Cyber security May 2018

This posting is here to collect security alert news in May 2018.

I post links to security vulnerability news to comments of this article.

 

Security And Privacy

269 Comments

  1. Tomi Engdahl says:

    Cyber-stability wonks add election-ware to ‘civilised nations won’t hack this’ standard
    Bad Vlad won’t care, but this puts voting infrastructure on par with DNS and BGP
    https://www.theregister.co.uk/2018/05/29/global_commission_on_the_stability_of_cyberspace_electoral_infrastructure_norm/

    The Global Commission on the Stability of Cyberspace (GCSC) has called for an end to cyber-attacks on electoral infrastructure.

    The GCSC works to develop “norms” of behaviour it hopes governments and others will adopt in order to leave internet infrastructure untouched during conflict. The body believes that as the internet is now critical to civil society, international agreements should protect its operation so that bystanders to conflicts aren’t harmed by disruptions to online services. Microsoft, the Internet Society and the governments of The Netherlands, France and Singapore have all funded the group.

    The Commission met last week and resolved that “State and non-state actors should not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.”

    Reply
  2. Tomi Engdahl says:

    Sonic and Ultrasonic Attacks Damage Hard Drives and Crash OSes
    https://hardware.slashdot.org/story/18/05/30/0349202/sonic-and-ultrasonic-attacks-damage-hard-drives-and-crash-oses

    Attackers can cause potentially harmful hard drive and operating system crashes by playing sounds over low-cost speakers embedded in computers or sold in stores, a team of researchers demonstrated last week. The attacks use sonic and ultrasonic sounds to disrupt magnetic HDDs as they read or write data. The researchers showed how the technique could stop some video-surveillance systems from recording live streams. Just 12 seconds of specially designed acoustic interference was all it took to cause video loss in a 720p system made by Ezviz. Sounds that lasted for 105 seconds or more caused the stock Western Digital 3.5 HDD in the device to stop recording altogether until it was rebooted. The device uses flash storage to house its firmware, but by default it uses a magnetic HDD to store the large quantities of video it records.

    Sonic and ultrasonic attacks damage hard drives and crash OSes
    Sounds played over off-the-shelf or embedded speakers often require a reboot.
    https://arstechnica.com/information-technology/2018/05/attackers-can-send-sounds-to-ddos-video-recorders-and-pcs/

    Attackers can cause potentially harmful hard drive and operating system crashes by playing sounds over low-cost speakers embedded in computers or sold in stores, a team of researchers demonstrated last week.

    The attacks use sonic and ultrasonic sounds to disrupt magnetic HDDs as they read or write data.

    “For such systems, the integrity of the recorded data is vital to the usefulness of the system, which makes them susceptible to acoustic interference or vibration attacks,” the researchers wrote in a paper titled “Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems.”

    The technique was also able to disrupt HDDs in desktop and laptop computers running both Windows and Linux. In some cases, it even required a reboot before the PCs worked properly. The technique took as little as 45 seconds to cause a Dell XPS 15 9550 laptop to become temporarily unresponsive when it was exposed to a “self-stimulation attack”

    The technique works because audible sound can cause an HDD’s head stack assembly to vibrate outside of normal bounds. The vibrations push the head far enough from the center of the drive track to temporarily prevent writing.

    The researchers, who demonstrated the technique at last week’s IEEE Symposium on Security and Privacy, have proposed several methods for detecting and preventing the attacks, some of which can be implemented with simple firmware tweaks.

    Reply
  3. Tomi Engdahl says:

    Blue Note: How Intentional Acoustic Interference
    Damages Availability and Integrity in Hard Disk
    Drives and Operating Systems
    https://spqr.eecs.umich.edu/papers/bolton-blue-note-IEEESSP-2018.pdf

    Magnetic HDDs remain common [
    1
    ] because of the long
    tail of legacy systems and the relatively inexpensive cost for
    high capacity storage. However, sudden movement can damage
    the hard drive or corrupt data because of the tight operating
    constraints on the read/write head(s) and disk(s). Thus, modern
    drives use shock sensors to detect such movement and safely
    park the read/write head.

