Security trends 2017

3,151 Comments

1. September 21, 2017 at 9:31 am

   Tomi Engdahl says:

   FedEx Profit Takes $300 Million Hit After Malware Attack
   http://www.securityweek.com/fedex-profit-takes-300-million-hit-after-malware-attack

   The malware attack that hit international delivery services company TNT Express in June had a negative impact of roughly $300 million on FedEx’s profit in the latest quarter.

   TNT Express, which FedEx acquired last year for $4.8 billion, was one of several major companies whose systems were infected with NotPetya malware (also known as Nyetya, PetrWrap, exPetr, GoldenEye, and Diskcoder.C) in late June.

   The company reported a few weeks after the attack that the incident had a significant impact on its operations and communications. FedEx admitted at the time that it was possible TNT would not be able to fully restore all affected systems and recover all the critical business data encrypted by NotPetya.

   “The worldwide operations of TNT Express were significantly affected during the first quarter by the June 27 NotPetya cyberattack. Most TNT Express services resumed during the quarter and substantially all TNT Express critical operational systems have been restored. However, TNT Express volume, revenue and profit still remain below previous levels,” the company said on Tuesday.

   “Operating results declined due to an estimated $300 million impact from the cyberattack, which was partially offset by the benefits from revenue growth, lower incentive compensation accruals and ongoing cost management initiatives,” it added.

   Reply
2. September 21, 2017 at 9:33 am

   Tomi Engdahl says:

   Google, Spotify Release Open Source Cloud Security Tools
   http://www.securityweek.com/google-spotify-release-open-source-cloud-security-tools

   Google and music service Spotify announced last week the launch of Forseti Security, a community-driven collection of open source tools designed to improve security in Google Cloud Platform (GCP) environments.

   The Forseti toolkit currently includes an inventor tool that provides visibility into GCP resources, a scanner that validates access control policies, an enforcement tool that removes unwanted access to resources, and an add-on that helps users understand, test and develop Identity and Access Management (IAM) policies.

   http://forsetisecurity.org/

   Reply
3. September 21, 2017 at 9:33 am

   Tomi Engdahl says:

   POS Malware Abuses Exposed ElasticSearch Nodes for C&C
   http://www.securityweek.com/pos-malware-abuses-exposed-elasticsearch-nodes-cc

   Two point of sale (POS) malware families have been abusing thousands of publicly accessible ElasticSearch nodes for command and control (C&C) purposes, Kromtech security researchers warn.

   Malicious files discovered on the ElasticSearch deployments referenced to the AlinaPOS and JackPOS malware families, which are well known for their wide use in credit card data theft campaigns. Both threats have been designed to scrape credit card data from computer memory.

   Both JackPOS and AlinaPOS have been around for several years and have seen numerous variants to date, each employing different techniques to steal credit card data. Already widespread, POS malware is active year-round, but usually shows spikes in activity during the holiday shopping season.

   This isn’t the first time ElasticSearch nodes made the news after falling to miscreants. In January this year, after tens of thousands of MongoDB databases were ransacked, hackers turned to ElasticSearch servers, deleted data on them, and demanded various ransom amounts, claiming they can restore the wiped information.

   After performing a Shodan search, Kromtech discovered nearly 4000 infected ElasticSearch servers, most of which (about 99%) are hosted on Amazon.

   “Why Amazon? Because on Amazon Web Services you can get a free t2 micro (EC2) instance with up to 10 Gb of disk space. At the same time t2 micro allows to set up only versions ES 1.5.2 and 2.3.2. AWS-hosted ES service gives you a possibility to configure your ES cluster just in few clicks,” the researchers note.

   Reply
4. September 21, 2017 at 9:34 am

   Tomi Engdahl says:

   New “Red Alert” Android Banking Trojan Emerges
   http://www.securityweek.com/new-red-alert-android-banking-trojan-emerges

   A recently discovered Android banking Trojan features a bot and command and control panel fully written from scratch, SfyLabs has discovered.

   Dubbed Red Alert 2.0, the malware has been designed and distributed over the past several months by a new threat actor, the researchers say. The threat features new code but its capabilities are similar to those of other Android banking Trojans, such as the use of overlays to steal login credentials, or the ability to intercept SMS messages and steal users’ contacts.

   Reply
5. September 21, 2017 at 9:37 am

   Tomi Engdahl says:

   EU to Launch Cybersecurity ‘Safety Labels’
   http://www.securityweek.com/eu-launch-cybersecurity-safety-labels

   The European Union unveiled plans Tuesday to step up its response to cyber attacks, including a new intelligence-sharing agency, cyber war games and product safety labels.

   The proposals by the European Commission, the executive arm of the 28-nation bloc, come amid growing concerns over election hacking by foreign states, ransomware attacks and other cybercrime like identity theft and bank fraud.

   “Cyberattacks are becoming more frequent, imaginative and global,” Andrus Ansip, the European Commission Vice President for the Digital Single Market, told a press conference. “The EU needs to respond to them 24/7.”

   Building on an existing agency based in Greece, the new EU Cybersecurity Agency would help countries deal with cyber threats. It would also organise yearly pan-European cybersecurity exercises and ensure better sharing of intelligence.

   Reply
6. September 21, 2017 at 9:46 am

   Tomi Engdahl says:

   Manchester plod still running 1,500 Windows XP machines
   Issue ‘endemic’ across public sector, shriek experts
   https://www.theregister.co.uk/2017/09/20/manchester_police_still_running_1500_xp_machines/

   Cops in Manchester, England, have 1,518 PCs running on Microsoft’s dusty operating system Windows XP, according to a Freedom of Information response.

   This equates 20.3 per cent of the total PC fleet that GMP has in use, despite Microsoft ending support for the much loved operating systems back in April 2014.

   Reply
7. September 21, 2017 at 11:40 am

   Tomi Engdahl says:

   SecureDrop:NEW!
   Freedom of the Press Foundation announces $2,500 bug bounty program for SecureDrop, the open-source whistleblowing tool — Created date — The SecureDrop engineering team welcomes the contributions of security researchers. SecureDrop is relied on by sources to talk with journalists …

   Ethical Security Research on SecureDrop
   https://securedrop.org/news/ethical-security-research-securedrop

   The SecureDrop engineering team welcomes the contributions of security researchers. SecureDrop is relied on by sources to talk with journalists at dozens of news organizations, many of whom are taking significant risks to bring information to the public eye. We want to do everything we can to make the whistleblowing process as safe for them as possible. Testing by external security researchers is an important part of that process. In order to minimize risk to SecureDrop users throughout the security research process, in this post we will describe how to ethically perform security research on SecureDrop and what constitutes acceptable and unacceptable behavior.

   Reply
8. September 21, 2017 at 11:47 am

   Tomi Engdahl says:

   Unisys: Micro-segmentation and AI in the security wake of Equifax
   http://www.zdnet.com/article/unisys-micro-segmentation-and-ai-in-the-security-wake-of-equifax/

   The chief trust officer of Unisys explains what business leaders and technologists need to know about next-generation network security practices. Read carefully to protect your organization.

   The Equifax security breach is on everyone’s mind. Equifax has broken our trust and made clear that security is everyone’s problem — ultimately, no one is immune to the effects of poor computer security.

   During our conversation, Patterson explains why effective security must go beyond technology to encompass business strategy and practice at the most senior levels in an organization. It’s a perspective that explains why organizational leaders and technologist are jointly responsible for securing data, corporate assets, and even critical infrastructure.

   However, the technology itself is also fascinating. From micro-segmentation to predictive analytics, there is plenty of material for the most hardened technologist to study and enjoy.

   Is security a business or technical problem?

