays-patient-trust-deepmind-healthcare-move
Moving healthcare subsidiary into main company breaks pledge that ‘data will not be connected to Google accounts’
Google has been accused of breaking promises to patients, after the company announced it would be moving a healthcare-focused subsidiary, DeepMind Health, into the main arm of the organisation.
The restructure, critics argue, breaks a pledge DeepMind made when it started working with the NHS that “data will never be connected to Google accounts or services”. The change has also resulted in the dismantling of an independent review board, created to oversee the company’s work with the healthcare sector, with Google arguing that the board was too focused on Britain to provide effective oversight for a newly global body.
Google says the restructure is necessary to allow DeepMind’s flagship health app, Streams, to scale up globally. The app, which was created to help doctors and nurses monitor patients for AKI, a severe form of kidney injury, has since grown to offer a full digital dashboard for patient records.
Tomi Engdahl says:
How a Nigerian ISP Accidentally Knocked Google Offline
15 Nov 2018 by Tom Paseka.
https://blog.cloudflare.com/how-a-nigerian-isp-knocked-google-offline/
12 November 2018 — Google and a number of other services experienced a 74 minute outage. It’s not the first time this has happened; and while there might be a temptation to assume that bad actors are at work, incidents like this only serve to demonstrate just how much frailty is involved in how packets get from one point on the Internet to another.
Our logs show that at 21:12 UTC on Monday, a Nigerian ISP, MainOne, accidentally misconfigured part of their network causing a “route leak”. This resulted in Google and a number of other networks being routed over unusual network paths. Incidents like this actually happen quite frequently, but in this case, the traffic flows generated by Google users were so great that they overwhelmed the intermediary networks — resulting in numerous services (but predominantly Google) unreachable.
You might be surprised to learn that an error by an ISP somewhere in the world could result in Google and other services going offline. This blog post explains how that can happen and what the Internet community is doing to try to fix this fragility.
But… Why Did This Impact So Many People?
The root cause of this was MainOne misconfiguring their routing. As mentioned earlier, incidents like this actually happen quite frequently. The impact of this misconfiguration should have been limited to MainOne and its customers.
However, what took this from relatively isolated and turned it into a much broader one is because CN2 — China Telecom’s premium cross-border carrier — was not filtering the routing that MainOne provided to them. In other words, MainOne told CN2 that it had authority to route Google’s IP addresses. Most networks verify this, and if it is incorrect, filter it out. CN2 did not — it simply trusted MainOne. As a result of this, MainOne’s misconfiguration propagated to a substantially larger network.
Compounding this, it is likely that the Russian network TransTelecom behaved similarly towards CN2 as CN2 had behaved towards MainOne — they trusted without any verification of the routing paths that CN2 gave to them.
Tomi Engdahl says:
Inside Magecart: RiskIQ and Flashpoint Release Comprehensive Report on the Assault on E-Commerce
https://www.riskiq.com/blog/external-threat-management/inside-magecart/
The name Magecart has become ubiquitous as recent high-profile compromises have brought the threat of online card skimming to the forefront of security conversations and news publications.
Magecart, an umbrella term given to at least seven cybercrime groups, are placing digital credit card skimmers on compromised e-commerce sites at an unprecedented rate and with frightening success. Responsible for victimizing scores of e-commerce sites including global brands Ticketmaster, British Airways, and Newegg, Magecart and its operatives intercepted thousands of consumer credit card records and are claiming more victims every day.
Tomi Engdahl says:
Popular Dark Web hosting provider got hacked, 6,500 sites down
Hosting provider is still looking for the hacker’s point of entry.
https://www.zdnet.com/article/popular-dark-web-hosting-provider-got-hacked-6500-sites-down/
Daniel’s Hosting, one of the largest providers of Dark Web hosting services, was hacked this week and taken offline, ZDNet has learned from one of our readers.
The hack took place on Thursday, November 15, according to Daniel Winzen, the software developer behind the hosting service.