    Previous research has indicated that
    loud audible sounds, such as shouting or fire alarms, can cause
    drive components to vibrate, disturbing throughput

    Audible sounds can even cause HDDs to become
    unresponsiv

    What remains a mystery is
    how
    and
    why
    intentional
    vibration causes bizarre malfunctions in HDDs and undefined
    behavior in operating systems. In our work, we explore how
    sustained, intentional vibration at resonant frequencies can
    cause permanent data loss, program crashes, and unrecoverable
    physical loss in HDDs from three different vendors

    Our work assumes an adversary that uses vibration to
    interfere with a HDD on a target machine, typically induced
    through use of a speaker.

    An adversary can attack a
    HDD by inducing vibration via acoustic emitters built into the
    victim system (or a nearby system).

    A self-stimulated attack may use a standard phishing attack,
    malicious email, or malicious javascript to deliver audio to a
    laptop’s speakers. Most laptops have speakers and the ability to
    browse the Internet. Modern browsers support JavaScript and
    HTML5, both of which are capable of playing audio without
    user permission. Therefore, should a victim visit a page owned
    by the attacker, the attacker would be able to play audio over
    the victim’s speakers.

    Physical Proximity Attacks.
    An attacker can induce
    vibration using a speaker near the victim system. T

    When the attacker is able to physically place the speaker,
    the attacker can choose a speaker with the desired frequency
    range (audible, near ultrasound, or ultrasound). In addition, the
    attacker can choose non-traditional acoustic emitters that may
    beamform signals to attack a drive from long distance. A Long
    Range Acoustic Device (LRAD) can send audible acoustic
    waves above 95 dB SPL miles away in open ai

    Reply
  4. Tomi Engdahl says:

    U.S. Attributes Two More Malware Families to North Korea
    https://www.securityweek.com/us-attributes-two-more-malware-families-north-korea

    The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra.

    The latest alert attributes the Joanap backdoor trojan and the Brambul worm to the North Korean government. It provides IP addresses and other indicators of compromise (IoC) associated with these threats in an effort to help organizations protect their networks against attacks.

    The threat actor tracked by the U.S. government as Hidden Cobra is known in the cybersecurity community as Lazarus Group

    Reply
  5. Tomi Engdahl says:

    Europol Creates Dark Web Investigations Team
    https://www.securityweek.com/europol-creates-dark-web-investigations-team

    The European Union’s law enforcement agency today announced the creation of a dedicated team that will be investigating activity across the dark web.

    The newly established Dark Web Investigations Team, embedded within Europol’s European Cybercrime Centre (EC3), is the result of a Europol initiative “to create a coordinated law enforcement approach to tackle crime on the dark web.”

    The dedicated team will have participation from EU law enforcement agencies, operational third parties, and other relevant partners.

    Through EC3, Europol has been long supporting investigations of criminal marketplaces on the dark web, and helped last year with the takedown of some of the largest dark web markets, such as AlphaBay.

    Reply
  6. Tomi Engdahl says:

    Attack Bypasses AMD’s Virtual Machine Encryption
    https://www.securityweek.com/attack-bypasses-amds-virtual-machine-encryption

    A group of German researchers has devised a new attack method capable of bypassing AMD’s Secure Encrypted Virtualization (SEV).

    Used by AMD data-center processors, SEV is a hardware feature that provides secure encryption of virtual machines (VMs) to protect VM memory from physical attacks and cross-VM and hypervisor-based attacks.

    In a whitepaper (PDF), Fraunhofer AISEC researchers present an attack carried out from a malicious hypervisor and capable of “extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines.” Named SEVered, the attack requires a remote communication service running in the VM.

    https://arxiv.org/pdf/1805.09604.pdf

    Reply
  7. Tomi Engdahl says:

    BackSwap Trojan Uses New Browser Monitoring and Injection Techniques
    https://www.securityweek.com/backswap-trojan-uses-new-browser-monitoring-and-injection-techniques

    A newly discovered banking Trojan uses innovative techniques to detect when a bank’s website is accessed and to inject malicious code into targeted pages, ESET warns.

    Dubbed BackSwap, the malware no longer relies on complex process injection methods to keep track of browsing activity, but hooks key window message loop events instead.

    “This is a seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks,” the security firm explains.

    BackSwap malware finds innovative ways to empty bank accounts
    https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

    Reply
  8. Tomi Engdahl says:

    Open Source Tool From FireEye Helps Detect Malicious Logins
    https://www.securityweek.com/open-source-tool-fireeye-helps-detect-malicious-logins

    FireEye has released GeoLogonalyzer, an open source tool that can help organizations detect malicious logins based on geolocation and other data.