   It used to be bits and bytes and routers and firewalls. Now, it’s boardroom decisions and what should we do about an M&A? How should we go into a merger? How should we partner in this country or that country?

   These are all business decisions. And, the threats are dramatic. There’s not only the threat of being shut down or having all the information that you are entrusted with taken from you, but there’s also regulatory compliance now. New regulations coming that starts next year where the fines start at $20 million dollars and go up from there.

   It’s an issue that goes well beyond the technology. That’s what the chief trust officer role works with here. We’re a coordination point for privacy, physical security, and business security issues.

   Where does technical debt have an impact?

   Most every company of any size that’s been around for a while has issues like technical debt. They’ve got old stuff and there’s not enough money to buy all new stuff.

   So, they’ve got to work together and be realistic with each other, and say, “Well, we’ve got this privacy spin that we’ve got to do, and we’ve got this technical debt issue here, and we’re trying to go an open business in country X and country Y. Let’s design a system, maybe using a cloud provider and some micro-segmentation and we do this.”

   Suddenly, we’re addressing all those issues with one spend. That opens the eyes not only of the practitioners but also of the business leaders and the governance leaders across the board. Literally around the world.

   What is micro-segmentation and why is it so important?

   Security people have long known that it’s better to segment their network, so, if one part gets broken into, the other parts will be safe. It’s a concept called “east-west collateral movements,” which you want to stop.

   They used to do by putting a firewall between this building or that building, or between this giant network or that giant network. That’s how they segmented their networks.

   Well, we have gone to clients that had over 100,000 individual rules on one firewall. No one can keep up with that! They don’t know what rules are there, who wrote them, what they’re for; so they don’t touch them. In those old days, it was so expensive to segment that people stopped doing it.

   Enter a new concept, a new technology, called “micro-segmentation.” We’ve been working on it for over five years with individual clients, but it’s now a generally available commercial product called “Stealth,” which we can weave into any existing network to allow you to create little, tiny microsegments, completely transparent to the users, that don’t require any firewall rules. If you’re in accounting, you get to see the accounting resources and nothing else. If you’re in marketing, you can see the marketing resources and nothing else.

   Even though all the networks are still interconnected, the packets are locked into these little, tiny microsegments, which makes it easier to protect the network and deliver the resilience that’s necessary. Someone still might click on the wrong thing, but that attack is going to be limited to their little group. The accounting people and Poughkeepsie might be affected but not the rest of the world.

   We use artificial intelligence to create the whole mapping. When we roll out micro-segmentation with Stealth, it can be transparent to employee or associates. If they are not breaking the rules, they’ll never even know it’s there.

   Explain the concept of resiliency?

   Resiliency is a key word in 2017. They UN is focused on that. Many big, global organizations are trying to shift the focus because in security you have to be perfect to be any good at all. Resiliency and “perfect” are difficult to achieve in this day and age. Even the best systems are attacked successfully because something breaks down. So, we’re focused on resiliency.

   For example, what if someone at a power company clicks the wrong thing in their email or leaves their laptop on the train with the password taped to the top. Or, they lend their laptop to their kid who clicks on the wrong website at home one night. Those things happen; it’s part of life.

   The concept of resiliency, which Unisys really stresses with its clients, recognizes that’s going to happen but don’t let it shut off the lights for an entire country.

   We deploy all sorts of countermeasures within an organization to make sure that when something happens, we can limit it. It starts by segmenting so if one part of the power system is corrupted, the rest will not be.

   Reply
9. September 21, 2017 at 11:57 am

   Tomi Engdahl says:

   ISO Rejects NSA Encryption Algorithms
   https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html

   The ISO has decided not to approve two NSA-designed block encryption algorithms: Speck and Simon. It’s because the NSA is not trusted to put security ahead of surveillance

   Reply
10. September 21, 2017 at 12:31 pm

    Tomi Engdahl says:

    Spy Tech: Nonlinear Junction Detectors
    https://hackaday.com/2017/09/20/spy-tech-nonlinear-junction-detectors/

    If you ever watch a spy movie, you’ve doubtlessly seen some nameless tech character sweep a room for bugs using some kind of detector and either declare it clean or find the hidden microphone in the lamp. Of course, as a hacker, you have to start thinking about how that would work. If you had a bug that transmits all the time, that’s easy. The lamp probably shouldn’t be emitting RF energy all the time, so that’s easy to detect and a dead give away. But what if the bug were more sophisticated? Maybe it wakes up every hour and beams its data home. Or perhaps it records to memory and doesn’t transmit anything. What then?

    High-end bug detectors have another technique they use that claims to be able to find active device junctions. These are called Nonlinear Junction Detectors (NLJD). Spy agencies in the United States, Russian and China have been known to use them and prisons employ them to find cell phones. Their claim to fame is the device doesn’t have to be turned on for detection to occur. You can see a video of a commercial NLJD, below

    Reply
11. September 21, 2017 at 5:31 pm

    Tomi Engdahl says:

    CCleaner supply chain malware targeted tech giants
    https://techcrunch.com/2017/09/21/ccleaner-supply-chain-malware-targeted-tech-giants/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    Malware that piggybacked on CCleaner, a popular free software tool for optimizing system performance on PCs, appears to have specifically targeted high profile technology companies and may have been an attempt to harvest IP — perhaps for commercial or state-level espionage.

    In an update on its investigation into the malware, which was revealed to have affected 2.27M users of CCleaner earlier this week

    the attackers behind it appear to have been interested in only a specific subset of PC users working for tech firms.

    companies in Japan, Taiwan, UK, Germany and the US were targeted

    “We are not excluding any possibility. It is possible that this was the result of a State level attack or industrial espionage.”

    Avast said it believes the malware’s second stage payload was indeed delivered — saying server logs indicate it was sent to 20 machines in a total of eight organizations

    Meanwhile security researchers at Cisco Talos, who are also analyzing the CCleaner malware

    have revealed the below list of company domains

    The list apparently includes mobile makers Samsung, HTC and Sony, as well as telcos Singtel, Vodafone and O2, plus tech firms Cisco, Intel, VMware, Google and Microsoft. Also listed are: Linksys, Epson, MSI, Dlink and Akamai.

    There’s also, rather chillingly, a distributor of security solutions, such as CCTV, alarm and door access systems.

    According to Cisco Talos’ analysis, the malware gathered system information from infected machines
    and used this intel to determine how to handle those hosts.

    Avast is still recommending that consumer users of CCleader upgrade to the latest version (“now 5.35, after we have revoked the signing certificate used to sign the impacted version 5.33”) — and use a “quality antivirus product”.

    Reply
12. September 21, 2017 at 6:21 pm

    Tomi Engdahl says:

    Google’s Heather Adkins thinks everybody is going to get hacked and you need to be ready
    https://techcrunch.com/2017/09/18/googles-heather-adkins-thinks-everybody-is-going-to-get-hacked-and-you-need-to-be-ready/

    Google’s Information Security Manager Heather Adkins has a pretty good track record. The company was last hacked in 2009, that’s why Adkins had some good advice for startups in the audience at TechCrunch Disrupt SF.

    “At some point in the history of your company, you’re probably going to get hacked. The question is not whether or not you’re going to get hacked, but are you ready?” Adkins said. “Are you going to be able to very quickly make decisions about what to do next?”

    Reply
13. September 21, 2017 at 6:22 pm

    Tomi Engdahl says:

    And one of the reasons you’re going to get hacked is because most technology companies rely on open source software. Hackers can use this opportunity to find 0-day vulnerabilities. It’s the reason why you should keep all your dependencies patched at all times.