“As per my analysis it seems someone got access to the database and deleted all accounts,” he said in a message posted on the DH portal today.
Winzen said the server’s root account was also deleted, and that all 6,500+ Dark Web services hosted on the platform are now gone.
“Unfortunately, all data is lost and per design, there are no backups,” Winzen told ZDNet in an email today. “I will bring my hosting back up once the vulnerability has been identified and fixed.”
Currently, he identified one flaw, a PHP zero-day vulnerability. Details about this unpatched vulnerability were known for about a month in Russian PHP programming circles, but the flaw gained a lot of attention among the wider programming and infosec communities, on November 14, a day before the hack.
[0day] Bypassing disabled exec functions in PHP via imap_open
https://www.reddit.com/r/netsec/comments/9wzwgw/0day_bypassing_disabled_exec_functions_in_php_via/
Tomi Engdahl says:
This is a setup for a TOR based shared hosting server
https://github.com/DanWin/hosting
This is a setup for a TOR based shared hosting server. It is provided as is and before putting it into production you should make changes according to your needs. This is a work in progress and you should carefully check the commit history for changes before updating.
The configuration was tested with a standard Debian sid and Ubuntu 16.04 LTS installation. It’s recommended you install Debian sid on your server, but with a little tweaking you may also get this working on other distributions and/or versions.
Tomi Engdahl says:
MIT to Oz: Crypto-busting laws risk banning security tests
I see the red team and I want it painted black
https://www.theregister.co.uk/2018/11/16/oz_cryptobusting_laws/
Australia’s government’s crypto-busting legislation risks blocking security research, a leading Internet policy boffin has warned.
Speaking to a parliamentary hearing into the “Assistance and Access” legislation this morning, a director of the Massachusetts Internet Policy Research Initiative, Daniel Weitzner, said the problem arose out of secrecy provisions of the proposed legislation.
Tomi Engdahl says:
Microsoft menaced with GDPR mega-fines in Europe for ‘large scale and covert’ gathering of people’s info via Office
Telemetry data slurp broke the law, Dutch govt eggheads say
https://www.theregister.co.uk/2018/11/16/microsoft_gdpr/
Microsoft broke Euro privacy rules by carrying out the “large scale and covert” gathering of private data through its Office apps.
Those actions break Europe’s new GDPR privacy safeguards, it is claimed, and may put Microsoft on the hook for potentially tens of millions of dollars in fines.
https://regmedia.co.uk/2018/11/16/microsoft-office-gdpr-fail.pdf
Tomi Engdahl says:
John McAfee is ‘liable’ for 2012 death of Belize neighbour, rules court
Default judgement for one-time antivirus bad boy
https://www.theregister.co.uk/2018/11/15/john_mcafee_liable_death_neighbour_belize/
Infosec personality John McAfee has been found legally “liable” via a default judgment for the death of his neighbour, who was found dead from a gunshot wound to the head in his Belize home in 2012.
Though local police wanted to question McAfee as a potential witness, the millionaire, who is the founder of the antivirus software firm that still bears his name, had travelled abroad. And despite the criminal investigation stalling, a civil case was later brought against McAfee by Faull’s relatives.
When local cops searched McAfee’s home, wanting to question the one-time software developer over his neighbour’s demise, Mac was nowhere to be found.
Tomi Engdahl says:
https://www.wired.com/story/your-drone-can-give-cops-a-surprising-amount-of-your-data/
Tomi Engdahl says:
https://www.wired.com/story/mcsweeneys-excerpt-the-right-to-experiment/
Tomi Engdahl says:
Lock-Screen Bypass Bug Quietly Patched in Handsets
https://threatpost.com/lock-screen-bypass-bug-quietly-patched-in-handsets/139141/
The flaw allows hackers to bypass handset lock screens in seconds.
A design flaw affecting all in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication.
In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent’s Xuanwu Lab which is credited for first identifying the flaw earlier this year.
