A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals.
Cybersecurity experts say the law, the first of its kind globally, will instead be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy.
“I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM.
Company examined equipment following allegations of a rogue chip
Super Micro Computer Inc. told its customers in a letter Tuesday that a third-party firm didn’t find malicious hardware on its equipment, as the supplier of motherboards continued to dispute a report that its products had been sabotaged.
“After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,”
The Australian government has passed a law that forces tech companies to give police and security agencies access to encrypted messages, claiming it’s needed to fight crime.
What it says: The Assistance and Access Bill 2018 is a world first, letting law enforcement bodies require companies to hand over user information, even if it’s end-to-end encrypted. Because companies currently have no way of viewing end-to-end encrypted messages, they will be forced to build a “back door” to gain access.
The future implications: We won’t know for sure until agencies start to use the new powers. Companies could leave Australia or argue they are not subject to Australian law.
Jigsaw, the security incubator owned by Google’s parent company Alphabet, has just rolled out a tool that lets users bypass sites that are blocked by repressive governments.
Bug bounty hunter Sahad Nk recently uncovered a series of vulnerabilities that left Microsoft users’ accounts — from your Office documents to your Outlook emails — susceptible to hacking.
Nk discovered that he was able to take over the Microsoft subdomain, http://success.office.com, because it wasn’t properly configured. This allowed the bug hunter to set up an Azure web app that pointed to the domain’s CNAME record, which maps domain aliases and subdomains to the main domain.
also receives any and all data sent to it.
Microsoft Office, Outlook, Store, and Sway apps send authenticated login tokens to the http://success.office.com subdomain
A string of bugs when chained together created the perfect attack to gain access to someone’s Microsoft account — simply by tricking a user into clicking a link.
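The takeover pattern described above (a subdomain whose CNAME still points at a hosted name nobody controls any more) is something a defender can audit for in their own zone before an outsider claims the target. The block below is an added example, not code from the page or from the researcher's write-up: it runs on a constructed set of CNAME records and a constructed resolver table so it works offline; the names, the CLAIMABLE_SUFFIXES list and the severity labels are assumptions for illustration, and resolve_with_system is the hook you would pass in for a real audit.

```python
"""Dangling-CNAME audit for subdomain-takeover exposure.

Added example; not code from the page or from the researcher's report.
Zone records and resolver answers are constructed so this runs offline;
`resolve_with_system` is the hook for a real audit.
"""
import socket

# Hosting suffixes where an unclaimed name can be registered by anyone with
# an account at that provider (assumption: short illustrative list).
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".github.io", ".herokuapp.com")

# Constructed zone data (alias -> CNAME target); every name is a placeholder.
ZONE_CNAMES = {
    "www.corp.example": "corp.example",
    "app.corp.example": "live-app.azurewebsites.net",
    "promo.corp.example": "retired-promo.azurewebsites.net",
    "docs.corp.example": "docs-mirror.partner.example",
}

# Constructed resolver answers; None stands for NXDOMAIN.
FAKE_ANSWERS = {
    "corp.example": ["203.0.113.10"],
    "live-app.azurewebsites.net": ["198.51.100.20"],
    "retired-promo.azurewebsites.net": None,
    "docs-mirror.partner.example": None,
}


def fake_resolve(name):
    """Offline stand-in for DNS resolution."""
    return FAKE_ANSWERS.get(name)


def resolve_with_system(name):
    """Real resolver hook: addresses for `name`, or None if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos}) or None


def is_claimable_target(target):
    """True if the target lives under a provider namespace where unclaimed
    names can be registered by third parties."""
    return target.lower().rstrip(".").endswith(CLAIMABLE_SUFFIXES)


def audit_cnames(cnames, resolve=fake_resolve):
    """Findings for CNAMEs whose target no longer resolves.

    'high'   -> target is under a claimable suffix (takeover-ready)
    'medium' -> dangling record under some other namespace (still clean it up)
    """
    findings = []
    for alias, target in sorted(cnames.items()):
        if resolve(target):
            continue
        severity = "high" if is_claimable_target(target) else "medium"
        findings.append((alias, target, severity))
    return findings


if __name__ == "__main__":
    for alias, target, severity in audit_cnames(ZONE_CNAMES):
        print(f"{severity:6} {alias} -> {target}")
```

The remediation for each finding is the same whichever severity it carries: delete the CNAME or re-point it at something you own, since the record itself is what makes the alias claimable.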
When individuals and organizations alike rely so much on their computers to get work done, there is nothing they hate more than being held hostage by ransomware and often hold a deep resistance to paying the demanded ransom. After all, when there is no guarantee the criminal will keep his word and release the files, why pay up? To avoid paying then, victims can hire an IT consultancy to help them unlock their files.
However, Check Point Research recently discovered a new development in the ransomware industry of an IT consultancy, in this case a Russian company named ‘Dr. Shifro’, that claims to legitimately unlock encrypted files but in fact merely pays the ransomware’s creator themselves and passes on the cost to the victim – at a massive profit margin.
We identified a new exploit kit we named Novidade that targets home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery (CSRF), enabling attacks on a victim’s mobile device or desktop through web applications they are authenticated to. Once the DNS setting is changed to that of a malicious server, the attacker can execute a pharming attack, redirecting the targeted website traffic from all devices connected to the same router by resolving targeted domains to the IP address of their server.
The earliest Novidade sample we found was from August 2017, and two different variants were identified since. While one of the variants was involved in the DNSChanger system of a recent GhostDNS campaign, we believe that Novidade is not limited to a single campaign, as the exploit kit was also concurrently being used in different campaigns.
ESET researchers discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal’s two-factor authentication
There is a new Trojan preying on Android users, and it has some nasty tricks up its sleeve.
First detected by ESET in November 2018, the malware combines the capabilities of a remotely controlled banking Trojan with a novel misuse of Android Accessibility services, to target users of the official PayPal app.
At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores.
More than 40,000 users victims of phishing attacks had their credentials for unlocking online accounts for government services stolen. The information might have already been sold on underground hacker forums
Researchers at Group-IB, an international company focused on the prevention of cyber attacks, found that the login data offered access to services in 30 countries around the world.
A spokesperson for the company told BleepingComputer that the compromised credentials were discovered using investigative research techniques that involved detection and reverse-engineering of malware, and digital forensics data.
More than half of the victims are from Italy (52%), followed by Saudi Arabia (22%) and Portugal (5%). Users of government portals in other countries were also affected.
The Computer Emergency Response Teams (CERTs) of the affected countries have been notified of the threat so they can take action to minimize the risks.
The recently disclosed critical-impact bug in Kubernetes created strong ripples in the security space of the container-orchestration system. Now, multiple demo exploits exist and come with easy-to-understand explanations.
Another proof-of-concept comes from software-as-a-service company Gravitational who made it available on GitHub on December 5, just two days after the Kubernetes developers announced the vulnerability and the availability of new software versions to mitigate it.
The PoC is actually a test utility that checks if a Kubernetes cluster is vulnerable to CVE-2018-1002105. It comes with the warning that it may render incorrect results under some circumstances.
Messaging applications have been around since the inception of the internet. But recently, due to the increased awareness around mass surveillance in some countries, more users are installing end-to-end encrypted apps dubbed “secure instant messaging applications.” These apps claim to encrypt users’ messages and keep their content secure from any third parties.
However, after a deep dive into three of these secure messaging apps — Telegram, WhatsApp and Signal — we discovered that these services may not fulfill the promises they are meant to keep by putting users’ confidential information at risk.
The OpenSSH client and server are now available as a supported Feature-on-Demand in Windows Server 2019 and Windows 10 1809! The Win32 port of OpenSSH was first included in the Windows 10 Fall Creators Update and Windows Server 1709 as a pre-release feature. In the Windows 10 1803 release, OpenSSH was released as a supported feature on-demand component, but there was not a supported release on Windows Server until now.
What is the state of OpenSSH and PowerShell?
PowerShell Remoting over SSH is supported with PowerShell Core.
Biometric screening is expanding to the rental car industry.
Hertz said Tuesday it is teaming up with Clear, the maker of biometric screening kiosks found at many airports, in an effort to slash the time it takes to pick up a rental car. Clear hopes it will lead more travelers to its platform, which has 3 million members in the U.S.
It’s the latest place consumers will find biometric technology
Industrial cybersecurity firm Claroty on Tuesday announced significant enhancements to its threat detection product, along with technology integrations with several cybersecurity, network infrastructure and industrial automation providers.
Claroty provides an ICS security platform that includes real-time threat detection, continuous vulnerability monitoring, and secure remote access capabilities.
Experts believe that the Windows kernel zero-day vulnerability fixed this week by Microsoft with its Patch Tuesday updates has been exploited by several threat actors, including a new group.
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system.
A newly identified exploit kit is targeting home and small office routers in an attempt to compromise the mobile devices or desktop computers connected to the routers, according to Trend Micro.
Dubbed Novidade, the exploit kit employs cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of routers to attack web applications and redirect traffic from the connected devices to the IP address of their server.
Several critical infrastructure organizations in Russia have been targeted by hackers believed to be financially-motivated cybercriminals rather than state-sponsored cyberspies.
Since many of the targeted organizations are owned by the Russian government, one would expect the fake websites to have been set up by state-sponsored threat actors focusing on espionage. However, a closer analysis revealed that they were actually used by profit-driven cybercriminals for command and control (C&C) purposes.
The fake websites closely resembled the target’s legitimate site and the domains hosting them imitated the real domain.
The FBI reported earlier this year that BEC scams have cost businesses around the world over $12 billion in the past years.
Italian oil and gas services company Saipem reported on Monday that some of its servers were hit by a cyberattack.
The company has shared few details about the attack – it’s unclear if it was ransomware or another type of intrusion – but its representatives told SecurityWeek that no data was stolen and that only some servers in its infrastructure were impacted.
Secure messaging applications such as Telegram, Signal and WhatsApp can expose user messages through a session hijacking attack, Cisco’s Talos security researchers warn.
WASHINGTON (AP) — Google’s CEO faces a grilling from U.S. lawmakers on how the web search giant handled an alarming data breach and whether it may bend to Chinese government censorship demands.
486 Comments
Tomi Engdahl says:
DarkVishnya: Banks attacked through direct connection to local network
https://securelist.com/darkvishnya/89169/
DarkVishnya attacks from inside
https://www.kaspersky.com/blog/dark-vishnya-attack/24867/
Tomi Engdahl says:
Japan to halt buying Huawei, ZTE equipment
https://www.itproportal.com/news/japan-to-halt-buying-huawei-zte-equipment/
Government set to revise internal rules on procurement to protect national cybersecurity.
Tomi Engdahl says:
Auto theft on the rise in Toronto area, and a security expert thinks he knows why
https://www.cbc.ca/news/canada/toronto/car-thefts-rising-1.4930890
Thieves boosting signal from key fobs inside your home to steal vehicles, automotive security specialist says
https://www.tivi.fi/Kaikki_uutiset/oletko-kuullut-tallaisesta-tempusta-autovaras-voi-vieda-ajokin-vaikkei-olisi-nahnytkaan-avaimia-6751953
Tomi Engdahl says:
Exploiting an RCE bug in the UDP Protocol implemented in FreeRTOS
https://www.fortinet.com/blog/threat-research/exploiting-an-rce-bug-in-the-udp-protocol-implemented-in-freerto.html
Recently, I saw a report about several bugs that were found on FreeRTOS. Curiosity got the best of me, and I started to take a look to see what can be done from the IPS side to protect our customers because of importance of IoT devices and the popularity of this operating system. (Since the initial report more details have been made available here, CVE-2018-16525.)
Tomi Engdahl says:
‘Say hello to my little vacuum cleaner!’ US drug squad puts spycams in cleaner’s kit
DEA gets down and dirty with new surveillance kit
https://www.theregister.co.uk/2018/12/07/dea_vacuum_cleaner/
Tomi Engdahl says:
Twitter 6.12.
Isn’t it ironic that you almost always see the statement “we take the privacy of our customers seriously” on sites that failed to do so …
https://mobile.twitter.com/tomituominen/status/1070580787626606592
Ilta-Sanomat 9.12.
Trafi says it takes data protection and information security very seriously.
https://www.is.fi/kotimaa/art-2000005926869.html
Tomi Engdahl says:
A NEW GOOGLE+ BLUNDER EXPOSED DATA FROM 52.5 MILLION USERS
https://www.wired.com/story/google-plus-bug-52-million-users-data-exposed/?utm_content=81050388&utm_medium=social&utm_source=facebook&hss_channel=fbp-539813956129876
IN OCTOBER, GOOGLE dramatically announced that it would shut down Google+ in August 2019, because the company had discovered through an internal audit (and a simultaneous Wall Street Journal exposé) that a bug in Google+ had exposed 500,000 users’ data for about three years. Maybe it should have pulled the plug sooner.
On Monday, Google announced that an additional bug in a Google+ API, part of a November 7 software update, exposed user data from 52.5 million accounts.
app developers would have had improper user data access for six days
the company is now moving up Google+’s termination date to April, and it will cut off access to Google+ APIs in 90 days
The bug exposed Google+ profile data that a user hadn’t made public—things like name, age, email address, and occupation—and some profile data shared privately between users
Google is notifying impacted users
Tomi Engdahl says:
Foreign intelligence clues in Marriott breach could foreshadow future attacks
https://www.nbcnews.com/tech/tech-news/foreign-intelligence-clues-marriott-breach-could-foreshadow-future-attacks-n945296?cid=sm_npd_nn_fb_ma
The types of data unique to the Starwood hack can be used to launch targeted email campaigns and recruit sources in the cloak-and-dagger world of espionage.
Intelligence and cybersecurity sources say the data breach that exposed the records of up to 500 million customers at the Marriott-owned Starwood hotel chain shows signs of being the work of a hostile foreign intelligence service.
Much of the compromised data is typical of corporate breaches, such as names and emails, but other types of data unique to this hack — including where people traveled to and when — can be mined and used to launch targeted email campaigns and recruit sources in the cloak-and-dagger world of espionage
the hack “fits the pattern” of China’s state-sponsored cyberattacks.
“Personal data … they eat that stuff up,” the official said.
the intruders used tools, techniques and procedures previously found in attacks attributed to hackers working for China’s government, but cautioned that other entities had access to the same tools.
A key clue may be the type of data accessed, which aside from basic personal details and credit card numbers also included passport numbers and hotel arrivals and departures.
“Who other than a hostile intelligence service wants passport info?” Schindler said.
The Starwood breach lasted four years before it was discovered, a period known in the cybersecurity realm as “dwell time.”
the intrusion evaded detection during any auditing Marriott did prior to its acquisition of Starwood in 2016, as well as during subsequent mandatory compliance audits.
Also notable is how long it took from the breach’s detection in September to its announcement, Cran said.
“There’s something going on with Marriott,” he said. “It does take time to detect scope, but three months is a long time.”
Modern data analysis has shown that seemingly innocuous data can be used to detect patterns and make educated guesses about everything
That capability has been available for years in the commercial world through businesses such as Equifax and Acxiom, and the software of companies including Palantir,
“Anything that’s doable off-the-shelf, we have to assume that adversarial nation-states are capable of doing as well,” Weatherford said.
“Once you find weakness, that’s when you start exploiting,” Weatherford said. “You become a potential intelligence asset.”
Tomi Engdahl says:
Why Satellites Need Cybersecurity Just Like You
https://www.space.com/42658-cybersecurity-for-satellites.html
Any modern person who spends time on the internet is familiar with the basic principles of cybersecurity — but imagine you’re in charge of a satellite that people around the globe rely on. Suddenly, changing a password every few months and hoping for the best doesn’t seem quite vigilant enough.
And cybersecurity is indeed a threat countries need to consider to protect their satellites
“Satellites aren’t just military tools. What we do every day in our lives [relies] on satellites,” Fanning said, pointing to GPS, phone, and power networks that all rely on satellite infrastructure. And the more we use satellites, the more potentially harmful any loss of capability is, no matter what the cause.
But unlike, for example, physically ramming into a satellite, cyberattacks are often difficult to trace
“Generally, if you want to mess with someone’s space capabilities, you want to do it anonymously if you can,”
Satellites also have a series of points of vulnerability, rather than a single entry.
“You can mess with the signals that are going from the ground to the satellite or back,”
Tomi Engdahl says:
One single patch could’ve prevented one of the largest breaches in U.S. history.
Equifax breach was ‘entirely preventable’ had it used basic security measures, says House report
https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/?utm_source=tcfbpage&sr_share=facebook
A House Oversight Committee report out Monday has concluded that Equifax’s security practices and policies were sub-par and its systems were old and out-of-date, and bothering with basic security measures — like patching vulnerable systems — could’ve prevented its massive data breach last year.
Tomi Engdahl says:
France to Probe Possible Russian Influence on Yellow Vest Riots
https://www.bloomberg.com/news/articles/2018-12-08/pro-russia-social-media-takes-aim-at-macron-as-yellow-vests-rage
Security services to look into social media, minister says
Russian-linked sites increase targeting of French protests
France opened a probe into possible Russian interference behind the country’s Yellow Vest protests, after reports that social-media accounts linked to Moscow have increasingly targeted the movement.
Tomi Engdahl says:
US tech giants decry Australia’s ‘deeply flawed’ new anti-encryption law
https://techcrunch.com/2018/12/10/silicon-valley-denounce-australia-encryption-law/?utm_source=tcfbpage&sr_share=facebook
Tomi Engdahl says:
Under Fire Huawei Agrees to UK Security Demands: Report
https://www.securityweek.com/under-fire-huawei-agrees-uk-security-demands-report
Embattled Chinese telecoms giant Huawei has agreed to British intelligence demands over its equipment and software as it seeks to be part of the country’s 5G network plans, the FT reported Friday.
Huawei executives met senior officials from Britain’s National Cyber Security Centre (NCSC), where they accepted a range of technical requirements to ease security fears, according to the FT’s sources.
The NCSC said in a statement that it was “committed to the security of UK networks, and we have a regular dialogue with Huawei about the criteria expected of their products.
“The NCSC has concerns around a range of technical issues and has set out improvements the company must make,” it said.
Tomi Engdahl says:
These hackers are using Android surveillance malware to target opponents of the Syrian government
https://www.zdnet.com/article/these-hackers-are-using-android-surveillance-malware-to-target-opponents-of-the-syrian-government/
SilverHawk hacking campaign uses fake versions of secure messaging apps like WhatsApp and Telegram to plant spyware on devices.
Tomi Engdahl says:
New York Times:
How mobile apps share precise location data with 75+ firms, including advertisers, retailers, and hedge funds, and fail to describe the practice to users
https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html
Tomi Engdahl says:
Antti Ahola, a software company entrepreneur from Tampere, Finland, warned Trafi about the distribution of people’s birth dates early in August. The agency responded that the service was legitimate. Four months later, the service was shut down amid the frenzy.
https://www.is.fi/digitoday/art-2000005927490.html?ref=rss
https://yle.fi/uutiset/3-10547783?origin=rss
https://www.tivi.fi/Kaikki_uutiset/tietosuojavaltuutettu-varoitti-trafia-etukateen-mutta-turhaan-vauhtisokeus-iskenyt-6752168
Tomi Engdahl says:
Nice phone account you have there – shame if something were to happen to it. Samsung fixes ID-theft flaws
If Artem Moskowsky owes you money, it’s a good time to ask
https://www.theregister.co.uk/2018/12/10/samsung_patches_accountstealing_hole/
A recently-patched set of flaws in Samsung’s mobile site was leaving users open to account theft.
Bug-hunter Artem Moskowsky said the flaws he discovered, a since-patched trio of cross-site request forgery (CSRF) bugs, would have potentially allowed attackers to reset user passwords and take over accounts.
Tomi Engdahl says:
Malicious sites abuse 11-year-old Firefox bug that Mozilla failed to fix
Bug dealt with in Chrome and Edge, but still a problem for Firefox users.
https://www.zdnet.com/article/malicious-sites-abuse-11-year-old-firefox-bug-that-mozilla-failed-to-fix/
Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites.
This wouldn’t be a big deal, as the web is fraught with this kind of malicious sites, but these websites aren’t abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years ever since it was first reported back in April 2007.
The bug narrows down to a malicious website embedding an iframe inside their source code.
Tomi Engdahl says:
Hackers ramp up attacks on mining rigs before Ethereum price crashes into the gutter
https://www.zdnet.com/article/hackers-ramp-up-attacks-on-mining-rigs-before-ethereum-price-crashes-into-the-gutter/
Attackers scan for Ethereum wallets and mining rigs that have carelessly exposed port 8545 on the Internet.
Hackers have set off in motion a massive campaign that scans for Internet-exposed Ethereum wallets and mining equipment, ZDNet has learned today.
The mass-scan campaign has been raging for at least a week, since December 3, Troy Mursch, co-founder of Bad Packets LLC told ZDNet.
Attackers are scanning for devices with port 8545 exposed online. This is the standard port for the JSON-RPC interface of many Ethereum wallets and mining equipment. This interface is a programmatic API that locally-installed apps and services can query for mining and funds-related information.
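Two checks an operator of a wallet or mining node would want after reading this: whether the JSON-RPC listener on port 8545 is bound to anything other than loopback, and whether the firewall log shows the many-sources-one-port shape of a mass scan rather than a single client. The block below is an added example, not code from the page, ZDNet or Bad Packets; the listener table and the log lines are constructed, and the `ss -ltn` column layout and iptables-style field names it parses are assumptions about the input format.

```python
"""Exposure and scan checks for the Ethereum JSON-RPC port (8545).

Added example; not code from the page. Input is constructed: an
`ss -ltn`-style listener table and iptables-style firewall log lines
(field layout is an assumption). Nothing here touches a network.
"""
import re
from collections import Counter
from ipaddress import ip_address

RPC_PORT = 8545  # default JSON-RPC port named in the article

# Constructed listener table in `ss -ltn` layout (local address in column 4).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8545      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8546        0.0.0.0:*
LISTEN 0      128    [::]:8545           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""

# Constructed iptables-style log lines for inbound TCP SYNs (RFC 5737 addresses).
FW_LOG = """\
Dec 03 10:01:02 node kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=41234 DPT=8545 SYN
Dec 03 10:01:09 node kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=8545 SYN
Dec 03 10:02:30 node kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=41300 DPT=8545 SYN
Dec 03 10:03:11 node kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=60001 DPT=22 SYN
Dec 03 10:04:45 node kernel: IN=eth0 SRC=203.0.113.44 DST=198.51.100.7 PROTO=TCP SPT=33333 DPT=8545 SYN
"""


def _split_addr_port(field):
    """Split 'addr:port' (IPv4) or '[addr]:port' (IPv6) as ss prints them."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]")
    if addr == "*":  # ss may print '*' for the unspecified address
        addr = "0.0.0.0"
    return addr, int(port)


def exposed_rpc_listeners(ss_text, port=RPC_PORT):
    """Local addresses on which `port` is bound to a non-loopback address,
    i.e. the RPC interface is reachable from beyond the host itself."""
    exposed = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, bound_port = _split_addr_port(parts[3])
        if bound_port == port and not ip_address(addr).is_loopback:
            exposed.append(addr)
    return exposed


_FW_RE = re.compile(r"SRC=(?P<src>\S+).*?DPT=(?P<dport>\d+)")


def rpc_probe_sources(log_text, port=RPC_PORT):
    """Count inbound connection attempts to `port`, keyed by source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = _FW_RE.search(line)
        if m and int(m.group("dport")) == port:
            hits[m.group("src")] += 1
    return hits


def looks_like_mass_scan(hits, min_sources=3):
    """Many distinct sources probing one port is the shape of a campaign
    like the one reported, rather than one operator's own client."""
    return len(hits) >= min_sources


if __name__ == "__main__":
    print("RPC bound on non-loopback addresses:", exposed_rpc_listeners(SS_OUTPUT))
    hits = rpc_probe_sources(FW_LOG)
    print("probes per source:", dict(hits))
    print("mass-scan pattern:", looks_like_mass_scan(hits))
```

The first check is the one that matters for the article's point: a listener on `[::]` or `0.0.0.0` is exactly the "carelessly exposed" case, and the fix is to bind the RPC interface to loopback (or not enable it at all) and filter the port at the edge.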
Tomi Engdahl says:
Exploit Code for the Kubernetes Flaw Is Now Available
https://www.bleepingcomputer.com/news/security/exploit-code-for-the-kubernetes-flaw-is-now-available/
The recently disclosed critical-impact bug in Kubernetes created strong ripples in the security space of the container-orchestration system. Now, multiple demo exploits exist and come with easy-to-understand explanations.
The severity score of the vulnerability (CVE-2018-1002105) has been established at 9.8, just 0.2 points shy of the perfect ten. This is because one avenue of attack involves unauthenticated users who could escalate privileges and run commands that could allow them to take over entire compute nodes.
https://www.bleepingcomputer.com/news/security/kubernetes-updates-patch-critical-privilege-escalation-bug/
Tomi Engdahl says:
Bug in Google+ API Puts at Risk Privacy of over 52 Million Users
https://www.bleepingcomputer.com/news/security/bug-in-google-api-puts-at-risk-privacy-of-over-52-million-users/
Tomi Engdahl says:
Researchers Find a Dozen Undocumented OpenSSH Backdoors
https://www.securityweek.com/researchers-find-dozen-undocumented-openssh-backdoors
ESET security researchers have discovered 12 new OpenSSH backdoor families that haven’t been documented before.
https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf
Tomi Engdahl says:
Highly Active MuddyWater Hackers Hit 30 Organizations in 2 Months
https://www.securityweek.com/highly-active-muddywater-hackers-hit-30-organizations-2-months
The cyberespionage group referred to as MuddyWater has hit over 130 victims in 30 organizations from late September to mid-November, Symantec security researchers said in a report published Monday.
Tomi Engdahl says:
Australia Anti-Encryption Law Rushed to Passage
https://www.securityweek.com/australia-anti-encryption-law-rushed-passage
A newly enacted law rushed through Australia’s parliament will compel technology companies such as Apple, Facebook and Google to disable encryption protections so police can better pursue terrorists and other criminals.
Cybersecurity experts say the law, the first of its kind globally, will instead be a boon to the criminal underworld by undermining the technical integrity of the internet, hurting digital security and user privacy.
“I think it’s detrimental to Australian and world security,” said Bruce Schneier, a tech security expert affiliated with Harvard University and IBM.
Tomi Engdahl says:
Super Micro Finds No Malicious Hardware in Motherboards
https://www.wsj.com/articles/super-micro-finds-no-malicious-hardware-in-motherboards-11544534182
Company examined equipment following allegations of a rogue chip
Super Micro Computer Inc. told its customers in a letter Tuesday that a third-party firm didn’t find malicious hardware on its equipment, as the supplier of motherboards continued to dispute a report that its products had been sabotaged.
“After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,”
Tomi Engdahl says:
This is how Australia’s ban on encryption could endanger us all
https://www.technologyreview.com/the-download/612562/this-is-how-australias-ban-on-encryption-could-endanger-us-all/
The Australian government has passed a law that forces tech companies to give police and security agencies access to encrypted messages, claiming it’s needed to fight crime.
What it says: The Assistance and Access Bill 2018 is a world first, letting law enforcement bodies require companies to hand over user information, even if it’s end-to-end encrypted. Because companies currently have no way of viewing end-to-end encrypted messages, they will be forced to build a “back door” to gain access.
The future implications: We won’t know for sure until agencies start to use the new powers. Companies could leave Australia or argue they are not subject to Australian law.
Tomi Engdahl says:
“Hey, did someone remember to test the security?”
https://www.tivi.fi/blogit/hei-muistihan-joku-testata-tietoturvan-6751500?utm_source=Facebook&utm_medium=Social&utm_campaign=TV_NA_12&utm_content=Ad+-+Post%3A+%2FTivi%2Fposts%2F10155919585267267
Tomi Engdahl says:
An app that lets you beat government censors has been launched by Alphabet
https://www.technologyreview.com/the-download/612237/an-app-that-lets-you-beat-government-censors-has-been-launched-by-alphabet/
Jigsaw, the security incubator owned by Google’s parent company Alphabet, has just rolled out a tool that lets users bypass sites that are blocked by repressive governments.
Tomi Engdahl says:
A bug left your Microsoft account wide open to complete takeover
https://mashable.com/article/microsoft-account-takeover-vulnerability/?europe=true#_b7HPc.Trkqz
Bug bounty hunter Sahad Nk recently uncovered a series of vulnerabilities that left Microsoft users’ accounts — from your Office documents to your Outlook emails — susceptible to hacking.
Nk discovered that he was able to take over the Microsoft subdomain, http://success.office.com, because it wasn’t properly configured. This allowed the bug hunter to set up an Azure web app that pointed to the domain’s CNAME record, which maps domain aliases and subdomains to the main domain.
also receives any and all data sent to it.
Microsoft Office, Outlook, Store, and Sway apps send authenticated login tokens to the http://success.office.com subdomain
Tomi Engdahl says:
A bug in Microsoft’s login system made it easy to hijack anyone’s Office account
https://techcrunch.com/2018/12/11/microsoft-login-bug-hijack-office-accounts/
A string of bugs when chained together created the perfect attack to gain access to someone’s Microsoft account — simply by tricking a user into clicking a link.
Microsoft Account Takeover Vulnerability Affecting 400 Million Users
https://www.safetydetective.com/blog/microsoft-outlook/
Tomi Engdahl says:
The Ransomware Doctor Without A Cure
https://blog.checkpoint.com/2018/12/10/ransomware-shifro-scam-russia-cyber-crime/
When individuals and organizations alike rely so much on their computers to get work done, there is nothing they hate more than being held hostage by ransomware and often hold a deep resistance to paying the demanded ransom. After all, when there is no guarantee the criminal will keep his word and release the files, why pay up? To avoid paying then, victims can hire an IT consultancy to help them unlock their files.
However, Check Point Research recently discovered a new development in the ransomware industry of an IT consultancy, in this case a Russian company named ‘Dr. Shifro’, that claims to legitimately unlock encrypted files but in fact merely pays the ransomware’s creator themselves and passes on the cost to the victim – at a massive profit margin.
Tomi Engdahl says:
New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers
https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/
We identified a new exploit kit we named Novidade that targets home or small office routers by changing their Domain Name System (DNS) settings via cross-site request forgery (CSRF), enabling attacks on a victim’s mobile device or desktop through web applications with which they’re authenticated. Once the DNS setting is changed to that of a malicious server, the attacker can execute a pharming attack, redirecting the targeted website traffic from all devices connected to the same router by resolving targeted domains to the IP address of their server.
The earliest Novidade sample we found was from August 2017, and two different variants were identified since. While one of the variants was involved in the DNSChanger system of a recent GhostDNS campaign, we believe that Novidade is not limited to a single campaign, as the exploit kit was also concurrently being used in different campaigns.
70+ different types of home routers (all together 100,000+) are being hijacked by GhostDNS
https://blog.netlab.360.com/70-different-types-of-home-routers-all-together-100000-are-being-hijacked-by-ghostdns-en/
Tomi Engdahl says:
Android Trojan steals money from PayPal accounts even with 2FA on
https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/
ESET researchers discovered a new Android Trojan using a novel Accessibility-abusing technique that targets the official PayPal app, and is capable of bypassing PayPal’s two-factor authentication.
There is a new Trojan preying on Android users, and it has some nasty tricks up its sleeve.
First detected by ESET in November 2018, the malware combines the capabilities of a remotely controlled banking Trojan with a novel misuse of Android Accessibility services, to target users of the official PayPal app.
At the time of writing, the malware is masquerading as a battery optimization tool, and is distributed via third-party app stores.
Tomi Engdahl says:
Hackers Steal Over 40k Logins for Gov Services in 30 Countries
https://www.bleepingcomputer.com/news/security/hackers-steal-over-40k-logins-for-gov-services-in-30-countries/
More than 40,000 users, victims of phishing attacks, had their credentials for unlocking online accounts for government services stolen. The information might have already been sold on underground hacker forums.
Researchers at Group-IB, an international company focused on the prevention of cyber attacks, found that the login data offered access to services in 30 countries around the world.
A spokesperson for the company told BleepingComputer that the compromised credentials were discovered using investigative research techniques that involved detection and reverse-engineering of malware, and digital forensics data.
More than half of the victims are from Italy (52%), followed by Saudi Arabia (22%) and Portugal (5%). Users of government portals in other countries were also affected.
The Computer Emergency Response Teams (CERTs) of the affected countries have been notified of the threat so they can take action to minimize the risks.
Victims fell for phishing trick
Tomi Engdahl says:
Exploit Code for the Kubernetes Flaw Is Now Available
https://www.bleepingcomputer.com/news/security/exploit-code-for-the-kubernetes-flaw-is-now-available/
The recently disclosed critical-impact bug in Kubernetes created strong ripples in the security space of the container-orchestration system. Now, multiple demo exploits exist and come with easy-to-understand explanations.
Another proof-of-concept comes from software-as-a-service company Gravitational who made it available on GitHub on December 5, just two days after the Kubernetes developers announced the vulnerability and the availability of new software versions to mitigate it.
The PoC is actually a test utility that checks if a Kubernetes cluster is vulnerable to CVE-2018-1002105. It comes with the warning that it may render incorrect results under some circumstances.
Test utility for cve-2018-1002105
https://github.com/gravitational/cve-2018-1002105
Tomi Engdahl says:
Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret
https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html
Dozens of companies use smartphone locations to help advertisers and even hedge funds. They say it’s anonymous, but the data shows how personal it is.
The millions of dots on the map trace highways, side streets and bike trails — each one following the path of an anonymous cellphone user.
Tomi Engdahl says:
in(Secure) messaging apps — How side-channel attacks can compromise privacy in WhatsApp, Telegram, and Signal
https://blog.talosintelligence.com/2018/12/secureim.html
Messaging applications have been around since the inception of the internet. But recently, due to the increased awareness around mass surveillance in some countries, more users are installing end-to-end encrypted apps dubbed “secure instant messaging applications.” These apps claim to encrypt users’ messages and keep their content secure from any third parties.
However, after a deep dive into three of these secure messaging apps — Telegram, WhatsApp and Signal — we discovered that these services may not fulfill the promises they are meant to keep by putting users’ confidential information at risk.
Tomi Engdahl says:
Windows Server 2019 Includes OpenSSH
https://blogs.windows.com/buildingapps/2018/12/11/windows-server-2019-includes-openssh/
The OpenSSH client and server are now available as a supported Feature-on-Demand in Windows Server 2019 and Windows 10 1809! The Win32 port of OpenSSH was first included in the Windows 10 Fall Creators Update and Windows Server 1709 as a pre-release feature. In the Windows 10 1803 release, OpenSSH was released as a supported feature on-demand component, but there was not a supported release on Windows Server until now.
What is the state of OpenSSH and PowerShell?
PowerShell Remoting over SSH is supported with PowerShell Core.
https://docs.microsoft.com/en-us/powershell/scripting/core-powershell/ssh-remoting-in-powershell-core?view=powershell-6
Tomi Engdahl says:
http://www.etn.fi/index.php/kolumni/8841-taman-takia-huaweita-pelataan
The 6 reasons why Huawei gives the US and its allies security nightmares
The biggest fear is that China could exploit the telecom giant’s gear to wreak havoc in a crisis.
https://www.technologyreview.com/s/612556/the-6-reasons-why-huawei-gives-the-us-and-its-allies-security-nightmares/
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8833-ostatko-joululahjat-verkosta-varo-roskaposteja
Tomi Engdahl says:
Hertz, Clear Partner to Speed Rentals With Biometric Scans
https://www.securityweek.com/hertz-clear-partner-speed-rentals-biometric-scans
Biometric screening is expanding to the rental car industry.
Hertz said Tuesday it is teaming up with Clear, the maker of biometric screening kiosks found at many airports, in an effort to slash the time it takes to pick up a rental car. Clear hopes it will lead more travelers to its platform, which has 3 million members in the U.S.
It’s the latest place consumers will find biometric technology
Tomi Engdahl says:
Claroty Adds New Capabilities to Industrial Security Platform
https://www.securityweek.com/claroty-adds-new-capabilities-industrial-security-platform
Industrial cybersecurity firm Claroty on Tuesday announced significant enhancements to its threat detection product, along with technology integrations with several cybersecurity, network infrastructure and industrial automation providers.
Claroty provides an ICS security platform that includes real-time threat detection, continuous vulnerability monitoring, and secure remote access capabilities.
Tomi Engdahl says:
Windows Zero-Day Exploited by New ‘SandCat’ Group
https://www.securityweek.com/windows-zero-day-exploited-new-sandcat-group
Experts believe that the Windows kernel zero-day vulnerability fixed this week by Microsoft with its Patch Tuesday updates has been exploited by several threat actors, including a new group.
https://www.securityweek.com/windows-kernel-vulnerability-exploited-attacks
Tomi Engdahl says:
CVE-2018-8611 | Windows Kernel Elevation of Privilege Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8611
An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system.
Tomi Engdahl says:
New Exploit Kit Targets SOHO Routers
https://www.securityweek.com/new-exploit-kit-targets-soho-routers
A newly identified exploit kit is targeting home and small office routers in an attempt to compromise the mobile devices or desktop computers connected to the routers, according to Trend Micro.
Dubbed Novidade, the exploit kit employs cross-site request forgery (CSRF) to change the Domain Name System (DNS) settings of routers to attack web applications and redirect traffic from the connected devices to the IP address of their server.
Tomi Engdahl says:
Russian Critical Infrastructure Targeted by Profit-Driven Cybercriminals
https://www.securityweek.com/russian-critical-infrastructure-targeted-profit-driven-cybercriminals
Several critical infrastructure organizations in Russia have been targeted by hackers believed to be financially-motivated cybercriminals rather than state-sponsored cyberspies.
Since many of the targeted organizations are owned by the Russian government, one would expect the fake websites to have been set up by state-sponsored threat actors focusing on espionage. However, a closer analysis revealed that they were actually used by profit-driven cybercriminals for command and control (C&C) purposes.
The fake websites closely resembled the target’s legitimate site and the domains hosting them imitated the real domain.
The FBI reported earlier this year that BEC scams have cost businesses around the world over $12 billion in the past years.
Tomi Engdahl says:
Italian Oil Services Company Saipem Hit by Cyberattack
https://www.securityweek.com/italian-oil-services-company-saipem-hit-cyberattack
Italian oil and gas services company Saipem reported on Monday that some of its servers were hit by a cyberattack.
The company has shared few details about the attack – it’s unclear if it was ransomware or another type of intrusion – but its representatives told SecurityWeek that no data was stolen and that only some servers in its infrastructure were impacted.
Tomi Engdahl says:
Secure Messaging Applications Prone to Session Hijacking
https://www.securityweek.com/secure-messaging-applications-prone-session-hijacking
Secure messaging applications such as Telegram, Signal and WhatsApp can expose user messages through a session hijacking attack, Cisco’s Talos security researchers warn.
Tomi Engdahl says:
Google CEO Faces House Grilling on Breach, China Censorship
https://www.securityweek.com/google-ceo-faces-house-grilling-breach-china-censorship
WASHINGTON (AP) — Google’s CEO faces a grilling from U.S. lawmakers on how the web search giant handled an alarming data breach and whether it may bend to Chinese government censorship demands.
Tomi Engdahl says:
Adobe Patches 87 Vulnerabilities in Acrobat Software
https://www.securityweek.com/adobe-patches-87-vulnerabilities-acrobat-software