Cyber Security February 2018

This posting is here to collect security alert news in February 2018.

I post links to security vulnerability news to comments of this article.




  1. Tomi Engdahl says:

    Chinese Police Add Facial-Recognition Glasses to Surveillance Arsenal
    Police are donning the devices as hundreds of millions of Chinese begin traveling for the Lunar New Year holiday

  2. Tomi Engdahl says:

    Sarah Scoles / Wired:
    US government controls access to sensitive satellite imagery by regulating sales and buying exclusive imagery rights, driving business to other countries

    How the Government Controls Sensitive Satellite Data

    Earth orbit doesn’t just host a few Soviet spysats: More than a thousand working orbiters are out there, hundreds of those equipped with Earth-observing cameras. They are American, European, African, South American, Japanese, Indian, Chinese, Russian. And nothing stops many of them from taking pictures of supersecret areas.

    But the government has other ways of restricting information. The feds can limit how good commercially available images can be when taken by US companies. And it can issue a directive barring imaging over a given location. The law regulating that imaging, though, was first passed before satellite imaging really existed as an industry. And according to insiders, it’s been keeping satellites down—even as thousands more of them are set to launch in the next decade.

    When the Land Remote Sensing Policy Act passed, the world was a younger, more naïve place.

    “US government customers have the ability—as, actually, do some of our other customers—to say, ‘We would like you to take this image and not make this image available publicly,’” explains Scott. “It’s an exclusivity arrangement.”

    Then, there are the things that aren’t shutter control but do place cuffs around satellite operators. Take the Kyl-Bingaman Amendment, which bans US companies from releasing their high-resolution images of Israel and the Occupied Territories. In addition, “certain licensees have some area imaging restrictions,”

    In 1999, DigitalGlobe wanted permission to sell images with 25-centimeter resolution—to turn, in other words, three men’s shoes into one pixel. That didn’t sit right with federal regulators, who, in 2000, gave DigitalGlobe permission to sell pictures half that precise: a large throw pillow could become a pixel. Even more, Scott says, “we had to impose a 24-hour delay on anything better than 82-centimeter resolution.”

    That time restriction went away a while ago, but it wasn’t until 2014 that DigitalGlobe finally got permission, after asking again, to release images with 25-centimeter resolution. “The reason was national security,”

    “Licenses are issued with a maximum capability defined in the license,” says Dawkins, about resolution limits. “Other restrictions are based on national security and/or foreign policy concerns, these too are proprietary.”

    Even though DigitalGlobe “won” the right to sell better images, the battle isn’t over.

    Meanwhile, other countries have figured out this whole space snapshot business, too—and they don’t fall under the same US regulations. “All you’ve really done is drive business to those foreign companies,”

    In fact, smart people abroad probably accelerated their technology because of the Americans’ grip on data. “When we tightened up on export control, others decided they couldn’t rely on us anymore,”

    SpaceX wants to launch thousands of satellites to build its own internet network

  3. Tomi Engdahl says:

    South Korea Probes Cyber Shutdown During Olympics Ceremony

    South Korea on Saturday investigated a mysterious internet shutdown during the Winter Olympics opening ceremony, which follows warnings of possible cyberattacks during the Pyeongchang Games.

    Internal internet and wifi systems crashed at about 7:15 pm (1015 GMT) on Friday and were still not back to normal at midday on Saturday, Games organizers said.

    Cyber-security teams and experts from South Korea’s defence ministry, plus four other ministries, formed part of a taskforce investigating the shutdown, they said, adding that it didn’t affect the high-tech opening ceremony.

    The outage follows warnings of malware phishing attacks targeting organizations working at the Olympics, and allegations of cyberattacks from Russia — which has denied any involvement.

    North Korea has also been blamed for a series of cyber incidents including the WannaCry global ransomware attack, which infected 300,000 computers worldwide last May.

  4. Tomi Engdahl says:

    Half of All Cryptojacking Scripts Found on Porn Sites

    Almost 50% of all cryptojacking scripts (in-browser miners) are deployed on adult-themed sites, according to new numbers released this week by Qihoo 360′s Netlab division.

    Researchers gathered these numbers by using Netlab’s DNSMon system, a tool that analyzes relations in DNS traffic between web domains.

    According to researchers, 241 (0.24%) out of Alexa Top 100,000 websites, and 629 (0.21%) out of Alexa Top 300,000 websites are deploying JavaScript code that mines Monero using the users’ CPU power, most of it without the user’s permission. Also by the same numbers, Coinhive is by far the favorite cryptojacking script, found on 78% of all offending sites, with JSEcoin coming second with a 9% “market share.”

    Adult sites accounted for 49%, followed by fraud sites (8%), advertising domains (7%), cryptocurrency mining (7%), and film and television streaming sites (6%).

    The biggest surprise is that cryptojacking scripts were not often found on gaming-related domains, this category accounting for 1.4% of the sites in Netlab’s list

    Cryptojacking scripts are known to be efficient when loaded on sites where users spend a lot of time, allowing site operators to take full advantage of the user’s computing power. Gaming and video streaming portals are considered good places to run in-browser miners, as users tend to spend a lot of time on these types of sites.

    Seeing adult sites on the list is no surprise, as porn sites are usually some of the biggest offenders when it comes to intrusive and over-the-top advertising schemes.

    Google is readying to release the first version of Chrome with a built-in ad blocker next week
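    The Netlab figures above come from DNS relationships between domains; a complementary page-level check is to look at which scripts a page actually loads. The following is an added example, not code from the article or from Netlab: it flags pages that load a script from the Coinhive or JSEcoin hosts or instantiate the CoinHive browser API inline, and computes each family's share among offending pages, which is how the article's 78%/9% figures are framed. The hostnames, the API name and the sample pages are assumptions constructed for this example.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Miner families named in the Netlab report: Coinhive and JSEcoin.
# Hostnames and API names are assumptions about what these services used in
# early 2018; extend the tables with your own blocklist.
MINER_HOSTS = {
    "coinhive.com": "Coinhive",
    "load.jsecoin.com": "JSEcoin",
}
INLINE_PATTERNS = {
    "Coinhive": re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\("),
    "JSEcoin": re.compile(r"\bjsecoin\b", re.IGNORECASE),
}


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _host_of(url):
    m = re.match(r"^(?:https?:)?//([^/:?#]+)", url.strip())
    return m.group(1).lower() if m else ""


def find_miner_families(html):
    """Return the set of miner families a page's scripts reference."""
    p = _ScriptCollector()
    p.feed(html)
    found = set()
    for src in p.srcs:
        host = _host_of(src)
        for known, family in MINER_HOSTS.items():
            if host == known or host.endswith("." + known):
                found.add(family)
    for body in p.inline:
        for family, pat in INLINE_PATTERNS.items():
            if pat.search(body):
                found.add(family)
    return found


def miner_share(pages):
    """pages: {site: html}. Returns (offending pages, {family: share of offenders})."""
    counts, offenders = Counter(), 0
    for html in pages.values():
        fams = find_miner_families(html)
        if fams:
            offenders += 1
            counts.update(fams)
    return offenders, {f: n / offenders for f, n in counts.items()}


# Constructed sample pages (not real sites).
SAMPLE_PAGES = {
    "site-a": '<html><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
              '<script>var m = new CoinHive.Anonymous("SITEKEY"); m.start();</script></html>',
    "site-b": '<html><script src="https://load.jsecoin.com/load/12345/"></script></html>',
    "site-c": '<html><script src="/static/app.js"></script><p>no miner here</p></html>',
}
```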

  5. Tomi Engdahl says:

    NSA Used Public Tweets To Communicate With Russian Spies In Secret

    the hiding of a secret message in plain sight (or steganography) is a tactic that goes back millennia.

    Last week, reports in The New York Times and The Intercept revealed the National Security Agency (NSA) has been communicating with Russian spies using their public Twitter account, giving the old practice a 21st-century spin.

    More recently, spies have turned to the realm of the digital. In one case, the FBI discovered secret messages from Russian spies in New Jersey hidden in the pixels of photos posted on a public website.

  6. Tomi Engdahl says:

    Attackers had arbitrary script injection on thousands of sites including many NHS websites here in England. Just stop and think for a few moments about what exactly they could have done with that capability…

    Cryptojacking attack hits ~4,000 websites, including UK’s data watchdog

  7. Tomi Engdahl says:

    Be careful if Facebook suggests you install the “Onavo Protect” app – it’s a VPN app that forwards ALL of your network traffic to Facebook.

    Facebook is suggesting mobile users ‘Protect’ themselves…by downloading a Facebook-owned app that tracks their mobile usage

    Facebook is now pointing some users to a secure wireless networking app without disclosing it’s a Facebook-owned company.
    The app, Onavo Protect, also tracks users’ apps, how often they’re used and what websites users visit.

  8. Tomi Engdahl says:

    Cryptojacking attack hits ~4,000 websites, including UK’s data watchdog
    Posted yesterday by Natasha Lomas (@riptari)

    At first glance a CoinHive crypto miner being served by a website whose URL contains the string ‘ICO’ might not seem so strange.

    But when you know that ICO in this case stands for the UK’s Information Commissioner’s Office — aka the national data protection and privacy watchdog, whose URL ( predates both Bitcoin and the current craze for token sales — well, the extent of the cryptojacking security snafu quickly becomes apparent.
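    Comments 6 and 8 describe one miner reaching thousands of sites through a single shared third-party script. A standard browser-side mitigation is Subresource Integrity (SRI): the page pins the hash of the script it expects and the browser refuses to run a copy that no longer matches. The following is an added example, not code from the article or from any of the affected sites; the script bodies are constructed.

```python
import base64
import hashlib

# Hash functions the SRI specification allows in an integrity attribute.
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_integrity(script_bytes, algo="sha384"):
    """Return the integrity attribute value for a script body, e.g. 'sha384-<base64>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(script_bytes, integrity):
    """Check a fetched script body against an integrity value, as the browser does."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in SRI_ALGOS:
        return False
    return sri_integrity(script_bytes, algo) == integrity


def script_tag(src, script_bytes):
    """Emit the <script> tag a site would publish for a pinned third-party script."""
    return (f'<script src="{src}" integrity="{sri_integrity(script_bytes)}" '
            'crossorigin="anonymous"></script>')


# Constructed script bodies: the copy the site reviewed, and a later copy that
# has been changed on the third party's server.
ORIGINAL = b"(function () { /* accessibility widget */ })();\n"
TAMPERED = ORIGINAL + b"/* content appended later by someone else */\n"

if __name__ == "__main__":
    pinned = sri_integrity(ORIGINAL)
    print(script_tag("https://cdn.example.invalid/widget.js", ORIGINAL))
    print("original accepted:", sri_matches(ORIGINAL, pinned))
    print("tampered accepted:", sri_matches(TAMPERED, pinned))
```

The hash must be recomputed and the tag republished whenever the vendor legitimately updates the script, which is exactly the review step that an unpinned script skips.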

  9. Tomi Engdahl says:

    Nine Remotely Exploitable Vulnerabilities Found in Dell EMC Storage Platform

    Nine remotely exploitable vulnerabilities have been found in Dell EMC’s Isilon OneFS platform, a scale-out NAS storage platform that combines modular hardware with unified software to harness unstructured data.

    “Multiple vulnerabilities were found in the Isilon OneFS Web console that would allow a remote attacker to gain command execution as root,” warns an advisory released today.

    The vulnerabilities were discovered by researchers Ivan Huertas and Maximiliano Vidal from CoreLabs, the research center of Core Security, and disclosed to Dell in September 2017. A range of Isilon OneFS versions from to were found to be affected by two or more of the vulnerabilities. “Other products and versions might be affected, but they were not tested,” states the advisory.

  10. Tomi Engdahl says:

    Critical Code Execution Flaws Patched in Android

    Google this month addressed several critical severity remote code execution (RCE) vulnerabilities in the Android operating system.

    Split in two parts, the Android Security Bulletin for February 2018 resolves only 26 vulnerabilities in the mobile operating system, most of which are rated high severity. The vast majority of the security issues are elevation of privilege (EoP) bugs.

    A total of 7 issues were addressed with the 2018-02-01 security patch level, including 6 flaws in Media Framework and one vulnerability in the System component.

    This month, Google addressed two critical RCE bugs in Media Framework: CVE-2017-13228, which impacts Android 6.0 and newer, and CVE-2017-13230, which impacts Android 5.1.1 and later (it is considered a high risk denial-of-service (DoS) flaw on Android 7.0 and newer).

  11. Tomi Engdahl says:

    U.K. Officially Blames Russia for NotPetya Attack

    The United Kingdom on Thursday officially accused the Russian government of launching the destructive NotPetya attack, which had a significant financial impact on several major companies.

    British Foreign Office Minister for Cyber Security Lord Tariq Ahmad said the June 2017 NotPetya attack was launched by the Russian military and it “showed a continued disregard for Ukrainian sovereignty.”

    “The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it,” the official stated.

    “The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace,” he added.

  12. Tomi Engdahl says:

    Intel Offers $250,000 for Side-Channel Exploits

    Intel Opens Bug Bounty Program to All Researchers, Offers up to $250,000 for Flaws Similar to Meltdown and Spectre

    Intel on Wednesday announced major changes to its bug bounty program, including that it’s now open to all researchers, and significant rewards for exploits similar to Meltdown and Spectre.

    Researchers who find critical hardware vulnerabilities that allow software-based side-channel attacks – just like Meltdown and Spectre – can earn up to $250,000. Flaws classified as high severity are worth up to $100,000, while medium- and low-risk issues are worth up to $20,000 and $5,000, respectively. The severity of a flaw is determined based on its CVSS base score, adjusted depending on the security objectives and threat model of the targeted product.

    The part of Intel’s bug bounty program covering side-channel exploits will run until December 31, 2018.

  13. Tomi Engdahl says:

    Energy-efficient encryption for the internet of things

    Special-purpose chip reduces power consumption of public-key encryption by 99.75 percent, increases speed 500-fold.

  14. Tomi Engdahl says:

    U.S., Canada, Australia Attribute NotPetya Attack to Russia

    The United States, Canada, Australia and New Zealand have joined the United Kingdom in officially blaming Russia for the destructive NotPetya attack launched last summer. Moscow has denied the accusations.

    In a statement released on Thursday, the White House attributed the June 2017 attack to the Russian military and described it as “the most destructive and costly cyber-attack in history.”

    “The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas,” the White House Press Secretary stated. “It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.”

  15. Tomi Engdahl says:

    ‘DoubleDoor’ IoT Botnet Uses Two Backdoor Exploits

    A newly discovered Internet of Things (IoT) botnet is using two exploits to ensure it can not only bypass authentication on targeted devices, but also render additional protections useless, NewSky Security has discovered.

    Dubbed DoubleDoor, the botnet allows attackers to take over devices even if the user has authentication enabled and has added a firewall for additional protection. Specifically, the malware abuses CVE-2015-7755, a Juniper Networks ScreenOS exploit, and CVE-2016-10401, a Zyxel modem backdoor exploit (also abused by the Hide ‘N Seek botnet).

    What NewSky Security discovered was that the botnet first deploys the infamous Juniper Networks exploit, which essentially allows it to get past firewall authentication. The backdoor was initially discovered in the ScreenOS software running on NetScreen firewalls.

    Through this backdoor, the telnet and SSH daemons of Netscreen firewalls become accessible with the hardcoded password

    Next, the botnet attempts to deploy the backdoor for ZyXEL PK5001Z devices, which is pretty straightforward as well, using a hardcoded su password

    The DoubleDoor botnet was also observed performing reconnaissance to ensure the attack was successful and control of the IoT device was achieved.

    The botnet is currently in a nascent phase, with attacks observed only between Jan. 18 and Jan. 27, 2018. Most of the attacks were observed originating from South Korean IPs. The botnet’s attacks are expected to remain low, mainly because they are only effective if the victim runs a specific unpatched version of Juniper ScreenOS firewall and uses unpatched Zyxel modems.

  16. Tomi Engdahl says:

    One single character/symbol can crash all iPhones

    Sometimes very special bugs appear. Now, the Italian Mobile World site has found out that one of the only tags in the Telugu Telegraph in India will overwrite all messaging applications for iPhone phones. The problem concerns, for example, WhatsApp, iMessage, Mail, and Facebook Messenger.

    Obviously iOS cannot read that character. This is why the app crashes. The problem is that restarting the application will launch it to the same location where it crashed. The result is a chain of crashes that cannot be escaped without action.

    According to Apple, iOS version 11.3 is no longer affected by the bug, but all earlier versions are. In addition, the same problem obviously applies to macOS.


  17. Tomi Engdahl says:

    Two men charged in jackpotting scheme that drains ATMs in minutes
    As much as $50,000 taken from infected machine in Connecticut, prosecutors say.

    Two men have been charged with stealing huge amounts of cash through “Jackpotting,” a crime that causes malware-infected ATMs to rapidly empty their cash reserves to waiting accomplices.

    According to the complaint, police who searched the Accord ultimately found screwdrivers, pliers, Allen wrenches, an electronic device, cables, and wires. The car also contained a bag filled with a large number of $20 bills, prosecutors said. Both men also had a large number of $20 bills in their pockets, the complaint said.

    “Based on what I learned, these tools and electronic devices are consistent with the items needed to compromise an ATM… to dispense its cash contents,” Molly Reale, a special agent with the US Secret Service, wrote in the complaint.

    Word of the arrests comes a week after security reporter Brian Krebs reported what are believed to be some of the first jackpotting attacks to take place in the US. Those attacks used malware known as Ploutus.D to infect ATMs made by Diebold Nixdorf. Krebs published a follow-up post reporting that three suspects had been arrested in November after being caught in surveillance video Jackpotting ATMs in Wyoming and Utah. It’s not clear what connection may exist between the two defendant groups or between the crimes they’re alleged to have committed.

  18. Tomi Engdahl says:

    Six top US intelligence chiefs caution against buying Huawei phones

    The directors of the CIA, FBI, NSA and several other intelligence agencies express their distrust of Apple-rival Huawei and fellow Chinese telecom company ZTE.
    During a hearing, the intelligence chiefs commended American telecom companies for their measured resistance to the Chinese companies.
    Huawei has been trying to enter the U.S. market, first through a partnership with AT&T that was ultimately called off.

  19. Tomi Engdahl says:

    Crypto miners are striving for machinery – including in Finland

    According to the data maintained by the security company Check Point, Coinhive miners were already the second most widely spread malware in Finland’s business networks in January.

    On the top ten list of the most common malware, Coinhive held the top spot, and the list included two other cryptolouragers. In Finland, Coinhive was the second most commonly used corporate network malware after Fireball.

    Crypto miners are used by criminals, and miners are not illegal in themselves. However, cybercriminals may harness programs with the secret of some of the victims’ computers’ performance in extracting the crypto currencies themselves,


  20. Tomi Engdahl says:

    Cyber Intrusion Creates More Havoc for Washington State’s New Marijuana Tracking System

    Licensed marijuana product growers and retailers have been very unhappy with Washington State’s new “seed-to-sale” marijuana tracking system that went live on 1 February.

    Buggy software has kept many suppliers from shipping their products because of manifest errors and, equally, retailers from accepting their orders.

    It also has disclosed that the tracking system experienced a cyber intrusion.

    The intruder was able to access information for four days of marijuana deliveries.

    Like most other states that have legalized marijuana in some form, Washington State requires that marijuana products be tracked from seed, or when it’s planted, to sale to a customer.

    Nevada and California have also had problems with their marijuana tracking systems.

  21. Tomi Engdahl says:

    Jen Wieczner / Fortune:
    Hackers stole an estimated $50M+ over 3 years by buying Google Search ads, sending users to fake domains that looked like popular Bitcoin wallet

    Hackers Stole $50 Million in Cryptocurrency Using ‘Poison’ Google Ads

    For years, hackers have robbed Bitcoin investors, emptying their cryptocurrency wallets without fear of being caught thanks to the relative anonymity of the blockchain. Now, Cisco (csco, +0.59%) has exposed the thieves behind a string of particularly flagrant attacks.

    A Ukrainian hacker group dubbed Coinhoarder has stolen more than $50 million in cryptocurrency from users of, one of the most popular providers of digital currency wallets, according to a report published Wednesday by Cisco’s Talos cybersecurity team.

    The report explains how thieves preyed upon their victims using a “very simple” yet treacherous technique: Buying Google ads on popular search keywords related to cryptocurrency “to poison user search results” and snatch the contents of crypto wallets. This meant people Googling terms like “blockchain” or “bitcoin wallet,” saw links to malicious websites masquerading as legitimate domains for wallets.

    Blockchain, for its part, is working with Google “on a daily basis” to take down phishing ads, and secured the removal of almost 10,000 such malicious websites last year, along with another 3,000 it flagged in January alone, according to Blockchain CEO and co-founder Peter Smith.

    Cisco, which investigated the “massive phishing campaign” for more than six months in partnership with Ukraine’s Cyberpolice, noted that the Coinhoarder group’s method has since “become increasingly common in the wild, with attackers targeting many different crypto wallets and exchanges.”

    Phishing, which is just one of several techniques used to steal Bitcoin, is also deployed by the notorious North Korean hacking ring known as the Lazarus Group, which is likewise accused of perpetrating phishing attacks to steal cryptocurrency.

  22. Tomi Engdahl says:

    Steve Holland / Reuters:
    White House Council of Economic Advisers report: malicious cyber activity cost the US economy between $57B and $109B in 2016

    Malicious cyber activity cost U.S. up to $109 billion in 2016: White House report

    Malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016

  23. Tomi Engdahl says:

    Special counsel Robert Mueller indicts Russian bot farm for election meddling

    The indictment names the Internet Research Agency, a bot farm and disinformation operation based out of St. Petersburg, as one of the sources of the fake accounts meant to create divisions in American society. Those accounts were active on Facebook, Twitter and Instagram,

  24. Tomi Engdahl says:

    Swedish Public Healthcare Portal is sending your symptoms to Google

    Because of pure sloppiness in web design, the Swedish Public Healthcare portal is sending every single symptom and medication search to Google.

    The Swedish Public Healthcare portal 1177 — named so for historical reasons, since that is the Swedish “Dial-a-Nurse” phone number — is sending all your searches for embarrassing symptoms and sensitive medications to Google. Not as part of the search, ironically enough; it’s being sent to Google as part of Google Analytics

    This happens even when you’re browsing over HTTPS/SSL, because of how bad this design is

    They seem to get that they can’t use Google to actually search for the symptoms, since that would be intrusive, but then somebody bolts on Google Analytics to send all your symptoms and medications to Google anyway.

    This is so bad, I really don’t know how to articulate my feelings of despair and anger.

  25. Tomi Engdahl says:

    Flight Simulator Add-On Tried to Catch Pirates By Installing Password-Stealing Malware on Their Computers

    Malware included in the installer for pirated versions of the game steals usernames and passwords from Chrome: ‘This is by far one of the most extreme, and bizarre, methods of DRM we’ve ever seen.’

    “The inclusion of a malware, in the form of a password dumper, in a trusted installer for the sake of combating piracy is absolute insanity,” Andrew Mabbitt, founder of cybersecurity company Fidus Information Security

    FSLabs makes add-ons for the hyper popular Microsoft Flight Simulator

    included a file called “text.exe,” which is actually a password stealer

    When run, the program extracts all saved usernames and passwords from the Chrome browser and appears to send them to FSLabs.

    did not deny bundling a piece of malware with his product

    “There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites,”

    But, the malware file itself, even if not activated, was still “dropped on every single PC it [the FSLabs software] was installed on,” Mabbitt said.

    The company has released an updated version of its installer, this time without the password stealer.

  26. Tomi Engdahl says:

    FedEx customer information exposed in data breach

    An unsecured FedEx server was breached, exposing thousands of customers’ personal information, a prominent security research firm discovered earlier this month.

    Package forwarding service Bongo International was acquired by FedEx in 2014

    But an unsecured Amazon S3 server, according to the white hat research group Kromtech, was holding more than 100,000 scanned documents including passports, driver’s licenses, and security IDs. The white hat group responsibly disclosed the breach.

    In a statement a FedEx spokesperson said the server has since been secured, and the data wasn’t “misappropriated.”