“During our research on this, we found all the in-display fingerprint sensor module suffer the same problem no matter where it was manufactured by whatever vendors,” said Yang Yu, a researcher at Xuanwu Lab. “This vulnerability is a design fault of in-display fingerprint sensors.”
Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors, said Yu.
That includes current models of Huawei Technologies’ Porsche Design Mate RS and Mate 20 Pro model phones.
Tomi Engdahl says:
YOU KNOW WHAT? GO AHEAD AND USE THE HOTEL WI-FI
https://www.wired.com/story/hotel-airport-wifi-safe/
AS YOU TRAVEL this holiday season, bouncing from airport to airplane to hotel, you’ll likely find yourself facing a familiar quandary: Do I really trust this random public Wi-Fi network? As recently as a couple of years ago, the answer was almost certainly a resounding no. But in the year of our lord 2018? Friend, go for it.
This advice comes with plenty of qualifiers.
if you’re a high-value target of a sophisticated nation state—look at you!—stay off of public Wi-Fi at all costs.
But for the rest of us? You’re probably OK. That’s not because hotel and airport Wi-Fi networks have necessarily gotten that much more secure. The web itself has.
“A lot of the former risks, the reasons we used to warn people, those things are gone now,” says Chet Wisniewski, principle researcher at security firm Sophos. “It used to be because almost nothing on the internet was encrypted. You could sit there and sniff everything. Or someone could set up a rogue access point and pretend to be Hilton, and then you would connect to them instead of the hotel.”
In those Wild West days, in other words, signing onto a shared Wi-Fi network exposed you to myriad attacks
A cheap, easy to use device called a Wi-Fi Pineapple makes those attacks simple to pull off.
All of that’s still technically possible. But a critical internet evolution has made those efforts much less effective: the advent of HTTPS.
HTTPS All Over
Look at the URL bar in your browser. Do you see that little lock symbol on the left? That means that traffic on this site is encrypted in transit from WIRED’s servers to your browser and back.
“If you’re in the US, the web is pretty well encrypted. It’s unusual to go to a website that matters and it’s not HTTPS,”
How a Wi-Fi Pineapple Can Steal Your Data (And How to Protect Yourself From It)
https://motherboard.vice.com/en_us/article/pa39xv/pineapple-wifi-how-to-mitm-hack
The Wi-Fi Pineapple enables anyone to steal data on public Wi-Fi networks. Here’s how it facilitates two sophisticated network attacks and how to protect yourself against them.
Tomi Engdahl says:
How Hackers Are Stealing High-Profile Instagram Accounts
https://www.theatlantic.com/technology/archive/2018/11/hackers-are-stealing-influencer-instagram-accounts-promising-lucrative-brand-deals/575662/
In the Wild West of “influencer” marketing, there are few protections and plenty of easy marks.
In early October, a publicist received an irresistible message via email.
the influencer would simply need to log into a third-party Instagram analytics tool, Iconosquare—a common request; many brands use tools such as Iconosquare to track the success of their influencer campaigns.
But the link Brooks sent wasn’t to Iconosquare.com—it was to lconosquare.biz, a cloned version of the site set up for phishing. Once the influencer logged in with the Instagram username and password, Brooks seized control of the account. Within minutes, he was spamming the influencer’s millions of followers with offers for a free iPhone.
Brooks has targeted several YouTubers, Instagram stars, and meme pages and used the stolen pages to promote scammy-looking apps and fake offers for free products.
According to its website, SCL Media is “a tech-media company building content brands for multicultural and niche audiences.”
Eric Toda, head of marketing at Hill City, a GAP brand, said that the influencer industry right now is like the Wild West. “You see a lot of people selling snake oil,” he said, “because the market is so saturated.”