    “I think it’s the cost of doing business with open source software. The reality is that we have to stay on top of it,” Adkins said. “Even if you’re just two people in a garage, one of you need to be in charge of security, whether it’s part time as an IT person or as a lead software developer.”

    Source: https://techcrunch.com/2017/09/18/googles-heather-adkins-thinks-everybody-is-going-to-get-hacked-and-you-need-to-be-ready/

    Reply
14. September 21, 2017 at 7:19 pm

    Tomi Engdahl says:

    Apple blocking ads that follow users around web is ‘sabotage’, says industry
    https://www.theguardian.com/technology/2017/sep/18/apple-stopping-ads-follow-you-around-internet-sabotage-advertising-industry-ios-11-and-macos-high-sierra-safari-internet

    New iOS 11 and macOS High Sierra will stop ads following Safari users, prompting open letter claiming Apple is destroying internet’s economic model

    For the second time in as many years, internet advertisers are facing unprecedented disruption to their business model thanks to a new feature in a forthcoming Apple software update.

    iOS 11, the latest version of Apple’s operating system for mobile devices, will hit users’ phones and tablets on Tuesday. It will include a new default feature for the Safari web browser dubbed “intelligent tracking prevention”, which prevents certain websites from tracking users around the net, in effect blocking those annoying ads that follow you everywhere you visit.

    Reply
15. September 21, 2017 at 7:51 pm

    Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Experian tool to retrieve credit freeze PIN relies on just four pieces of basic personal information for authentication, inadequate given widespread leaks — An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone …

    Experian Site Can Give Anyone Your Credit Freeze PIN
    http://krebsonsecurity.com/2017/09/experian-site-can-give-anyone-your-credit-freeze-pin/

    An alert reader recently pointed my attention to a free online service offered by big-three credit bureau Experian that allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

    The first hurdle for instantly revealing anyone’s freeze PIN is to provide the person’s name, address, date of birth and Social Security number (all data that has been jeopardized in breaches 100 times over — including in the recent Equifax breach — and that is broadly for sale in the cybercrime underground).

    After that, one just needs to input an email address to receive the PIN and swear that the information is true and belongs to the submitter. I’m certain this warning would deter all but the bravest of identity thieves!

    The final authorization check is that Experian asks you to answer four so-called “knowledge-based authentication” or KBA questions.

    much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

    Reply
16. September 21, 2017 at 7:53 pm

    Tomi Engdahl says:

    Joseph Menn / Reuters:
    Interviews and emails show NSA backed down on two encryption techniques, Simon and Speck, it wanted as global standards amid experts’ concerns and lack of trust — SAN FRANCISCO (Reuters) – An international group of cryptography experts has forced the U.S. National Security Agency …

    Distrustful U.S. allies force spy agency to back down in encryption fight
    http://www.reuters.com/article/us-cyber-standards-insight/distrustful-u-s-allies-force-spy-agency-to-back-down-in-encryption-fight-idUSKCN1BW0GV

    SAN FRANCISCO (Reuters) – An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.

    In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them.

    The presence of the NSA officials and former NSA contractor Edward Snowden’s revelations about the agency’s penetration of global electronic systems have made a number of delegates suspicious of the U.S. delegation’s motives

    Reply
17. September 21, 2017 at 7:57 pm

    Tomi Engdahl says:

    SEC ‘fesses to security breach, says swiped info likely used for dodgy stock-market trading
    EDGAR database a veritable goldmine of financial tips
    https://www.theregister.co.uk/2017/09/21/sec_breach/

    The US Securities and Exchange Commission (SEC) has admitted that hackers broke into its corporate filling system last year.

    As-yet unidentified miscreants may have profited from financial tip-offs and other data obtained after hacking into its online EDGAR test filing system, the US government’s financial trading watchdog admitted on Wednesday.

    In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading.

    The SEC said that although it patched the unspecified vulnerability in EDGAR soon after its discovery last year, it recently came to realise that the glitch may nonetheless have been leveraged for illicit gain.

    The SEC has tightened up its security and launched an investigation in wake of the breach, which was publicly acknowledged on Wednesday.

    The commission’s disclosure follows hard on the heels of news of a major breach at credit reference agency Equifax that affected 143 million US consumers. Attacks on US financial institutions are rare but not unprecedented. For example, Nasdaq suffered a malware-related breach back in 2014.

    The mechanism of the SEC breach remains unclear. Infosec experts suspect a targeted attack rather than an opportunistic raid.

    Reply
18. September 21, 2017 at 8:15 pm

    Tomi Engdahl says:

    Researchers claim ISPs are ‘complicit’ in latest FinSpy snooping rounds
    Dictators’ favourite spyware is working at the top, says report
    https://www.theregister.co.uk/2017/09/21/finspy_snooping_isp/

    A surveillance campaign utilising a new variant of FinFisher, the infamous spyware also known as FinSpy, has been tracked by security researchers.

    Seven countries have been affected, and in two of them, major internet providers have most likely been involved in infecting surveillance targets, according to security researchers at ESET. The suspected involvement of ISPs – if confirmed – would be a first.

    ESET is not naming the countries involved (“so as not to put anyone in danger,” it said – others have named names) but it is offering details of the mechanism of the attack.

    FinFisher is marketed as a law enforcement tool but has a history of turning up in deployments in countries with a poor reputation for human rights. The software offers covert surveillance through keylogging, and exfiltration of files, as well as live surveillance through webcams and microphones.

    Reply
19. September 21, 2017 at 8:32 pm

    Tomi Engdahl says:

    Yahoo! retires! bleeding! ImageMagick! to! kill! 0-day! vulnerability!
    Purple Palace pays researcher US$778 bounty per byte
    https://www.theregister.co.uk/2017/05/21/yahoo_retires_imagemagick_library/

    How would you like US$778 per byte for your exploit?

    That’s what security researcher Chris Evans just scored from Yahoo!, for an 18-byte demonstration of how private Yahoo! Mail images could leak.

    Even though the bug’s been patched, Yahoo! decided it was one bug too many in the library, and retired it.

    Because (a) bugs get brands these days; and (b) “*bleed attacks are hot right now”, Evans called his trick “Yahoobleed #1” (YB1).

    The fix is simple enough

    “The resulting JPEG image served to my browser is based on uninitialized, or previously freed, memory content.”

    Reply
20. September 21, 2017 at 8:38 pm

    Tomi Engdahl says:

    Nectar Gan / South China Morning Post:
    China’s domestic security and intelligence chief, Meng Jianzhu, urges increased AI use to predict social unrest, combat terrorism, more

    China’s security chief calls for greater use of AI to predict terrorism, social unrest
    http://www.scmp.com/news/china/policies-politics/article/2112203/china-security-chief-calls-greater-use-ai-predict

    Artificial intelligence can complete tasks with a ‘precision and speed unmatchable by humans’, official says

    China’s domestic security and intelligence chief has called on the country’s police to use artificial intelligence to improve their ability to predict and prevent terrorism and social unrest.

    “Artificial intelligence can complete tasks with a precision and speed unmatchable by humans, and will drastically improve the predictability, accuracy and efficiency of social management,” Meng was quoted as saying by Chinese news website Thepaper.cn on Thursday.

    Reply
21. September 21, 2017 at 8:40 pm

    Tomi Engdahl says:

    Eric Beech / Reuters:
    SEC says hackers may have profited by trading with insider information stolen from its database; the breach took place in 2016 but was discovered last month — WASHINGTON (Reuters) – The U.S. Securities and Exchange Commission (SEC), the country’s top markets regulator …

    U.S. SEC says hackers may have traded using stolen insider information
    http://www.reuters.com/article/legal-us-sec-intrusion/u-s-sec-says-hackers-may-have-traded-using-stolen-insider-information-idUSKCN1BW1K0

    WASHINGTON (Reuters) – The top U.S. markets regulator said on Wednesday that hackers accessed its corporate disclosure database and may have illegally profited by trading on the insider information stolen.

