Shodan already publishes a ship tracker. We think this only uses AIS data, publicly available. We’ve broken new ground by linking satcom terminal version details to live GPS position data.
Many satcom terminals on ships are available on the public internet. Many have default credentials, admin/1234 being very common.
So that’s an easy way to hijack the satellite communications and take admin rights on the terminal on board.
We applied our expertise in IoT, automotive and SCADA hardware security to a Cobham (Thrane & Thrane) Fleet One satellite terminal
Caveat: all of the vulnerabilities we cover here are resolved by setting a strong admin password, as per the manufacturers guidance. Either that, or they aren’t particularly significant.
First, we found that the admin interfaces were over telnet and HTTP. Pulling the firmware, we found a lack of firmware signing – the validation check was simply a CRC
Then, we discovered that we could edit the entire web application running on the terminal. That lends itself to attacks.
Further, there was no rollback protection for the firmware.
admin interface passwords were embedded in the configs, hashed with unsalted MD5.
Hardly ‘defence in depth’! Reminder: these are all fixed by setting a strong admin password. We found lots more, but can’t disclose these yet.
Sending a ship the wrong way: hacking the ECDIS
ECDIS are the electronic chart systems that are needed to navigate. They can slave directly to the autopilot – most modern vessels are in ‘track control’ mode most of the time, where they follow the ECDIS course.
Hack the ECDIS and you may be able to crash the ship, particularly in fog.
We tested over 20 different ECDIS units and found all sorts of crazy security flaws.
we could ‘jump’ the boat by spoofing the position of the GPS receiver on the ship.
Worse, we could reconfigure the ECDIS to make the ship appear to be a kilometre square
Other ships AIS will alert the ships captain to a collision scenario.
The ethernet and serial networks are often ‘bridged’ at several points, including the GPS, the satcom terminal, the ECDIS and many other points
OT systems are used to control the steering gear, engines, ballast pumps and lots more. They communicate using NMEA 0183 messages.
There is no message authentication, encryption or validation of these messages. They’re plain text.
If the autopilot is engaged, one could change the rudder command by modifying a GPS autopilot command
Conclusion
Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems.
If you are about to start implementing an ISO 27001-compliant ISMS (information security management system), then you should probably know that there is a tight link between a successful ISMS implementation project and penetration testing.
An ISMS covers three key components: people, processes and technology.
As part of this research, VDOO researchers found zero-day vulnerabilities in devices of several vendors. These vulnerabilities were disclosed to the vendors, according to responsible disclosure best practices, and will be shared gradually after the disclosure periods are concluded.
Combining the discovered vulnerabilities, if an adversary successfully obtains the address of the camera, he can gain root access to the affected cameras remotely (over LAN or the internet). VDOO has responsibly disclosed these vulnerabilities (CVE-2018-6830, CVE-2018-6831 and CVE-2018-6832) and engaged with Foscam security team to solve the matter.
To the better of our knowledge, these vulnerabilities were not exploited in the wild, and therefor did not lead to any concrete privacy violation or security threat to Foscam customers.
Brian Krebs: “If indeed the MyHeritage user database was taken and stored by a malicious hacker (as opposed to inadvertently exposed by an employee), there is a good chance that the attackers will be trying to crack all user passwords. And if any of those passwords are crackable, the attackers will then of course get access to the more personal data on those users.”
In its years-long efforts to censor the Internet by blocking access to a large number of websites in the country, Russia has now approved a new bill introducing fines for search engines that provide links to banned sites, VPN services, and anonymization tools.
According to the bill, individuals who break the law will face fine of 3,000 to 5,000 rubles (approx. $48 to $80), officials will face fines up to 50,000 rubles (approx. $800), and legal entities could be fined 500,000 to 700,000 (nearly $8,019 to $11,227), reports Russian State Duma Government site.
Many Russian citizens use VPNs and other Internet proxy services to access blocked content by routing their traffic through servers outside the country.
F-Secure has fixed a severe vulnerability in its home and enterprise antivirus products that could have allowed an attacker to execute malicious code on the user’s machine and take over affected PCs
The actual vulnerability doesn’t affect F-Secure directly, but the 7-Zip file archiving software, which F-Secure uses to decompress archives, scan them for threats, and repackage the original file.
Vulnerability really resides in 7-Zip
A security researcher going by the pseudonym of “landave” discovered this particular vulnerability (CVE-2018-10115) in March and worked with 7-Zip team to fix the problem.
KillDisk has been around for several years, and was used in attacks targeting Ukraine’s energy sector in 2015, orchestrated by the Russia-linked threat actor BlackEnergy.
Initially designed to wipe hard drives and render systems inoperable, the malware received file-encrypting capabilities in late 2016, with a Linux-targeting variant of the ransomware spotted shortly after.
In January, Trend Micro security researchers observed a new variant of the malware in Latin America, and revealed that the threat was once again deleting files and wiping the disk.
One of the attacks, the security firm reveals, was related to a foiled heist on the organization’s system connected to the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).
The threat can wipe all of the physical hard disks on the infected system. To wipe the MBR, it retrieves the handle of the hard disk, overwrites the first sector of the disk (512 bytes) with “0×00”, attempts the same routine on all hard disks, then forces the machine to shut down.
Ben Wallach is Theresa May’s security minister; he has proposed that the UK follow China’s example and require that any place providing internet access use bank-account verification to affirmatively identify all the people who use the internet so they can be punished for bullying.
The minister characterised this as a choice between “the wild west or a civilised society”; he claimed that forcing people to identify themselves before they speak would end “mob rule on the internet.”
He said that social media companies should bear the cost of tracking the identities of all their users.
Real-name policies have proved to be a boon to authoritarian rulers; in Cambodia, dictator Hun Sen has embraced Facebook, creating a direct pipeline to Facebook’s real-name compliance team that his government uses to force critics to reveal their real identities (exposing them to arrest and torture), or leave the platform.
In the UK — where libel laws favour the rich and powerful — the ability to speak anonymously has been key to uncovering the historic sex abuse scandal
Britain’s “great firewall” has been vastly expanded under Blair’s Labour government, the Tory/Libdem coalition, and the current Tory government. Originally a secret blacklist of sites alleged to host images of the sexual abuse of children, the firewall is now a sprawling list of “extremist” sites, sites alleged to promote copyright infringement, markets alleged to sell counterfeit goods, etc.
While the world’s eyes watch Donald Trump and Kim Jong-Un meet in Singapore, journalists have seemingly been treated rather well while covering the event.
But caution has been advised over one tiny freebie.
Not only have the 3,000 journalists been well-fed during the summit, they’ve also received a goody bag.
However, also enclosed was a blue, innocent-looking mini USB fan, a nod to Singapore’s searing temperatures.
“Do not plug this in. Do not keep it,” tweeted journalist Barton Gellman, who led coverage on the U.S. National Security Agency after receiving top secret documents from Edward Snowden.
The risk is the device could be a covert method of installing malware onto the computers of journalists covering the summit.
“It certainly can be a security risk,” Matthew Warren, professor of cyber security at Australia’s Deakin University, explained to Mashable.
“The idea of the USB is a way of connecting devices to computers, and either exchanging data or drawing power for operations. The problem is, there’s been a number of examples where USB devices can be hijacked and malicious code can be put on them.”
Security researchers Karsten Nohl and Jakob Lell demonstrated malware they had developed, called BadUSB, at the Black Hat Conference back in 2014.
“Security hasn’t been built in to these USB devices,” Warren added. “I certainly wouldn’t be putting [the fan] in my machine.”
In the first quarter of 2018 alone, Americans on Android mobile phones accessed 23 suspected malicious URLs per minute. From fake virus alerts to phoney dating sites, new Android scams have targeted a huge number of victims so far this year.
A massive report just out from PSafe’s dfndr lab has analyzed 200 million digital files from more than 21 million active users of their security app.
So, what type of scams gained the most clicks from those 21 million smartphone owners? Here’s the rundown on the top three scams that worked the most often in the first few months of this year, as well as a few other fascinating insights the PSafe team gleaned from their app data.
#3: Fake Giveaways
One popular method scammers have been using to phish for personal data on Android mobile phones? Fake promotional stunts and sweepstakes.