Influencers as young as 13 are entering into brand deals with zero experience in negotiating high-value business partnerships. It’s all too easy for a scammer to entice them with the promise of a big paycheck, then hack their accounts or escape without paying. “It’s an underground world and what a lot of people are doing is representing themselves as Insta experts when they’re hackers and scammers,” explained Lisa Navarro, founder of Espire, a digital marketing agency that works with influencers. “They’re stealing accounts from children.”
Once hackers gain control of an influencer’s account, said Moritz von Contzen, founder of the Dutch social-media agency Avenik, they’ll often hop into the account’s direct messages and begin spamming other influencers with the same phishing links before the hacked influencer even knows what’s happening.
Tomi Engdahl says:
Data Driven: Explore How Cops Are Collecting and Sharing Our Travel Patterns Using Automated License Plate Readers
https://www.eff.org/pages/automated-license-plate-reader-dataset
EFF and MuckRock have filed hundreds of public records requests with law enforcement agencies around the country to reveal how data collected from automated license plate readers (ALPR) is used to track the travel patterns of drivers. We focused exclusively on departments that contract with surveillance vendor Vigilant Solutions to share data between their ALPR systems.
On average, agencies are sharing data with a minimum of 160 other agencies through Vigilant Solutions’ LEARN system, though many agencies are sharing data with over 800 separate entities.
Today, police can access vast databases to search our travel patterns with just a few keyboard strokes.
The reason: automated license plate readers (ALPR).
At its core, ALPR is a simple technology. These systems are a combination of high-speed cameras and optical character recognition technology that can identify license plates and turn them into machine-readable text. What makes ALPR so powerful is that drivers are required by law to install license plates on their vehicles. In essence, our license plates have become tracking beacons.
ALPR systems can be affixed to stationary locations, such as highway overpasses and street lights, to capture the license plate of every vehicle that passes. The cameras can also be mounted on police cars (or other vehicles, such as tow trucks) to passively collect license plate scans during routine patrols or to surveil specific communities by driving systematically through targeted neighborhoods.
After the plate data is collected, the ALPR systems upload the information to a central a database along with the time, date, and GPS coordinates. Cops can search these databases to see where drivers have traveled or to identify vehicles that visited certain locations. Police can also add license plates under suspicion to “hot lists,” allowing for real-time alerts when a vehicle is spotted by an ALPR network.
It is crucial to remember that ALPR is a mass surveillance technology that spies on every driver on the road, and logs their location, regardless of whether they are suspected of being involved in a crime.
Tomi Engdahl says:
Smartphones: A Double-edged Sword for Terrorists
https://www.securityweek.com/smartphones-double-edged-sword-terrorists
Bombs and guns aside, a smartphone can be a powerful weapon in the hands of a terrorist — but it can also provide intelligence services with the tools to track them down.
For new recruits in developing countries, where smartphones are more common than computers, there are different strategies still.
“Phones are no longer phones — they’re computers,” said Laurent Heslault, director of security strategies at Symantec, a security group.
“They are far more powerful than what we had on our desks 10 years ago,” he added.
“They have more computing power, more memory and connection capabilities. They are very powerful tools when it comes to communicating.”
That has also made it much easier for jihadist groups to recruit new members.
Smartphones “enable people to reach out for propaganda” with the swipe of a screen, said the retired official.
“Thirty years ago, guys used to exchange video cassettes, then it was CDs. Now it’s online and can be looked up at any time.”
For propaganda-makers, videos of attacks can be filmed and uploaded in the blink of an eye.
“You can film attacks, claim responsibility, use (a phone) to take photos and film reconnaissance operations,” the ex-official said.
- Flip side of the phone -
But the smartphone can be an extremist’s downfall as well as their best asset.
Intelligence agencies have grown better at using phones to identify suspects, spy on them — and, in case of capture, lift data for use as evidence in court.
That in turn has raised difficult questions for tech giants who promise their users privacy.
The French military intervention in Mali, launched in 2013 after jihadists took over the northern half the country, started with air strikes whose targets were chosen based on phone data, the former French official said.
“Today all air strikes focus on telephones,” he added.
