269 Comments
Tomi Engdahl says:
Cyber-stability wonks add election-ware to ‘civilised nations won’t hack this’ standard
Bad Vlad won’t care, but this puts voting infrastructure on par with DNS and BGP
https://www.theregister.co.uk/2018/05/29/global_commission_on_the_stability_of_cyberspace_electoral_infrastructure_norm/
The Global Commission on the Stability of Cyberspace (GCSC) has called for an end to cyber-attacks on electoral infrastructure.
The GCSC works to develop “norms” of behaviour it hopes governments and others will adopt in order to leave internet infrastructure untouched during conflict. The body believes that as the internet is now critical to civil society, international agreements should protect its operation so that bystanders to conflicts aren’t harmed by disruptions to online services. Microsoft, the Internet Society and the governments of The Netherlands, France and Singapore have all funded the group.
The Commission met last week and resolved that “State and non-state actors should not pursue, support or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda or plebiscites.”
Tomi Engdahl says:
Sonic and Ultrasonic Attacks Damage Hard Drives and Crash OSes
https://hardware.slashdot.org/story/18/05/30/0349202/sonic-and-ultrasonic-attacks-damage-hard-drives-and-crash-oses
Attackers can cause potentially harmful hard drive and operating system crashes by playing sounds over low-cost speakers embedded in computers or sold in stores, a team of researchers demonstrated last week. The attacks use sonic and ultrasonic sounds to disrupt magnetic HDDs as they read or write data. The researchers showed how the technique could stop some video-surveillance systems from recording live streams. Just 12 seconds of specially designed acoustic interference was all it took to cause video loss in a 720p system made by Ezviz. Sounds that lasted for 105 seconds or more caused the stock Western Digital 3.5 HDD in the device to stop recording altogether until it was rebooted. The device uses flash storage to house its firmware, but by default it uses a magnetic HDD to store the large quantities of video it records.
Sonic and ultrasonic attacks damage hard drives and crash OSes
Sounds played over off-the-shelf or embedded speakers often require a reboot.
https://arstechnica.com/information-technology/2018/05/attackers-can-send-sounds-to-ddos-video-recorders-and-pcs/
Attackers can cause potentially harmful hard drive and operating system crashes by playing sounds over low-cost speakers embedded in computers or sold in stores, a team of researchers demonstrated last week.
The attacks use sonic and ultrasonic sounds to disrupt magnetic HDDs as they read or write data.
“For such systems, the integrity of the recorded data is vital to the usefulness of the system, which makes them susceptible to acoustic interference or vibration attacks,” the researchers wrote in a paper titled “Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems.”
The technique was also able to disrupt HDDs in desktop and laptop computers running both Windows and Linux. In some cases, it even required a reboot before the PCs worked properly. The technique took as little as 45 seconds to cause a Dell XPS 15 9550 laptop to become temporarily unresponsive when it was exposed to a “self-stimulation attack.”
The technique works because audible sound can cause an HDD’s head stack assembly to vibrate outside of normal bounds. The vibrations push the head far enough from the center of the drive track to temporarily prevent writing.
The researchers, who demonstrated the technique at last week’s IEEE Symposium on Security and Privacy, have proposed several methods for detecting and preventing the attacks, some of which can be implemented with simple firmware tweaks.
Tomi Engdahl says:
Blue Note: How Intentional Acoustic Interference Damages Availability and Integrity in Hard Disk Drives and Operating Systems
https://spqr.eecs.umich.edu/papers/bolton-blue-note-IEEESSP-2018.pdf
Magnetic HDDs remain common [1] because of the long tail of legacy systems and the relatively inexpensive cost for high capacity storage. However, sudden movement can damage the hard drive or corrupt data because of the tight operating constraints on the read/write head(s) and disk(s). Thus, modern drives use shock sensors to detect such movement and safely park the read/write head.
Previous research has indicated that loud audible sounds, such as shouting or fire alarms, can cause drive components to vibrate, disturbing throughput
Audible sounds can even cause HDDs to become unresponsive
What remains a mystery is how and why intentional vibration causes bizarre malfunctions in HDDs and undefined behavior in operating systems. In our work, we explore how sustained, intentional vibration at resonant frequencies can cause permanent data loss, program crashes, and unrecoverable physical loss in HDDs from three different vendors
Our work assumes an adversary that uses vibration to interfere with a HDD on a target machine, typically induced through use of a speaker.
An adversary can attack a HDD by inducing vibration via acoustic emitters built into the victim system (or a nearby system).
A self-stimulated attack may use a standard phishing attack, malicious email, or malicious javascript to deliver audio to a laptop’s speakers. Most laptops have speakers and the ability to browse the Internet. Modern browsers support JavaScript and HTML5, both of which are capable of playing audio without user permission. Therefore, should a victim visit a page owned by the attacker, the attacker would be able to play audio over the victim’s speakers.
Physical Proximity Attacks. An attacker can induce vibration using a speaker near the victim system. T
When the attacker is able to physically place the speaker, the attacker can choose a speaker with the desired frequency range (audible, near ultrasound, or ultrasound). In addition, the attacker can choose non-traditional acoustic emitters that may beamform signals to attack a drive from long distance. A Long Range Acoustic Device (LRAD) can send audible acoustic waves above 95 dB SPL miles away in open air
Tomi Engdahl says:
U.S. Attributes Two More Malware Families to North Korea
https://www.securityweek.com/us-attributes-two-more-malware-families-north-korea
The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra.
The latest alert attributes the Joanap backdoor trojan and the Brambul worm to the North Korean government. It provides IP addresses and other indicators of compromise (IoC) associated with these threats in an effort to help organizations protect their networks against attacks.
The threat actor tracked by the U.S. government as Hidden Cobra is known in the cybersecurity community as Lazarus Group.
Tomi Engdahl says:
Europol Creates Dark Web Investigations Team
https://www.securityweek.com/europol-creates-dark-web-investigations-team
The European Union’s law enforcement agency today announced the creation of a dedicated team that will be investigating activity across the dark web.
The newly established Dark Web Investigations Team, embedded within Europol’s European Cybercrime Centre (EC3), is the result of a Europol initiative “to create a coordinated law enforcement approach to tackle crime on the dark web.”
The dedicated team will have participation from EU law enforcement agencies, operational third parties, and other relevant partners.
Through EC3, Europol has been long supporting investigations of criminal marketplaces on the dark web, and helped last year with the takedown of some of the largest dark web markets, such as AlphaBay.
Tomi Engdahl says:
Attack Bypasses AMD’s Virtual Machine Encryption
https://www.securityweek.com/attack-bypasses-amds-virtual-machine-encryption
A group of German researchers has devised a new attack method capable of bypassing AMD’s Secure Encrypted Virtualization (SEV).
Used by AMD data-center processors, SEV is a hardware feature that provides secure encryption of virtual machines (VMs) to protect VM memory from physical attacks and cross-VM and hypervisor-based attacks.
In a whitepaper (PDF), Fraunhofer AISEC researchers present an attack carried out from a malicious hypervisor and capable of “extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines.” Named SEVered, the attack requires a remote communication service running in the VM.
https://arxiv.org/pdf/1805.09604.pdf
Tomi Engdahl says:
BackSwap Trojan Uses New Browser Monitoring and Injection Techniques
https://www.securityweek.com/backswap-trojan-uses-new-browser-monitoring-and-injection-techniques
A newly discovered banking Trojan uses innovative techniques to detect when a bank’s website is accessed and to inject malicious code into targeted pages, ESET warns.
Dubbed BackSwap, the malware no longer relies on complex process injection methods to keep track of browsing activity, but hooks key window message loop events instead.
“This is a seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks,” the security firm explains.
BackSwap malware finds innovative ways to empty bank accounts
https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/
Tomi Engdahl says:
Open Source Tool From FireEye Helps Detect Malicious Logins
https://www.securityweek.com/open-source-tool-fireeye-helps-detect-malicious-logins
FireEye has released GeoLogonalyzer, an open source tool that can help organizations detect malicious logins based on geolocation and other data.
Many organizations need to allow their employees to connect to enterprise systems from anywhere in the world. However, threat actors often rely on stolen credentials to access a targeted company’s systems.
Identifying legitimate logins and malicious ones can be challenging, but FireEye hopes to solve the problem with its GeoLogonalyzer, which leverages what the company calls GeoFeasibility.
GeoLogonalyzer analyzes authentication logs containing timestamps, usernames, and IP addresses, and highlights any changes, including related to anomalies, data center hosting information, location data, ASN information, and time and distance metrics.
https://www.fireeye.com/blog/threat-research/2018/05/remote-authentication-geofeasibility-tool-geologonalyzer.html
Tomi Engdahl says:
GeoLogonalyzer is a utility to analyze remote access logs for anomalies such as travel feasibility and data center sources.
https://github.com/fireeye/GeoLogonalyzer
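A travel-feasibility check of the kind described for GeoLogonalyzer above, as an added example (not FireEye's code and not part of the original comments). The GeoIP table, the log lines, the function names, and the speed and distance thresholds are all constructed assumptions.

```python
import csv
import io
import math
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for a GeoIP/ASN lookup: IP -> (lat, lon, place, is_datacenter).
# Addresses come from the RFC 5737 documentation ranges.
GEO_DB = {
    "192.0.2.10": (40.7128, -74.0060, "New York", False),
    "192.0.2.77": (40.7357, -74.1724, "Newark", False),
    "198.51.100.23": (1.3521, 103.8198, "Singapore", False),
    "203.0.113.5": (50.1109, 8.6821, "Frankfurt", True),
}

# Constructed authentication log: timestamp (UTC), username, source IP.
SAMPLE_LOG = """\
2018-05-29T08:00:00,alice,192.0.2.10
2018-05-29T08:40:00,alice,192.0.2.77
2018-05-29T10:00:00,alice,198.51.100.23
2018-05-29T09:00:00,bob,192.0.2.10
2018-05-30T09:00:00,bob,203.0.113.5
2018-05-29T11:00:00,carol,10.0.0.8
"""

MAX_SPEED_KMH = 1000.0   # assumption: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0  # assumption: ignore short hops, GeoIP is imprecise at city scale


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * radius_km * math.asin(math.sqrt(a))


def parse_log(text):
    """Group logons per user and sort each user's logons by time."""
    per_user = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines
        ts, user, ip = row
        per_user[user].append((datetime.fromisoformat(ts), ip))
    for logons in per_user.values():
        logons.sort()
    return per_user


def analyze(text, geo_db=GEO_DB, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, finding, detail) tuples for anomalous logons."""
    findings = []
    for user, logons in parse_log(text).items():
        prev = None  # last logon of this user that resolved to a location
        for when, ip in logons:
            geo = geo_db.get(ip)
            if geo is None:
                # Private or unknown address: report it, never guess a location.
                findings.append((user, "UNRESOLVED", ip))
                continue
            lat, lon, place, is_datacenter = geo
            if is_datacenter:
                findings.append((user, "DATACENTER", ip))
            if prev is not None:
                p_when, p_lat, p_lon, p_place = prev
                km = haversine_km(p_lat, p_lon, lat, lon)
                hours = (when - p_when).total_seconds() / 3600.0
                # Simultaneous logons from distant places imply infinite speed.
                speed = km / hours if hours > 0 else math.inf
                if km > MIN_DISTANCE_KM and speed > max_speed_kmh:
                    findings.append((user, "INFEASIBLE_TRAVEL", f"{p_place}->{place}"))
            prev = (when, lat, lon, place)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A feasible-speed logon can still be flagged as a data center source, which is why the two findings are reported independently.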
Tomi Engdahl says:
26 of the 115 most popular VPNs are secretly keeping tabs on you
https://thenextweb.com/security/2018/03/27/26-popular-115-vpns-keeping-tabs-saying-theyre-not/
A recent investigation into 115 of the world’s most popular VPN services revealed that many are antithetical to their stated claims. To build trust, providers make promises not to track users through logs or other identifying information. But as a popular VPN comparison site found out, this isn’t always true.
The Best VPN recently peeked under the hood of over 100 of the biggest VPN services. All told, 26 of them collect three or more important log files that could contain personal and identifying information — things like your IP address, location, bandwidth data, and connection timestamps.
Tomi Engdahl says:
USA needs law ‘a lot like GDPR’ says Salesforce CEO Marc Benioff
As his company smashes Q1 2019
https://www.theregister.co.uk/2018/05/30/salesforce_q1_2019/
Salesforce CEO Marc Benioff thinks the USA needs “a national privacy law … that probably looks a lot like GDPR.”
“This is going to help our industry,” he said on an earnings call for Salesforce’s Q1 2019 results. “It’s going to set the guardrails around trust, around safety. It’s going to provide the ability for the customers to interact with great next generation technologies in a safe way.”
Tomi Engdahl says:
NPM Fails Worldwide With “ERR! 418 I’m a Teapot” Error
https://www.bleepingcomputer.com/news/technology/npm-fails-worldwide-with-err-418-im-a-teapot-error/
Users of the NPM JavaScript package manager were greeted by a weird error yesterday evening, as their consoles and applications spewed a message of “ERR! 418 I’m a teapot” whenever they tried to update or install a new JavaScript/Node.js package.
Tomi Engdahl says:
Catalin Cimpanu / BleepingComputer.com:
Ubiquitous code repository project Git patches two flaws, including one letting an attacker execute code on systems that recursively cloned a malicious Git repo
Malicious Git Repository Can Lead to Code Execution on Remote Systems
https://www.bleepingcomputer.com/news/security/malicious-git-repository-can-lead-to-code-execution-on-remote-systems/
The developers behind Git and various companies providing Git repository hosting services have pushed out a fix to patch a dangerous vulnerability in the Git source code versioning software.
The fix is included with Git 2.17.1, which patches two security bugs, CVE-2018-11233 and CVE-2018-11235.
Tomi Engdahl says:
Deb Riechmann / Associated Press:
FBI and DHS say North Korea used two pieces of malware to target US infrastructure and aerospace, financial, and media companies over nine years
US says North Korea behind malware attacks
https://www.apnews.com/9fb4327df4994d93a3b5c49ee227b2e0/US-says-North-Korea-behind-malware-attacks
Tomi Engdahl says:
Paul Elias / Associated Press:
US judge sentences Toronto man to five years in prison and fines him $250K for using data stolen in giant Yahoo data breach to hack into private email accounts
Hacker gets 5 years for Russian-linked Yahoo security breach
https://www.apnews.com/2664cefa070e470584a59bd56f8688a5/Hacker-sentenced-to-5-years-for-major-Yahoo-security-breach
A young computer hacker who prosecutors say unwittingly worked with a Russian spy agency was sentenced to five years in prison Tuesday for using data stolen in a massive Yahoo data breach to gain access to private emails.
Tomi Engdahl says:
‘SIGNIFICANT’ FBI ERROR REIGNITES DATA ENCRYPTION DEBATE
https://www.wired.com/story/significant-fbi-error-reignites-data-encryption-debate/
Author: Lily Hay Newman
05.23.18, 07:02 PM
Law enforcement agencies including the FBI have long criticized data encryption as a threat to their ability to fight crime. They argue that encryption allows bad actors to “go dark,” impeding agents’ ability to access the data of suspects, even with court orders or warrants. After years of raising the alarm about the going-dark problem, though, officials have yet to convince privacy advocates that undermining encryption protections would do more good than harm. And critics say that the FBI in particular has failed to show the problem is significant.
A Tuesday report in the Washington Post fueled this debate, revealing that the FBI had vastly overstated the number of devices to which it could not gain access.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
Researcher discovers bug in Valve’s platform, present for 10 years, that exposed all 125M users to exploitation until Valve fixed it in March 2018
An Exploit Left Millions of Steam Users Vulnerable for the Past 10 Years
https://motherboard.vice.com/en_us/article/9k8qv5/steam-exploit-left-users-vulnerable-for-10-years
A security researcher found a serious vulnerability that allowed hackers to take control of a Steam user’s computer.
Hackers could have taken advantage of a nasty bug in the hugely popular video game platform Steam to take over victims’ computers.
“This bug could have been used as the basis for a highly reliable exploit,” Court wrote. “This was a very simple bug, made relatively straightforward to exploit due to a lack of modern exploit protections.”
In other words, by exploiting this bug, hackers could have executed code on the victim’s machine, effectively taking full control over it.
Court said that the takeaway for this bug is that developers need to constantly review old and aging code and make sure it conforms to “modern security standards.”
Court also published a proof-of-concept video on YouTube in which he launches the calculator app (a standard trick for a hacking demo) on the target’s system taking advantage of this bug.
Tomi Engdahl says:
Devin Coldewey / TechCrunch:
Government investigation finds 73% of federal agencies at risk of being unable to detect data access attempts, 84% fail at encrypting data at rest, more
Government investigation finds federal agencies failing at cybersecurity basics
https://techcrunch.com/2018/05/30/government-investigation-finds-federal-agencies-failing-at-cybersecurity-basics/
The Office of Management and Budget reports that the federal government is a shambles — cybersecurity-wise, anyway. Finding little situational awareness, few standard processes for reporting or managing attacks and almost no agencies adequately performing even basic encryption, the OMB concluded that “the current situation is untenable.”
All told, nearly three quarters of federal agencies have cybersecurity programs that qualified as either “at risk” (significant gaps in security) or “high risk” (fundamental processes not in place).
1. “Agencies do not understand and do not have the resources to combat the current threat environment.”
2. “Agencies do not have standardized cybersecurity processes and IT capabilities.”
3. “Agencies lack visibility into what is occurring on their networks, and especially lack the ability to detect data exfiltration.”
4. “Agencies lack standardized and enterprise-wide processes for managing cybersecurity risks.”
73 percent can’t detect attempts to access large volumes of data.
84 percent of agencies failed to meet goals for encrypting data at rest.
https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-Release.pdf
Tomi Engdahl says:
Washington Post:
China hacked a US Navy contractor early this year and stole 614GB of classified data, including plans for a supersonic anti-ship missile for US submarines — Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related …
http://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html
Chinese government hackers have compromised the computers of a Navy contractor, stealing massive amounts of highly sensitive data related to undersea warfare — including secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020, according to American officials.
The breaches occurred in January and February, the officials said, speaking on the condition of anonymity to discuss an ongoing investigation.
The officials did not identify the contractor.
Taken were 614 gigabytes of material relating to a closely held project known as Sea Dragon, as well as signals and sensor data, submarine radio room information relating to cryptographic systems, and the Navy submarine development unit’s electronic warfare library.
The data stolen was of a highly sensitive nature despite being housed on the contractor’s unclassified network.
The breach is part of China’s long-running effort to blunt the U.S. advantage in military technology and become the preeminent power in East Asia.