    Many organizations need to allow their employees to connect to enterprise systems from anywhere in the world. However, threat actors often rely on stolen credentials to access a targeted company’s systems.

    Identifying legitimate logins and malicious ones can be challenging, but FireEye hopes to solve the problem with its GeoLogonalyzer, which leverages what the company calls GeoFeasibility.

    GeoLogonalyzer analyzes authentication logs containing timestamps, usernames, and IP addresses, and highlights any changes, including related to anomalies, data center hosting information, location data, ASN information, and time and distance metrics.

    https://www.fireeye.com/blog/threat-research/2018/05/remote-authentication-geofeasibility-tool-geologonalyzer.html

    Reply
  9. Tomi Engdahl says:

    GeoLogonalyzer is a utility to analyze remote access logs for anomalies such as travel feasibility and data center sources.
    https://github.com/fireeye/GeoLogonalyzer

    Reply
  10. Tomi Engdahl says:

    26 of the 115 most popular VPNs are secretly keeping tabs on you
    https://thenextweb.com/security/2018/03/27/26-popular-115-vpns-keeping-tabs-saying-theyre-not/

    A recent investigation into 115 of the world’s most popular VPN services revealed that many are antithetical to their stated claims. To build trust, providers make promises not to track users through logs or other identifying information. But as a popular VPN comparison site found out, this isn’t always true.

    The Best VPN recently peeked under the hood of over 100 of the biggest VPN services. All told, 26 of them collect three or more important log files that could contain personal and identifying information — things like your IP address, location, bandwidth data, and connection timestamps.

    Reply
  11. Tomi Engdahl says:

    USA needs law ‘a lot like GDPR’ says Salesforce CEO Marc Benioff
    As his company smashes Q1 2019
    https://www.theregister.co.uk/2018/05/30/salesforce_q1_2019/

    Salesforce CEO Marc Benioff thinks the USA needs “a national privacy law … that probably looks a lot like GDPR.”

    “This is going to help our industry,” he said on an earnings call for Salesforces Q1 2019 results. “It’s going to set the guardrails around trust, around safety. It’s going to provide the ability for the customers to interact with great next generation technologies in a safe way.”

    Reply
  12. Tomi Engdahl says:

    NPM Fails Worldwide With “ERR! 418 I’m a Teapot” Error
    https://www.bleepingcomputer.com/news/technology/npm-fails-worldwide-with-err-418-im-a-teapot-error/

    Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of “ERR! 418 I’m a teapot” whenever they tried to update or install a new JavaScript/Node.js package.

    Reply
  13. Tomi Engdahl says:

    Catalin Cimpanu / BleepingComputer.com:
    Ubiquitous code repository project Git patches two flaws, including one letting an attacker execute code on systems that recursively cloned a malicious Git repo

    Malicious Git Repository Can Lead to Code Execution on Remote Systems
    https://www.bleepingcomputer.com/news/security/malicious-git-repository-can-lead-to-code-execution-on-remote-systems/

    The developers behind Git and various companies providing Git repository hosting services have pushed out a fix to patch a dangerous vulnerability in the Git source code versioning software.

    The fix is included with Git 2.17.1, which patches two security bugs, CVE-2018-11233 and CVE-2018-11235.

    Reply
  14. Tomi Engdahl says:

    Deb Riechmann / Associated Press:
    FBI and DHS say North Korea used two pieces of malware to target US infrastructure and aerospace, financial, and media companies over nine years

    US says North Korea behind malware attacks
    https://www.apnews.com/9fb4327df4994d93a3b5c49ee227b2e0/US-says-North-Korea-behind-malware-attacks

    Reply
  15. Tomi Engdahl says:

    Paul Elias / Associated Press:
    US judge sentences Toronto man to five years in prison and fines him $250K for using data stolen in giant Yahoo data breach to hack into private email accounts

    Hacker gets 5 years for Russian-linked Yahoo security breach
    https://www.apnews.com/2664cefa070e470584a59bd56f8688a5/Hacker-sentenced-to-5-years-for-major-Yahoo-security-breach

    A young computer hacker who prosecutors say unwittingly worked with a Russian spy agency was sentenced to five years in prison Tuesday for using data stolen in a massive Yahoo data breach to gain access to private emails.

