This posting is here to collect cyber security news in June 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
109 Comments
Tomi Engdahl says:
Google cloud is down, affecting numerous applications and services
https://techcrunch.com/2019/06/02/google-cloud-is-down-affecting-numerous-applications-and-services/
A Google Cloud outage is currently affecting a number of services in and out of the Google suite including Snap and Discord as well as Google services like Gmail, Nest, and others.
Google’s Cloud outage is resolved, but it reveals the holes in cloud computing’s atmosphere
https://techcrunch.com/2019/06/02/googles-cloud-outage-is-resolved-but-it-reveals-the-holes-in-cloud-computings-atmosphere/
The outage hit everything from the ability to control the temperature in people’s homes and apartments through Google’s Nest to shopping on any service powered by Shopify, to Snapchat and Discord’s social networks.
“The network congestion issue in eastern USA, affecting Google Cloud, G Suite, and YouTube has been resolved
Even though the networking issue has been resolved, the fact that problems with Google’s cloud services could cause outages for several of the world’s most popular applications underscores how thin cloud coverage can be for modern computing architectures.
Most companies have put their entire backend in the hands of one company and while the benefits outweigh the risks most of the time, it’s worthwhile to at least think about contingency planning.
it’s going to be more important for companies to have a back-up plan in place in case these services go down.
Tomi Engdahl says:
Eternally Blue: Baltimore City leaders blame NSA for ransomware attack
https://arstechnica.com/information-technology/2019/05/eternally-blue-baltimore-city-leaders-blame-nsa-for-ransomware-attack/
Mayor and council president ask for federal disaster dollars to clean up IT toxic waste
Tomi Engdahl says:
US visas now demand social media details
https://www.techspot.com/news/80332-us-visas-now-demand-social-media-details.html
Tomi Engdahl says:
Amazon’s helping police build a surveillance network with Ring doorbells
https://www.cnet.com/features/amazons-helping-police-build-a-surveillance-network-with-ring-doorbells/
Its popular Ring smart doorbells mean more cameras on more doorsteps, where surveillance footage used to be rare.
Tomi Engdahl says:
This Windows Flaw Is So Bad, Even the NSA Is Begging You to Update
https://gizmodo.com/this-windows-flaw-is-so-bad-even-the-nsa-is-begging-yo-1835253375
Tomi Engdahl says:
In a rare advisory, NSA urges users to patch BlueKeep flaw
https://techcrunch.com/2019/06/05/nsa-advisory-bluekeep-patch/
Tomi Engdahl says:
https://www.immuniweb.com/blog/what-we-learned-from-infosecurity-europe-2019-gdpr-budgets-and-people-problems.html
Tomi Engdahl says:
A ‘backdoor’ in Optergy smart building tech gets maximum severity score
https://techcrunch.com/2019/06/06/optergy-backdoor-smart-building/
Tomi Engdahl says:
Fortune 500 giant Tech Data exposed customer and billing data
https://techcrunch.com/2019/06/06/tech-data-server-leak/
Tomi Engdahl says:
https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect/
Tomi Engdahl says:
https://pentestmag.com/data-provenance-unintended-consequences-of-multiple-data-breaches/
Tomi Engdahl says:
https://www.forbes.com/sites/gordonkelly/2019/06/01/microsoft-windows-10-upgrade-update-problem-warning-cost-windows-10-home/
Tomi Engdahl says:
https://pentestmag.com/how-hackers-are-spying-on-us-canadian-special-forces/
Tomi Engdahl says:
https://www.techspot.com/news/80332-us-visas-now-demand-social-media-details.html
Tomi Engdahl says:
https://www.immuniweb.com/news/free-website-pcidss-scan.html
Tomi Engdahl says:
The Return of the WIZard: RCE in Exim (CVE-2019-10149)
The Qualys team during code review of recent code changes discovered a RCE vulnerability in the Exim Mail Server existing in versions 4.87 to 4.91. While the exploitation is instant for a local attacker, the vulnerability can also be exploited in some non-default configuration cases. An attacker can execute arbitrary commands with execv(), as root; also no memory corruption or ROP (Return-Oriented Programming) is involved.
Details + Exploit: https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt
Tomi Engdahl says:
THE CATCH-22 THAT BROKE THE INTERNET
https://www.wired.com/story/google-cloud-outage-catch-22/
A Google Cloud outage that knocked huge portions of the internet offline also blocked access to the tools Google needed to fix it.