“Even if you keep changing the SIM card the phone has its own identity and once detected can continue being tracked.”
And when it comes to police investigations, smartphones sometimes provide more information than their owners.
Tomi Engdahl says:
AWS Adds New Feature for Preventing Data Leaks
https://www.securityweek.com/aws-adds-new-feature-preventing-data-leaks
Amazon announced this week that a new feature designed to prevent data leaks has been added to Amazon Web Services (AWS).
Improperly configured Simple Storage Service (S3) buckets can expose an organization’s sensitive files, as demonstrated by several incidents involving companies such as Viacom, Verizon, Accenture, Booz Allen Hamilton, and Dow Jones.
As a result of numerous incidents, AWS last year introduced a new feature that alerts users of publicly accessible buckets, but researchers have still found data leaks resulting from misconfigured buckets.
Amazon S3 Block Public Access aims to address this by providing settings for blocking existing public access and ensuring that public access is not granted to new items.
“If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure. Our goal is to make clear that public access is to be used for web hosting!” said Jeff Barr, Chief Evangelist for AWS.
The new settings can be accessed from the S3 console, the command-line interface (CLI) or the S3 APIs, and they allow users to manage public ACLs and public bucket policies.
https://aws.amazon.com/blogs/aws/amazon-s3-block-public-access-another-layer-of-protection-for-your-accounts-and-buckets/
Tomi Engdahl says:
Europol, Diebold Nixdorf to Share Information on Cyber Threats
https://www.securityweek.com/europol-diebold-nixdorf-share-information-cyber-threats
Europol on Friday announced that it has signed a cybersecurity-focused memorandum of understanding (MoU) with Diebold Nixdorf, one of the world’s largest providers of ATM and point-of-sale (PoS) services.
According to Europol, the goal is to create a safer cyberspace for individuals, businesses and governments through the sharing of knowledge on cyber threats and attacks, and by exchanging expertise, best practices and technical information.
Steven Wilson, head of Europol’s European Cybercrime Centre (EC3), believes the partnership with US-based Diebold Nixdorf will improve the law enforcement agency’s capabilities and effectiveness in preventing, disrupting and prosecuting cybercrime targeted at the self-service industry.
Tomi Engdahl says:
Google Scours the Internet for Dirty Android Apps
https://www.securityweek.com/google-scours-internet-dirty-android-apps
Google is analyzing all the apps that it can find across the Internet in an effort to keep Android users protected from Potentially Harmful Applications (PHAs).
One week after launching the Android Ecosystem Security Transparency Report, Google decided to explain how it leverages machine learning techniques for detecting PHAs.
Google Play Protect (GPP), the security services that help keep devices with Google Play clean, analyzes more than half a million apps each day, and looks everywhere it can for those apps, the Internet search giant said.
Tomi Engdahl says:
‘Tis the Season for Mobile Threats
https://www.securityweek.com/tis-season-mobile-threats
Keeping Your Organization Safe From Mobile Threats During the Holidays
Digital transformation has pushed BYOD from being a privilege extended to employees, to becoming a critical component of today’s business infrastructure strategy. According to one report (PDF), 87% of companies now actually rely on their employees using personal devices to access business apps.
However, during the third quarter of 2018, over a quarter of organizations also experienced some sort of malware attack originating from those mobile devices, with Android operating systems being the primary attack vector. In fact, Android-based threats now comprise 14% of all cyberthreats that organizations have to contend with. This shouldn’t come as too much of a surprise, since over 80% of smartphones, tablets, and other mobile devices now run some version of Android OS.
Tomi Engdahl says:
2018-11-16 – EMOTET NOW USING XML FILES AS WORD DOCS
https://www.malware-traffic-analysis.net/2018/11/16/index.html
NOTES:
As of Friday 2018-11-16, email attachments with (and URL downloads for) Emotet docs are now XML-based.
These new Emotet docs don’t match Microsoft’s XML-based DOCX format for Word docs.