    The Securities and Exchange Commission (SEC) said the hack occurred in 2016 but that it had only discovered last month that the cyber criminals may have used the information to make illicit trades.

    Reply
22. September 22, 2017 at 6:03 am

    Tomi Engdahl says:

    If you freeze your credit, Experian will let crooks unfreeze it by ticking a box
    https://boingboing.net/2017/09/21/cross-my-heart.html

    Say you’re worried that Equifax has just destroyed your life with its callous disregard for the dossier it compiled on you and your finance; maybe you’ll contact an Equifax competitor like Experian and ask them to “freeze” your credit so no one can use that data to open a new account in your name.

    Good luck with that.

    Once you’ve frozen your credit with Experian, you can’t unfreeze it without a four-digit PIN. However, Experian will give anyone that four-digit PIN, provided they first tick a box promising that they are really, totally, honestly not a scammer, and then answer three easy-to-look-up “knowledge-based authentication” questions.

    Reply
23. September 22, 2017 at 7:30 am

    Tomi Engdahl says:

    Another Day, Another Air Gap Breached
    https://hackaday.com/2017/09/21/another-day-another-air-gap-breached/

    What high-tech, ultra-secure data center would be complete without dozens of video cameras directed both inward and outward? After all, the best informatic security means nothing without physical security. But those eyes in the sky can actually serve as a vector for attack, if this air-gap bridging exploit using networked security cameras is any indication.

    It seems like the Cyber Security Lab at Ben-Gurion University is the place where air gaps go to die. They’ve knocked off an impressive array of air gap bridging hacks, like modulating power supply fans and hard drive activity indicators. The current work centers on the IR LED arrays commonly seen encircling the lenses of security cameras for night vision illumination. When a networked camera is compromised with their “aIR-Jumper” malware package, data can be exfiltrated from an otherwise secure facility. Using the camera’s API, aIR-Jumper modulates the IR array for low bit-rate data transfer.

    aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)
    https://arxiv.org/abs/1709.05742

    Reply
24. September 22, 2017 at 8:18 am

    Tomi Engdahl says:

    Joomla Login Page Flaw Exposes Admin Credentials
    http://www.securityweek.com/joomla-login-page-flaw-exposes-admin-credentials

    Joomla 3.8 brings more than 300 improvements to the popular content management system (CMS) and patches two vulnerabilities, including one that can be exploited to obtain administrator credentials.

    Researchers at RIPS Technologies discovered that Joomla versions between 1.5 and 3.7.5 are affected by a potentially serious vulnerability when using Lightweight Directory Access Protocol (LDAP) authentication.

    LDAP is designed for accessing directory systems via TCP/IP and it’s available in Joomla via a native authentication plugin that can be enabled from the Plugin Manager.

    An analysis of the Joomla login page when the LDAP authentication plugin is used revealed that, due to the lack of input sanitization, an attacker can try to determine the username and password by guessing the credentials character by character.

    “By exploiting a vulnerability in the login page, an unprivileged remote attacker can efficiently extract all authentication credentials of the LDAP server that is used by the Joomla! installation. These include the username and password of the super user, the Joomla! Administrator,” RIPS researchers explained.

    Reply
25. September 22, 2017 at 8:19 am

    Tomi Engdahl says:

    The “Dirty” Secret Everyone Should Know About Automation
    http://www.securityweek.com/dirty-secret-everyone-should-know-about-automation

    Automating Steps in the Security Process is Critical to Defeat Today’s Relentless and Complex Attacks

    You’ve likely heard the phrase: “dirty data in, dirty data out.” Jumping to the end of the security lifecycle and using automation to take action – like automating playbooks and automatically sending the latest intelligence to your sensor grid (firewalls, IPS/IDS, routers, web and email security, endpoint, etc.) – can backfire. Without first aggregating, scoring and prioritizing intelligence you can actually exacerbate the dirty data problem.

    However, devising an approach that’s workable can be tough – the time and effort required to sift through the data so you can focus only on what is important to your organization can outstrip your resources. This is because most organizations are bombarded with millions of threat-focused data points from commercial sources, open source, industry and existing security vendors. Not to mention the massive amount of log and event data from each point product within your layers of defense and/or your SIEM.

    Because all threat data is not created equal, you also need to be able to score and prioritize it. This helps cut down on the noise. Intelligence feed vendors may provide “global” scores but, in fact, these can contribute to the noise since the score is not within the context of your company’s specific environment. Worse yet, when uploaded to your SIEM or sensor grid they can generate more noise in the form of false positives and security operators end up chasing ghosts. Dirty data in, dirty data out. This is why automation also needs to occur at the early stages of the security lifecycle process. Not only will you reduce the dirty data problem, you’ll also save valuable time and resources.

    As an example, let’s say your organization brings in one million indicators of compromise (IOCs) across several feeds over a four-month period. Using automation, you can aggregate the data in one location and augment and enrich it with context. Then, you can apply an automated scoring framework based on your risk levels to filter the intelligence into a manageable subset – reducing the actionable dataset by 95% or more. You can redefine how the scores are calculated using multiple parameters you set, including: indicator source, type, attributes and context, as well as adversary attribution.

    Now you’re in a position to deploy the right intelligence to the right tools. Because you’ve laid the proper groundwork, you can use automation with greater confidence and reliability.

    Reply
26. September 22, 2017 at 8:20 am

    Tomi Engdahl says:

    Nine Vulnerabilities Patched in WordPress
    http://www.securityweek.com/nine-vulnerabilities-patched-wordpress

    WordPress 4.8.2 patches nine vulnerabilities affecting version 4.8.1 and earlier, including cross-site scripting (XSS), SQL injection, path traversal and open redirect flaws.

    The security update addresses one potential SQL injection vulnerability that exists due to the $wpdb->prepare() function creating unexpected and unsafe queries. The flaw, reported by a researcher who uses the online moniker “Slavco,” does not affect the WordPress core directly, but developers have added hardening to prevent plugins and themes from accidentally creating a vulnerability.

    A total of five XSS flaws were patched in the latest version of WordPress, including in oEmbed discovery, the visual editor, the plugin editor, template names and the link modal.

    These security holes were discovered and reported by Rodolfo Assis of Sucuri, Chen Ruiqi, Anas Roubi, a Croatian expert who uses the online moniker “sikic,” and a member of the WordPress Security Team.

    Another member of the WordPress Security Team discovered a path traversal vulnerability in the customizer. A similar flaw was also found by Alex Chapman in the file unzipping code.

    Reply
27. September 22, 2017 at 8:25 am

    Tomi Engdahl says:

    Has science gone too far, part 97: Boffins craft code to find protesters on social networks, rate them on their violence
    Image-recognition system posited as reporting tool
    https://www.theregister.co.uk/2017/09/21/social_media_turned_into_yardstick_for_violence/

    Mining social networks for every scrap of information about our online lives is now common practice for marketers, academics, government agencies, and so on.

    Text in tweets, blogs and other posts is valuable because it’s searchable, analyzable, and not terribly costly to crawl, fetch or store. But ongoing computer vision advancements have opened up the wealth of information encoded in images.

    Earlier this week, researchers from University of California, Los Angeles described a way to analyze images to find protesters, to characterize their activities and to assess the level of violence depicted.