#2: Adult Dating Sites
We all know that sex sells, but it turns out it scams, as well.
#1: Fake Virus Alerts
The biggest type of scam on Android phones in the first few months of 2018? False virus warnings.
In this scam, a banner ads pops up on a phone claiming to be a system alert from the phone itself. It states that the phone is infected and urges the user to immediately download an antivirus app. Of course, the software isn’t an antivirus at all, but the malware that the user was trying to avoid in the first place.
Before I explain the details of the vulnerability, you should take a look at the proof-of-concept.
Punycode makes it possible to register domains with foreign characters. It works by converting individual domain label to an alternative format using only ASCII characters.
From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn–pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061). This is known as a homograph attack.
Fortunately modern browsers have mechanisms in place to limit IDN homograph attacks. The page IDN in Google Chrome highlights the conditions under which an IDN is displayed in its native Unicode form. Generally speaking, the Unicode form will be hidden if a domain label contains characters from multiple different languages.
A Chinese infosec researcher has reported about an “almost impossible to detect” phishing attack that can be used to trick even the most careful users on the Internet.
He warned, hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon to steal login or financial credentials and other sensitive information from users.
What is the best defence against phishing attack? Generally, checking the address bar after the page has loaded and if it is being served over a valid HTTPS connection. Right?
Okay, then before going to the in-depth details, first have a look at this demo web page
Tech rookie put decimal point in wrong place, cost insurer zillions
Colleagues kindly told him error had him marked for death by angry drug cartel https://www.theregister.co.uk/2018/06/11/who_me/
“The year was 1988,” Paul told Who, me? “I had just left school at 16 and started my first job as a clerical assistant at Lloyds of London.”
Paul was a clever chap and understood computers “so was given a task relating to updating the exchange rates for all currencies” to convert the value of an insurance claim into the currency used by claimants.
But Paul put the decimal point in the wrong place, “effectively wiping millions of pounds off the value of the claims.”
This being 1988, the output of the system was processed manually and the volume of transactions – several hundred thousand per day – meant the error went undetected for “almost two weeks.”
But then Lloyds “began to get calls from irate brokers across the globe demanding to know why their claims had been drastically slashed!”
“While there was no hiding from the fact it was my fault, I never got the blame: that fell squarely on to my boss’ shoulders for not checking my work!”
Spanish soccer league “La Liga” is using its official Android app to create an army of millions of piracy spies. The app can access microphone and location data to scan for restaurants, bars, and other establishments that broadcast their matches without a license. “Protect your team,” La Liga notes, while encouraging users to enable the functionality.
Even though sports streaming services are widely available in most countries, people are not always willing to pay for them.
This applies to individuals, who turn to pirate sites or other unauthorized channels, but also to businesses such as bars and restaurants.
The latter group is seen as a thorn in the side by many rightsholders.
With consent from the user, the app will analyze the audio in its surroundings to check if one of La Liga’s matches is being played. It then pairs that with GPS data to see if that location is an authorized broadcaster.
The microphone will only be activated when La Liga is broadcasting its football matches, the policy further clarifies.
The spying tool was spotted by Eldiario.es, which reached out to “La Liga” for additional information.
The organization states that it has to resort to these kinds of measures since piracy is resulting in losses of up to 150 million euros. It doesn’t mention how the data will be used
You probably have come across many websites that let you install browser extensions without ever going to the official Chrome web store.
It’s a great way for users to install an extension, but now Google has decided to remove the ability for websites to offer “inline installation” of Chrome extensions on all platforms.
Google announced today in its Chromium blog that by the end of this year, its Chrome browser will no longer support the installation of extensions from outside the Web Store in an effort to protect its users from shady browser extensions.
At least 5% of all the Monero cryptocurrency currently in circulation has been mined using malware, and about 2% of the total daily hashrate comes from devices infected with cryptocurrency-mining malware.
These numbers are the results of in-depth research of the coin-mining malware scene by security researchers from Palo Alto Networks.
According to researchers, 84% of all malware samples they’ve detected were focused on mining for the Monero cryptocurrency, by far the most popular coin among malware groups.
Because Monero-based coin-mining malware must embed in its source code the mining pool and Monero address through which the malware operates and collects ill-gotten funds, researchers have been able to track most of the money these groups generated on infected devices.
According to Palo Alto Networks researchers, criminal groups have mined an approximate total of 798,613.33 Monero coins (XMR) using malware on infected devices.
That’s over $108 million in US currency, just from coin-mining operations alone. This sum also represents around 5% of all the Monero currently in circulation —15,962,350 XMR.
Over 43 million email addresses have leaked from the command and control server of a spam botnet, a security researcher has told Bleeping Computer today.
The leaky server came to light while a threat intelligence analyst from Vertek Corporation, was looking into a recent malware campaign distributing a version of the Trik trojan, which was later infecting users with a second-stage payload —the GandCrab 3 ransomware.
Okta Rex (Research and Exploitation) researcher Josh Pitts has discovered a method of exploiting the code signing mechanism in MacOS. If exploited, the flaw could allow malicious untrusted code to masquerade as legitimate trusted code and bypass checks by other security software.
“To date, the popularity of malicious cryptocurrency mining activity continues to skyrocket. The large growth of malware mining cryptocurrencies is a direct result of a previous spike in value, which has since corrected to a value that is more in line with expectations. As this correction has taken place, only time will tell if cryptocurrency miners will continue in popularity. It is clear that such activities have been incredibly profitable for individuals or groups who have mined cryptocurrency using malicious techniques for a long period of time,” Palo Alto concludes.
A recently discovered piece of crypto-currency miner malware isn’t only abusing a National Security Agency-linked remote code execution exploit to spread, but also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.
Dubbed PyRoMineIoT, the malware is similar to the PyRoMine crypto-currency miner that was detailed in late April. Both mine for Monero, both are Python-based, and both use the EternalRomance exploit for propagation purposes (the vulnerability was patched in April last year).
Many vendors ship Android devices with the Android Debug Bridge (ADB) feature enabled, thus rendering them exposed to various attacks, security researcher Kevin Beaumont has discovered.
ADB is a feature meant to provide developers with the ability to easily communicate with devices remotely, to execute commands and fully control the device. Because it doesn’t require authentication, ADB allows anyone to connect to a device, install apps and execute commands.
In theory, the device should be first connected via USB to enable ADB, but Beaumont has discovered that some vendors ship Android devices with the feature enabled right from the start. The Debug Bridge listens on port 5555, and anyone can connect to the device over the Internet.
“During research for this article, we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition,” the security researcher notes.
Android has a feature called Android Debug Bridge (ADB for short) which allows developers to communicate with a device remotely, to execute commands and fully control the device.
“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.” — Android’s developer portal
It is completely unauthenticated, meaning anybody can connect to a device running ADB to execute commands. However, to enable it — in theory — you have to physically connect to a device using USB and first enable the Debug Bridge.
Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.
This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’* — the administrator mode — and then silently install software and execute malicious functions.
These are not problems with Android Debug Bridge itself; ADB is not designed to be deployed in this manner.
*in theory root shouldn’t be available in non-Development builds, but there’s an apparent bypass on some devices – adb shell “su -c command”.
Hardware wallets are devices used exclusively to store the highly sensitive cryptographic information that authenticates cryptocurrency transactions. They are useful if one is worried about the compromise of a general purpose computer leading to the loss of such secrets (and thus loss of the funds the secrets identify).
There were some discussions on reddit whether TREZOR, a hardware wallet for securely storing Bitcoins, can be attacked using side channels like power fluctuations, electromagnetic radiations or similar. Such an attack would allow for retrieving the private key that gives access to the Bitcoins stored on the TREZOR. Usually the discussions of side-channel attacks mention the code that signs a Bitcoin transaction. To sign a transaction on the TREZOR, you need to enter the secret PIN first. So this is not useful in the scenario where the attacker has physical access to the device but does not know the PIN.
However, also the generation of the public key may leak some information via a side channel. Until firmware 1.3.2 of TREZOR this was not PIN protected. Therefore, I investigated whether it is possible to use a side channel to recover the private key from the public key computation.