YouTube sputtered. Shopify stores shut down. Snapchat blinked out. And millions of people couldn’t access their Gmail accounts. The disruptions all stemmed from Google Cloud, which suffered a prolonged outage—which also prevented Google engineers from pushing a fix. And so, for an entire afternoon and into the night, the internet was stuck in a crippling ouroboros: Google couldn’t fix its cloud, because Google’s cloud was broken.
The root cause of the outage, as Google explained this week, was fairly unremarkable. (And no, it wasn’t hackers.)
cascading combination of two misconfigurations and a software bug
capacity effectively went from six tunnels to two. The result: internet-wide gridlock.
Google’s network is designed to “fail static,” which means even after a control plane has been descheduled, it can function normally for a small period of time.
Google Cloud lost nearly a third of its traffic, which is why third parties like Shopify got nailed.
“Management traffic, because it can be quite voluminous, you’re always careful. It’s a little bit scary to prioritize that, because it can eat up the network if something wrong happens with your management tools,” Henthorn-Iwane says. “It’s kind of a Catch-22 that happens with network management.”
Which is exactly what played out on Sunday. Google says its engineers were aware of the problem within two minutes. And yet! “Debugging the problem was significantly hampered by failure of tools competing over use of the now-congested network,”
took the automation software that deschedules jobs during maintenance offline
Still, it’s unclear whether Google, or any cloud provider, can avoid collapses like this entirely. Networks don’t have infinite capacity. They all make choices about what keeps working, and what doesn’t, in times of stress.
much of what you experience as the internet lives in servers owned by a handful of companies, and that companies are run by humans, and that humans make mistakes
Tomi Engdahl says:
How hackers can permanently lock you out of your accounts
https://www.theguardian.com/commentisfree/2019/jun/09/how-hackers-can-permanently-lock-you-out-of-your-accounts
Some hackers use malicious code, but most just hide in plain sight. It can be devastatingly effective
A young woman recently contacted me for help: a hacker gained access to her Instagram and Snapchat and started sending her friends “nudes” she had taken. She tried many times to regain access to her account – often arduous efforts requiring she send social media companies selfies with dates and codes – but every time she regained access, the intruder locked her out again and forced her to start from scratch.
When I heard her story I was surprised; in these cases a password reset is usually sufficient. After digging a bit deeper I was astounded by the brutal effectiveness of the hacker’s strategy – so complete it left his victim with no recourse to regain her accounts.
If Anna retained access to her email address the situation would have been a pain, but temporary and fixable. However, Anna had given John her two-factor authentication code, enabling him to switch the phone number and alternate email on the account and leaving her no way to recover her account. When she contacted Microsoft, they essentially said they believed that the account was hers, but she had voluntarily handed over access and there was no way for her to prove it was hers any more.
he essentially just asked Anna for her credentials, and got them. This is a harsh lesson for anyone online: You must be vigilant about your accounts at all times. Do not write down your passwords or two-factor codes for any reason, no matter who asks. The importance of adding phone numbers and alternate emails to your accounts cannot be overstated.
Tomi Engdahl says:
Malicious Attacks On Open Source Are Going to Get Worse: Developers Need to Take Notice
https://blog.sonatype.com/malicious-attacks-on-open-source-are-going-to-get-worse
As vital as we know open source is to building software in today’s world, it’s a mistake to think of it as a silver bullet. The ability to expedite software development is clear– but so is the significant room for error, when not properly managed.
Since that initial Struts vulnerability in 2013, the community has witnessed Shellshock, Heartbleed, Commons Collection and others, including the 2017 attack on Equifax– all of which followed the same pattern of widespread exploit post-disclosure.
new form of attack on our software supply chains, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well.
Tomi Engdahl says:
https://borncity.com/win/2019/06/08/german-authorities-found-preinstalled-malware-on-4-china-phones-june-2019/
Tomi Engdahl says:
Tracked as CVE-2019-9510, the reported vulnerability could allow client-side attackers to bypass the lock screen on remote desktop (RD) sessions
https://thehackernews.com/2019/06/rdp-windows-lock-screen.html?fbclid=IwAR0tZvNXv4-pklbl8ihNIjMI8_RyUday5wJz-0b5c5152lmPSG_fsFwDLAM&m=1
Tomi Engdahl says:
Google Confirms Android Smartphone Security Backdoor
https://www.forbes.com/sites/daveywinder/2019/06/08/google-confirms-android-smartphone-security-backdoor/
Earlier this year, Forbes reported how a banking Trojan called Triada had been found on a bunch of brand new budget Android smartphones. Google has now confirmed that threat actors did, indeed, manage to compromise Android smartphones with the installation of a backdoor as part of a supply chain attack.