    In a paper titled “Protest Activity Detection and Perceived Violence Estimation from Social Media Images,” graduate student Donghyeon Won, assistant professor of public policy Zachary C Steinert-Threlkeld, and assistant professor of communication studies Jungseock Joo explore how imagery can be used to understand protests, because text may not be reliable.

    https://arxiv.org/pdf/1709.06204.pdf

    Reply
28. September 22, 2017 at 8:27 am

    Tomi Engdahl says:

    Firefox For iOS Gets Tracking Protection, Firefox Focus For Android Gets Tabs
    https://news.slashdot.org/story/17/09/21/1953205/firefox-for-ios-gets-tracking-protection-firefox-focus-for-android-gets-tabs?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Mozilla today released Firefox 9.0 for iOS and updated Firefox Focus for Android. The iOS browser is getting tracking protection, improved sync, and iOS 11 compatibility. The Android privacy browser is getting tabs. You can download the former from Apple’s App Store and the latter from Google Play. This is the first time Firefox has offered tracking protection on iOS,

    Reply
29. September 22, 2017 at 8:28 am

    Tomi Engdahl says:

    “Admin from Hell” holds company to ransom with porn makeover
    https://nakedsecurity.sophos.com/2017/09/21/admin-from-hell-holds-company-to-ransom-with-porn-makeover/

    You might not be aware of a porn site titled teen[sexual orientation][bodypart].com.

    You most certainly don’t want to discover that site when you type in your company’s URL and get redirected to teen[sexual orientation][bodypart].com… all thanks to refusing to pay a $10,000 ransom to an IT admin contractor from Hell.

    The IT admin is Tavis Tso, a 40-year-old Arizona man who’s confessed to lying to a client company in Phoenix, telling them he didn’t have the login information for their account with the registrar GoDaddy (likely for domain name or hosting).

    Tso had renewed the company’s GoDaddy account in 2011. In May 2015, the company wanted to update its contact details with the domain registrar. Can’t help, Tso said; I don’t have the login anymore.

    Fibber. He did have the login.

    By tweaking the account, Tso made it so the company’s employees couldn’t use their email accounts. At first, he redirected the company’s homepage to a blank page. Then, he offered to make it all better… in exchange for a cool $10,000 for returning everything to normal.

    No dice, the company said. After the company refused to pay the ransom, Tso redirected the company’s homepage to the porn site.

    According to a release from the Arizona US Attorney’s Office, Tso was sentenced on Monday to four years of probation and an order to pay $9,145 in restitution after having pleaded guilty to one count of wire fraud.

    Reply
30. September 22, 2017 at 8:29 am

    Tomi Engdahl says:

    WeChat confirms that it makes all private user data available to the Chinese government
    WeChat, which is developed by Chinese firm Tencent, is a messaging app similar to Whatsapp
    http://www.moneycontrol.com/news/business/companies/wechat-confirms-that-it-makes-all-private-user-data-available-to-the-chinese-government-2391847.html/news/business/companies/wechat-confirms-that-it-makes-all-private-user-data-available-to-the-chinese-government-2391847.html

    WeChat has confirmed what has been rumoured all along i.e. it gives all user information to the Chinese government. The popular app in a privacy statement is now informing the users that virtually all the private user information will be disclosed to the authorities.

    WeChat, owned by the Chinese firm Tencent, is a messaging app similar to the WhatsApp. With over 662 million users, the app, besides being the dominant messaging app in China, it is one of the largest in the world.

    The app is also infamous for its links with the Chinese regime. A 2016 survey by Amnesty International ranked it lowest among popular messaging apps with regard to privacy protection of its users.

    The information that nearly all the private data in the app is accessible to the Chinese regime became evident when the users tried to avail the latest update.

    Reply
31. September 22, 2017 at 11:00 am

    Tomi Engdahl says:

    The hacker always gets in

    Businesses should be prepared for some kind of hacker to eventually get through all the security to the company’s network. “IT management needs to be prepared for robbers and hackers inevitably get into systems in some time,” says Combitch consultant Jyrki Luukko, a security company.

    - I do not want to say that antivirus programs, firewalls and network protection would be pointless. However, companies need to develop their control and responsiveness rather than just defensive, Luke Cookies.

    For example, data corruption may be due to stealing user IDs or causing the employee to be cheated to download harmful memory software that the antivirus program can not capture because the file does not exist.

    - Of course, access to the systems is to be made as difficult as possible and the aggressor’s progress can be hampered, but blocking the intrusion may even be impossible as the hackers always come up with new tricks.

    By exploiting vulnerabilities, cybercrime can be accessed, for example, by Windows maintenance tools, which can not be prevented by system crashes.

    Environments can never be fully protected, but fortunately they can be controlled. – Think about workstations that are usually attacked by the attack. We can track whether there are any suspicious processes behind the operating system. An attacker often leaves traces that can be identified.

    - There must be little to do with security with the same security as with insurance. Little is controlled if the potential disadvantage of a possible change is small, Luukko decides.

    Source: http://etn.fi/index.php?option=com_content&view=article&id=6876&via=n&datum=2017-09-21_14:47:35&mottagare=30929

    Reply
32. September 23, 2017 at 6:36 am

    Tomi Engdahl says:

    Feds reveal which states were targeted by Russian hackers trying to break into voting systems during the 2016 election cycle. DHS said “most” states were unsuccessfully attacked, but didn’t make clear how and where the hackers were successful, or whether the sustained cyberattacks helped Donald Trump win the presidency.

    DHS informs 21 states that Russian hackers attacked their voting systems in 2016 election
    https://boingboing.net/2017/09/22/dhs-informs-21-states.html

    The Department of Homeland Security today revealed which states were targeted by Russian hackers trying to break into voting systems during the 2016 election cycle. DHS said “most” states were unsuccessfully attacked, but didn’t make clear how and where the hackers were successful, or whether the sustained cyberattacks helped Donald Trump win the presidency.

    10 Months After Election Day, Feds Tell States More About Russian Hacking
    http://www.npr.org/2017/09/22/552956517/ten-months-after-election-day-feds-tell-states-more-about-russian-hacking

    The Department of Homeland Security said earlier this year that it had evidence of Russian activity in 21 states, but it failed to inform individual states whether they were among those targeted. Instead, DHS authorities say they told those who had “ownership” of the systems — which in some cases were private vendors or local election offices.

    State election officials have complained for months that the lack of information from the federal government was hampering their efforts to secure future elections.

    State election officials were finally contacted by federal authorities on Friday about whether their election systems were among those targeted for attack last year by Russian hackers.

    It will be up to the election officials to decide whether to share what they learn with the public.

    “The good news is that, for the most part, most of the things that we saw attempted in 2016 were just that, attempts,”

    Only two state election security breaches last year have been made public so far. Hackers were able to gain access to the records of tens of thousands of voters in Illinois’ centralized registration database, but there is no sign any records were deleted or changed. Russian hackers also gained access to the password and other credentials of a county elections worker in Arizona. Again there is no evidence that records were altered.

    Earlier this year, a leaked National Security Agency report also detailed attempts by Russian military intelligence to infiltrate an election software vendor’s computer

    Reply
33. September 23, 2017 at 8:21 am

    Tomi Engdahl says:

    NBD: Adobe just dumped its PRIVATE PGP key on the internet
    Change the name to A-d’oh!-be
    https://www.theregister.co.uk/AMP/2017/09/22/oh_dear_adobe_security_blog_leaks_private_key_info/

    An absent-minded security staffer just accidentally leaked Adobe’s private PGP key onto the internet.

    The disclosure was spotted by security researcher Juho Nurminen – who found the key ion the Photoshop giant’s Product Security Incident Response Team blog. That contact page should have only included the public PGP key.

