This posting is here to collect cyber security news in January 2020.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
174 Comments
Tomi Engdahl says:
U.S. legislation on spread of cyber tools passes after Reuters investigation
https://www.reuters.com/article/us-usa-spying-idUSKBN1Z11KS?taid=5e0ece18b1b456000180a6d9&utm_campaign=trueAnthem:+Trending+Content&utm_medium=trueAnthem&utm_source=twitter
The legislation directs the State Department to report to Congress within 90 days on how it controls the spread of cyber tools and to disclose any action it has taken to punish companies for violating its policies.
Tomi Engdahl says:
Your smart TV is spying on you. Here are step-by-step instructions to stop it
https://eu.usatoday.com/story/tech/2020/01/02/amazon-fire-sony-vizio-smart-tvs-spying/2792152001/
Those smart TVs that sold for unheard of low prices over the holidays come with a catch. The price is super low, but the manufacturers get to monitor what you’re watching and report back to third parties, for a fee.
Tomi Engdahl says:
U.S. Government Issues Warning About Possible Iranian Cyberattacks
https://www.bleepingcomputer.com/news/security/us-government-issues-warning-about-possible-iranian-cyberattacks/
“Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS,” he added. “Make sure you’re also watching third party accesses!”
Tomi Engdahl says:
Promiscuous Cookies and Their Impending Death via the SameSite Policy
https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/
If a website sets a cookie then you click a link to another page on that same site, will the cookie be automatically sent with the request? Yes.
What if an attacker sends you a link to that same website in a malicious email and you click that link, will the cookie be sent? Also yes.
Last one: what if an attacker directs you to a malicious website and upon visiting it your browser makes a post request to the original website that set the cookie – will that cookie still be sent with the request? Yes!
Cookies just don’t care about how the request was initiated nor from which origin, all they care about is that they’re valid for the requested resource. “Origin” is a key word here too; those last two examples above are “cross-origin” requests.
The “future release of Chrome” is version 80 and it’s scheduled to land on the 4th of Feb which is rapidly approaching. Which brings us to the SameSite cookies mentioned in the console warning above. In a nutshell, they boil down to 3 different ways of handling cookies based on the value set:
None: what Chrome defaults to today without a SameSite value set
Lax: some limits on sending cookies on a cross-origin request
Strict: tight limits on sending cookies on a cross-origin request
Come version 80, any cookie without a SameSite attribute will be treated as “Lax” by Chrome.
Tomi Engdahl says:
Google has little choice to be evil or not in today’s fractured internet
https://techcrunch.com/2020/01/02/google-has-little-choice-to-be-evil-or-not-in-todays-fractured-internet/
Tomi Engdahl says:
https://www.usatoday.com/story/tech/2020/01/02/amazon-fire-sony-vizio-smart-tvs-spying/2792152001/
Tomi Engdahl says:
Frustration-free log management. (It’s a thing.)
https://www.papertrail.com/?utm_source=google&utm_medium=cpc&utm_term=papertrail&utm_campaign=PT-EMEA-Search-Brand&sw_ad_group_id=53782303357&sw_adposition=1t1&sw_campaignid=1345470697&sw_creative=295189950843&sw_device=m&sw_feeditemid=&sw_keyword=papertrail&sw_loc_interest_ms=&sw_loc_physical_ms=1005576&sw_matchtype=e&sw_placement=&CMP=KNC-TAD-GGL-1345470697~53782303357~g~m~papertrail~e~295189950843~~1005576~~-PPT-DL-TXT_LNK&gclid=CjwKCAiAo7HwBRBKEiwAvC_Q8bDrgkOECNESrXi-7NqFd56kdw2l4BoudylCO2dmGCsv_P_UyEK3yRoCfAgQAvD_BwE
Tomi Engdahl says:
The California Consumer Privacy Act officially takes effect today
https://techcrunch.com/2020/01/01/the-california-consumer-privacy-act-officially-takes-effect-today/
Tomi Engdahl says:
https://www.bbc.com/news/technology-50972890
A computer virus forced a US maritime base offline for more than 30 hours, the country’s coast guard has revealed.
Tomi Engdahl says:
‘Iran’ launches cyber-attack on US government website warning ‘we’re always ready’
https://www.dailystar.co.uk/news/world-news/breaking-iran-launches-cyber-attack-21216337
A group claiming to be working on behalf of the Iranian government has hacked a US government website where they plastered sinister warnings.
Tomi Engdahl says:
First Suleimani Attack By ‘Iranian’ Hackers Hits U.S., Exposing ‘Noisy’ New Threat
https://www.forbes.com/sites/zakdoffman/2020/01/05/first-suleimani-attack-by-iranian-hackers-hits-us-exposing-noisy-new-threat/#25a5ca016fd3
It didn’t take long—the first attack on a U.S. government website hit on Saturday, a day after the killing of Qassem Suleimani in Baghdad. The fact there was an attack is not a surprise—speculation has been rife. And the style of the attack is consistent with the nature of the primary cyber threat we now face. Hackers claiming to be linked to Iran targeted a low-level domain—the website of the Federal Depository Library Program—defacing its home page, echoing Teheran’s threats of vengeance alongside imagery of President Trump, Ayatollah Khamenei and the Iranian flag. There is nothing substantive to link the hackers with the regime in Teheran. The FDLP website was taken down shortly after the attack—U.S. law enforcement is now investigating.
Tomi Engdahl says:
UK investigates if cyberattack led to stock exchange outage
GCHQ isn’t fully convinced the failure was due to a glitch.
https://www.engadget.com/2020/01/05/uk-investigates-london-stock-exchange-outage-for-cyberattack/?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cudGVjaG1lbWUuY29tLw&guce_referrer_sig=AQAAAGMLhYxcbmHgv2gew4L3SDfSx4nZpSYHlCOpKDtYsZPf5h870aeJY7JgE-n0HLFUH3UzDsLFJ9d0bId_sYOxKgkbtNXfI10wVUgeD5t8TnB-4feSDHPPXUuzHNAOVd7QngtjorHZzOHEsabI3z4dIzNALobPnRp65DiIkV_v1ie7
UK officials are worried that a London Stock Exchange outage in August wasn’t just the glitch that many suspected. Wall Street Journal sources say the GCHQ intelligence agency is investigating the possibility that the failure may have been due to a cyberattack. It’s reportedly taking a close look at the associated code, including time stamps, to determine if there was any suspicious activity. The exchange was in the middle of updating its systems when the outage happened, and there’s a fear this left systems open to attack.
The exchange contracts development out to third-party teams, and a WSJ contact said it’s concerned about the security of that software chain. There’s a risk that the inadvertent spread of malware or rogue contractors could pose problems.
Tomi Engdahl says:
Bloomberg:
A look back at cyber attacks on US organizations that were attributed to Iranian hackers, as some fear an increase in such attacks after Soleimani assassination — Digital warfare likely among Iran’s options for retribution — Cyberfeud between Iran and U.S. dates back more than a decade
Iran’s Cyber Attack on Billionaire Adelson Provides Lesson on Strategy
https://www.bloomberg.com/news/articles/2020-01-05/iranian-attack-on-adelson-provides-lesson-on-cyber-strategy
As the U.S. awaits possible retribution over a recent airstrike that killed a top general, there’s at least one American businessman who can attest, in detail, to what happened after he provoked Iran.
Now, as Iran vows revenge for the airstrike, the U.S. faces an aggressive adversary in which digital warfare may be among its best options to strike directly at the American population. In the years since the Sands incident, Iranian hackers have continued their attacks, targeting a U.S. presidential campaign, universities, journalists, and even a dam in suburban New York.
“I’m sure the Iranians are asking their hackers for a list of options,”
“Cyber-attacks can be tempting if they can find the right American target.”
Iran is hardly the only U.S. cyber adversary.
Cyber-attacks can also be used to create disruptive effects that can impact millions. In a computer-dependent world, hackers can clog ports, shut down transportation networks, and open dams.
Iran has shown a willingness to use those types of digital attacks — targeting some of the U.S.’s biggest banks, the world’s top oil producer, and Adelson’s casino empire.
The U.S. is widely believed to have the ability to shut down power grids, interrupt air travel and create chaos at ports through digital strikes alone. Iran’s hackers and digital arms are less sophisticated, cybersecurity experts say, but the number of U.S.-related targets available to them is huge.
The digital feud between the U.S. and Iran dates back more than a decade, to when a devastating digital worm called Stuxnet crippled an Iranian uranium processing facility. That attack has been attributed by multiple media outlets to the U.S. and Israel.
Tomi Engdahl says:
Don’t Xiaomi pics of other people’s places! Chinese kitmaker fingers dodgy Boxing Day cache update after Google banishes it from Home
https://www.theregister.co.uk/2020/01/03/google_blocks_xiaomi/
Xiaomi has blamed some post-Christmas cache digestion problems after finding itself plonked on the naughty step by Google which blocked the Chinese tech conglomerate’s devices from its Nest Hub and Assistant last night.
Tomi Engdahl says:
Police Tracked a Terror Suspect Until His Phone Went Dark After a Facebook Warning
https://www.morningstar.com/news/dow-jones/202001026663/police-tracked-a-terror-suspect-until-his-phone-went-dark-after-a-facebook-warning
WhatsApp, Facebook Inc.’s popular messaging tool, had just notified about 1,400 users — among them the suspected terrorist — that their phones had been hacked by an “advanced cyber actor.” An elite surveillance team was using spyware from NSO Group, an Israeli company, to track the suspect, according to a law-enforcement official overseeing the investigation.
Tomi Engdahl says:
Promiscuous Cookies and Their Impending Death via the SameSite Policy
https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/
Come version 80, any cookie without a SameSite attribute will be treated as “Lax” by Chrome. This is really important to understand because put simply, it’ll very likely break a bunch of stuff.
Enterprise IT administrators may need to implement special policies to temporarily revert Chrome Browser to legacy behavior if some services such as single sign-on or internal applications are not ready for the February launch.
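The three scenarios in the Troy Hunt excerpts (same-site link, link from an email, cross-site POST) and the Chrome 80 “missing attribute means Lax” default can be worked through as a small decision model. This is an added example, not code from the article or from Chrome; the “site” comparison is a deliberately crude last-two-labels shortcut (real browsers use the Public Suffix List), and the email link is modelled as a cross-site top-level GET navigation.

```python
"""Model of when a browser attaches a cookie under SameSite=None/Lax/Strict,
including Chrome 80's treatment of a missing attribute as Lax.
Added example with simplifications; not browser source code."""
from dataclasses import dataclass
from typing import Dict, Optional


def registrable_domain(host: str) -> str:
    """Crude 'site' (eTLD+1): last two labels. Assumption for this example;
    browsers consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def same_site(initiator_host: str, target_host: str) -> bool:
    return registrable_domain(initiator_host) == registrable_domain(target_host)


@dataclass
class Request:
    initiator_host: str               # site of the page that caused the request
    target_host: str                  # site the request is sent to
    method: str = "GET"
    top_level_navigation: bool = False  # link click / redirect vs. form POST, XHR, img


def effective_same_site(attr: Optional[str], chrome80: bool) -> str:
    """Chrome 80 treats a missing SameSite attribute as Lax; older
    behaviour treated it as None. (Chrome 80 also rejects SameSite=None
    without Secure; that rule is not modelled here.)"""
    if attr is None:
        return "Lax" if chrome80 else "None"
    return attr


def cookie_sent(samesite: Optional[str], req: Request, chrome80: bool = True) -> bool:
    mode = effective_same_site(samesite, chrome80)
    if same_site(req.initiator_host, req.target_host):
        return True                   # same-site requests always carry the cookie
    if mode == "None":
        return True                   # cross-site: no restriction
    if mode == "Lax":
        # Lax only allows cross-site cookies on top-level GET navigations
        return req.top_level_navigation and req.method == "GET"
    return False                      # Strict: never on a cross-site request


# Constructed scenarios mirroring the three questions in the post.
SCENARIOS = {
    "same-site link click": Request("shop.example.com", "example.com", "GET", True),
    "link in a phishing email (cross-site navigation)": Request("webmail.evil.example", "example.com", "GET", True),
    "cross-site POST from attacker page": Request("evil.example", "example.com", "POST", False),
}

ATTRIBUTES = (None, "None", "Lax", "Strict")


def matrix(chrome80: bool = True) -> Dict[str, Dict[str, bool]]:
    """Scenario -> {attribute label -> cookie sent?}; None is labelled 'missing'."""
    return {
        name: {(attr or "missing"): cookie_sent(attr, req, chrome80) for attr in ATTRIBUTES}
        for name, req in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:50s} " + "  ".join(f"{k}={'yes' if v else 'no'}" for k, v in row.items()))
```

Comparing `matrix(chrome80=False)` with `matrix()` shows exactly which cookies stop flowing on the cross-site POST once the default flips, which is the “break a bunch of stuff” the post warns about.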
Tomi Engdahl says:
Some researchers have computed the very first chosen-prefix collision for SHA-1. In a nutshell, this means a complete and practical break of the SHA-1 hash function, with dangerous practical implications if you are still using this hash function. To put it in another way: all attacks that are practical on MD5 are now also practical on SHA-1.
https://sha-mbles.github.io/
Tomi Engdahl says:
The Quiet Billionaires Behind America’s Predator Drone That Killed Iran’s Soleimani
https://www.forbes.com/sites/denizcam/2020/01/07/the-quiet-billionaires-behind-americas-predator-drone-that-killed-irans-soleimani/?utm_source=FBPAGE&utm_medium=social&utm_content=3020942006&utm_campaign=sprinklrForbesMainFB#7432a04c5cb0
Tomi Engdahl says:
Texas facing 10,000 potential cybersecurity attacks from Iran per minute, Abbott Says
https://www.star-telegram.com/news/politics-government/article239042893.html
Texas Gov. Greg Abbott said Tuesday the Texas Department of Information Resources has seen a spike in attempted cyberattacks from Iran on state agency networks at the rate of about 10,000 per minute.
The increase in activity from that area has come in the last 48 hours, and to the department’s knowledge, none of the probes has been successful.
“We have no way of knowing whether anything is government-based or not, or government-sanctioned. What we’re doing is scanning on our state networks, and we can see where attacks are coming from,” Crawford said.
“These sorts of attacks happen every day. It happened yesterday. It’s going to happen tomorrow.”
Tomi Engdahl says:
Army says text messages saying ‘You’ve been selected for the military draft’ are fake
https://www.armytimes.com/news/your-army/2020/01/08/military-draft-text-messages-are-not-from-the-army-officials-warn/?utm_campaign=Socialflow+MIL&utm_source=facebook.com&utm_medium=social
Fraudulent texts were sent throughout the country this week informing individuals that they have been selected for a military draft, the command said. The phony messages come amid heightened tensions with Iran and after the emergency deployment of 3,500 paratroopers to Kuwait.
URGENT NEWS: Army Recruiting discredits military draft texts
https://recruiting.army.mil/News/Article-Display/Article/2051787/urgent-news-army-recruiting-discredits-military-draft-texts/
Tomi Engdahl says:
Iran courted US security expert for years, seeking industrial hacking training
In emails and WhatsApp messages, Iranian telecom official tried to recruit US researcher.
https://arstechnica.com/information-technology/2020/01/iran-courted-us-security-expert-for-years-seeking-industrial-hacking-training/
Iran has over the past decade built up its own organic hacking and cyberwarfare capabilities. But the groups associated with orchestrating Iran’s various cyberwarfare and cyber-espionage activities have also relied significantly on mining the work of others—and in at least one case, they have tried to bring in outside help for the ostensible purpose of training would-be hackers.
Tomi Engdahl says:
Microsoft Phishing Scam Exploits Iran Cyberattack Scare
https://www.bleepingcomputer.com/news/security/microsoft-phishing-scam-exploits-iran-cyberattack-scare/
An attacker is attempting to take advantage of the recent warnings about possible Iranian cyberattacks by using it as a theme for a phishing attack that tries to collect Microsoft login credentials.
Tomi Engdahl says:
UK man sentenced to prison for hacking and spying on victims through their webcams
https://www.zdnet.com/article/uk-man-sentenced-to-prison-for-hacking-and-spying-on-victims-through-their-webcams/#ftag=RSSbaffb68
A UK man was sentenced this week to two years in prison for infecting at least three female victims with malware and then watching and recording victims via their webcams.
Tomi Engdahl says:
Half of the websites using WebAssembly use it for malicious purposes
https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/
Around half of the websites that use WebAssembly, a new web technology, use it for malicious purposes, according to academic research published last year. Paper at https://www.sec.cs.tu-bs.de/pubs/2019a-dimva.pdf. The first category was WebAssembly code used for cryptocurrency-mining. These types of Wasm modules were often found on hacked sites, part of so-called cryptojacking (drive-by mining) attacks. The second category referred to WebAssembly code packed inside obfuscated Wasm modules that intentionally hid their content. These modules, the research team said, were found as part of malvertising campaigns.
Tomi Engdahl says:
The Iran Cyber Warfare Threat: Everything You Need To Know
http://on.forbes.com/61891wbEZ
When news emerged that Iranian general Qassem Soleimani had been killed in a U.S. airstrike on January 3, speculation about an imminent cyberattack was rife. It quickly led to warnings that Iran would retaliate by hitting the U.S. and its allies with a combination of physical and cyber warfare.
Tomi Engdahl says:
Alert (AA20-006A)
Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad
https://www.us-cert.gov/ncas/alerts/aa20-006a
The Cybersecurity and Infrastructure Security Agency (CISA) is sharing the following information with the cybersecurity community as a primer for assisting in the protection of our Nation’s critical infrastructure in light of the current tensions between the Islamic Republic of Iran and the United States and Iran’s historic use of cyber offensive activities to retaliate against perceived harm. Foremost, CISA recommends organizations take the following actions:
Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see Contact Information section below).
Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.
Iranian Cyber Activity
Late 2011 to Mid-2013 – DDoS Targeting U.S. Financial Sector: In response to this activity, in March 2016, the U.S. Department of Justice indicted seven Iranian actors employed by companies performing work on behalf of the IRGC for conducting DDoS attacks primarily targeting the public-facing websites of U.S. banks. The attacks prevented customers from accessing their accounts and cost the banks millions of dollars in remediation. [1]
August/September 2013 – Unauthorized Access to Dam in New York State: In response, in March 2016, the U.S. Department of Justice indicted one Iranian actor employed by a company performing work on behalf of the IRGC for illegally accessing the supervisory control and data acquisition (SCADA) systems of the Bowman Dam in Rye, New York. The access allowed the actor to obtain information regarding the status and operation of the dam. [2]
February 2014 – Sands Las Vegas Corporation Hacked: Cyber threat actors hacked into the Sands Las Vegas Corporation in Las Vegas, Nevada, and stole customer data, including credit card data, Social Security Numbers, and driver’s license numbers. According to a Bloomberg article from December 2014, the attack also involved a destructive portion, in which the Sands Las Vegas Corporation’s computer systems were wiped. In September 2015, the U.S. Director of National Intelligence identified the Iranian government as the perpetrator of the attack in a Statement for the Record to the House Permanent Select Committee on Intelligence. [3]
2013 to 2017 – Cyber Theft Campaign on Behalf of IRGC: In response, in March 2018, the U.S. Justice Department indicted nine Iranian actors associated with the Mabna Institute for conducting a massive cyber theft campaign containing dozens of individual incidents, including “many on behalf of the IRGC.” The thefts targeted academic and intellectual property data as well as email account credentials. According to the indictment, the campaign targeted “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.” [4]
Tomi Engdahl says:
I think this is important for all hardware hackers…
https://www.ifixit.com/News/apple-is-bullying-a-security-company-with-a-dangerous-dmca-lawsuit
Tomi Engdahl says:
Las Vegas data breach comes amid Homeland Security warning on Iranian cyber threat
http://news3lv.com/news/local/las-vegas-data-breach-comes-amid-homeland-security-warning-on-iranian-cyber-threat
The city of Las Vegas experienced a cyber compromise at 4:30 a.m. PST Tuesday. The city’s Information Technologies Department is assessing the extent of the compromise.
The breach in Las Vegas comes amid tensions with Iran and a warning from Homeland Security of “potentially disruptive and destructive” Iranian cyber operations.
Local cybersecurity expert and Vice President of Cyber World Institute Garvin Bushell thinks Iran is to blame for the breach in Las Vegas.
Tomi Engdahl says:
We own ɡooɡle.com now and we don’t know what to do with it. (clickbait title but technically true)
https://www.reddit.com/r/sysadmin/comments/elblzv/we_own_%C9%A1oo%C9%A1lecom_now_and_we_dont_know_what_to_do/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
This is known as a homograph attack.
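The ɡooɡle.com domain in that thread uses U+0261 (LATIN SMALL LETTER SCRIPT G) in place of ASCII “g”. Below is an added example, not code from the Reddit post, of the check a mail gateway or domain-monitoring script can apply: convert to the punycode form that actually goes on the wire, and map known confusable characters back to ASCII to see which protected name the domain imitates. The confusables table is a hand-built subset and an assumption of this example.

```python
"""Flag homograph (lookalike) domains by mapping confusable code points to
the ASCII letters they imitate and comparing against a protected list.
Added example; the table below is a small hand-picked subset of Unicode's
confusables, not the full data set."""
import unicodedata
from typing import Dict, Optional, Set

# Assumption: partial confusables table, lookalike -> ASCII twin.
CONFUSABLES: Dict[str, str] = {
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G (the ɡooɡle.com case)
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA
    "\u0131": "i",  # ı LATIN SMALL LETTER DOTLESS I
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # ѕ CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # і CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # һ CYRILLIC SMALL LETTER SHHA
}


def skeleton(domain: str) -> str:
    """Lowercase, NFKC-normalise (folds fullwidth forms etc.), then swap
    known confusables for the ASCII character they resemble."""
    text = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def punycode(domain: str) -> str:
    """The ASCII (xn--) form the resolver actually sees."""
    return domain.encode("idna").decode("ascii")


def check_domain(domain: str, protected: Set[str]) -> Dict[str, object]:
    """Report what a reviewer wants to know about a candidate domain:
    its wire form, whether it is non-ASCII, and which protected name
    (if any) it collapses to once confusables are normalised."""
    skel = skeleton(domain)
    impersonates: Optional[str] = skel if skel != domain and skel in protected else None
    return {
        "domain": domain,
        "ascii_form": punycode(domain),
        "non_ascii": any(ord(c) > 127 for c in domain),
        "has_confusables": skel != unicodedata.normalize("NFKC", domain.lower()),
        "impersonates": impersonates,
        "suspicious": impersonates is not None,
    }


if __name__ == "__main__":
    watchlist = {"google.com", "example.com"}
    for d in ("\u0261oo\u0261le.com", "google.com", "ex\u0430mple.com"):
        print(check_domain(d, watchlist))
```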
Tomi Engdahl says:
Mozilla Patches Firefox Zero-Day Exploited in Targeted Attacks
https://www.securityweek.com/mozilla-patches-firefox-zero-day-exploited-targeted-attacks
Tomi Engdahl says:
Interpol Announces Successful Operation Against Cryptojacking in Southeast Asia
https://www.securityweek.com/interpol-announces-successful-operation-against-cryptojacking-southeast-asia
Tomi Engdahl says:
Firefox 72 Blocks Fingerprinting Scripts by Default
https://www.securityweek.com/firefox-72-blocks-fingerprinting-scripts-default
Mozilla this week released Firefox 72 to the stable channel with advanced privacy protections that involve the blocking of fingerprinting scripts by default.
Long focused on protecting users’ privacy when browsing the Internet, Mozilla launched Enhanced Tracking Protection (ETP) last year, which keeps users safe from cross-site tracking.
Last week, it also announced that it would let users delete telemetry data, a reaction to the California Consumer Privacy Act (CCPA).
Tomi Engdahl says:
36C3 – Technical aspects of the surveillance in and around the Ecuadorian embassy in London
https://www.youtube.com/watch?v=s_0GVg7V3ng
Tomi Engdahl says:
SPYWARE DISCOVERED ON ALL SAMSUNG PHONES
https://hackaday.com/2020/01/09/spyware-discovered-on-all-samsung-phones/
The latest discovery related to pre-loaded software on Samsung phones seems to be of a pretty major security vulnerability.
This software in question is a “storage cleaner” in the “Device Care” section of the phone, which is supposed to handle file optimization and deletion. This particular application is made by a Chinese company called Qihoo 360 and can’t be removed from the phone without using ADB or having root. The company is known for exceptionally bad practices concerning virus scanning, and the software has been accused of sending all information about files on the phone to servers in China, which could then turn all of the data it has over to the Chinese government. This was all discovered through the use of packet capture and OSINT.
https://www.reddit.com/r/Android/comments/ektg8u/chinese_spyware_preinstalled_on_all_samsung/
Tomi Engdahl says:
U.S. Funds Free Android Phones For The Poor — But With Permanent Chinese Malware
https://www.forbes.com/sites/thomasbrewster/2020/01/09/us-funds-free-android-phones-for-the-poor—but-with-permanent-chinese-malware/
It all sounds ideal for those who don’t have the money to splash on fancy Apple or Google phones. But according to security researchers, there’s a catch: the Android phones come with preinstalled Chinese malware, which effectively opens up a backdoor onto the device and endangers their private data. One of the malware types is impossible to remove, according to the researchers.
The affected device is a UMX phone shipped by Assurance Wireless and one of the preinstalled malware, according to MalwareBytes senior analyst Nathan Collier, is the creation of a Chinese entity known as Adups. Though the tool looks and operates as a Wireless Update program, it’s capable of auto-installing apps without any user consent, which it starts doing immediately, according to a MalwareBytes analysis of a device, shared with Forbes ahead of publication. Adups hadn’t responded to a request for comment at the time of publication.
Tomi Engdahl says:
Iranian Hackers Have Been ‘Password-Spraying’ the US Grid
A state-sponsored group called Magnallium has been probing American electric utilities for the past year.
https://www.wired.com/story/iran-apt33-us-electric-grid/
Tomi Engdahl says:
If anyone is running firefox, you need to update it immediately. There is a nasty zero day exploit in it which just got patched, and it’s being exploited in the wild like crazy right now. Avoid firefox v71.0. Update to v72.0.1 because v72.0 is still vulnerable.
https://arstechnica.com/information-technology/2020/01/firefox-gets-patch-for-critical-zeroday-thats-being-actively-exploited/
Tomi Engdahl says:
Mozilla says a new Firefox security bug is under active attack
https://techcrunch.com/2020/01/10/firefox-security-bug-zero-day/?tpcc=ECFB2019
Tomi Engdahl says:
Catalin Cimpanu / ZDNet:
Researchers: cable modems with Broadcom chips, including an estimated 200M in Europe alone, are vulnerable to the remote exploit codenamed Cable Haunt — Cable modems using Broadcom chips are vulnerable to a new vulnerability named Cable Haunt, researchers say.
Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability
https://www.zdnet.com/article/hundreds-of-millions-of-cable-modems-are-vulnerable-to-new-cable-haunt-vulnerability/
Cable modems using Broadcom chips are vulnerable to a new vulnerability named Cable Haunt, researchers say.
Cable Haunt impacts Broadcom spectrum analyzers
The vulnerability impacts a standard component of Broadcom chips called a spectrum analyzer. This is a hardware and software component that protects the cable modem from signal surges and disturbances coming via the coax cable. The component is often used by internet service providers (ISPs) in debugging connection quality.
On most cable modems, access to this component is limited for connections from the internal network.
Researchers say that by tricking users into accessing a malicious page via their browser, they can use the browser to relay an exploit to the vulnerable component and execute commands on the device.
Using Cable Haunt, an attacker could:
Change default DNS server
Conduct remote man-in-the-middle attacks
Hot-swap code or even the entire firmware
Upload, flash, and upgrade firmware silently
Disable ISP firmware upgrade
Change every config file and settings
Get and Set SNMP OID values
Change all associated MAC Addresses
Change serial numbers
Be exploited in botnet
While the research team estimated that the number of vulnerable devices is around 200 million across Europe, they believe the total number of exploitable devices to be impossible to quantify.
“The reason for this, is that the vulnerability originated in reference software, which have seemingly been copied by different cable modems manufacturers, when creating their cable modem firmware,” researchers said. “This means that we have not been able to track the exact spread of the vulnerability, and that it might present itself in slightly different ways for different manufacturers.”
Proof-of-concept code available
The four-man research team published a white paper and a dedicated website this week with information about Cable Haunt.
https://cablehaunt.com/
Tomi Engdahl says:
Judge orders Google to turn over Jussie Smollett emails, private messages, location data
https://m.washingtontimes.com/news/2020/jan/8/google-ordered-turn-over-jussie-smollett-emails-pr/?fbclid=IwAR0Cy7hmIPr1Z18IX88IburpJpmLti35SddKJiIjh0j0TaSsl60wAHLcIYg
It remains unclear if Google has turned over the information. In approving the warrants, Toomin ordered Google not to disclose the order.
Tomi Engdahl says:
Windows 7 will keep working come January 15. However, now that Microsoft won’t be releasing any more security updates for the operating system, it’s true that Windows 7 will be more vulnerable to attack. No question there.
https://lifehacker.com/am-i-screwed-if-i-dont-upgrade-windows-7-by-january-15-1840903120
Tomi Engdahl says:
Iranian Hackers Have Been ‘Password-Spraying’ the US Grid
A state-sponsored group called Magnallium has been probing American electric utilities for the past year.
https://www.wired.com/story/iran-apt33-us-electric-grid/
In the wake of the US assassination of Iranian general Qasem Soleimani and the retaliatory missile strike that followed, Iran-watchers have warned that the country could deploy cyberattacks as well, perhaps even targeting US critical infrastructure like the electric grid. A new report lends some fresh details to the nature of that threat: By all appearances, Iranian hackers don’t currently have the capability to start causing blackouts in the US. But they’ve been working to gain access to American electric utilities, long before tensions between the two countries came to a head.
On Thursday morning, industrial control system security firm Dragos detailed newly revealed hacking activity that it has tracked and attributed to a group of state-sponsored hackers it calls Magnallium. The same group is also known as APT33, Refined Kitten, or Elfin, and has previously been linked to Iran.
North American Electric Cyber Threat Perspective
https://dragos.com/resource/north-american-electric-cyber-threat-perspective/
Tomi Engdahl says:
VOTE WATCH
‘Online and vulnerable’: Experts find nearly three dozen U.S. voting systems connected to internet
https://www.nbcnews.com/politics/elections/online-vulnerable-experts-find-nearly-three-dozen-u-s-voting-n1112436
A team of election security experts used a “Google for servers” to challenge claims that voting machines do not connect to the internet and found some did.
It was an assurance designed to bolster public confidence in the way America votes: Voting machines “are not connected to the internet.”
Then Acting Undersecretary for Cybersecurity and Communications at the Department of Homeland Security Jeanette Manfra said those words in 2017, testifying before Congress while she was responsible for the security of the nation’s voting system.
But that is an overstatement, according to a team of 10 independent cybersecurity experts who specialize in voting systems and elections. While the voting machines themselves are not designed to be online, the larger voting systems in many states end up there, putting the voting process at risk.
“We found over 35 [voting systems] had been left online and we’re still continuing to find more,”
“We kept hearing from election officials that voting machines were never on the internet,” he said. “And we knew that wasn’t true. And so we set out to try and find the voting machines to see if we could find them on the internet, and especially the back-end systems that voting machines in the precinct were connecting to to report their results.”
The three largest voting manufacturing companies — Election Systems & Software, Dominion Voting Systems and Hart InterCivic — have acknowledged they all put modems in some of their tabulators and scanners. The reason? So that unofficial election results can more quickly be relayed to the public. Those modems connect to cell phone networks, which, in turn, are connected to the internet.
The largest manufacturer of voting machines, ES&S, told NBC News their systems are protected by firewalls and are not on the “public internet.”
“AT&T and Verizon and so on try and protect as best they can the security of their phone network from the rest of the internet, but it’s still part of the internet,” Appel explained. “There can still be security holes that allow hackers to get into the phone network.”
The 35 systems Skoglund’s team found represent a fraction of total voting systems nationwide.
For election systems to be online, even momentarily, presents a serious problem, according to Appel.
“Once a hacker starts talking to the voting machine through the modem, the hacker cannot just change these unofficial election results, they can hack the software in the voting machine and make it cheat in future elections,” he said.
All the systems Skoglund’s group found online were manufactured by ES&S. The online systems were found in 11 states.
While the company’s website states that “zero” of its voting tabulators are connected to the internet, ES&S told NBC News 14,000 of their DS200 tabulators with online modems are currently in use around the country.
With the 2020 presidential election only ten months away, Appel and Skoglund believe all modems can and should be removed from election systems.
“Modems in voting machines are a bad idea,”
Tomi Engdahl says:
https://pentestmag.com/metasploit-cheat-sheet/
Tomi Engdahl says:
https://www.is.fi/digitoday/tietoturva/art-2000006368883.html
Tomi Engdahl says:
CVE-2019-19781 (ADC/Netscaler Gateway RCE) mitigation guide is technically a virtual patch that you have to apply yourself. Is it the new way for other vendors instead of updating firmware?
Mitigation Steps for CVE-2019-19781
https://support.citrix.com/article/CTX267679
Solution
The following configuration changes serve as a mitigation to the aforementioned vulnerability.
Tomi Engdahl says:
DuckDuckGo will soon be offered as an option for default search engine on Android devices across the EU. European regulators are forcing Google to present Android users with the option to choose their own default search engine.
https://www.searchenginejournal.com/duckduckgo-is-now-a-default-search-engine-option-on-android-in-the-eu/343073/
Tomi Engdahl says:
Tesla hacking competition offers $1 million and free car if someone can hijack Model 3
https://www.livemint.com/auto-news/tesla-hacking-competition-offers-1-million-and-free-car-if-someone-can-hijack-model-3/amp-11578889743038.html?fbclid=IwAR2qSsqc2f-eS9qun0I6CK3O3EI_pA4uuH-ZkRQh9xMYSC8ygIsm5PyrEro
The Elon Musk-run company is returning to the annual hackers’ competition “Pwn2Own” to be held in Vancouver in March, reports electrek.
Some Model 3 cars and $1 million in award money will be up for grabs.
Tomi Engdahl says:
Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers https://ioac.tv/36X5xPm
https://www.vice.com/en_us/article/5dmbjx/how-hackers-are-breaking-into-att-tmobile-sprint-to-sim-swap-yeh
SIM swappers have escalated from bribing employees to using remote desktop software to get direct access to internal T-Mobile, AT&T, and Sprint tools.