Tomi Engdahl says:
Amazon’s helping police build a surveillance network with Ring sopivalla
https://www.cnet.com/features/amazons-helping-police-build-a-surveillance-network-with-ring-doorbells/
Its popular Ring smart doorbells mean more cameras on more doorsteps, where surveillance footage used to be rare.
Tomi Engdahl says:
On Thursday, June 6, for two hours a large chunk of European mobile traffic was rerouted through China.
The claim seems to be according to this article that it was China Telecom, again “hijacking the vital internet backbone of western countries.” Or was this just another accidential mistake?
https://www.zdnet.com/article/for-two-hours-a-large-chunk-of-european-mobile-traffic-was-rerouted-through-china/
Border Gateway Protocol: The Biggest Network Vulnerability Of All?
https://www.techopedia.com/2/28494/security/border-gateway-protocol-the-biggest-network-vulnerability-of-all
Tomi Engdahl says:
German authorities found preinstalled Malware on 4 China phones (June 2019)
https://borncity.com/win/2019/06/08/german-authorities-found-preinstalled-malware-on-4-china-phones-june-2019/
Tomi Engdahl says:
Telegram Suffers ‘Powerful DDoS Attack’ From China During Hong Kong Protests
https://thehackernews.com/2019/06/telegram-ddos-attack.html
Telegram, one of the most popular encrypted messaging app, briefly went offline yesterday for hundreds of thousands of users worldwide after a powerful distributed denial-of-service (DDoS) attack hit its servers.
Tomi Engdahl says:
Microsoft and the Pentagon Are Quietly Hijacking U.S. Elections
https://www.truthdig.com/articles/microsoft-and-the-pentagon-are-quietly-hijacking-u-s-elections/
Tomi Engdahl says:
Encryption won’t work if it has a back door only the ‘good guys’ have keys to
https://www.theguardian.com/technology/2015/may/01/encryption-wont-work-if-it-has-a-back-door-only-the-good-guys-have-keys-to-
Tomi Engdahl says:
https://www.zdnet.com/article/no-more-passwords-windows-10-1903-is-close-to-that-goal-claims-microsoft/
Tomi Engdahl says:
https://www.infosecurity-magazine.com/news/criminals-try-to-schedule-spam-in-1/
Tomi Engdahl says:
https://www.howtogeek.com/327518/how-to-log-in-to-a-windows-desktop-without-a-keyboard/
Tomi Engdahl says:
https://techcrunch.com/2019/06/11/banking-apps-security-flaws/
Tomi Engdahl says:
New Cybersecurity Regulations About to Hit Everyone
https://pentestmag.com/new-cybersecurity-regulations-about-to-hit-everyone/
this new bill will affect far more companies than those directly engaged in “financial services” and like NYCRR 500, it will include entities that engage in activities that are “financial in nature” like
Tomi Engdahl says:
Maker of US border’s license-plate scanning tech ransacked by hacker, blueprints and files dumped online
https://www.theregister.co.uk/2019/05/23/perceptics_hacked_license_plate_recognition/
Perceptics confirms intrusion and theft, stays quiet on details
Tomi Engdahl says:
Customs Says Hack Exposed Traveler, License Plate Images
https://www.securityweek.com/customs-says-hack-exposed-traveler-license-plate-images
Tomi Engdahl says:
https://gizmodo.com/microsoft-quietly-pulls-its-database-of-100-000-faces-u-1835296212
Tomi Engdahl says:
https://hackaday.com/2019/06/09/gps-and-ads-b-problems-cause-cancelled-flights/
Tomi Engdahl says:
https://techcrunch.com/2019/06/06/protecting-the-integrity-u-s-elections-will-require-a-massive-regulatory-overhaul-academics-say/
Tomi Engdahl says:
https://www.reddit.com/r/security/comments/c0ga5x/the_critical_bug_in_a_connected_medical_device/?utm_medium=android_app&utm_source=share
Tomi Engdahl says:
one carrying a critical rating of 10 out of 10 on the CVSS v.3 severity scale.
https://www.reddit.com/r/security/comments/c0ga5x/the_critical_bug_in_a_connected_medical_device/?utm_medium=android_app&utm_source=share
Tomi Engdahl says:
Configuration Error Likely Culprit in Massive Google Outage
https://pentestmag.com/configuration-error-likely-culprit-in-massive-google-outage/
Google has revealed some preliminary findings as it continues to investigate the massive Google Cloud outage that took down the majority of its services and several high profile third-party dependants in Sunday’s four hour outage.