    Armed with the private key, an attacker could spoof PGP-signed messages as coming from Adobe. Additionally, someone (cough, cough the NSA) with the ability to intercept emails – such as those detailing exploitable Flash security vulnerability reports intended for Adobe’s eyes only – could use the exposed key to decrypt messages that could contain things like, say, zero-day vulnerability disclosures.

    Reply
34. September 23, 2017 at 2:56 pm

    Tomi Engdahl says:

    WeChat confirms that it makes all private user data available to the Chinese government
    http://www.moneycontrol.com//news/business/companies/wechat-confirms-that-it-makes-all-private-user-data-available-to-the-chinese-government-2391847.html/news/business/companies/wechat-confirms-that-it-makes-all-private-user-data-available-to-the-chinese-government-2391847.html

    WeChat, which is developed by Chinese firm Tencent, is a messaging app similar to Whatsapp

    Reply
35. September 23, 2017 at 4:42 pm

    Tomi Engdahl says:

    Ask Hackaday: Security Questions And Questionable Securities
    https://hackaday.com/2017/09/22/security-questions-and-questionable-securities/

    Your first school. Your mother’s maiden name. Your favorite color. These are the questions we’re so used to answering when we’ve forgotten a password and need to get back into an account. They’re not a password, yet in many cases have just as much power. Despite this, they’re often based on incredibly insecure information.

    Sarah Palin’s Yahoo account is perhaps the best example of this. In September 2008, a Google search netted a birthdate, ZIP code, and where the politician met her spouse. This was enough to reset the account’s password and gain full access to the emails inside.

    While we’re not all public figures with our life stories splashed across news articles online, these sort of questions aren’t exactly difficult to answer. Birthdays are celebrated across social media, and the average online quiz would net plenty of other answers. The problem is that these questions offer the same control over an account that a password does, but the answers are not guarded in the same way a password is.

    Palin E-Mail Hacker Says It Was Easy
    https://www.wired.com/2008/09/palin-e-mail-ha/

    Reply
36. September 23, 2017 at 5:56 pm

    Tomi Engdahl says:

    Aw, not you too, Verizon: US telco joins list of leaky AWS S3 buckets
    Now is a good time to go check your own Amazon settings. It’s OK, we’ll wait
    https://www.theregister.co.uk/2017/09/22/verizon_falls_for_the_old_unguarded_aws_s3_bucket_trick_exposes_internal_system/

    Researchers with Kromtech Security say they were able to access an AWS S3 storage bucket that contained data used by the US telco giant’s billing system and the Distributed Vision Service (DVS) software that powers it.

    “DVS is the middleware and centralized environment for all of Verizon Wireless (the cellular arm of VZ) front-end applications, used to retrieve and update the billing data,” Kromtech revealed today.

    “Although no customers data are involved in this data leak, we were able to see files and data named ‘VZ Confidential’ and ‘Verizon Confidential’, some of which contained usernames, passwords and these credentials could have easily allowed access to other parts of Verizon’s internal network and infrastructure.”

    The researchers also say they were able to retrieve a number of Outlook messages, router host information, and “B2B payment server names and info.”

    This is not the first biz Kromtech researchers have spotted keeping confidential data in an insecure storage bucket. In recent months, the company has spotted vulnerable bins run by the likes of Time Warner Cable, and hotel booking company Bookzie.

    Reply
37. September 23, 2017 at 5:58 pm

    Tomi Engdahl says:

    IoT botnet Linux.ProxyM turns its grubby claws to spam rather than DDoS
    I don’t know which is worse
    https://www.theregister.co.uk/2017/09/22/iot_botnet_slinging_spam/

    An IoT botnet is making a nuisance of itself online after becoming a conduit for spam distribution.

    Linux.ProxyM has the capability to engage in email spam campaigns with marked difference to other IoT botnets, such as Mirai, that infamously offered a potent platform for running distributed-denial-of-service attacks (DDoSing). Other IoT botnets have been used as proxies to offer online anonymity.

    Linux.ProxyM never had DDoS capabilities and was built instead to function as a giant mesh of proxy servers running on smart devices. The botnet first surfaced in February 2017, reaching a size of nearly 10,000 bots by June. The botnet has halved in size since then but this positive development is offset by the addition of new features.

    Javvad Malik, security advocate at AlienVault, commented: “This isn’t a surprising development. If we look at IoT devices, they are basically running a small Linux PC – this can be used to serve whatever purposes the creator desires as long as it is within the device’s capabilities. Due to the difficulty in patching IoT devices, using them for malicious purposes will likely continue to rise.”

    Reply
38. September 24, 2017 at 2:33 pm

    Tomi Engdahl says:

    Post a boarding pass on Facebook, get your account stolen
    https://www.michalspacek.com/post-a-boarding-pass-on-facebook-get-your-account-stolen

    Holiday time is in full swing. When you want to brag about your final destination, be careful of what you post on Facebook and Instagram. Leave your boarding passes (and other barcodes) for yourself (and get a shredder).

    To find Petr’s departure from Hong Kong, it was enough to go to British Airways website and enter the booking reference in the right input field.

    The airlines wanted to verify that it was mePetr trying to change the details. I could enter his passport number but I didn’t have it (yet), or date of birth. Petr has his birthday on his Facebook profile, it’s published in Business Register or Trade Register of the Czech Republic, too. Your birthday is fairly public information

    Finally, here’s the passport number! And I can even change it. Cool, I can make Petr’s wife birthday celebration in Hong Kong a bit longer. Just enter the passport number of an internationally wanted criminal or something.

    I didn’t change a thing and reported everything to Petr. I also apologized because I blocked him from accessing the booking page for 24 hours when I tried to guess his wife’s birthday. I googled the date later, of course. Huge thanks to Petr for being nice to me!

    Reply
39. September 25, 2017 at 4:17 am

    Tomi Engdahl says:

    Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol
    https://www.google.fi/amp/s/arstechnica.com/information-technology/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/%3famp=1

    A known security hole in the networking protocol used by cellphone providers around the world played a key role in a recent string of attacks that drained bank customer accounts, according to a report published Wednesday.

    The unidentified attackers exploited weaknesses in Signalling System No. 7, a telephony signaling language that more than 800 telecommunications companies around the world use to ensure their networks interoperate. SS7, as the protocol is known, makes it possible for a person in one country to send text messages to someone in another country.

    The same functionality can be used to eavesdrop on conversations, track geographic whereabouts, or intercept text messages. Security researchers demonstrated this dark side of SS7 last year

    Instead of being delivered to the phones of designated account holders, the text messages were diverted to numbers controlled by the attackers. The attackers then used the mTANs—short for “mobile transaction authentication numbers”—to transfer money out of the accounts.

    The interception of the mTANs came only after attackers had compromised bank accounts using traditional bank-fraud trojans.

    Despite the growing awareness, Wednesday’s report makes clear that real-world attacks remain—or at least until recently remained—feasible in industrialized countries. The attacks underscore the inherent insecurity and lack of privacy in the global telephone network.

    It could take years to fully secure the system given the size of the global network and the number of telecoms that use it.

    Wednesday’s report also underscores the risks of relying on text messages for two-factor authentication. (Last year, the National Institute for Standards and technology proposed doing away with SMS and voice calls for so-called out-of-band verifiers.)

    Reply
40. September 25, 2017 at 7:43 am

    Tomi Engdahl says:

    Security
    Shock! Hackers for medieval caliphate are terrible coders
    Daesh-bags give up on writing their own attack code, copy successful hackers
    https://www.theregister.co.uk/2017/09/25/extremist_hackers_dubious_competence/

    DerbyCon An analysis of the hacking groups allying themselves to Daesh/ISIS has shown that about 18 months ago the religious fanatics stopped trying to develop their own secure communications and hacking tools and instead turned to the criminal underground to find software that actually works.