I found a cheap oscilloscope (Hantek 6022BE) for 62 EUR. (By now, the price has risen to 73 EUR at amazon). The goal was to measure power consumption of my TREZOR over time to see whether I can detect which code it is executing or even recover the private keys.
To measure the power consumption, I measured the current going through the USB cable. Since an oscilloscope can only measure voltage, I inserted a 10 Ohm resistor (for 0.05 EUR) into the mass wire of the USB cable. Thus, the voltage over this resistor is directly proportional to the current through the resistor, which is more or less proportional to the power consumption of the TREZOR.
To compute the master private key, an algorithm called PBKDF-2 is executed. During this period, the power consumption of the processor is higher than when the algorithm pauses to refresh the display (which it does eight times). After the last refresh the public key of the TREZOR is computed. When zooming close into the different parts, one can distinguish the PBKDF-2 algorithm from the part where the public key is computed.
Jack Nicas / New York Times:
Apple says an upcoming software update will disable an iPhone’s Lightning port if phone isn’t used for an hour, closing loophole letting police crack devices
into iPhones, angering police and other officials and reigniting a debate over whether the government has a right to get into the personal devices that are at the center of modern life.
Apple said it was planning an iPhone software update that would effectively disable the phone’s charging and data port
an hour after the phone is locked. While a phone can still be charged, a person would first need to enter the phone’s password to transfer data to or from the device using the port.
Such a change would hinder law enforcement officials, who have typically been opening locked iPhones by connecting another device running special software to the port, often days or even months after the smartphone was last unlocked.
Kyle Wiggers / VentureBeat:
Oracle debuts Internet Intelligence Map, a free real-time visualization of internet threats, so hijacks, submarine cable breaks, and more can easily be spotted — Distributed denial of service attacks. Malware. State-imposed internet blackouts. It’s hard to keep abreast of every bad actor …
Distributed denial of service attacks. Malware. State-imposed internet blackouts. It’s hard to keep abreast of every bad actor and natural disaster impacting the internet,
Internet Intelligence Map, a real-time graphical representation of service interruptions and emerging threats.
Emil Protalinski / VentureBeat:
Google disables inline installation for Chrome extensions, which let users install them from third-party sites; existing extensions will be affected in 3 months
Google today announced that Chrome will no longer support inline installation of extensions. New extensions lose inline installation starting today, existing extensions will lose the ability in three months
Disabling inline installation, which lets users install extensions directly from websites, will affect Windows, Mac, Linux, and Chrome OS users. Unlike Firefox, Chrome still does not support extensions on mobile platforms.
Yoko Kubota / Wall Street Journal:
Records and sources say China will begin using electronic identification system to track cars nationwide on July 1; compliance will be compulsory from Jan. 2019 — National plan to electronically scan autos adds to the ways Beijing can monitor its citizens, also including video cameras and facial recognition technology
National plan to electronically scan autos adds to the ways Beijing can monitor its citizens, also including video cameras and facial recognition technology
Kaspersky Suspends Collaboration With Europol and NoMoreRansom
Kaspersky Lab has suspended its collaboration with Europol and the NoMoreRansom initiative after the European Parliament passed a resolution that describes the company’s software as being “malicious.”
Kaspersky is not trusted by some governments due to its alleged ties to Russian intelligence, which has sparked concerns that the company may be spying for Moscow.
The call for a ban on Kaspersky’s products in the European Union is part of a report on cyber defense written by Estonian MEP Urmas Paet of the Committee on Foreign Affairs.
The next-to-last proposal in the report “Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.”
The resolution was approved with 476 votes in favor and 151 against. In response, Kaspersky Lab’s founder and CEO, Eugene Kaspersky, said his company would be freezing collaboration with Europol and the NoMoreRansom project, and highlighted that the EU’s decision “welcomes cybercrime in Europe.”
Kaspersky is one of the private sector companies that founded NoMoreRansom, and it has helped Europol in several major cybercrime investigations, including a $1 billion cyber-heist.
A China-linked cyber espionage group has targeted a national data center in Central Asia and experts believe the goal is to conduct watering hole attacks on the country’s government websites.
The threat actor is tracked as LuckyMouse, Emissary Panda, APT27 and Threat Group 3390. The group has been active since at least 2010, targeting hundreds of organizations around the world, including U.S. defense contractors, financial services firms, a European drone maker, and the U.S.-based subsidiary of a French energy management company.
Researchers at Kaspersky Lab recently identified a new attack carried out by this actor. The security firm spotted the campaign in March 2018, but believes it was launched in the fall of 2017.
The attack targeted a national data center in an unnamed country in Central Asia. Researchers say the goal is likely to inject malicious JavaScript code into the government websites connected to the data center in order to conduct watering hole attacks.
When accessed, the compromised government websites served either the Browser Exploitation Framework (BeEF), a penetration testing suite that focuses on the web browser, or the ScanBox reconnaissance framework.
A top US intelligence official warned football fans traveling to Russia for the World Cup that their phones and computers could be hacked by Moscow’s cyber spies.
William Evanina, Director of the National Counterintelligence and Security Center, said that in Russia, even people who believe they are too unimportant to be hacked can be targeted.
“Anyone traveling to Russia to attend the World Cup should be clear-eyed about the cyber risks involved,” Evanina said in a statement.
“If you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you — make no mistake — any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cyber criminals.”
Dixons Carphone, a household name in the UK, announced (PDF) today that it is investigating “unauthorised access to certain data held by the company.” It describes this access as “an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores,” and “1.2m records containing non-financial personal data, such as name, address or email address…”
This may turn out to be the biggest ever breach in the UK.
Exploit kits (EKs) might not be as dominant as they were several years ago, but they continue to exist and most of them already adopted exploits for recently discovered Flash and Internet Explorer zero-day vulnerabilities.
The first of the flaws is CVE-2018-4878, a security bug in Adobe’s Flash Player discovered in late January, when it was exploited by a North Korean hacker group in attacks aimed at individuals in South Korea. Adobe released a patch within a week after the bug became public, but it continued to be targeted in numerous other attacks.
The second is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows, and which was addressed with the May 2018 Patch Tuesday updates. The bug is an update to a 2-year-old VBScript vulnerability (CVE-2016-0189) that continues to be abused in attacks.
Cortana, an artificial intelligence-based smart assistant that Microsoft has built into every version of Windows 10, could help attackers unlock your system password.
With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana that could allow hackers to break into a locked Windows 10 system and execute malicious commands with the user’s privileges.
With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana
Microsoft has classified the flaw as “important” because exploitation of this vulnerability requires an attacker to have physical or console access to the targeted system and the targeted system also needs to have Cortana enabled.
Calls on the EU to perform a comprehensive review of software, IT and
communications equipment and infrastructure used in the institutions in order to
exclude potentially dangerous programmes and devices,
and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab
US law enforcement announced today the arrests of 74 individuals accused of orchestrating BEC (business email compromise) scams through which they stole millions from users across the world.
New technologies such as Google Nearby and Silverpush use ultrasonic sounds to exchange information between devices via loudspeakers and microphones (also called “data over audio”).
Ultrasonic communication allows devices to be paired and information to be exchanged. It also makes it possible to track users and their behaviour over a number of devices, much like cookies on the Web. Almost every device with a microphone and a loudspeaker can send and receive ultrasonic sounds. Users are usually unaware of this inaudible and hidden data transmission.
The SoniControl project of St. Pölten University of Applied Sciences has developed a mobile application that detects acoustic cookies, brings them to the attention of users and if desired, blocks the tracking. The app is thus, in a sense, the first available ultrasound-firewall for smartphones and tablets. “
One of the vulnerabilities Microsoft addressed with the June 2018 security patches was a flaw in Cortana that could allow an attacker to elevate privileges and execute code from the lock screen.
The issue, discovered by Cedric Cochin, Cyber Security Architect and Senior Principle Engineer at McAfee, is tracked as CVE-2018-8140. The bug can be abused to execute code on the impacted machine, directly from the lock screen.
In an advisory, Microsoft explains that the vulnerability “exists when Cortana retrieves data from user input services without consideration for status.” The company confirms the possible exploitation to execute commands with elevated permissions.
