Cyber security news July 2020

This posting is here to collect cyber security news in July 2020.

I post links to security vulnerability news with short descriptions to the comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.


208 Comments

  1. Tomi Engdahl says:

    Criminal charges reveal the identity of the “invisible god” hacker
    Newly-unsealed court documents name a Kazakh man as the mastermind behind a hacking campaign that hit 44 countries. They also detail his short-lived successes.
    https://www.technologyreview.com/2020/07/07/1004870/criminal-charges-reveal-the-identity-of-the-invisible-god-hacker/

  2. Tomi Engdahl says:

    Microsoft Files Lawsuit to Seize Fake Domains Used in COVID-19-Themed BEC Attacks
    https://www.securityweek.com/microsoft-files-lawsuit-seize-fake-domains-used-covid-19-themed-bec-attacks

    Microsoft has filed a lawsuit in an effort to seize control of several domains used to launch COVID-19-themed cyberattacks against the company’s customers in 62 countries.

    The tech company started tracking the malicious activity in December 2019, after identifying it as a phishing scheme attempting to compromise Microsoft customer accounts and access emails, contacts, sensitive files, and other information.

    After the scheme was blocked and the malicious app used in the attack disabled, the cybercriminals changed their tactics and switched to COVID-19-related lures in recent phishing attacks.

    The activity, Microsoft corporate vice president Tom Burt explains, is another form of business email compromise (BEC), a type of fraud that caused losses of more than $1.7 billion in 2019, according to a 2020 report from the FBI’s Internet Crime Complaint Center (IC3).

  3. Tomi Engdahl says:

    Cerberus Banking Trojan Delivered via App Hosted on Google Play
    https://www.securityweek.com/cerberus-banking-trojan-delivered-app-hosted-google-play

    A Malware-as-a-Service (MaaS), Cerberus is known for its mobile remote access Trojan (mRAT) capabilities, as well as functionality through which it logs keystrokes and steals credentials, information from Google Authenticator, and SMS messages.

    As part of the newly identified attack, the malware was disguised as a currency converter for Android users in Spain and managed to remain undetected by hiding the malicious activity for weeks after being submitted to Google Play.

    Thus, it managed to rack up over 10,000 downloads before beginning the malicious routine of harvesting users’ banking data. Called Calculadora de Moneda, the application has already been reported to Google for removal, Avast’s security researchers reveal.

    At a later stage, the application received updates that included dropper code, but the command and control (C&C) server only started issuing commands after a while longer, so as to avoid any suspicion from its users.

  4. Tomi Engdahl says:

    Free Microsoft Service Looks at OS Memory Snapshots to Find Malware
    https://www.securityweek.com/free-microsoft-service-looks-os-memory-snapshots-find-malware

    Microsoft on Monday unveiled Project Freta, a free service that allows users to find rootkits and other sophisticated malware in operating system memory snapshots.

    The Project Freta cloud-based service currently only supports Linux systems, but Microsoft plans on adding support for Windows as well.

    Project Freta aims to provide an agentless way for organizations to conduct automated forensic analysis on thousands of virtual machines in search of malware — ranging from cryptocurrency miners to rootkits — by looking at a captured image of volatile memory.

    The service leverages sensors that are designed to detect malware, but without tipping off the malicious software.

    The service looks at processes, global values and addresses, in-memory files, debugged processes, kernel components, networks, ARP tables, open files, open sockets, and Unix sockets.

    Project Freta is currently available as a portal where users can upload their operating system images for analysis. The results can be accessed directly on the portal or through REST and Python APIs.

    https://docs.microsoft.com/en-us/security/research/project-freta/
    https://freta.azurewebsites.net/

  5. Tomi Engdahl says:

    F5 BigIP vulnerability exploitation followed by a backdoor implant attempt
    https://isc.sans.edu/diary/rss/26322
    While monitoring SANS Storm Center’s honeypots today, I came across the second F5 BIGIP CVE-2020-5902 vulnerability exploitation followed by a backdoor deployment attempt. The first one was seen by Johannes yesterday.
    https://www.bleepingcomputer.com/news/security/mitigating-critical-f5-big-ip-rce-flaw-not-enough-bypass-found/

  6. Tomi Engdahl says:

    Microsoft’s Project Freta: This new free service spots rootkits lurking in cloud VMs
    https://www.zdnet.com/article/microsofts-project-freta-this-new-free-service-spots-rootkits-lurking-in-cloud-vms/
    “Project Freta intends to automate and democratize VM forensics to a point where every user and every enterprise can sweep volatile memory for unknown malware with the push of a button, no setup required,” says Mike Walker, a senior director at Microsoft Research’s New, or NExT, Security Ventures team. API code for the service is at https://github.com/Microsoft/project-freta. Also https://www.theregister.com/2020/07/07/project_freta/

  7. Tomi Engdahl says:

    New research reveals privacy risks of home security cameras
    https://techxplore.com/news/2020-07-reveals-privacy-home-cameras.html
    For the study, researchers from the Chinese Academy of Science and Queen Mary University of London tested if an attacker could infer privacy-compromising information about a camera’s owner from simply tracking the uploaded data passively without inspecting any of the video content itself. The findings, published at the IEEE International Conference on Computer Communications (6-9 July 2020), showed that the traffic generated by the cameras could be monitored by attackers and used to predict when a house is occupied or not.

  8. Tomi Engdahl says:

    Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers
    https://www.theregister.com/2020/07/07/microsoft_azure_takeovers/
    More than 240 website subdomains belonging to organizations large and small, including household names, were hijacked to redirect netizens to malware, X-rated material, online gambling, and other unexpected content. These big names are said to include Chevron, the Red Cross, UNESCO, 3M, Getty Images, Hawaiian Airlines, Arm, Warner Brothers, Honeywell, Autodesk, Toshiba, Xerox, the NHS, Siemens, Volvo, Clear Channel, Total, and more.

  9. Tomi Engdahl says:

    Pig in a poke: smartphone adware
    https://securelist.com/pig-in-a-poke-smartphone-adware/
    Our support team continues to receive more and more requests from users complaining about intrusive ads on their smartphones from unknown sources. In some cases, the solution is quite simple. In others, the task is far harder: the adware plants itself in the system partition, and trying to get rid of it can lead to device failure. In addition, ads can be embedded in undeletable system apps and libraries at the code level. According to our data, 14.8% of all users attacked by malware or adware in the past year suffered an infection of the system partition.

  10. Tomi Engdahl says:

    Hey Alexa. Is This My Voice Or a Recording?
    https://www.bankinfosecurity.com/hey-alexa-this-my-voice-or-recording-a-14562
    A group of researchers with Samsung Research and Data61, a unit within Australia’s Commonwealth Scientific and Industrial Research Organization, or CSIRO, have developed a system called Void – short for Voice liveness Detection – to prevent voice-spoofing attacks. A research paper describing Void will be presented at the USENIX Security Symposium in Boston in August. Void looks at 97 spectrogram features, or how recorded voices look when the frequencies are visually mapped. There are significant differences that emerge when comparing live voices to recorded ones. Played-back voices have distortions that occur when played through loudspeakers, the researchers write.

  11. Tomi Engdahl says:

    Hackers Are Spreading Trump Propaganda Through Roblox
    https://www.forbes.com/sites/davidthier/2020/07/05/hackers-are-spreading-trump-propaganda-through-roblox/#4c6b689b6aa7
    Roblox, a popular game among children and early teens that announced 100 million active players last year, has become a small-scale battleground in the upcoming presidential elections. The BBC is reporting that hackers are taking over accounts to spread pro-Trump propaganda, dressing them up in red hats like Trump supporters and putting pro-Trump messages in profiles.

  12. Tomi Engdahl says:

    Pompeo says U.S. looking at banning Chinese social media apps, including TikTok
    https://www.reuters.com/article/us-usa-tiktok-china-pompeo-idUSKBN2480DF
    Secretary of State Mike Pompeo said late on Monday that the United States is certainly looking at banning Chinese social media apps, including TikTok.

  13. Tomi Engdahl says:

    X-FAB Affected by Cyber Attack
    https://www.businesswire.com/news/home/20200705005045/en/X-FAB-Affected-Cyber-Attack
    On July 5, 2020, X-FAB Group was the target of a cyber security attack. Following the advice of leading security experts engaged by X-FAB, all IT systems have been immediately halted. As an additional preventive measure, production at all six manufacturing sites has been stopped.

  14. Tomi Engdahl says:

    New Bill Looks to One-Up Previous Anti-Encryption Law by Requiring Backdoors in Nearly Every Electronic Device
    https://www.cpomagazine.com/data-protection/new-bill-looks-to-one-up-previous-anti-encryption-law-by-requiring-backdoors-in-nearly-every-electronic-device/
    The proposed EARN IT Act set off a firestorm of controversy in privacy circles when it was introduced in early March. A new proposal makes its terms look tame and reasonable by comparison. Dubbed the “Lawful Access to Encrypted Data Act of 2020”, the new anti-encryption law would require that a backdoor be placed in nearly every electronic device that has at least 1 GB of memory and all encrypted services.

    The bill is essentially the Armageddon scenario of a complete government ban on encryption that some privacy advocates have been fearing (and sounding alarms about) for years. However, the terms of the bill are so outlandish and impractical that it would appear to stand little real chance of going anywhere.

    From “EARN IT” to “backdoors everywhere”
    The EARN IT anti-encryption law couched its calls for law enforcement backdoors in terms of the battle against child sex trafficking, and was not nearly as expansive as the new proposal. It was nevertheless widely criticized and rejected by privacy advocates due to its requirement that online platforms either grant law enforcement an encryption backdoor or lose legal protections under Section 230 of the Communications Decency Act.

    The assumption that privacy advocates make is that any “law enforcement approved” encryption would have backdoors in it.

    The new proposed anti-encryption law dispenses with any layers of plausible deniability. It simply calls for a law enforcement backdoor to be mandatory in any and all forms of encryption, in both hardware and software. Any sort of device that has at least 1 GB of storage capacity, even a simple handheld camera or MP3 player, would be required to have a means of government access built in. At the software end, everything from web browsers to cloud services would have to offer similar access.

    Unlike the EARN IT Act, this bill is not bipartisan.

    The bill is thus technically not looking to end all encryption entirely, but it is clearly trying to make it impossible for major hardware and software publishers like Apple, Facebook and Microsoft. Given that Google’s Android and iOS devices dominate the phone landscape, it would effectively be impossible for an end user to get a phone that could avoid having a backdoor in it somewhere.

    The terms of the bill would also make it much easier for courts to issue a court order allowing law enforcement to access the backdoor for the purpose of retrieving stored data. Any judge would be forced to issue the warrant so long as the law enforcement agency can demonstrate “reasonable grounds to believe” that accessing the backdoor would aid in execution of an existing search warrant.

    The anti-encryption law would appear to apply to both domestic criminal cases and those of foreign national security.

    Impossible demands
    The proposed anti-encryption law is likely to stall out not just due to the serious privacy concerns, but also because it would put an undue burden on the electronics and software publishing industries. All sorts of hardware would have to be physically redesigned to enable such a backdoor, and apps would have to be re-engineered. Any new app or piece of software being developed would have to consider the possibility of creating a backdoor if it is anticipated that it will have over a million users.

    The anti-encryption law does not make any allowance for the fact that any backdoor could potentially be exploited by parties other than the government. If it is technically possible to create one, developers and manufacturers would be required to under the new anti-encryption law.

    But as privacy advocates have been pointing out (long since before this new bill was introduced), it is not feasible to create an encrypted messaging backdoor that is solely for law enforcement access. Once a threat actor sniffs it out and figures out how to exploit it, the device or the software is effectively ruined.

  15. Tomi Engdahl says:

    Florida man’s unemployment disappears after hacker redirects funds
    https://www.nbc-2.com/story/42330032/florida-mans-unemployment-disappears-after-hacker-redirects-funds?fbclid=IwAR3Y1rbUtHaCpxUtTp0Y_SQZLt7ZXM4hZw9X4ckvAcEr9KKA1_dwX6Ceacg

    “They stole over $3090 which is a lot of money for someone who isn’t working right now,” Nobrega said.

    The state’s website reports more than 30,000 cases of fraud have been detected so far.

    “With COVID going on and the issues with unemployment that’s a green and red flashing light for attackers, for people who want to hack,” said Greg Scasny of Cigent Cyber Security.

    In May it was revealed that the state’s DEO website had been hacked.

    The state claimed only 98 people were impacted and all were notified.

  16. Tomi Engdahl says:

    China’s Great Firewall descends on Hong Kong internet users
    https://www.msn.com/en-au/news/world/chinas-great-firewall-descends-on-hong-kong-internet-users/ar-BB16uAzC

    At midnight on Tuesday, the Great Firewall of China, the vast apparatus that limits the country’s internet, appeared to descend on Hong Kong.

    Unveiling expanded police powers as part of a contentious new national security law, the Hong Kong government enabled police to censor online speech and force internet service providers to hand over user information and shut down platforms.

  17. Tomi Engdahl says:

    Drone Path Often Reveals Operator’s Location
    https://www.darkreading.com/threat-intelligence/drone-path-often-reveals-operators-location/d/d-id/1338292
    The way that a drone moves and its path through the sky can reveal the location of the operator, a critical step in preventing drone attacks on critical infrastructure and other malicious activities, researchers at Ben-Gurion University (BGU) of the Negev said in a paper published on July 7. Original at https://in.bgu.ac.il/en/pages/news/drone_pinpoint.aspx, paper at https://orenlab.sise.bgu.ac.il/p/DroneLocation.pdf

  18. Tomi Engdahl says:

    Cops Seize Server that Hosted BlueLeaks, DDoSecrets Says
    https://www.vice.com/en_us/article/qj43xq/cops-seize-blueleaks-ddosecrets-server
    Authorities in Germany have seized a server used by the organization that published a trove of US police internal documents commonly known as BlueLeaks, according to the organization’s founder. DDoSecrets has recently taken WikiLeaks’ mantle as the most influential leaking organization on the internet, publishing several dumps such as data stolen from the Chilean military, and Neo-Nazi messages exchanged on the chat platform Discord. At the end of June, the organization published what it called BlueLeaks, a collection of almost 270 gigabytes of data likely hacked and stolen from police fusion centers in the US. The data included internal law enforcement communications, as well as some personal information belonging to agents.

  19. Tomi Engdahl says:

    New German law would force ISPs to allow secret service to install trojans on user devices
    https://www.privateinternetaccess.com/blog/new-german-law-would-force-isps-to-allow-secret-service-to-install-trojans-on-user-devices/

    A new law being proposed in Germany would see all 19 federal state intelligence agencies in Germany granted the power to spy on German citizens through the use of trojans. The new law would force internet service providers (ISPs) to install government hardware at their data centers which would reroute data to law enforcement, and then on to its intended destination so the target is blissfully unaware that their communications and even software updates are being proxied.

    Germany wants to be the man in the middle
    The state sponsored trojans would likely be utilizing software called FinFly ISP from a company called FinFisher which has already been used by German law enforcement in the past. FinFisher claims to be able to inject trojans on target devices from the ISP level with ease.

    “FinFly ISP is able to patch files that are downloaded from the destination on-the-fly or to send fake software updates for popular software.”

    https://netzpolitik.org/2018/geheime-dokumente-das-bundeskriminalamt-kann-jetzt-drei-staatstrojaner-einsetzen/

  20. Tomi Engdahl says:

    China’s Great Firewall descends on Hong Kong internet users
    https://www.theguardian.com/world/2020/jul/08/china-great-firewall-descends-hong-kong-internet-users
    Many residents, already anxious since the law took effect last week, rushed to erase their digital footprint of any signs of dissent or support for the last year of protests. Charles Mok, a pro-democracy lawmaker who represents the technology sector, tweeted: “We are already behind the de facto firewall.”

  21. Tomi Engdahl says:

    Report says US State and local government agencies struggle to keep up Cyber Attacks
    https://www.cybersecurity-insiders.com/report-says-us-state-and-local-government-agencies-struggle-to-keep-up-cyber-attacks/
    A recent report called The Economic Impact of Cyber Attacks on Municipalities published by KnowBe4 states that the US state and local government agencies are struggling to keep up with the cyber attacks. Report at https://www.knowbe4.com/hubfs/Cyber-Attacks-on-Municipalities-White-Paper.pdf

  22. Tomi Engdahl says:

    Remote Code Execution Vulnerability in Zoom Client for Windows (0day)
    https://blog.0patch.com/2020/07/remote-code-execution-vulnerability-in.html
    We analyzed the issue and determined it to be only exploitable on Windows 7 and older Windows systems. While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there.

  23. Tomi Engdahl says:

    Vulnerabilities in Popular Open Source Management Tool Expose Hospitals to Attacks
    https://www.securityweek.com/vulnerabilities-popular-open-source-management-tool-expose-hospitals-attacks

    A dozen vulnerabilities have been found in OpenClinic GA, a popular open source hospital management system, including flaws that can be exploited to access sensitive information or install malware on the hosting server.

    OpenClinic GA is described as an “integrated hospital information management system covering management of administrative, financial, clinical, lab, x-ray, pharmacy, meals distribution and other data.” The product is used worldwide and it has been downloaded nearly 120,000 times from SourceForge.

    Brian Hysell, a senior consultant at the Synopsys Software Integrity Group, discovered that the software is affected by a dozen vulnerabilities, most of which have been classified as critical or high severity based on their CVSS score. The flaws can be exploited to bypass access controls and account protections, obtain sensitive information, upload and execute arbitrary files, and execute arbitrary code or commands.

    The researcher told SecurityWeek that he reported his findings to the vendor, via ICS-CERT, in August 2018. He says he has not communicated directly with the developer, who told ICS-CERT in March 2019 that most of the vulnerabilities had been patched in the latest release. However, communications with the developer were apparently poor and it’s unclear exactly which of the flaws have been patched.

    The researcher says it might be possible to exploit some of the vulnerabilities directly from the internet if an organization has configured the application to be remotely accessible.

    “I am aware of a couple of internet-exposed instances, but OpenClinic GA’s default configuration doesn’t lend itself to ‘passively’ identifying instances in databases like Shodan. An attacker could actively seek them out with an application-layer network scanner like ZGrab, but I haven’t done so,” he explained.

  24. Tomi Engdahl says:

    Honeywell Sees Rise in USB-Borne Malware That Can Cause Major ICS Disruption
    https://www.securityweek.com/honeywell-sees-rise-usb-borne-malware-can-cause-major-ics-disruption

    Honeywell says it has seen a significant increase over the past year in USB-borne malware that can cause disruption to industrial control systems (ICS).

    Honeywell Industrial Cybersecurity this week published its 2020 USB Threat Report. The report is based on data collected over a period of 12 months by the company’s Secure Media Exchange (SMX) USB security platform from oil and gas, energy, chemical, food, shipping, building, aerospace, pulp and paper, and manufacturing companies across 60 countries in the Americas, Europe and Asia.

    An analysis of the data showed that SMX blocked at least one threat at 45% of industrial sites using the product, up from 44% in the previous report, which the company published in 2018.

    While only 11% of the malware found on USB drives was specifically designed to target industrial systems — this represents a slight drop compared to the 14% identified in 2018 — 59% of the detected threats could cause significant disruption to industrial systems, compared to only 26% in 2018. On the other hand, that 11% becomes 28% if ransomware, which has increasingly targeted operational technology (OT) systems, is also taken into consideration.

  25. Tomi Engdahl says:

    Microsoft Adds New Data Corruption Preventions to Windows
    https://www.securityweek.com/microsoft-adds-new-data-corruption-preventions-windows
    Microsoft this week announced Kernel Data Protection (KDP), new technology that aims to protect the Windows kernel and drivers from data corruption attacks.
    Such attacks can result in modifications to system security policies, privilege escalation, and security attestation tampering, among others, and Microsoft’s KDP aims to prevent them through virtualization-based security (VBS).
    KDP builds upon the technology included by default in Secured-core PCs and adds another layer of protection for configuration data.
    In Windows 10, KDP is implemented in two parts, namely static KDP, where software running in kernel mode can protect a section of its own image, and dynamic KDP, where kernel-mode software can “allocate and release read-only memory from a ‘secure pool’,” Microsoft says.

    https://www.microsoft.com/security/blog/2020/07/08/introducing-kernel-data-protection-a-new-platform-security-technology-for-preventing-data-corruption/

  26. Tomi Engdahl says:

    Op-ed | U.S. satellites increasingly vulnerable to China’s ground-based lasers
    https://spacenews.com/op-ed-u-s-satellites-increasingly-vulnerable-to-chinas-ground-based-lasers/

    Of the world’s 50 satellite laser ranging stations, five fixed stations are in Shanghai, Changchun, Beijing, Wuhan and Kunming.
    The Defense Intelligence Agency warned in January 2019 that China likely will field in 2020 a ground-based laser weapon that can counter low-orbit space-based sensors. By the mid-to-late 2020s it may field higher power systems that could damage the structures of non-optical satellites.

    How real is the threat? Analysts have already identified five Chinese laser bases. One in Xinjiang has four main buildings. One of these buildings is thought to be for tracking satellites, while equipment in the other three could be used to dazzle or disable satellite sensors.

    The ranging system at the Shanghai station uses a laser with a relatively low average power of 2.8 watts. The wattage at other stations is most likely the same or lower. Another laser of 60 watts at the Shanghai station has been used routinely to measure space debris. Calculations show that a 1-watt laser has a 1 in 1,000 chance to cause permanent damage to a sensor, while a 40-watt laser would double the chance. These odds are low but likely to increase.

    In the near term China’s top priority is to deny America and its allies imagery with high resolution of 10 centimeters or better. Fortunately, to damage a satellite’s optical elements such as pixels and filters, an offensive anti-satellite laser would have to be located within roughly 10 kilometers of what one wants to take a picture of.

  27. Tomi Engdahl says:

    Cognitive Electronic Warfare Could Revolutionize How America Wages War With Radio Waves
    https://www.thedrive.com/the-war-zone/34606/cognitive-electronic-warfare-could-revolutionize-how-america-wages-war-with-radio-waves

    The holy grail of this concept is electronic warfare systems that can spot new or otherwise unexpected threats and immediately begin adapting to them.

  28. Tomi Engdahl says:

    Iran explosions: Did Israel and the US just start a cyber war?
    https://www.rt.com/op-ed/494383-iran-explosions-israel-us/

    Explosions rocked a pair of Iranian factories involved in the manufacture of centrifuges for its nuclear program, and the development of advanced ballistic missiles. Iran suspects a cyberattack by either the US, Israel or both.
    A series of explosions hit various locations throughout Iran in late June and early July, killing scores of people and causing extensive damage. Two of these locations stand out in particular because of their importance to Iran’s national security, and their involvement in technology related to nuclear enrichment programs and ballistic missile production, which have been singled out by both the US and Israel as representing a threat to regional and international peace and security.

  29. Tomi Engdahl says:

    Hacker Streams Porn Into Florida Court Hearing by Infiltrating Zoom
    An intruder marred the court proceedings.
    https://www.law.com/dailybusinessreview/2020/07/10/hacker-streams-porn-into-florida-court-hearing-by-infiltrating-zoom/?slreturn=20200610160859

    It began like any other court hearing over Zoom, but this lawsuit challenging Leon County’s COVID-19 mask order took an X-rated turn Friday morning. While Florida attorneys were presenting legal arguments, a hacker infiltrated with bursts of music and a strange sort of rap, then began streaming porn.

  30. Tomi Engdahl says:

    Slack vulnerability allowed attackers to smuggle malicious files onto victims’ devices
    https://portswigger.net/daily-swig/slack-vulnerability-allowed-attackers-to-smuggle-malicious-files-onto-victims-devices

    Now-patched code execution bug affected mobile and desktop versions of messaging app

    The issue, present in both the mobile and desktop versions of the app, allowed a malicious actor to disguise dangerous files as benign, due to a flaw in the create snippet feature which resulted in filetypes being displayed incorrectly.

    Slack’s snippet feature allows users to quickly and easily share pieces of code, configuration files, or log files within their workspace.

    “What that means is that I was able to inject benign looking files into Slack channels and DMs [direct messages] which were actually executables.

    “In essence, this issue enables a malicious user to disguise a dangerous executable as a safe, non-executable filetype.”

  31. Tomi Engdahl says:

    CBP says it’s ‘unrealistic’ for Americans to avoid its license plate surveillance
    https://techcrunch.com/2020/07/10/cbp-license-plate-surveillance/?tpcc=ECFB2020

    U.S. Customs and Border Protection has admitted that there is no practical way for Americans to avoid having their movements tracked by its license plate readers, according to its latest privacy assessment.

    CBP published its new assessment — three years after its first — to notify the public that it plans to tap into a commercial database, which aggregates license plate data from both private and public sources, as part of its border enforcement efforts.

    The U.S. has a massive network of license plate readers, typically found on the roadside, to collect and record the license plates of vehicles passing by.

    https://www.documentcloud.org/documents/6986843-CBP-privacy-assessment.html

  32. Tomi Engdahl says:

    US Secret Service Forms Cyber Fraud Task Force
    Newly Formed Task Force Combines Electronic and Financial Crimes Units
    https://www.govinfosecurity.com/us-secret-service-forms-cyber-fraud-task-force-a-14602

  33. Tomi Engdahl says:

    Backdoor accounts discovered in 29 FTTH devices from Chinese vendor C-Data
    https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/

    The backdoor accounts grant access to a secret Telnet admin account running on the devices’ external WAN interface.

  34. Tomi Engdahl says:

    Mitigating a 754 Million PPS DDoS Attack Automatically
    https://blog.cloudflare.com/mitigating-a-754-million-pps-ddos-attack-automatically/
    On June 21, Cloudflare automatically mitigated a highly volumetric DDoS attack that peaked at 754 million packets per second. During this DDoS campaign, the attack peaked at a mere 250 Gbps, so it does not seem that the attacker intended to saturate our Internet links, perhaps because they know that our global capacity exceeds 37 Tbps.

  35. Tomi Engdahl says:

    Smartwatch hack could trick patients to ‘take pills’ with spoofed alerts
    https://techcrunch.com/2020/07/09/smartwatch-hack-spoofed-alerts/
    One of the major flaws found was that the server was using a hard-coded key, which an attacker could have used to send any commands to remotely control any one of these devices.

    Reply
  36. Tomi Engdahl says:

    Signal’s New PIN Feature Worries Cybersecurity Experts
    https://www.vice.com/en_us/article/pkyzek/signal-new-pin-feature-worries-cybersecurity-experts
    The popular encrypted app is now going to store your contacts in the cloud. Experts are worried this compromises users’ privacy.

    Reply
  37. Tomi Engdahl says:

    Zoom Working on Patch for Code Execution Vulnerability in Windows Client
    https://www.securityweek.com/zoom-working-patch-code-execution-vulnerability-windows-client

    Zoom is working on resolving a remote code execution vulnerability affecting the Windows client, but a third-party fix has been made available for users who don’t want to wait for the official patch. [Update: patch available]

    Reply
  38. Tomi Engdahl says:

    Facebook Offering Big Rewards for Vulnerabilities in Hermes, Spark AR
    https://www.securityweek.com/facebook-offering-big-rewards-vulnerabilities-hermes-spark-ar

    Facebook announced on Friday that it’s offering significant rewards through its bug bounty program for vulnerabilities found in Hermes and Spark AR.

    Hermes is a JavaScript engine that Facebook released as open source one year ago. Hermes is used by the social media giant’s React Native apps for Android and other software, including Spark AR, an augmented reality platform that is used to create effects on Facebook, Instagram and even on Facebook’s Portal smart displays.

    Vulnerabilities found in native Facebook code have been covered by its bug bounty program, but the company says it wants to encourage security researchers to analyze Hermes and Spark AR, which is why it has significantly increased bug bounties.

    Reply
  39. Tomi Engdahl says:

    The alleged breach came after cybersecurity researcher Vinny Troia vowed to expose the real-life identities of prominent dark web hackers at an upcoming conference!

    Hacker steals databases from breach monitoring site; sells them online
    https://www.hackread.com/breach-monitoring-site-hacked-databases-stolen-sold/

    DataViper, a breach monitoring site, is owned by cybersecurity researcher Vinny Troia, who vows to expose the real-life identities of prominent dark web hackers at an upcoming conference.

    Many cybersecurity firms today host online data breach monitoring services which let users know if their data has been leaked somehow. They do so by collecting hacked databases from both the dark web and the surface web, comprising underground forums, Pastebin sites, and other possible avenues.

    Then, when a user makes a query to check if they have been compromised, the user’s email address or username is searched through these databases to identify if any leaked records exist. One such service is DataViper which is run by Vinny Troia from a cybersecurity company named Night Lion Security.

    In relation to this, today, a hacker ironically named Night Lion has leaked 8,225 databases from DataViper alleging that they maintained access to the company’s servers for 3 months while collecting the data.

    Hacker breaches security firm in act of revenge
    https://www.zdnet.com/article/hacker-breaches-security-firm-in-act-of-revenge/

    Hacker claims to have stolen more than 8,200 databases from a security firm’s data leak monitoring service.

    Reply
  40. Tomi Engdahl says:

    The ‘I Know What You Downloaded on BitTorrent’ website knows everything that you download using BitTorrent, including your IP address.

    A website tool named “I Know What You Downloaded on BitTorrent (IKWDB)” shows millions of IP addresses of users who have accessed illegal file-sharing sites, aka torrent websites, on the Internet. In other words, this tool will reveal, for public viewing, the IP addresses of anyone who has downloaded songs, movies, or anything else on BitTorrent without using a VPN (Virtual Private Network), proxy or seedbox.

    https://www.techworm.net/2016/12/website-knows-everything-download-using-bittorrent-including-ip-address.html

    Reply
  41. Tomi Engdahl says:

    DARPA computer security unit says, “Don’t worry; we can take it.”

    DARPA: Hack Our Hardware
    https://spectrum.ieee.org/tech-talk/computing/hardware/hack-our-hardware

    Thanks to Moore’s Law, the number of transistors in our computing devices has doubled every two years, driving continued growth in computer speed and capability. Conversely, Wirth’s Law indicates that software is slowing more rapidly than hardware is advancing. The net result is that both hardware and software are becoming more complex. With this complexity, the number of discovered software vulnerabilities is increasing every year; there were over 17,000 vulnerabilities reported last year alone. We at DARPA’s System Security Integrated Through Hardware and firmware (SSITH) program argue that the solution lies not in software patches but in rethinking hardware architecture.

    In March 2020, MITRE released version 4.0 of its Common Weakness Enumerations (CWE) list, which catalogues weaknesses in computer systems. For the first time, it included categories of hardware vulnerabilities. Among them are: Rowhammer; Meltdown/Spectre; CacheOut; and LVI, which are becoming more prevalent. In fact, a reported 70 percent of cyber-attacks are the result of memory safety issues [pdf] such as buffer overflow attacks – a category of software exploit that takes advantage of hardware’s inherent “gullibility.”

    Gartner forecasts that there will be 5.81 billion IoT endpoints this year, and IDC estimates the number of IoT devices will grow to 41.6 billion in 2025. Despite these staggering statistics, IoT is still in its infancy. I liken it to the Wild West, where companies come and go, regulations and standards are undefined, and security is often an afterthought. This lawlessness can have significant consequences, as we saw in 2016 when the Mirai bot-net attacked domain registration service provider, Dyn.

    Today, the security research community is able to identify many of these cyberattacks quickly, and solutions are distributed to patch the exploited software.

    Every time a new software vulnerability that exploits hardware is identified, a new software patch is issued. However, these patches only address the software layer and do not actually “treat” the underlying problem in the hardware, leaving it open to the creation of new exploits. In the medical field, this type of treatment regime is expensive and doesn’t cure the disease. In recent years, physicians have been advocating preventive medicine to treat the root causes of chronic diseases. Similarly, we need to adapt and find a better way to protect our computer systems.

    Even though they may use open source components, this slow update cycle is due to devices needing to be requalified to make sure that any updates to the kernel or drivers do not break the system.

    Requalifying a device is expensive and even more costly when a new version of an operating system is involved. Often this is not even possible

    The net result is that individual third-party IP components are often not updated and only support certain versions of an operating system and software stack, further preventing the device that uses them from being updated. Additionally, the cost of supporting hardware devices is so large that many companies outsource technical support and device management to third-party companies who were not involved with the original development.

    Because of these issues, protection from malware often requires a hardware upgrade. Take, for example, the cell phone market. Updates are often slow or nonexistent if you are not using one of the major brands.

    Even then, they keep this up for only for a few years before the consumer is forced to upgrade. In between these hardware updates, software updates are employed in the form of the “patch and pray” approach.

    DARPA’s System Security Integrated Through Hardware and firmware (SSITH) program seeks to break this cycle of vulnerability exploitation by developing hardware security architectures to protect systems against entire classes of the hardware vulnerabilities that these software exploits attack. SSITH’s philosophy: By treating the problem at its root—the hardware—it can end the need for continual “patch and pray” cycles.

    https://cwe.mitre.org/data/

    https://www.darpa.mil/program/ssith

    Reply
  42. Tomi Engdahl says:

    Mozilla Joins Apple, Google in Reducing TLS Certificate Lifespans
    https://www.securityweek.com/mozilla-joins-apple-google-reducing-tls-certificate-lifespans

    Mozilla is the latest browser maker to have announced updated policies that would reduce the lifetime of TLS (Transport Layer Security) certificates.

    Currently, SSL/TLS certificates have a maximum lifespan of 825 days, but, in an attempt to ensure better protection of HTTPS connections, browser makers such as Apple, Google and Mozilla are looking into reducing that period to 398 days.

    Apple was the first to make a move in this direction, by announcing earlier this year that, starting September 1, 2020, TLS server certificates should have a validity period of up to 398 days.

    “This change will affect only TLS server certificates issued from the Root CAs preinstalled with iOS, iPadOS, macOS, watchOS, and tvOS. Additionally, this change will affect only TLS server certificates issued on or after September 1, 2020; any certificates issued prior to that date will not be affected by this change,” Apple said.

    Last month, it was revealed that Google too will impose the limit in Chrome, also starting September 1, 2020. The company will reject certificates that violate the policy.

    Now, Mozilla says that it too is ready to join the fray, explaining that the move will bring numerous security and privacy benefits: certificates using outdated or weak algorithms will be phased out faster, there will be fewer disruptions, and exposure diminished. Furthermore, certain impersonation attacks will likely be mitigated this way.

    Reply
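    The policy described above has two parts: a cutoff date (certificates issued on or after September 1, 2020) and a maximum validity period (398 days, down from the previous 825). As an added example that is not part of the original post or of any browser's actual implementation, the following Python reads the notBefore/notAfter timestamps in the form they appear inside an X.509 certificate (UTCTime and GeneralizedTime per RFC 5280) and applies the rule to a few constructed validity windows. It assumes notBefore stands in for the issuance date; the sample windows are made up for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Policy values taken from the article: certificates issued on or after
# 2020-09-01 may be valid for at most 398 days; the old ceiling was 825 days.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME_DAYS = 398
LEGACY_MAX_LIFETIME_DAYS = 825


def parse_x509_time(value):
    """Parse a validity timestamp as it is encoded in a certificate.

    RFC 5280 uses UTCTime (YYMMDDHHMMSSZ; two-digit year, 50-99 => 19xx,
    00-49 => 20xx) for dates through 2049 and GeneralizedTime
    (YYYYMMDDHHMMSSZ) after that. Both are always expressed in UTC ("Z").
    """
    if not value.endswith("Z"):
        raise ValueError("expected a UTC ('Z') timestamp: %r" % value)
    body = value[:-1]
    if len(body) == 12:  # UTCTime
        yy = int(body[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = body[2:]
    elif len(body) == 14:  # GeneralizedTime
        year = int(body[:4])
        rest = body[4:]
    else:
        raise ValueError("unrecognised X.509 time: %r" % value)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def lifetime_days(not_before, not_after):
    """Validity period in days; fractional days are kept, not rounded."""
    return (not_after - not_before) / timedelta(days=1)


def check_lifetime(not_before_str, not_after_str):
    """Return 'accepted', 'rejected' or 'invalid' for one validity window.

    Assumption (not stated on the page): notBefore is treated as the
    issuance date when deciding which side of the cutoff a cert falls on.
    """
    not_before = parse_x509_time(not_before_str)
    not_after = parse_x509_time(not_after_str)
    if not_after <= not_before:
        return "invalid"  # malformed window, never trust it
    days = lifetime_days(not_before, not_after)
    if not_before < POLICY_START:
        # Issued before the cutoff: only the old 825-day ceiling applies.
        return "accepted" if days <= LEGACY_MAX_LIFETIME_DAYS else "rejected"
    return "accepted" if days <= MAX_LIFETIME_DAYS else "rejected"


# Constructed sample validity windows (not real certificates).
SAMPLE_CERTS = {
    "exactly-398-days": ("200915000000Z", "211018000000Z"),
    "399-days": ("200915000000Z", "211019000000Z"),
    "legacy-825-days": ("200831000000Z", "221204000000Z"),
    "legacy-826-days": ("200831000000Z", "221205000000Z"),
    "generalized-time-365-days": ("20500101000000Z", "20510101000000Z"),
    "not-after-before-not-before": ("201001000000Z", "200901000000Z"),
}


def audit(samples=SAMPLE_CERTS):
    """Apply check_lifetime to a mapping of name -> (notBefore, notAfter)."""
    return {name: check_lifetime(nb, na) for name, (nb, na) in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:30s} {verdict}")
```

    The boundary cases are the interesting part: a window of exactly 398 days passes, 399 fails, and a certificate with notBefore before the cutoff is judged against the old limit only, which is why an 825-day legacy certificate is still accepted. Feeding this real certificates would mean extracting the two timestamps from the DER Validity sequence first; that parsing step is outside this example.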
  43. Tomi Engdahl says:

    Google Cloud Unveils Confidential VMs Powered by AMD EPYC Processors
    https://www.securityweek.com/google-cloud-unveils-confidential-vms-powered-amd-epyc-processors

    Google on Tuesday unveiled a new Google Cloud product designed to help organizations protect sensitive data while it’s being processed.

    Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat and others last year announced the launch of the Confidential Computing Consortium, an organization of the Linux Foundation whose goal is to improve the security of data in use.

    Google on Tuesday unveiled the first product in its Google Cloud Confidential Computing portfolio: Confidential VMs. Currently in beta for Google Compute Engine, Confidential VMs are designed to help organizations, particularly ones in regulated industries, protect sensitive data by providing memory encryption capabilities that can be leveraged to isolate cloud workloads.

    The tech giant says it has been focusing on making confidential computing easy and accessible since the launch of its Asylo open source framework in 2018, and with the launch of Confidential VMs it believes it has achieved this goal.

    Confidential VMs leverage the Secure Encrypted Virtualization (SEV) feature in 2nd Gen AMD EPYC processors to ensure that sensitive data remains encrypted at all times, including while it’s used, queried or indexed.

    Google Cloud Confidential Computing builds on the protections provided by Shielded VM, a hardened virtual machine instance that ensures a verified bootloader and kernel run on startup, providing protection against malicious guest OS firmware, boot and kernel vulnerabilities, and malicious insiders.

    Reply
  44. Tomi Engdahl says:

    https://etn.fi/index.php/13-news/10943-pian-voit-unohtaa-pankkikortin-pin-koodisi

    The French bank BNP Paribas is probably the first bank to roll out a biometric bank card on a wider scale. During the autumn, holders of the bank's Premier and Gold cards can exchange their card for a version equipped with a fingerprint sensor. The bank estimates it will distribute 10-15 thousand biometric cards over the autumn.

    Reply
  45. Tomi Engdahl says:

    Israeli Court Rules NSO Group Can Continue Exporting Spyware
    https://www.vice.com/en_us/article/jgxdgg/israeli-court-rules-nso-group-can-continue-exporting-spyware

    NSO Group will be allowed to keep exporting its powerful hacking and surveillance tech after what Amnesty International calls a “disgraceful ruling.”

    Reply
  46. Tomi Engdahl says:

    Blueleaks: How the FBI tracks Bitcoin laundering on the dark web
    https://decrypt.co/34740/blueleaks-how-the-fbi-tracks-bitcoin-laundering-on-the-dark-web

    Leaked FBI intelligence report details how dark web criminals are using a Panamanian crypto-changer to launder dirty Bitcoin into privacy coin Monero.

    Reply