    Reply
  16. Tomi Engdahl says:

    ‘SIGNIFICANT’ FBI ERROR REIGNITES DATA ENCRYPTION DEBATE
    https://www.wired.com/story/significant-fbi-error-reignites-data-encryption-debate/

    SUBSCRIBE

    AUTHOR: LILY HAY NEWMANLILY HAY NEWMAN
    SECURITY
    05.23.1807:02 PM
    ‘SIGNIFICANT’ FBI ERROR REIGNITES DATA ENCRYPTION DEBATE

    FBI HeadquartersT.J. KIRKPATRICK/BLOOMBERG/GETTY IMAGES
    LAW ENFORCEMENT AGENCIES including the FBI have long criticized data encryption as a threat to their ability to fight crime. They argue that encryption allows bad actors to “go dark,” impeding agents’ ability to access the data of suspects, even with court orders or warrants. After years of raising the alarm about the going-dark problem, though, officials have yet to convince privacy advocates that undermining encryption protections would do more good than harm. And critics say that the FBI in particular has failed to show the problem is significant.

    A Tuesday report in the Washington Post fueled this debate, revealing that the FBI had vastly overstated the number of devices to which it could not gain access.

    Reply
  17. Tomi Engdahl says:

    Lorenzo Franceschi-Bicchierai / Motherboard:
    Researcher discovers bug in Valve’s platform, present for 10 years, that exposed all 125M users to exploitation until Valve fixed it in March 2018

    An Exploit Left Millions of Steam Users Vulnerable for the Past 10 Years
    https://motherboard.vice.com/en_us/article/9k8qv5/steam-exploit-left-users-vulnerable-for-10-years

    A security researcher found a serious vulnerability that allowed hackers to take control of a Steam user’s computer.

    Hackers could have taken advantage of a nasty bug in the hugely popular video game platform Steam to take over victims’ computers.

    “This bug could have been used as the basis for a highly reliable exploit,” Court wrote. “This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections.”

    In other words, by exploiting this bug, hackers could have executed code on the victim’s machine, effectively taking full control over it.

    Court said that the takeaway for this bug is that developers need to constantly review old and aging code and make sure it conforms to “modern security standards.”

    Court also published a proof-of-concept video on YouTube in which he launches the calculator app (a standard trick for a hacking demo) on the target’s system taking advantage of this bug.

    Reply
  18. Tomi Engdahl says:

    Devin Coldewey / TechCrunch:
    Government investigation finds 73% of federal agencies at risk of being unable to detect data access attempts, 84% fail at encrypting data at rest, more

    Government investigation finds federal agencies failing at cybersecurity basics
    https://techcrunch.com/2018/05/30/government-investigation-finds-federal-agencies-failing-at-cybersecurity-basics/

    The Office of Management and Budget reports that the federal government is a shambles — cybersecurity-wise, anyway. Finding little situational awareness, few standard processes for reporting or managing attacks and almost no agencies adequately performing even basic encryption, the OMB concluded that “the current situation is untenable.”

    All told, nearly three quarters of federal agencies have cybersecurity programs that qualified as either “at risk” (significant gaps in security) or “high risk” (fundamental processes not in place).

    1. “Agencies do not understand and do not have the resources to combat the current threat environment.”

    2. “Agencies do not have standardized cybersecurity processes and IT capabilities.”

    3. “Agencies lack visibility into what is occurring on their networks, and especially lack the ability to detect data exfiltration.”

    4. “Agencies lack standardized and enterprise-wide processes for managing cybersecurity risks”

    73 percent can’t detect attempts to access large volumes of data.
    84 percent of agencies failed to meet goals for encrypting data at rest.

    https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-Release.pdf

    Reply
  19. Tomi Engdahl says:

    Washington Post:
    China hacked a US Navy contractor early this year and stole 614GB of classified data, including plans for a supersonic anti-ship missile for US submarines — Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related …
    http://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html

    Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials.

    The breaches occurred in January and February, the officials said, speaking on the condition of anonymity to discuss an ongoing investigation.

    The officials did not identify the contractor.

    Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.

    The data stolen was of a highly sensitive nature despite being housed on the contractor’s unclassified network.

    The breach is part of China’s long-running effort to blunt the U.S. advantage in military technology and become the preeminent power in East Asia.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*