Security companies Fortinet and Kromtech found seventeen tainted Docker containers that were essentially downloadable images containing programs that had been designed to mine cryptocurrencies. Further investigation found that they had been downloaded 5 million times, suggesting that hackers were able to inject commands into insecure containers to download this code into otherwise healthy web applications. The researchers found the containers on Docker Hub, a repository for user images.
A new security standard called TLS 1.3 is the latest big change to how our browsers communicate, but the process by which it was created is a little weirder and less structured than you might think.
“Anyone can participate from anywhere. There’s no cost — you can just send your stuff in,”
“This time we did things a little different,” Sean said. “We actually put the document on GitHub and let anyone comment. And then we were getting these comments where we were like, who are these people and how are they so good at this?”
Despite said facilitation, the process of creating TLS 1.3 took four years, which for people in the security world is simultaneously forever and no time at all.
Standards must be ruthlessly vetted and optimized, since once in place they’ll be used billions of times a day
“Every week there was another attack and people were like, ‘please make this stop,’ ”
“We had participation from lots of people: browser makers, privacy advocates, Mozilla, the ACLU.
“We don’t vote, we use things like hum,”
“It gives a chance to be more anonymous rather than raising a hand or vote,”
Dan Goodin / Ars Technica:
Researcher details SigSpoof, a recently patched critical flaw in PGP that allowed hackers to spoof digital email signatures, says the bug dates back to 1998 — SigSpoof flaw fixed inGnuPG, Enigmail, GPGTools, and python-gnupg. — For their entire existence, some of the world’s …
For their entire existence, some of the world’s most widely used email encryption tools have been vulnerable to hacks that allowed attackers to spoof the digital signature of just about any person with a public key, a researcher said Wednesday. GnuPG, Enigmail, GPGTools, and python-gnupg have all been updated to patch the critical vulnerability. Enigmail and the Simple Password Store have also received patches for two related spoofing bugs.
Digital signatures are used to prove the source of an encrypted message, data backup, or software update. Typically, the source must use a private encryption key to cause an application to show that a message or file is signed. But a series of vulnerabilities dubbed SigSpoof makes it possible in certain cases for attackers to fake signatures with nothing more than someone’s public key or key ID, both of which are often published online. The spoofed email shown at the top of this post can’t be detected as malicious without doing forensic analysis that’s beyond the ability of many users.
The flaw, indexed as CVE-2018-12020, means that decades’ worth of email messages many people relied on for sensitive business or security matters may have in fact been spoofs. It also has the potential to affect uses that went well beyond encrypted email.
“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure,” Marcus Brinkmann, the software developer who discovered SigSpoof, wrote in an advisory published Wednesday. “GnuPG is not only used for email security but also to secure backups, software updates in distributions, and source code in version control systems like Git.”
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
We are a professional review site that has advertisement and can receive compensation from the companies whose products we review. We use affiliate links in the post so if you use them to buy products through those links we can get compensation at no additional cost to you.OkDecline
282 Comments
Tomi Engdahl says:
Tracking and hacking ships: satellite communications
https://www.pentestpartners.com/security-blog/hacking-tracking-stealing-and-sinking-ships/
Shodan already publishes a ship tracker. We think this only uses AIS data, publicly available. We’ve broken new ground by linking satcom terminal version details to live GPS position data.
Many satcom terminals on ships are available on the public internet. Many have default credentials, admin/1234 being very common.
So that’s an easy way to hijack the satellite communications and take admin rights on the terminal on board.
We applied our expertise in IoT, automotive and SCADA hardware security to a Cobham (Thrane & Thrane) Fleet One satellite terminal
Caveat: all of the vulnerabilities we cover here are resolved by setting a strong admin password, as per the manufacturers guidance. Either that, or they aren’t particularly significant.
First, we found that the admin interfaces were over telnet and HTTP. Pulling the firmware, we found a lack of firmware signing – the validation check was simply a CRC
Then, we discovered that we could edit the entire web application running on the terminal. That lends itself to attacks.
Further, there was no rollback protection for the firmware.
admin interface passwords were embedded in the configs, hashed with unsalted MD5.
Hardly ‘defence in depth’! Reminder: these are all fixed by setting a strong admin password. We found lots more, but can’t disclose these yet.
Sending a ship the wrong way: hacking the ECDIS
ECDIS are the electronic chart systems that are needed to navigate. They can slave directly to the autopilot – most modern vessels are in ‘track control’ mode most of the time, where they follow the ECDIS course.
Hack the ECDIS and you may be able to crash the ship, particularly in fog.
We tested over 20 different ECDIS units and found all sorts of crazy security flaws.
we could ‘jump’ the boat by spoofing the position of the GPS receiver on the ship.
Worse, we could reconfigure the ECDIS to make the ship appear to be a kilometre square
Other ships AIS will alert the ships captain to a collision scenario.
The ethernet and serial networks are often ‘bridged’ at several points, including the GPS, the satcom terminal, the ECDIS and many other points
OT systems are used to control the steering gear, engines, ballast pumps and lots more. They communicate using NMEA 0183 messages.
There is no message authentication, encryption or validation of these messages. They’re plain text.
If the autopilot is engaged, one could change the rudder command by modifying a GPS autopilot command
Conclusion
Ship security is in its infancy – most of these types of issues were fixed years ago in mainstream IT systems.
Tomi Engdahl says:
How does penetration testing fit in with your ISO 27001 ISMS project?
https://www.itgovernance.co.uk/blog/how-does-penetration-testing-fit-in-with-your-iso-27001-isms-project/
If you are about to start implementing an ISO 27001-compliant ISMS (information security management system), then you should probably know that there is a tight link between a successful ISMS implementation project and penetration testing.
An ISMS covers three key components: people, processes and technology.
Tomi Engdahl says:
Major Vulnerabilities in Foscam Cameras
https://blog.vdoo.com/2018/06/06/vdoo-has-found-major-vulnerabilities-in-foscam-cameras/
As part of this research, VDOO researchers found zero-day vulnerabilities in devices of several vendors. These vulnerabilities were disclosed to the vendors, according to responsible disclosure best practices, and will be shared gradually after the disclosure periods are concluded.
Combining the discovered vulnerabilities, if an adversary successfully obtains the address of the camera, he can gain root access to the affected cameras remotely (over LAN or the internet). VDOO has responsibly disclosed these vulnerabilities (CVE-2018-6830, CVE-2018-6831 and CVE-2018-6832) and engaged with Foscam security team to solve the matter.
To the better of our knowledge, these vulnerabilities were not exploited in the wild, and therefor did not lead to any concrete privacy violation or security threat to Foscam customers.
Tomi Engdahl says:
Brian Krebs: “If indeed the MyHeritage user database was taken and stored by a malicious hacker (as opposed to inadvertently exposed by an employee), there is a good chance that the attackers will be trying to crack all user passwords. And if any of those passwords are crackable, the attackers will then of course get access to the more personal data on those users.”
https://krebsonsecurity.com/2018/06/researcher-finds-credentials-for-92-million-users-of-dna-testing-firm-myheritage/
Tomi Engdahl says:
https://twofactorauth.org
Tomi Engdahl says:
Russia to Fine Search Engines for Linking to Banned VPN services
Saturday, June 09, 2018 Mohit Kumar
https://thehackernews.com/2018/06/russian-vpn-services.html
In its years-long efforts to censor the Internet by blocking access to a large number of websites in the country, Russia has now approved a new bill introducing fines for search engines that provide links to banned sites, VPN services, and anonymization tools.
According to the bill, individuals who break the law will face fine of 3,000 to 5,000 rubles (approx. $48 to $80), officials will face fines up to 50,000 rubles (approx. $800), and legal entities could be fined 500,000 to 700,000 (nearly $8,019 to $11,227), reports Russian State Duma Government site.
Many Russian citizens use VPNs and other Internet proxy services to access blocked content by routing their traffic through servers outside the country.
Tomi Engdahl says:
F-Secure Fixes Serious Vulnerability in Antivirus Products
https://www.bleepingcomputer.com/news/security/f-secure-fixes-serious-vulnerability-in-antivirus-products/
F-Secure has fixed a severe vulnerability in its home and enterprise antivirus products that could have allowed an attacker to execute malicious code on the user’s machine and take over affected PCs
The actual vulnerability doesn’t affect F-Secure directly, but the 7-Zip file archiving software, which F-Secure uses to decompress archives, scan them for threats, and repackage the original file.