These new Emotet docs are tagged xml in VirusTotal.
Using the “file” command in Linux shows them as: XML 1.0 document text, UTF-8 Unicode text, with very long lines, with CRLF line terminators
These new Emotet XML docs still use a .doc extension, they open in Microsoft Word, and they look and act the same as before.
Tomi Engdahl says:
Shaun Nichols / The Register:
Microsoft says Azure users globally were unable to log in using MFA on Monday due to the weight of login requests, is still working on fix for Office 365 logins
Microsoft confirms: We fixed Azure by turning it off and on again. PS: Office 362 is still borked
https://www.theregister.co.uk/2018/11/19/microsoft_azure_office_outage_latest/
Redmond battles TITSUP multi-factor auth logins (yes, that’s Total Inability To Support Users’ Passcodes)
Tomi Engdahl says:
Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs
https://www.securityweek.com/iran-linked-hackers-use-just-time-creation-weaponized-attack-docs
Researchers Analyzed How the Iran-linked “OilRig” Hacking Group Tests Malicious Documents Before Use in Attacks
Palo Alto Networks security researchers analyzed the testing process the Iran-linked cyber-espionage group OilRig has engaged in while preparing August 2018 attacks on a Middle-Eastern government.
The attacks targeted individuals of interest with malicious documents designed to deliver BONDUPDATER, a downloader that features DGA (domain generation algorithm) functionality. The attacks were carried out on August 26 and the threat actor created numerous delivery documents the week before, to test anti-virus detection rates.
Also tracked as APT34 and believed to have ties to the Iran government, OilRig has been active since at least 2014, mainly targeting financial, government, energy, telecoms and chemical organizations in the Middle East.
Tomi Engdahl says:
Singapore Signs Cybersecurity Agreements With US, Canada
https://www.securityweek.com/singapore-signs-cybersecurity-agreements-us-canada
Tomi Engdahl says:
Hackers Earn $1 Million for Zero-Day Exploits at Chinese Competition
https://www.securityweek.com/hackers-earn-1-million-zero-day-exploits-chinese-competition
White hat hackers earned more than $1 million for exploits disclosed at the Tianfu Cup PWN hacking competition that took place on November 16-17 in Chengdu, the capital of China’s Sichuan province.
Tomi Engdahl says:
Instagram Download Tool Exposes User Passwords
https://www.securityweek.com/instagram-download-tool-exposes-user-passwords
Instagram informed some users last week that their passwords may have been exposed as a result of using the “Download Your Data” tool.
The “Download Your Data” tool, which Instagram announced in April, allows users to export their profile information, photos, videos, comments and other data associated with their account. The tool prompts users to enter an email address to which a download link will be sent and their Instagram password.
The social networking service said it recently discovered that when customers used the download tool, their password may have been displayed in the URL in their web browser after the data was downloaded.
Tomi Engdahl says:
Microsoft Enhances Windows Defender ATP
https://www.securityweek.com/microsoft-enhances-windows-defender-atp
Microsoft has unveiled several enhancements to its Windows Defender Advanced Threat Protection (ATP) product to improve its protection capabilities.
The improvements target various aspects of the endpoint protection platform, such as attack surface reduction, post-breach detection and response, automation capabilities, security insights, and threat hunting, Moti Gindi, General Manager, Windows Cyber Defense, explains.
Tomi Engdahl says:
TP-Link Patches Remote Code Execution Flaws in SOHO Router
https://www.securityweek.com/tp-link-patches-remote-code-execution-flaws-soho-router
Vulnerabilities recently addressed by WiFi device maker TP-Link in its TL-R600VPN small and home office (SOHO) router could allow remote code execution, Cisco Talos security researchers warn.
The issues were mainly caused by lack of input sanitization and parsing errors. Lack of proper input sanitization can be exploited without authentication to cause denial of service and leak server information.
