Cyber Security March 2019

This posting is here to collect cyber security news in March 2019.

I post links to security vulnerability news to comments of this article.

If you are interested in cyber security trends, read my Cyber security trends 2019 posting.

You are also free to post related links.


  1. Tomi Engdahl says:

    Russian hackers are eight times faster than North Korean groups
    https://www.technologyreview.com/the-download/612983/russian-hackers-are-eight-times-faster-than-chinese-and-north-korean-groups/?utm_campaign=site_visitor.unpaid.engagement&utm_medium=tr_social&utm_source=facebook

    Russian hackers are way ahead of the next-fastest state-sponsored hackers, North Korea, who themselves are nearly twice as fast as Chinese groups, according to a new report by US cybersecurity firm Crowdstrike.

  2. Tomi Engdahl says:

    Lithuanian Pleads Guilty to Stealing $100 Million From Google, Facebook
    https://www.bleepingcomputer.com/news/security/lithuanian-pleads-guilty-to-stealing-100-million-from-google-facebook/

    A Lithuanian man pleaded guilty today to wire fraud, aggravated identity theft, and three counts of money laundering, after tricking employees of Alphabet’s Google unit and Facebook into wiring more than $100 million into bank accounts he controlled as part of multiple business email compromise (BEC) fraud attacks spanning from at least in or around 2013 through in or about 2015.

  3. Tomi Engdahl says:

    Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560)
    https://lgtm.com/blog/facebook_fizz_CVE-2019-3560

  4. Tomi Engdahl says:

    Vulnerability in Swiss e-voting system could have led to vote alterations
    https://www.google.com/amp/s/www.zdnet.com/google-amp/article/vulnerability-in-swiss-e-voting-system-could-have-led-to-vote-alterations/

    A fix has been deployed to Switzerland’s e-voting system, slated to roll out later this year.

  5. Tomi Engdahl says:

    Glitch in new Presto app can shut down systems, Toronto man warns
    https://www.cbc.ca/news/canada/toronto/toronto-man-finds-apparent-glitch-on-presto-1.5061232

    Robert Leyzerovich claims his Presto card can disable fare gates, card loading machines

    Robert Leyzerovich says he’s discovered a glitch in Presto’s mobile app that lets him shut down fare gates and card-loading machines

  6. Tomi Engdahl says:

    Encryption pioneer aims to end our data dilemma with cryptography’s holy grail
    https://www.fastcompany.com/90314942/duality-homomorphic-encryption

    A company founded by one of cryptography’s heavyweights is making waves with a long-awaited approach to the data privacy problem.

  7. Tomi Engdahl says:

    QUANTUM PHYSICS COULD PROTECT THE GRID FROM HACKERS—MAYBE
    https://www.wired.com/story/quantum-physics-protect-grid/amp

    One challenge with this approach is the grid itself. It’s a mishmash of transformers, switches, and sundry parts installed over various years, and grafting on any new technology is difficult. “You can’t just shut the power off,” says physicist Tom Venhaus of Los Alamos National Laboratory, who collaborated on the project. “It’s like working on a car with its engine running.”

  8. Tomi Engdahl says:

    As the Cyber War Grows: Is It Time to Strike Back?
    https://www.venafi.com/blog/cyber-war-grows-it-time-strike-back?utm_source=socialmedia&utm_medium=Bora&utm_campaign=Cyber-War-RSA-blog

    According to Nakasone, cyber attacks from nation state actors, like Russia, North Korea and Iran, have increased in sophistication and intensity; some even breached critical naval systems. As a result, the general recommended the United States become more prepared to aggressively strike back their assailants.

  9. Tomi Engdahl says:

    Quantum-safe communication over the internet infrastructure? Yeah, that’s doable
    https://techcrunch.com/2019/03/19/quantum-safe-communication-over-the-internet-infrastructure-yeah-thats-doable/

    Quantum computing promises to do many things for business and industry, processing data at far greater speeds and rates than today’s binary computers can accomplish. But it also promises to do something else — essentially render current security standards useless, as hackers will be able to utilize quantum systems to crack the cryptographic schemes that are used to protect systems today.

  10. Tomi Engdahl says:

    We invited professional hackers to attack us: Here’s what happened
    https://www.cnet.com/news/we-invited-professional-hackers-to-attack-us-heres-what-happened/

    Even when you anticipate a cyberattack, email phishing remains one of the most effective methods used by hackers to access private accounts.

  11. Tomi Engdahl says:

    What you should know about your data privacy and the alleged “data leak” from Nokia 7 Plus phones
    https://www.nokia.com/phones/fi_fi/privacy-info

  12. Tomi Engdahl says:

    Did not know there was a company actually working to make homomorphic encryption usable…

    Encryption pioneer aims to end our data dilemma with cryptography’s holy grail
    https://www.fastcompany.com/90314942/duality-homomorphic-encryption

  13. Tomi Engdahl says:

    Leaker, Liar, Hacker, Hoaxer: The Russian contractor who infiltrated Anonymous
    https://emma.best/2019/03/20/the-russian-contractor-who-infiltrated-anonymous/

  14. Tomi Engdahl says:

    Researchers find 36 new security flaws in LTE protocol
    https://www.zdnet.com/google-amp/article/researchers-find-36-new-security-flaws-in-lte-protocol/?__twitter_impression=true

    South Korean researchers apply fuzzing techniques to LTE protocol and find 51 vulnerabilities, of which 36 were new.

    The vulnerabilities allow attackers to disrupt mobile base stations, block incoming calls to a device, disconnect users from a mobile network, send spoofed SMS messages, and eavesdrop and manipulate user data traffic.

  15. Tomi Engdahl says:

    John Herrman / New York Times:
    A profile of Citizen, a crime tracking app that notifies users in NYC, SF Bay Area, Baltimore, and LA when a crime or a major incident is reported near them

    All the Crime, All the Time: How Citizen Works
    https://www.nytimes.com/2019/03/17/style/citizen-neighborhood-crime-app.html

    An app called Citizen promises “awareness” of nearby danger. What it provides is more complicated.

    Open Citizen and you will see a familiar blue location dot — that’s you! — surrounded by other, often larger dots, in red and yellow. Each represents an incident, either of the “Recent” or “Trending” variety, that has recently been reported in your proximity, and that may even be unfolding at the very moment.

    Particularly notable reports might have video, sometimes live, as well as a timeline of new developments, and a chat-scroll full of users discussing what they’re seeing.

    “Sometimes it makes me feel paranoid, and afraid knowing that there is a lot that goes on,” she said. “It does give me some comfort knowing my surroundings, but I’m always torn between wanting to know and see everything, or to have that blind eye toward everything.”

    Conflicted enthusiasm is a common sentiment among Citizen users: I don’t know if I want to know, but I can’t not know.

  16. Tomi Engdahl says:

    Wireless vulns in Medtronic’s implanted defibrillators allow remote shocks, shutdown, denial-of-service battery attacks and data theft
    https://boingboing.net/2019/03/22/lethal-shocks-r-us.html

    Medtronic is the most notorious maker of insecure medical implants in America, with a long history of inserting computers into people’s bodies with insecure wireless interfaces, toolchains and update paths, and nothing has changed.

    In a new CERT advisory — scoring 9.3/10 for severity! — we learn that remote attackers can hijack a Medtronic implanted defibrillator and administer potentially lethal shocks, shut down lifesaving features, and put the device into a high power-consumption mode that drains the battery. A separate attack allows attackers to steal sensitive patient data from the device.

    https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01

  17. Tomi Engdahl says:

    Industry Reactions to Norsk Hydro Breach: Feedback Friday
    https://www.securityweek.com/industry-reactions-norsk-hydro-breach-feedback-friday

    Norwegian aluminum giant Norsk Hydro has been hit by a serious ransomware attack that caused disruptions at some of its plants and forced the company to turn to manual processes to fulfill customer orders.

    The attack appears to have involved file-encrypting ransomware known as LockerGoga. However, Norsk Hydro claims it has good backups in place that should help it restore compromised files without having to pay the ransom.

    Cybersecurity expert Kevin Beaumont (blog post on his thoughts and analysis of the attack):

    “Hydro started the best incident representation response plan I’ve ever seen — they had a temporary website up, they told the press, they told their staff, they apparently didn’t hide any details — they even had daily webcasts with the most senior staff talking through what was happening, and answering questions.

    In contrast to some other incidents, their stock price actually went up — despite a difficult trading period for the past 2 years involving some major business setbacks, they have actually gained in value.

    Ray Walsh, digital privacy expert, BestVPN.com:

    “The surge in the price of aluminum since the cyber attack on the Norwegian producer Norsk Hydro is a stark reminder of the possible ramifications of targeted cyber attacks. Anytime that a large firm has a strong direct influence on the production of a material, it is possible that a large attack of this nature could disrupt distribution levels and therefore affect prices.

    Malcolm Taylor, Director Cyber Advisory, ITC Secure:

    “Supply chain risk through cyberattack has come to the fore recently. Not, I believe, because it’s become a greater issue or because of attacks like this which are highlighting it, but simply because there is a growing understanding of the inter-connected nature of modern commercial activity and just in time production, and crucially how empowered that is by technology. It may also be a factor, though I think sadly a smaller one, that as firms mature their cyber security, they have the wherewithal, in terms of understanding, time and budget, to begin to get to grips with the problem of their suppliers, which has made the issue gain prominence.

    Tyler Moffitt, Security Analyst, Webroot:

    “LockerGoga is a new ransomware variant that appears to be targeting European companies. So far, the notable victims have been Altran in France on Jan. 25 and Norsk Hydro in Norway in the past 24 hours. The encryption process used by LockerGoga is slow because it creates a new process each time it encrypts a new file and also exhibits no detection evasion techniques, showing a lack of sophistication. LockerGoga was signed using a valid Digital Certificate which has since been revoked.”

    Dean Weber, CTO, Mocana:

    “The Norsk Hydro attack goes to show that the reliance of operational technology (OT) systems on information technology (IT) platforms means that any attack is likely to impact both in industrial environments. By targeting and disabling IT systems, adversaries are able to cause a variety of subsequent issues affecting OT input/output, storage, data recorders, ICS/SCADA platforms and more. Why is the impact so widespread? Professionals are forced to disconnect IT systems for either protection purposes or for remediation activities.

  18. Tomi Engdahl says:

    Pwn2Own 2019: Researchers Win Tesla After Hacking Its Browser
    https://www.securityweek.com/pwn2own-2019-researchers-win-tesla-after-hacking-its-browser

    A team of researchers has earned $35,000 and a Tesla Model 3 after hacking the vehicle’s web browser at the Pwn2Own 2019 competition that took place this week in Vancouver, Canada.

  19. Tomi Engdahl says:

    UK Police Federation Hit by Ransomware
    https://www.securityweek.com/uk-police-federation-hit-ransomware

    The UK Police Federation of England & Wales (PFEW) website was subject to a malware attack that it discovered on March 9, 2019. It appears that this was a ransomware attack; but the strain has not been announced.

  20. Tomi Engdahl says:

    Russian Hackers Target European Governments Ahead of Elections: FireEye
    https://www.securityweek.com/russian-hackers-target-european-governments-ahead-elections-fireeye

    Hackers believed to be sponsored by the Russian government are targeting European governments for cyber-espionage purposes ahead of the upcoming European elections, FireEye reports.

    The targeting, the security firm says, is focused on NATO member states. The activity has increased significantly since mid-2018, and is ongoing.

    The attacks are being carried out by two groups that security companies refer to as APT28 (also known as Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, Tsar Team and Strontium) and Sandworm Team (also tracked as TeleBots).

  21. Tomi Engdahl says:

    D.C. Attorney General Introduces New Data Security Bill
    https://www.securityweek.com/dc-attorney-general-introduces-new-data-security-bill

    Karl A. Racine, the attorney general for the District of Columbia, on Thursday announced the introduction of a new bill that aims to expand data breach notification requirements and improve the way personal information is protected by organizations.

    The Security Breach Protection Amendment Act of 2019 expands the types of information companies are held accountable for. Current legislation covers social security numbers, payment cards, and driver’s license numbers, and the new bill would also add passport numbers, military IDs, biometric data, health information, taxpayer identification numbers, health insurance info, and genetic information and DNA profiles to that list.

    The bill also requires companies that own, maintain, license or handle personal information to implement security measures to prevent unauthorized access and data misuse.

    The legislation would also require organizations to notify the AG’s office of any data breaches, and inform impacted consumers of their right (under federal law) to obtain a security freeze.

  22. Tomi Engdahl says:

    Microsoft Launches Defender ATP Endpoint Security for macOS
    https://www.securityweek.com/microsoft-launches-defender-atp-endpoint-security-macos

    Microsoft this week announced the availability of its Microsoft 365 advanced endpoint security solution across platforms, courtesy of Mac support added to Microsoft Defender Advanced Threat Protection (ATP).

  23. Tomi Engdahl says:

    Multiple Vulnerabilities Patched in PuTTY and LibSSH2
    https://www.securityweek.com/multiple-vulnerabilities-patched-putty-and-libssh2

    PuTTY, an SSH and Telnet client program, and LibSSH2, a client-side C library for the SSH2 protocol, have both received updates fixing multiple vulnerabilities. Eight vulnerabilities have been fixed in version 0.71 of PuTTY, and nine vulnerabilities fixed in version 1.8.1 of LibSSH2.

  24. Tomi Engdahl says:

    Glitch Exposes the Passwords of Roughly Half Billion Facebook and Instagram Users
    https://www.pandasecurity.com/mediacenter/social-media/glitch-facebook-instagram/

  25. Tomi Engdahl says:

    Two Russia-backed hacker groups target Europe ahead of elections, FireEye reports
    https://boingboing.net/2019/03/21/two-russia-backed-hacker-group.html

    Security services firm FireEye says two hacker groups known to be sponsored by the Russian government of Vladimir Putin are waging cyber-attacks currently against European government systems.

    FireEye says these internet-based digital attacks are focused on the member states of NATO, the European security alliance that both Putin and Trump disparage.

    The two hacking groups are believed to be coordinating their efforts, but they’re using different tools, FireEye reports, adding it noticed a “significant increase” in activity from both groups in mid-2018.

    The cyber-espionage campaign is said to be ongoing.

  26. Tomi Engdahl says:

    Cyber-espionage warning: Russian hacking groups step up attacks ahead of European elections
    https://www.zdnet.com/article/cyber-espionage-warning-russian-hacking-groups-step-up-attacks-ahead-of-european-elections/

    Researchers at FireEye say Kremlin-backed hacking operations are attempting to target governments, media and political parties as elections approach.

  27. Tomi Engdahl says:

    NRK: At least four Nokia phone models send data to China
    https://www.is.fi/digitoday/tietoturva/art-2000006044697.html

    Several Nokia models have communicated with a server owned by a Chinese company
    https://nrkbeta.no/2019/03/22/flere-nokia-modeller-har-kommunisert-med-kinesiske-servere/

  28. Tomi Engdahl says:

    Evidence mounts that Russian hackers are trying to disrupt the EU elections
    State-sponsored groups Fancy Bear and Sandworm are phishing for government info.
    https://www.engadget.com/2019/03/21/russia-hackers-influence-eu-election-phishing/

  29. Tomi Engdahl says:

    The manufacturer of Nokia phones was already informed of the mysterious communication with China last summer
    https://www.tivi.fi/Kaikki_uutiset/nokia-puhelinten-valmistajaa-infottiin-mystisesta-yhteydenpidosta-kiinaan-jo-viime-kesana-6761908

    Several Nokia models have communicated with a server owned by a Chinese company
    https://nrkbeta.no/2019/03/22/flere-nokia-modeller-har-kommunisert-med-kinesiske-servere/

  30. Tomi Engdahl says:

    Nokia phones may have breached user data
    And may have sent it to the Chinese.
    https://www.itproportal.com/news/nokia-phones-may-have-breached-user-data/

    Reports are coming in that a certain Nokia phone model may have leaked personal information to a Chinese server, and Finnish authorities are moving in to investigate.

    The news was confirmed by Reuters recently, which confirmed that Finland’s data protection ombudsman would investigate the matter.

    Ombudsman Reijo Aarnio told Reuters he’d look into any potential breaches that involved “personal information and if there has been a legal justification for this.”

    According to local media, the device in question is the Nokia 7 Plus. The company that makes these phones, HMD Global, said that an “unspecified number” of these devices sent data to a Chinese server.

    Nokia, the company, didn’t want to comment.

  31. Tomi Engdahl says:

    Vietnam ‘State-Aligned’ Hackers Are Targeting Auto Firms, FireEye Says
    https://www.bloomberg.com/news/articles/2019-03-20/vietnam-tied-hackers-target-auto-industry-firms-fireeye-says

    Vietnamese “state-aligned” hackers are targeting foreign automotive companies in attacks that appear to support the country’s vehicle manufacturing goals, according to cyber-security provider FireEye Inc.

    FireEye, which designated the group as APT32 and dates its activities to 2014, said the attacks accelerated in early February. The hacking targeted companies in Southeast Asia and “the broader areas surrounding Vietnam,” said Nick Carr, a FireEye senior manager.

  32. Tomi Engdahl says:

    Ransomware Forces Two Chemical Companies to Order ‘Hundreds of New Computers’
    https://motherboard.vice.com/en_us/article/8xyj7g/ransomware-forces-two-chemical-companies-to-order-hundreds-of-new-computers

    It appears that LockerGoga, the same ransomware that hit aluminum manufacturing giant Norsk Hydro this week, also infected American chemicals companies Hexion and Momentive, leaving employees locked out of their computers.

    A ransomware attack appears to have affected two American chemicals companies, Motherboard has learned.

    Hexion and Momentive, which make resins, silicones, and other materials, and are controlled by the same investment fund, were hit by the ransomware on March 12, according to a current employee. An internal email obtained by Motherboard and signed by Momentive’s CEO Jack Boss refers to a “global IT outage” that required the companies to deploy “SWAT teams” to manage.

  33. Tomi Engdahl says:

    Over 100,000 GitHub repos have leaked API or cryptographic keys
    Thousands of new API or cryptographic keys leak via GitHub projects every day.
    https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-cryptographic-keys/

    A scan of billions of files from 13 percent of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis.

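    The ZDNet article above describes a scan of public repositories for leaked API tokens and cryptographic keys. The scanner below is an added defender-side example, not code from the original post or from the research it reports: it runs three detection rules over constructed sample file contents, catching an AWS access key ID by its documented “AKIA” prefix and 20-character format, a PEM private key by its header line, and a credential-looking assignment by a Shannon-entropy test on the literal, and it reports each hit redacted so the report itself does not re-leak the secret. The sample file, the rule names and the entropy threshold are constructed for the example.

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Constructed sample file contents (not from any real repository). It mixes
# harmless settings with three kinds of leaked material that a scan of public
# repositories would want to catch, plus a low-entropy literal that should not
# be reported by the entropy rule.
SAMPLE_FILE = """\
# settings.py (constructed sample)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_HOST = "localhost"
api_key = "q7Zr2vK9pLm4XwB8tN3sYd6Fh1Gj5Uc0"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA
password = "changeme"
"""


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never the full secret: the report must not leak it again


# Rules that match on format alone. AWS access key IDs are 20 characters
# beginning with "AKIA"; PEM private keys announce themselves in the header.
PATTERN_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("pem_private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]

# Generic rule: a credential-looking variable name assigned a long quoted
# literal. Format alone is not enough here (it would flag placeholders such as
# "changeme"), so the literal must also look random, measured by its entropy.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token)\b\s*[:=]\s*['\"]([A-Za-z0-9_\-]{20,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a tuning choice for this example


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so the owner can recognise the key without re-leaking it."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_text(text: str) -> List[Finding]:
    """Run every rule over every line and return the redacted findings in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERN_RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, kind, redact(m.group(0))))
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(line_no, "high_entropy_credential", redact(m.group(2))))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_FILE):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

    Pattern rules and the entropy rule fail in opposite directions: a format rule misses anything whose shape it does not know, while an entropy rule flags random-looking non-secrets (hashes, UUIDs), so a real pre-commit or repository scan combines both and feeds hits into key rotation rather than treating the scan itself as the fix.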
  34. Tomi Engdahl says:

    ‘100 unique exploits and counting’ for latest WinRAR security bug
    https://www.zdnet.com/article/100-unique-exploits-and-counting-for-latest-winrar-security-bug/

    As expected, the recent WinRAR vulnerability is now being abused en-masse by multiple threat actors.

  35. Tomi Engdahl says:

    Denial of service in Facebook Fizz due to integer overflow (CVE-2019-3560)
    https://lgtm.com/blog/facebook_fizz_CVE-2019-3560

    This post is about a denial of service vulnerability which I found in Facebook’s Fizz project, using a Semmle QL query. The vulnerability is an infinite loop which can be triggered by an unauthenticated remote attacker. Fizz is Facebook’s TLS implementation, which means that it is used for the “https:” part of https://facebook.com. In a blog post about Fizz

  36. Tomi Engdahl says:

    Critical DoS Bug Bubbles Up in Facebook Fizz TLS 1.3 Project
    https://threatpost.com/dos-bug-facebook-fizz-tls/143086/

    Users of the open-source project should upgrade immediately.

    A critical denial-of-service (DoS) vulnerability in Facebook’s open-source implementation of the transport layer security (TLS) 1.3 protocol could cause an infinite loop – thus disrupting any web service that relies on it.

    Semmle Discovers Denial of Service (DoS) Vulnerability in Facebook Fizz
    https://semmle.com/news/denial-service-dos-vulnerability-facebook-fizz

  37. Tomi Engdahl says:

    Zero-Day WordPress Plugin Vulnerability Used to Add Malicious Redirects
    https://www.bleepingcomputer.com/news/security/zero-day-wordpress-plugin-vulnerability-used-to-add-malicious-redirects/

    WordPress websites using unpatched Social Warfare installations (v3.5.1 and v3.5.2) are exposed to attacks abusing a stored Cross-Site Scripting (XSS) vulnerability fixed in the 3.5.3 version of the plugin.

    After it was determined that the vulnerable plugin, which currently has more than 70,000 installations, was actively exploited in the wild, Social Warfare was removed from the WordPress plugin store and was later added back after the development team issued a patch to fix the zero-day.

  38. Tomi Engdahl says:

    Security storm brewing for Oracle Java-powered smart cards: More than a dirty dozen flaws found, fixes… er, any fixes?
    Vuln hunters warn malicious applets can bust through protections, snoop on or hijack access gizmos
    https://www.theregister.co.uk/2019/03/22/oracles_java_card/

    [SE-2019-01] Java Card vulnerabilities
    https://seclists.org/fulldisclosure/2019/Mar/35

    We discovered multiple security vulnerabilities in the reference implementation of Java Card technology [1] from Oracle, used in the financial, government, transportation and telecommunication sectors among others.

    According to Oracle, “Java Card technology provides a secured environment for applications that run on smart cards and other trusted devices with limited memory and processing capabilities. With close to six billion Java Card-based devices deployed each year, Java Card is already a leading software platform to run security services on smart cards and secure elements, which are chips used to protect smartphones, banking cards and government services” [2].

    Unfortunately, due to certain architectural choices from the past, it’s hard to perceive Java Card technology in terms of security. There are ways for malformed applications loaded into a vulnerable Java Card to easily break memory safety. Such a breach directly leads to the security compromise of a Java Card VM, an applet firewall breach, and jeopardizes the security of co-existing applications. In some cases, the whole card environment can be compromised, but that’s dependent on the underlying OS / processor architecture (i.e. presence of a flat address space, isolation between tasks).