Vulnerability really resides in 7-Zip
A security researcher going by the pseudonym of “landave” discovered this particular vulnerability (CVE-2018-10115) in March and worked with 7-Zip team to fix the problem.
Tomi Engdahl says:
Over a third of EU businesses are suffering data theft
https://www.itproportal.com/news/over-a-third-of-eu-businesses-are-suffering-data-theft/
By Sead Fadilpašić 2018-06-08T10:00:17.158ZNews
Last year, three in four businesses suffered a DNS attack, according to new figures from EfficientIP.
Tomi Engdahl says:
New KillDisk Variant Hits Latin America
https://www.securityweek.com/new-killdisk-variant-hits-latin-america
KillDisk has been around for several years, and was used in attacks targeting Ukraine’s energy sector in 2015, orchestrated by the Russia-linked threat actor BlackEnergy.
Initially designed to wipe hard drives and render systems inoperable, the malware received file-encrypting capabilities in late 2016, with a Linux-targeting variant of the ransomware spotted shortly after.
In January, Trend Micro security researchers observed a new variant of the malware in Latin America, and revealed that the threat was once again deleting files and wiping the disk.
One of the attacks, the security firm reveals, was related to a foiled heist on the organization’s system connected to the SWIFT network (Society for Worldwide Interbank Financial Telecommunication).
The threat can wipe all of the physical hard disks on the infected system. To wipe the MBR, it retrieves the handle of the hard disk, overwrites the first sector of the disk (512 bytes) with “0×00”, attempts the same routine on all hard disks, then forces the machine to shut down.
Tomi Engdahl says:
UK security minister proposes “Digital IDs” to enforce online civility
https://boingboing.net/2018/06/11/authoritarian-britain.html
Ben Wallach is Theresa May’s security minister; he has proposed that the UK follow China’s example and require that any place providing internet access use bank-account verification to affirmatively identify all the people who use the internet so they can be punished for bullying.
The minister characterised this as a choice between “the wild west or a civilised society”; he claimed that forcing people to identify themselves before they speak would end “mob rule on the internet.”
He said that social media companies should bear the cost of tracking the identities of all their users.
Real-name policies have proved to be a boon to authoritarian rulers; in Cambodia, dictator Hun Sen has embraced Facebook, creating a direct pipeline to Facebook’s real-name compliance team that his government uses to force critics to reveal their real identities (exposing them to arrest and torture), or leave the platform.
In the UK — where libel laws favour the rich and powerful — the ability to speak anonymously has been key to uncovering the historic sex abuse scandal
Britain’s “great firewall” has been vastly expanded under Blair’s Labour government, the Tory/Libdem coalition, and the current Tory government. Originally a secret blacklist of sites alleged to host images of the sexual abuse of children, the firewall is now a sprawling list of “extremist” sites, sites alleged to promote copyright infringement, markets alleged to sell counterfeit goods, etc.
Tomi Engdahl says:
Not everyone is so hot about this free USB fan handed to journalists at Trump-Kim summit
https://uk.finance.yahoo.com/news/not-everyone-hot-free-usb-044521887.html?guccounter=1
While the world’s eyes watch Donald Trump and Kim Jong-Un meet in Singapore, journalists have seemingly been treated rather well while covering the event.
But caution has been advised over one tiny freebie.
Not only have the 3,000 journalists been well-fed during the summit, they’ve also received a goody bag.
However, also enclosed was a blue, innocent-looking mini USB fan, a nod to Singapore’s searing temperatures.
“Do not plug this in. Do not keep it,” tweeted journalist Barton Gellman, who led coverage on the U.S. National Security Agency after receiving top secret documents from Edward Snowden.
The risk is the device could be a covert method of installing malware onto the computers of journalists covering the summit.
“It certainly can be a security risk,” Matthew Warren, professor of cyber security at Australia’s Deakin University, explained to Mashable.
“The idea of the USB is a way of connecting devices to computers, and either exchanging data or drawing power for operations. The problem is, there’s been a number of examples where USB devices can be hijacked and malicious code can be put on them.”
Security researchers Karsten Nohl and Jakob Lell demonstrated malware they had developed, called BadUSB, at the Black Hat Conference back in 2014.
“Security hasn’t been built in to these USB devices,” Warren added. “I certainly wouldn’t be putting [the fan] in my machine.”
Tomi Engdahl says:
The Top Scams that Android Users Fall For
https://tech.co/the-top-scams-android-users-fall-for-2018-06
In the first quarter of 2018 alone, Americans on Android mobile phones accessed 23 suspected malicious URLs per minute. From fake virus alerts to phoney dating sites, new Android scams have targeted a huge number of victims so far this year.
A massive report just out from PSafe’s dfndr lab has analyzed 200 million digital files from more than 21 million active users of their security app.
So, what type of scams gained the most clicks from those 21 million smartphone owners? Here’s the rundown on the top three scams that worked the most often in the first few months of this year, as well as a few other fascinating insights the PSafe team gleaned from their app data.
#3: Fake Giveaways
One popular method scammers have been using to phish for personal data on Android mobile phones? Fake promotional stunts and sweepstakes.
#2: Adult Dating Sites
We all know that sex sells, but it turns out it scams, as well.
#1: Fake Virus Alerts
The biggest type of scam on Android phones in the first few months of 2018? False virus warnings.
In this scam, a banner ads pops up on a phone claiming to be a system alert from the phone itself. It states that the phone is infected and urges the user to immediately download an antivirus app. Of course, the software isn’t an antivirus at all, but the malware that the user was trying to avoid in the first place.
Tomi Engdahl says:
Phishing with Unicode Domains
https://www.xudongz.com/blog/2017/idn-phishing/
Before I explain the details of the vulnerability, you should take a look at the proof-of-concept.
Punycode makes it possible to register domains with foreign characters. It works by converting individual domain label to an alternative format using only ASCII characters.
From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “xn–pple-43d.com”, which is equivalent to “аpple.com”. It may not be obvious at first glance, but “аpple.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061). This is known as a homograph attack.
Fortunately modern browsers have mechanisms in place to limit IDN homograph attacks. The page IDN in Google Chrome highlights the conditions under which an IDN is displayed in its native Unicode form. Generally speaking, the Unicode form will be hidden if a domain label contains characters from multiple different languages.
Tomi Engdahl says:
This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera
Monday, April 17, 2017 Mohit Kumar
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html
A Chinese infosec researcher has reported about an “almost impossible to detect” phishing attack that can be used to trick even the most careful users on the Internet.
He warned, hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon to steal login or financial credentials and other sensitive information from users.
What is the best defence against phishing attack? Generally, checking the address bar after the page has loaded and if it is being served over a valid HTTPS connection. Right?
Okay, then before going to the in-depth details, first have a look at this demo web page
https://xn--80ak6aa92e.com/
Tomi Engdahl says:
Tech rookie put decimal point in wrong place, cost insurer zillions
Colleagues kindly told him error had him marked for death by angry drug cartel
https://www.theregister.co.uk/2018/06/11/who_me/
“The year was 1988,” Paul told Who, me? “I had just left school at 16 and started my first job as a clerical assistant at Lloyds of London.”
Paul was a clever chap and understood computers “so was given a task relating to updating the exchange rates for all currencies” to convert the value of an insurance claim into the currency used by claimants.
But Paul put the decimal point in the wrong place, “effectively wiping millions of pounds off the value of the claims.”
This being 1988, the output of the system was processed manually and the volume of transactions – several hundred thousand per day – meant the error went undetected for “almost two weeks.”
But then Lloyds “began to get calls from irate brokers across the globe demanding to know why their claims had been drastically slashed!”
“While there was no hiding from the fact it was my fault, I never got the blame: that fell squarely on to my boss’ shoulders for not checking my work!”
Tomi Engdahl says:
Soccer League Turns App Users Into Piracy Spies
By Ernesto on June 11, 2018
https://torrentfreak.com/soccer-league-turns-app-users-into-piracy-spies-180611/
Spanish soccer league “La Liga” is using its official Android app to create an army of millions of piracy spies. The app can access microphone and location data to scan for restaurants, bars, and other establishments that broadcast their matches without a license. “Protect your team,” La Liga notes, while encouraging users to enable the functionality.