Parsing errors require an authenticated session for exploitation, but can lead to remote code execution under the context of HTTPD. While the attacker needs to be authenticated to exploit the flaw, because the HTTPD process runs as root, the code would be executed with elevated privileges.
Tomi Engdahl says:
Surge in China Theft of Australia Company Secrets: Report
https://www.securityweek.com/surge-china-theft-australia-company-secrets-report
China has sharply escalated cyberattacks on Australian companies this year in a “constant, significant effort” to steal intellectual property, according to a report published Tuesday.
The investigation by Fairfax Media and commercial broadcaster Channel Nine comes just days after US Vice President Mike Pence accused Beijing at the APEC summit of widespread “intellectual property theft”.
Tomi Engdahl says:
New Vehicle Hack Exposes Users’ Private Data Via Bluetooth
https://www.securityweek.com/new-vehicle-hack-exposes-users%E2%80%99-private-data-bluetooth
People who have synced their mobile phones with a wide variety of vehicle infotainment systems may have have their personal information exposed to a new type of vehicle hack, security researchers say.
A researcher from Privacy4Cars, which offers a mobile app that can erase Personally Identifiable Information (PII) from modern vehicles, have discovered that vehicles from several car makers can expose user data via the Bluetooth protocol.
Dubbed CarsBlues, the new vehicle hack targets the infotainment systems in modern vehicles and allows an attacker to access user information within minutes, using only inexpensive and readily available hardware and software. No significant technical knowledge is required either, the company claims.
Tens of millions of vehicles already in circulation worldwide are believed to be impacted, and the number continues to rise into the millions as more vehicles are evaluated. Exposed information includes contacts, call logs, text logs, and even text messages in the full, in some cases.
Tomi Engdahl says:
What Happened to Cyber 9/11?
https://www.schneier.com/blog/archives/2018/11/what_happened_t.html
A recent article in the Atlantic asks why we haven’t seen a”cyber 9/11″ in the past fifteen or so years.
he author’s answer:
Three main barriers are likely preventing this. For one, cyberattacks can lack the kind of drama and immediate physical carnage that terrorists seek. Identifying the specific perpetrator of a cyberattack can also be difficult, meaning terrorists might have trouble reaping the propaganda benefits of clear attribution. Finally, and most simply, it’s possible that they just can’t pull it off.
Commenting on the article, Rob Graham adds:
I think there are lots of warning from so-called “experts” who aren’t qualified to make such warnings, that the press errs on the side of giving such warnings credibility instead of challenging them.
These are all good reasons, but I think both authors missed the most important one: there simply aren’t a lot of terrorists out there. Let’s ask the question more generally: why hasn’t there been another 9/11 since 2001?
Our fear of terrorism is far greater than the actual risk.
This isn’t to say that cyberterrorism can never happen. Of course it will, sooner or later. But I don’t foresee it becoming a preferred terrorism method anytime soon.
Tomi Engdahl says:
If Terrorists Launch a Major Cyberattack, We Won’t See It Coming
https://www.theatlantic.com/international/archive/2018/11/terrorist-cyberattack-midterm-elections/574504/
National-security experts have been warning of terrorist cyberattacks for 15 years. Why hasn’t one happened yet?
Tomi Engdahl says:
Hackers attack a company serving an area affected by hurricanes
https://www.pandasecurity.com/mediacenter/news/hackers-attack-utility-company/
Why would hackers attack a water utility company serving an area affected by the hurricanes?
A water utility organization based in Jacksonville, NC recently became a victim of a cybercrime. Last month hackers managed to infect multiple Onslow Water and Sewer Authority (ONWASA) computers with ransomware that spread across the organization encrypting various databases and files.
Attacking water supply company while it is battling the consequences of deadly hurricanes is not the worse hackers can do, they are not afraid to go even lower and often target healthcare institutions. They tend to request ransom from hospitals and are fully aware that the chaos they cause will endanger the lives of hundreds and sometimes even thousands of patients.