Tomi Engdahl says:
Is Your Alarm System Safe from Hackers? Nope.
https://blog.paessler.com/is-your-alarm-system-safe-from-hackers-nope
Tomi Engdahl says:
Yubico recalls government-grade security keys due to bug
https://www.engadget.com/2019/06/13/yubico-recalls-government-grade-security-keys-due-to-bug/
The flaw reduces the randomness of cryptographic keys.
Tomi Engdahl says:
Zack Whittaker / TechCrunch:
Researchers: an infusion pump widely used in hospitals and medical facilities has critical security flaws that allow it to be remotely hijacked and controlled — A hospital infusion pump widely used in hospitals and medical facilities has critical security flaws that allow it to be remotely hijacked …
A widely used infusion pump can be remotely hijacked, say researchers
https://techcrunch.com/2019/06/13/alaris-infusion-pump-security-flaws/
An infusion pump widely used in hospitals and medical facilities has critical security flaws that allow it to be remotely hijacked and controlled, according to security researchers.
Researchers at healthcare security firm CyberMDX found two vulnerabilities in the Alaris Gateway Workstation, developed by medical device maker Becton Dickinson.
In the worst-case scenario, the researchers said it would be possible to adjust specific commands on the pump — including the infusion rate — on certain versions of the device by installing modified firmware.
The researchers said it was also possible to remotely brick the onboard computer, knocking the pump offline.
The bug was scored a rare maximum score of 10.0 on the industry standard common vulnerability scoring system, according to Homeland Security’s advisory. A second vulnerability, scored at a lesser 7.3 out of 10.0, could allow an attacker to gain access to the workstation’s monitoring and configuration interfaces through the web browser.
The researchers said creating an attack kit was “quite easy” and “worked consistently,” said Elad Luz, CyberMDX’s head of research, in an email to TechCrunch. But the attack chain is complex and requires multiple steps, access to the hospital network, knowledge of the workstation’s IP address and the capability to write custom malicious code.
In other words, there are far easier ways to kill a patient than exploiting these bugs.
“There are about 50 countries that have these devices,”
The flaws are another reminder that security issues can exist in any device — particularly life-saving equipment in the medical space.
Tomi Engdahl says:
Jonathan Shieber / TechCrunch:
Telegram says it faced a massive DDoS attack originating from China coinciding with protests in Hong Kong, where organizers used the app to evade surveillance
Telegram faces DDoS attack in China… again
https://techcrunch.com/2019/06/12/telegram-faces-ddos-attack-in-china-again/
The popular encrypted messaging service Telegram is once again being hit with a distributed denial of service (DDoS) attack in Asia as protestors in Hong Kong take to the streets.
One of the tools that organizers have turned to is the encrypted messaging service, Telegram, and other secure messaging technologies, as they look to evade surveillance measures by government officials.
This isn’t the first time that someone has tried to take down Telegram at a time when China was experiencing significant unrest.
“IP addresses coming mostly from China,” Durov tweeted. “Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception.”
Tomi Engdahl says:
Eric Berger / Ars Technica:
NIST study: a widespread GPS outage would have an estimated $1B/day impact on the US economy; 90% of GPS’ financial impact has come since 2010 — 90 percent of the technology’s financial impact has come since just 2010. — Since becoming fully operational in 1995, Global Positioning System technology …
Study finds that a GPS outage would cost $1 billion per day
90 percent of the technology’s financial impact has come since just 2010.
https://arstechnica.com/science/2019/06/study-finds-that-a-gps-outage-would-cost-1-billion-per-day/
Since becoming fully operational in 1995, Global Positioning System technology has become widely adopted in the United States and abroad. The concept of satellite-based navigation has become so essential that other world powers, including China, Russia, the European Union, India, and Japan, have all started building their own regional or global systems.