Even though sports streaming services are widely available in most countries, people are not always willing to pay for them.
This applies to individuals, who turn to pirate sites or other unauthorized channels, but also to businesses such as bars and restaurants.
The latter group is seen as a thorn in the side by many rightsholders.
With consent from the user, the app will analyze the audio in its surroundings to check if one of La Liga’s matches is being played. It then pairs that with GPS data to see if that location is an authorized broadcaster.
The microphone will only be activated when La Liga is broadcasting its football matches, the policy further clarifies.
The spying tool was spotted by Eldiario.es, which reached out to “La Liga” for additional information.
The organization states that it has to resort to these kinds of measures since piracy is resulting in losses of up to 150 million euros. It doesn’t mention how the data will be used
Tomi Engdahl says:
Google Blocks Chrome Extension Installations From 3rd-Party Sites
Tuesday, June 12, 2018 Swati Khandelwal
https://thehackernews.com/2018/06/chrome-extension-intallation.html
You probably have come across many websites that let you install browser extensions without ever going to the official Chrome web store.
It’s a great way for users to install an extension, but now Google has decided to remove the ability for websites to offer “inline installation” of Chrome extensions on all platforms.
Google announced today in its Chromium blog that by the end of this year, its Chrome browser will no longer support the installation of extensions from outside the Web Store in an effort to protect its users from shady browser extensions.
Tomi Engdahl says:
Around 5% of All Monero Currently in Circulation Has Been Mined Using Malware
https://www.bleepingcomputer.com/news/security/around-5-percent-of-all-monero-currently-in-circulation-has-been-mined-using-malware/
At least 5% of all the Monero cryptocurrency currently in circulation has been mined using malware, and about 2% of the total daily hashrate comes from devices infected with cryptocurrency-mining malware.
These numbers are the results of in-depth research of the coin-mining malware scene by security researchers from Palo Alto Networks.
According to researchers, 84% of all malware samples they’ve detected were focused on mining for the Monero cryptocurrency, by far the most popular coin among malware groups.
Because Monero-based coin-mining malware must embed in its source code the mining pool and Monero address through which the malware operates and collects ill-gotten funds, researchers have been able to track most of the money these groups generated on infected devices.
According to Palo Alto Networks researchers, criminal groups have mined an approximate total of 798,613.33 Monero coins (XMR) using malware on infected devices.
That’s over $108 million in US currency, just from coin-mining operations alone. This sum also represents around 5% of all the Monero currently in circulation —15,962,350 XMR.
Tomi Engdahl says:
Trik Spam Botnet Leaks 43 Million Email Addresses
https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/
Over 43 million email addresses have leaked from the command and control server of a spam botnet, a security researcher has told Bleeping Computer today.
The leaky server came to light while a threat intelligence analyst from Vertek Corporation, was looking into a recent malware campaign distributing a version of the Trik trojan, which was later infecting users with a second-stage payload —the GandCrab 3 ransomware.
Tomi Engdahl says:
Email attacks still biggest threat to UK businesses
By Sead Fadilpašić 2018-06-12T10:00:03.162ZNews
Growing cost of email attacks linked to increasing risk of employee behaviour.
https://www.itproportal.com/news/email-attacks-still-biggest-threat-to-uk-businesses/
Tomi Engdahl says:
Microsoft June 2018 Patch Tuesday Pushes 11 Critical Security Updates
Tuesday, June 12, 2018 Mohit Kumar
https://thehackernews.com/2018/06/microsoft-june-security-patch.html
Tomi Engdahl says:
Microsoft Releases Mitigations for Spectre-Like ‘Variant 4′ Attack
https://www.securityweek.com/microsoft-releases-mitigations-spectre-variant-4-attack
Tomi Engdahl says:
Code Signing Flaw Affects all Mac OS Versions Since 2005
https://www.securityweek.com/code-signing-flaw-affects-all-mac-os-versions-2005
Okta Rex (Research and Exploitation) researcher Josh Pitts has discovered a method of exploiting the code signing mechanism in MacOS. If exploited, the flaw could allow malicious untrusted code to masquerade as legitimate trusted code and bypass checks by other security software.
Tomi Engdahl says:
$175 Million in Monero Mined via Malicious Programs: Report
https://www.securityweek.com/175-million-monero-mined-malicious-programs-report
“To date, the popularity of malicious cryptocurrency mining activity continues to skyrocket. The large growth of malware mining cryptocurrencies is a direct result of a previous spike in value, which has since corrected to a value that is more in line with expectations. As this correction has taken place, only time will tell if cryptocurrency miners will continue in popularity. It is clear that such activities have been incredibly profitable for individuals or groups who have mined cryptocurrency using malicious techniques for a long period of time,” Palo Alto concludes.
Tomi Engdahl says:
New ‘PyRoMineIoT’ Malware Spreads via NSA-Linked Exploit
https://www.securityweek.com/new-pyromineiot-malware-spreads-nsa-linked-exploit
A recently discovered piece of crypto-currency miner malware isn’t only abusing a National Security Agency-linked remote code execution exploit to spread, but also abuses infected machines to scan for vulnerable Internet of Things (IoT) devices.
Dubbed PyRoMineIoT, the malware is similar to the PyRoMine crypto-currency miner that was detailed in late April. Both mine for Monero, both are Python-based, and both use the EternalRomance exploit for propagation purposes (the vulnerability was patched in April last year).
Tomi Engdahl says:
Many Android Devices Ship with ADB Enabled
https://www.securityweek.com/many-android-devices-ship-adb-enabled
Many vendors ship Android devices with the Android Debug Bridge (ADB) feature enabled, thus rendering them exposed to various attacks, security researcher Kevin Beaumont has discovered.
ADB is a feature meant to provide developers with the ability to easily communicate with devices remotely, to execute commands and fully control the device. Because it doesn’t require authentication, ADB allows anyone to connect to a device, install apps and execute commands.
In theory, the device should be first connected via USB to enable ADB, but Beaumont has discovered that some vendors ship Android devices with the feature enabled right from the start. The Debug Bridge listens on port 5555, and anyone can connect to the device over the Internet.
“During research for this article, we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition,” the security researcher notes.
Root Bridge — how thousands of internet connected Android devices now have no security, and are being exploited by criminals.
https://doublepulsar.com/root-bridge-how-thousands-of-internet-connected-android-devices-now-have-no-security-and-are-b46a68cb0f20?gi=cd7686af2bf8
Android has a feature called Android Debug Bridge (ADB for short) which allows developers to communicate with a device remotely, to execute commands and fully control the device.
“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.” — Android’s developer portal
It is completely unauthenticated, meaning anybody can connect to a device running ADB to execute commands. However, to enable it — in theory — you have to physically connect to a device using USB and first enable the Debug Bridge.
Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.
This is highly problematic as it allows anybody — without any password — to remotely access these devices as ‘root’* — the administrator mode — and then silently install software and execute malicious functions.
These are not problems with Android Debug Bridge itself; ADB is not designed to be deployed in this manner.
*in theory root shouldn’t be available in non-Development builds, but there’s an apparent bypass on some devices – adb shell “su -c command”.
Tomi Engdahl says:
A Close Eye on Power Exposes Private Keys
https://hackaday.com/2018/06/11/a-close-eye-on-power-exposes-private-keys/
Hardware wallets are devices used exclusively to store the highly sensitive cryptographic information that authenticates cryptocurrency transactions. They are useful if one is worried about the compromise of a general purpose computer leading to the loss of such secrets (and thus loss of the funds the secrets identify).
Extracting the Private Key from a TREZOR
… with a 70 $ Oscilloscope
https://jochen-hoenicke.de/trezor-power-analysis/
There were some discussions on reddit whether TREZOR, a hardware wallet for securely storing Bitcoins, can be attacked using side channels like power fluctuations, electromagnetic radiations or similar. Such an attack would allow for retrieving the private key that gives access to the Bitcoins stored on the TREZOR. Usually the discussions of side-channel attacks mention the code that signs a Bitcoin transaction. To sign a transaction on the TREZOR, you need to enter the secret PIN first. So this is not useful in the scenario where the attacker has physical access to the device but does not know the PIN.