    Kyle Wilhoit, a senior security researcher at DomainTools, told the DerbyCon hacking conference in Kentucky that while a multiplicity of different hacking groups with different aims have consolidated themselves under the banner of the United Cyber Caliphate (UCC), their coding skills and opsec are “garbage.”

    “ISIS is really really bad at the development of encryption software and malware,” Wilhoit said. “The apps are sh*t to be honest, they have several vulnerabilities in each system that renders them useless.”

    He recounted how he’d found an open server online containing photographs of active military operations by ISIS in Iraq and Syria, which were to be used for propaganda purposes. However, the uploaders had included all the metadata in the photographs, making them easy targets. Little wonder four of the groups’ IT leaders have been killed in the last two years by drone strikes.

    One, the Caliphate Cyber Army, for example, formed about four years ago and concentrated on online defacement of websites.

    The Islamic State Hacking Division concentrates on trying to get into government databases in the US, UK and Australia so that they can compile and publish kill lists of targets. To date there is no evidence that this group has succeeded.

    The Islamic Cyber Army focuses on researching basic information about power grids, with a sideline in defacing websites. There’s no evidence they have actually managed to break into a power company, instead they share basic information about such systems online, Wilhoit opined.

    One unifying theme of these group’s work is the stunning lack of success and ineptitude. They will deface a website few people visit and claim a success, or try and launch a DDoS attack using a couple of dozen infected PCs.

    Reply
41. September 25, 2017 at 10:11 am

    Tomi Engdahl says:

    ARM TrustZone Hacked By Abusing Power Management
    https://hardware.slashdot.org/story/17/09/23/2113243/arm-trustzone-hacked-by-abusing-power-management

    “This is brilliant and terrifying in equal measure,” writes the Morning Paper. Long-time Slashdot reader phantomfive writes:
    Many CPUs these days have DVFS (Dynamic Voltage and Frequency Scaling), which allows the CPU’s clockspeed and voltage to vary dynamically depending on whether the CPU is idling or not. By turning the voltage up and down with one thread, researchers were able to flip bits in another thread. By flipping bits when the second thread was verifying the TrustZone key, the researchers were granted permission.

    CLKSCREW: Exposing the perils of security-oblivious energy management
    https://blog.acolyer.org/2017/09/21/clkscrew-exposing-the-perils-of-security-oblivious-energy-management/

    This is brilliant and terrifying in equal measure. CLKSCREW demonstrably takes the Trust out of ARM’s TrustZone, and it wouldn’t be at all surprising if it took the Secure out of SGX too (though the researchers didn’t investigate that). It’s the deepest, widest impact, hardest to fix security issue I’ve seen in a long time.

    Designing secure systems is really hard. One side channel, control over one single bit, and you can be compromised. Fault attacks try to induce bit corruptions at key moments. Differential fault attacks (DFA) compare execution under normal and faulted conditions, and can be use for example to infer AES keys based on pairs of correct and faulty ciphertexts.

    A new class of attacks

    I’ll leave you with this thought: CLKSCREW isn’t just the latest in a known exploit genre, CLKSCREW opens the door to a whole new class of energy-management based attacks.

    Reply
42. September 25, 2017 at 10:21 am

    Tomi Engdahl says:

    Fuzzing Reveals Over 30 Web Browser Engine Flaws
    http://www.securityweek.com/fuzzing-reveals-over-30-web-browser-engine-flaws

    Fuzzing tests conducted on the most popular web browser engines by Google Project Zero revealed the existence of more than 30 vulnerabilities, more than half of which in Apple’s Safari.

    Google Project Zero researcher Ivan Fratric pointed out that Document Object Model (DOM) engines have been one of the main sources of web browser flaws. That is why he created a new fuzzer, which he released as open source, to help him test the engines that power Google Chrome, Mozilla Firefox, Microsoft’s Internet Explorer and Edge, and Apple Safari.

    Fuzzing is a technique for finding vulnerabilities by injecting malformed or semi-malformed data into the targeted application. If the software crashes or behaves unexpectedly, it could indicate the presence of a security flaw.

    Reply
43. September 25, 2017 at 10:22 am

    Tomi Engdahl says:

    NVIDIA Patches Several Flaws in GPU Display Drivers
    http://www.securityweek.com/nvidia-patches-several-flaws-gpu-display-drivers

    NVIDIA has started releasing patches for several denial-of-service (DoS) and privilege escalation vulnerabilities affecting its GeForce, NVS, Quadro and Tesla graphics card drivers.

    A security advisory published by the company on Thursday reveals the existence of four high severity flaws in the kernel mode layer handler (nvlddmkm.sys) for the DxgkDdiEscape function.

    This interface was analyzed earlier this year by Google Project Zero researchers as part of their attempts to attack the NVIDIA kernel mode drivers on Windows. The experts, who found a total of 16 security holes, described DxgkDdiEscape as a “well known entry point for potential vulnerabilities.”

    Security Bulletin: NVIDIA GPU contains multiple vulnerabilities in the kernel mode layer handler
    http://nvidia.custhelp.com/app/answers/detail/a_id/4544

    Reply
44. September 25, 2017 at 10:23 am

    Tomi Engdahl says:

    Private, But Not Secure: HTTPS is Hiding Cybercrime
    http://www.securityweek.com/private-not-secure-https-hiding-cybercrime

    Encrypted communications have boomed in popularity in the aftermath of the Snowden leaks in 2013, which has ironically opened up a new pathway for cybercriminals. Since those fateful revelations years ago, the world has witnessed a sharp increase in encrypted web traffic—reaching half of all global traffic at the beginning of this year and zooming past more than 65 percent this past May, according to published browser statistics from Chrome and Firefox.

    While web site operators of all stripes have shifted to SSL encryption, malware authors have also followed suit. Every major ransomware family since 2015 has been distributed at some point via HTTPS, including Petya, Locky and Jigsaw. My team recently dug into our mass of threat data and found that 36 percent of global malware is using SSL encryption—still lower than the overall share of SSL in web traffic, but a significant number and a startling increase. In 2013 Gartner pegged the same statistic at “less than 5 percent,” and an NSS Labs study that same year found that less than one percent of malware was using SSL.

    The fact is, despite that growth, most businesses today are not inspecting their HTTPS traffic for threats. A pair of Osterman Research studies in the past year have shown that the adoption of SSL traffic inspection is low and varies greatly from region to region.

    The massive shift of the majority of web use to SSL encryption has become a double-edged sword. While it increases users’ privacy, it can create blind spots in many organizations, where malware in the HTTPS channel is essentially hidden from most web security tools. And as companies such as Google boost search rankings for sites that use HTTPS (and punish those who don’t with “not secure” warnings), the volume of encrypted traffic will continue to grow at escalating rates. The launch of the free SSL certificate authority called “Let’s Encrypt,” which launched just last year, has no doubt contributed to the recent run-up.

    It’s clear that many IT administrators underestimate this threat by failing to implement inspection. But looming larger than those concerns is the fact that many companies still don’t recognize SSL inspection as the basic necessity it has become. For all the laudable motives which have made SSL encryption the new normal for web transport

    Reply
45. September 25, 2017 at 10:24 am

    Tomi Engdahl says:

    1.4 Million Phishing Sites Are Created Monthly: Report
    http://www.securityweek.com/14-million-phishing-sites-are-created-monthly-report

    According to a new report, an average of 1.385 million unique new phishing sites are created every month, peaking at 2.3 million in May 2017. The majority of these are online and active for an average of just 4 to 8 hours. This combination of volume and brevity makes it effectively impossible to counter phishing — especially targeted spear-phishing and whaling — with block lists. By the time the site is included on a block list, the damage is done and the phishing site is no longer used.