To assess the effect of an outage, the study looked at several different variables. Among them was “precision timing” that enables a number of wireless services, including the synchronization of traffic between carrier networks, wireless handoff between base stations, and billing management. Moreover, higher levels of precision timing enable higher bandwidth and provide access to more devices. (For example, the implementation of 4G LTE technology would have been impossible without GPS technology).
In the case of an outage, there would be relatively minimal impacts over the first two days, but after that time, the wireless network would begin to degrade significantly. After 30 days, the study estimates that functionality would lie somewhere between 0 percent and 60 percent of normal operating levels. Landline phones would be largely unaffected.
“GPS came along at a time of significant evolution in the telecom sector and played a critical role in the digitization of telecom infrastructure and the advent of wireless technology,” the study states.
Tomi Engdahl says:
WeChat Is Watching
Living in China with the app that knows everything about me.
http://nautil.us/issue/73/play/wechat-is-watching
WeChat, the brainchild of Tencent—one of China’s big three tech giants—is often referred to in the West as a social media app, something equivalent to Facebook or WhatsApp, but that’s to undersell it. WeChat has over 1 billion active users. In China, people don’t refer to it as a social media platform but rather as a social ecosystem. The features are seemingly endless.
Before 10 on a normal day in Chengdu, WeChat knows the following things about me: It knows roughly when I wake up, it knows who has messaged me and who I message, it knows what we talk about. It knows my bank details, it knows my address and it knows my coffee preference in the morning. It knows my biometric information; it knows the very contours of my face.
But this isn’t all it knows. I use WeChat to pay my rent. I use it to pay for my utilities. I use it to top up my phone credit. I use WeChat to pay for the metro system. I use it to scan QR codes on the back of shared-bike schemes throughout the city. I use it to call cabs. It knows where I go and how I go there. I follow bloggers on it, I follow media organizations and NGOs and government offices (there are over 20 million official accounts associated with governmental institutions, agencies, or officials) and I read their content through it. It knows what academic interests I have
Then there are the features I don’t use. I could get a loan through WeChat. I thankfully haven’t had to book a doctor’s appointment through WeChat yet, but if I did it would know what afflicts me.
Tomi Engdahl says:
New York Times:
Sources: US Cyber Command is deploying offensive malware in Russia’s power grid, using powers granted in 2018 by Congress and a secret presidential directive — WASHINGTON — The United States is stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin …
U.S. Escalates Online Attacks on Russia’s Power Grid
https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html
The United States is stepping up digital incursions into Russia’s electric power grid in a warning to President Vladimir V. Putin and a demonstration of how the Trump administration is using new authorities to deploy cybertools more aggressively, current and former government officials said.
Advocates of the more aggressive strategy said it was long overdue, after years of public warnings from the Department of Homeland Security and the F.B.I. that Russia has inserted malware that could sabotage American power plants, oil and gas pipelines, or water supplies in any future conflict with the United States.
Power grids have been a low-intensity battleground for years.
The critical question — impossible to know without access to the classified details of the operation — is how deep into the Russian grid the United States has bored.
“We thought the response in cyberspace against electoral meddling was the highest priority last year, and so that’s what we focused on. But we’re now opening the aperture, broadening the areas we’re prepared to act in.”
Russian intrusion on American infrastructure has been the background noise of superpower competition for more than a decade.
A successful Russian breach of the Pentagon’s classified communications networks in 2008
assumption evaporated in 2014, two former officials said, when the same Russian hacking outfit compromised the software updates that reached into hundreds of systems that have access to the power switches.
In December 2015, a Russian intelligence unit shut off power to hundreds of thousands of people in western Ukraine. The attack lasted only a few hours, but it was enough to sound alarms at the White House.
Tomi Engdahl says:
Triton is the world’s most murderous malware, and it’s spreading
https://www.technologyreview.com/s/613054/cybersecurity-critical-infrastructure-triton-malware/
The rogue code can disable safety systems designed to prevent catastrophic industrial accidents. It was discovered in the Middle East, but the hackers behind it are now targeting companies in North America and other parts of the world, too.
Tomi Engdahl says:
San Francisco banned facial recognition tech. Here’s why other cities should too.
https://www.vox.com/future-perfect/2019/5/16/18625137/ai-facial-recognition-ban-san-francisco-surveillance
Don’t want constant surveillance? We can fight back.