However, also the generation of the public key may leak some information via a side channel. Until firmware 1.3.2 of TREZOR this was not PIN protected. Therefore, I investigated whether it is possible to use a side channel to recover the private key from the public key computation.
I found a cheap oscilloscope (Hantek 6022BE) for 62 EUR. (By now, the price has risen to 73 EUR at amazon). The goal was to measure power consumption of my TREZOR over time to see whether I can detect which code it is executing or even recover the private keys.
To measure the power consumption, I measured the current going through the USB cable. Since an oscilloscope can only measure voltage, I inserted a 10 Ohm resistor (for 0.05 EUR) into the mass wire of the USB cable. Thus, the voltage over this resistor is directly proportional to the current through the resistor, which is more or less proportional to the power consumption of the TREZOR.
To compute the master private key, an algorithm called PBKDF-2 is executed. During this period, the power consumption of the processor is higher than when the algorithm pauses to refresh the display (which it does eight times). After the last refresh the public key of the TREZOR is computed. When zooming close into the different parts, one can distinguish the PBKDF-2 algorithm from the part where the public key is computed.
Tomi Engdahl says:
Jack Nicas / New York Times:
Apple says an upcoming software update will disable an iPhone’s Lightning port if phone isn’t used for an hour, closing loophole letting police crack devices
Apple to Close iPhone Security Hole That Police Use to Crack Devices
https://www.nytimes.com/2018/06/13/technology/apple-iphone-police.html
into iPhones, angering police and other officials and reigniting a debate over whether the government has a right to get into the personal devices that are at the center of modern life.
Apple said it was planning an iPhone software update that would effectively disable the phone’s charging and data port
an hour after the phone is locked. While a phone can still be charged, a person would first need to enter the phone’s password to transfer data to or from the device using the port.
Such a change would hinder law enforcement officials, who have typically been opening locked iPhones by connecting another device running special software to the port, often days or even months after the smartphone was last unlocked.
Tomi Engdahl says:
Kyle Wiggers / VentureBeat:
Oracle debuts Internet Intelligence Map, a free real-time visualization of internet threats, so hijacks, submarine cable breaks, and more can easily be spotted — Distributed denial of service attacks. Malware. State-imposed internet blackouts. It’s hard to keep abreast of every bad actor …
Oracle’s Internet Intelligence Map presents a real-time view of online threats
https://venturebeat.com/2018/06/13/oracles-internet-intelligence-map-presents-a-real-time-view-of-online-threats/
Distributed denial of service attacks. Malware. State-imposed internet blackouts. It’s hard to keep abreast of every bad actor and natural disaster impacting the internet,
Internet Intelligence Map, a real-time graphical representation of service interruptions and emerging threats.
It’s available for free starting today.
https://internetintel.oracle.com/index.html
https://map.internetintel.oracle.com/
Tomi Engdahl says:
Emil Protalinski / VentureBeat:
Google disables inline installation for Chrome extensions, which let users install them from third-party sites; existing extensions will be affected in 3 months
Google disables inline installation for Chrome extensions
https://venturebeat.com/2018/06/12/google-disables-inline-installation-for-chrome-extensions/
Google today announced that Chrome will no longer support inline installation of extensions. New extensions lose inline installation starting today, existing extensions will lose the ability in three months
Disabling inline installation, which lets users install extensions directly from websites, will affect Windows, Mac, Linux, and Chrome OS users. Unlike Firefox, Chrome still does not support extensions on mobile platforms.
https://developer.chrome.com/webstore/inline_installation
Tomi Engdahl says:
Tom Simonite / Wired:
Fired employee alleges in a lawsuit that Clarifai, an AI startup working on Project Maven, was hacked from Russia and did not promptly report it to the Pentagon
https://www.wired.com/story/startup-working-on-contentious-pentagon-ai-project-was-hacked/
Tomi Engdahl says:
Yoko Kubota / Wall Street Journal:
Records and sources say China will begin using electronic identification system to track cars nationwide on July 1; compliance will be compulsory from Jan. 2019 — National plan to electronically scan autos adds to the ways Beijing can monitor its citizens, also including video cameras and facial recognition technology
A Chip in the Windshield: China’s Surveillance State Will Soon Track Cars
https://www.wsj.com/articles/a-chip-in-the-windshield-chinas-surveillance-state-will-soon-track-cars-1528882203
National plan to electronically scan autos adds to the ways Beijing can monitor its citizens, also including video cameras and facial recognition technology
Tomi Engdahl says:
European Parliament Votes to Ban Kaspersky Products
https://www.securityweek.com/european-parliament-votes-ban-kaspersky-products
Kaspersky Suspends Collaboration With Europol and NoMoreRansom
Kaspersky Lab has suspended its collaboration with Europol and the NoMoreRansom initiative after the European Parliament passed a resolution that describes the company’s software as being “malicious.”
Kaspersky is not trusted by some governments due to its alleged ties to Russian intelligence, which has sparked concerns that the company may be spying for Moscow.
The call for a ban on Kaspersky’s products in the European Union is part of a report on cyber defense written by Estonian MEP Urmas Paet of the Committee on Foreign Affairs.
The next-to-last proposal in the report “Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab.”
The resolution was approved with 476 votes in favor and 151 against. In response, Kaspersky Lab’s founder and CEO, Eugene Kaspersky, said his company would be freezing collaboration with Europol and the NoMoreRansom project, and highlighted that the EU’s decision “welcomes cybercrime in Europe.”
Kaspersky is one of the private sector companies that founded NoMoreRansom, and it has helped Europol in several major cybercrime investigations, including a $1 billion cyber-heist.
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A8-2018-0189+0+DOC+PDF+V0//EN
Tomi Engdahl says:
Chinese Cyberspies Target National Data Center in Asia
https://www.securityweek.com/chinese-cyberspies-target-national-data-center-asia
A China-linked cyber espionage group has targeted a national data center in Central Asia and experts believe the goal is to conduct watering hole attacks on the country’s government websites.
The threat actor is tracked as LuckyMouse, Emissary Panda, APT27 and Threat Group 3390. The group has been active since at least 2010, targeting hundreds of organizations around the world, including U.S. defense contractors, financial services firms, a European drone maker, and the U.S.-based subsidiary of a French energy management company.
Researchers at Kaspersky Lab recently identified a new attack carried out by this actor. The security firm spotted the campaign in March 2018, but believes it was launched in the fall of 2017.
The attack targeted a national data center in an unnamed country in Central Asia. Researchers say the goal is likely to inject malicious JavaScript code into the government websites connected to the data center in order to conduct watering hole attacks.
When accessed, the compromised government websites served either the Browser Exploitation Framework (BeEF), a penetration testing suite that focuses on the web browser, or the ScanBox reconnaissance framework.
Tomi Engdahl says:
World Cup: US Spy Warns Russians Will Hack Phones, Computers
https://www.securityweek.com/world-cup-us-spy-warns-russians-will-hack-phones-computers
A top US intelligence official warned football fans traveling to Russia for the World Cup that their phones and computers could be hacked by Moscow’s cyber spies.
William Evanina, Director of the National Counterintelligence and Security Center, said that in Russia, even people who believe they are too unimportant to be hacked can be targeted.
“Anyone traveling to Russia to attend the World Cup should be clear-eyed about the cyber risks involved,” Evanina said in a statement.
“If you’re planning on taking a mobile phone, laptop, PDA, or other electronic device with you — make no mistake — any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cyber criminals.”
Tomi Engdahl says:
5.9 Million Card Details Accessed in Dixons Carphone Hack
https://www.securityweek.com/59-million-card-details-accessed-dixons-carphone-hack
Dixons Carphone, a household name in the UK, announced (PDF) today that it is investigating “unauthorised access to certain data held by the company.” It describes this access as “an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores,” and “1.2m records containing non-financial personal data, such as name, address or email address…”
This may turn out to be the biggest ever breach in the UK.