    Reply
46. September 25, 2017 at 11:18 am

    Tomi Engdahl says:

    Nuclear war isn’t North Korea’s only threat
    http://edition.cnn.com/2017/09/23/opinions/north-korea-cyberattack-oneill-opinion/index.html

    The missile tests are posturing by Kim Jong Un and a clear attempt to show dominance to the United States and its allies. They are likely part of a strategy that follows Iran’s playbook: Get close to developing a nuclear weapon and the rest of the world will make a deal.
    But they are also a major distraction from a much bigger issue. The true risk when it comes to North Korea is its cyberattack capabilities.

    North Korea has invested heavily in cyberattack operations to disrupt its Western enemies. Western Intelligence services blamed the 2014 attack against Sony on North Korea’s spy agency, the Reconnaissance General Bureau. North Korea is also believed to be responsible for the cyber heist at Bangladesh’s central bank and the global WannaCry ransomware attack from earlier this year.

    Pyongyang’s cyberspies conduct low-cost, high-impact, deniable attacks around the world to harm enemies, disrupt the West and steal money.

    The goal for North Korea’s cyberattack operations, beyond flying under the radar, is to inflict death by a thousand cuts — a deliberate and organized disrupt-and-attack approach in line with the country’s national strategy. Arguably, the more money and resources North Korea can steal via cyberattacks, the stronger its kinetic military can become.

    North Korea has at its disposal a dedicated and systematically developed cyber army on call.

    North Korea’s most frequent target of cyberattacks is its southern neighbor.

    In turn, the United States should develop contingency plans to respond to a direct cyberattack from North Korea.
    Most critically, we should develop an escalation policy that establishes when a cyberattack will be considered an act of war. Cyberattacks can affect more than just bank accounts or identity theft; they can shut down power transmission, turn off water and prevent aircraft control towers from safely landing planes. The United States needs to invest heavily in cybersecurity for critical infrastructure, hardening key control elements across the country and doubling down on protections to our financial systems and power grids.

    Reply
47. September 25, 2017 at 1:48 pm

    Tomi Engdahl says:

    Go spy, GO! Popular app with 200M+ users crosses the red line
    https://blog.adguard.com/en/go-spy-go-popular-android-keyboard-from-china-crosses-the-red-line/

    Have you ever thought that your keyboard could be a professional spy? And we are not talking about jamesbondish handsome spies from Hollywood movies, but about the overt and constant home phoning of the personal information with its future distribution to third parties. Our recent research discovered a popular Android keyboard to spy on its users, with tons of personal information being sent to remote servers and using a prohibited technique to download dangerous executable code.

    We decided to test keyboard apps after the recent story with TouchPal, a keyboard, that started showing ads to HTC devices users right in the typing area. Why does it matter? A keyboard is an input tool wherethrough almost all your valuable private data passes. Just imagine, you enter your logins, passwords, texts of emails, and messages using your keyboard, and then – everything is sent (maybe even sold) to third-parties. GO Keyboard has become an absolute “champion” in this field. This app offers a “smart” keyboard with various colorful and attractive themes. It has 200M+ users all over the world and is developed by the Chinese GOMO Dev Team.

    Besides being a popular ad blocker and a privacy protection utility, AdGuard for Android is also an excellent tool for inspecting the apps’ traffic.

    What you should know about the notorious Go keyboard

    It has 2 versions (first, second) in Google play;
    It has 200M+ downloads;
    It advertises itself as “We will never collect your personal info including credit card information. In fact, we cares for privacy of what you type and who you type!”:
    Its privacy policy contradicts this statement;
    It communicates with dozens of third-party trackers and ad networks. It also downloads over 14 MB of data and sends quite a lot of information about you right after the installation.
    It has access to sensitive data including your identity, phone calls log, contacts, microphone.

    Unfortunately, everything listed above is a norm nowadays. Recent research showed that 7 in 10 mobile apps share your data with third-party services

    Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.

    Shortly after the installation, both apps downloaded and executed code from a remote server, directly violating this policy.

    We informed Google of these violations and are waiting for their reaction. Whatever their decision is, we find this behavior unacceptable and dangerous. Having 200+ Million users does not make an app trustworthy. Do not blindly trust mobile apps and always check their privacy policy and what permissions do they require before the installation.

    Reply
48. September 25, 2017 at 3:10 pm

    Tomi Engdahl says:

    Analysis: Terrorism, espionage threats seen driving growth market for physical security equipment
    http://www.cablinginstall.com/articles/pt/2017/09/analysis-terrorism-espionage-threats-seen-driving-growth-market-for-physical-security-equipment.html?cmpid=enl_cim_cim_data_center_newsletter_2017-09-25

    A major trend being discerned in the market is the emergence of thermal cameras. As these cameras are water and heat resistant, and use infrared radiation for taking images, they have become an indispensable part of physical security equipment in monitoring unique/large-scale outdoor environments. Several institutions and critical infrastructures are being offered grants by governments for purchasing efficient surveillance equipment. The requirement for sophisticated security systems that help in ensuring safety of data has led the organisations to adopt data analytics, along with cloud-based data storages.

    The nature of the global physical security equipment market is highly fragmented, with presence of various large- as well as small-scale vendors competing for gaining larger market share. These vendors are concentrating on providing innovative and highly-efficient security solutions coupled with customized security services for sustaining their presence in the market. In addition, they are also providing integrated security systems, which ensure optimum security. Global leaders in the market are adopting key strategies such as M&A, and are acquiring niche players, in a bid to enhance their product portfolio.

    Reply
49. September 25, 2017 at 3:37 pm

    Tomi Engdahl says:

    Cloudflare now offers unmetered DDoS attack mitigation
    https://techcrunch.com/2017/09/25/cloudflare-now-offers-unmetered-ddos-attack-mitigation/?utm_source=tcfbpage&sr_share=facebook

    Cloudflare turns seven this week and it wants to give your network a present. Should your website come under Distributed Denial of Service (DDoS) attack, it will never charge you additional fees, or (and this is important) kick you off the network.

    Cloudflare CEO Matthew Prince has pledged unmetered DDoS mitigation, regardless of the size of the attack and no matter what level of service you have from the free tier all the way up to the enterprise level.

    As Prince explained, this is a pretty radical move by the company, but he feels like it’s the right way to go and will actually help grow his business.

    Reply
50. September 25, 2017 at 7:11 pm

    Tomi Engdahl says:

    Passwords and much more for 540,000 SVR Tracking accounts leaked online
    http://securityaffairs.co/wordpress/63343/data-breach/svr-tracking-data-leak.html

    Another day, another data breach to report, login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.

    The incident potentially exposes the personal data and vehicle details of drivers and businesses using the SVR Tracking service.

    A few hours ago Verizon data was leaked online, and last week a similar incident affected the entertainment giant Viacom, in both cases data were found on an unsecured Amazon S3 server.

    The unsecured AWS S3 cloud storage bucket containing SVR Tracking data was discovered by experts at Kromtech Security Center.The SVR Tracking service allows its customers to track their vehicles in real time by using a physical tracking device hidden in the vehicles.

    “The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden.” reads the blog post published by Kromtech.

    Experts highlighted that leaked passwords were protected by the weak SHA-1 hashing algorithm that was easy to crack.

    archive also included the position of the vehicles for the past 120 days.

    Auto Tracking Company Leaks
    https://mackeepersecurity.com/post/auto-tracking-company-leaks-hundreds-of-thousands-of-records-online

    Reply