Tomi Engdahl says:
Exploit Kits Target Recent Flash, Internet Explorer Zero-Days
https://www.securityweek.com/exploit-kits-target-recent-flash-internet-explorer-zero-days
Exploit kits (EKs) might not be as dominant as they were several years ago, but they continue to exist and most of them already adopted exploits for recently discovered Flash and Internet Explorer zero-day vulnerabilities.
The first of the flaws is CVE-2018-4878, a security bug in Adobe’s Flash Player discovered in late January, when it was exploited by a North Korean hacker group in attacks aimed at individuals in South Korea. Adobe released a patch within a week after the bug became public, but it continued to be targeted in numerous other attacks.
The second is CVE-2018-8174, a critical issue that allows attackers to remotely execute arbitrary code on all supported versions of Windows, and which was addressed with the May 2018 Patch Tuesday updates. The bug is an update to a 2-year-old VBScript vulnerability (CVE-2016-0189) that continues to be abused in attacks.
Tomi Engdahl says:
Cortana Software Could Help Anyone Unlock Your Windows 10 Computer
Wednesday, June 13, 2018 Swati Khandelwal
https://thehackernews.com/2018/06/cortana-hack-windows-password.html
Cortana, an artificial intelligence-based smart assistant that Microsoft has built into every version of Windows 10, could help attackers unlock your system password.
With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana that could allow hackers to break into a locked Windows 10 system and execute malicious commands with the user’s privileges.
With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana
Microsoft has classified the flaw as “important” because exploitation of this vulnerability requires an attacker to have physical or console access to the targeted system and the targeted system also needs to have Cortana enabled.
https://thehackernews.com/2018/06/microsoft-june-security-patch.html
Tomi Engdahl says:
http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A8-2018-0189+0+DOC+PDF+V0//EN
Calls on the EU to perform a comprehensive review of software, IT and
communications equipment and infrastructure used in the institutions in order to
exclude potentially dangerous programmes and devices,
and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab
Tomi Engdahl says:
US Arrests 74 BEC Scammers, Including 29 Nigerians
https://www.bleepingcomputer.com/news/security/us-arrests-74-bec-scammers-including-29-nigerians/
US law enforcement announced today the arrests of 74 individuals accused of orchestrating BEC (business email compromise) scams through which they stole millions from users across the world.
Tomi Engdahl says:
Ultrasound-Firewall For Mobile Phones
https://www.wirelessdesignmag.com/news/2018/05/ultrasound-firewall-mobile-phones#.Wx8U38Ogt4k.facebook
New technologies such as Google Nearby and Silverpush use ultrasonic sounds to exchange information between devices via loudspeakers and microphones (also called “data over audio”).
Ultrasonic communication allows devices to be paired and information to be exchanged. It also makes it possible to track users and their behaviour over a number of devices, much like cookies on the Web. Almost every device with a microphone and a loudspeaker can send and receive ultrasonic sounds. Users are usually unaware of this inaudible and hidden data transmission.
The SoniControl project of St. Pölten University of Applied Sciences has developed a mobile application that detects acoustic cookies, brings them to the attention of users and if desired, blocks the tracking. The app is thus, in a sense, the first available ultrasound-firewall for smartphones and tablets. “
Tomi Engdahl says:
The state of encryption: How the debate has shifted
https://opensource.com/article/18/6/listening-susan-landau?sc_cid=7016000000127ECAAY
Long-term leader in the encryption fight, Susan Landau, shares her insights.
Tomi Engdahl says:
Cortana Flaw Allows for Code Execution from Lock Screen
https://www.securityweek.com/cortana-flaw-allows-code-execution-lock-screen
One of the vulnerabilities Microsoft addressed with the June 2018 security patches was a flaw in Cortana that could allow an attacker to elevate privileges and execute code from the lock screen.
The issue, discovered by Cedric Cochin, Cyber Security Architect and Senior Principle Engineer at McAfee, is tracked as CVE-2018-8140. The bug can be abused to execute code on the impacted machine, directly from the lock screen.
In an advisory, Microsoft explains that the vulnerability “exists when Cortana retrieves data from user input services without consideration for status.” The company confirms the possible exploitation to execute commands with elevated permissions.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8140
Tomi Engdahl says:
Tainted, crypto-mining containers pulled from Docker Hub
https://techcrunch.com/2018/06/15/tainted-crypto-mining-containers-pulled-from-docker-hub/?utm_source=tcfbpage&sr_share=facebook
Security companies Fortinet and Kromtech found seventeen tainted Docker containers that were essentially downloadable images containing programs that had been designed to mine cryptocurrencies. Further investigation found that they had been downloaded 5 million times, suggesting that hackers were able to inject commands into insecure containers to download this code into otherwise healthy web applications. The researchers found the containers on Docker Hub, a repository for user images.
Tomi Engdahl says:
LinuxForums.org Hack Exposes 276,000 User Accounts
https://www.linuxuprising.com/2018/06/linuxforumsorg-hack-exposes-276000-user.html?m=1
Tomi Engdahl says:
Admins Aren’t Patching Open Source, Says Black Duck Security Report
http://www.itprotoday.com/open-source/admins-arent-patching-open-source-says-black-duck-security-report
According to the latest Black Duck security report, the average unpatched vulnerability running on data center servers is six years old.
Tomi Engdahl says:
Why don’t most people become radicalised?
https://horizon-magazine.eu/article/why-don-t-most-people-become-radicalised_en.html
Tomi Engdahl says:
https://threatpost.com/microsoft-reveals-which-bugs-it-wont-patch/132817/
Tomi Engdahl says:
The messy, musical process behind the web’s new security standard
https://techcrunch.com/2018/06/11/the-messy-musical-process-behind-the-webs-new-security-standard/?sr_share=facebook&utm_source=tcfbpage
A new security standard called TLS 1.3 is the latest big change to how our browsers communicate, but the process by which it was created is a little weirder and less structured than you might think.
“Anyone can participate from anywhere. There’s no cost — you can just send your stuff in,”
“This time we did things a little different,” Sean said. “We actually put the document on GitHub and let anyone comment. And then we were getting these comments where we were like, who are these people and how are they so good at this?”
Despite said facilitation, the process of creating TLS 1.3 took four years, which for people in the security world is simultaneously forever and no time at all.
Standards must be ruthlessly vetted and optimized, since once in place they’ll be used billions of times a day
“Every week there was another attack and people were like, ‘please make this stop,’ ”
“We had participation from lots of people: browser makers, privacy advocates, Mozilla, the ACLU.
“We don’t vote, we use things like hum,”
“It gives a chance to be more anonymous rather than raising a hand or vote,”
http://ietf.org/about/
Tomi Engdahl says:
Dan Goodin / Ars Technica:
Researcher details SigSpoof, a recently patched critical flaw in PGP that allowed hackers to spoof digital email signatures, says the bug dates back to 1998 — SigSpoof flaw fixed inGnuPG, Enigmail, GPGTools, and python-gnupg. — For their entire existence, some of the world’s …
Decades-old PGP bug allowed hackers to spoof just about anyone’s signature
SigSpoof flaw fixed inGnuPG, Enigmail, GPGTools, and python-gnupg.
https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/
For their entire existence, some of the world’s most widely used email encryption tools have been vulnerable to hacks that allowed attackers to spoof the digital signature of just about any person with a public key, a researcher said Wednesday. GnuPG, Enigmail, GPGTools, and python-gnupg have all been updated to patch the critical vulnerability. Enigmail and the Simple Password Store have also received patches for two related spoofing bugs.
Digital signatures are used to prove the source of an encrypted message, data backup, or software update. Typically, the source must use a private encryption key to cause an application to show that a message or file is signed. But a series of vulnerabilities dubbed SigSpoof makes it possible in certain cases for attackers to fake signatures with nothing more than someone’s public key or key ID, both of which are often published online. The spoofed email shown at the top of this post can’t be detected as malicious without doing forensic analysis that’s beyond the ability of many users.
The flaw, indexed as CVE-2018-12020, means that decades’ worth of email messages many people relied on for sensitive business or security matters may have in fact been spoofs. It also has the potential to affect uses that went well beyond encrypted email.
“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure,” Marcus Brinkmann, the software developer who discovered SigSpoof, wrote in an advisory published Wednesday. “GnuPG is not only used for email security but also to secure backups, software updates in distributions, and source code in version control systems like Git.”