Thanksgiving and re:Invent are nearly upon us, and that means attackers will once again have their annual ~9-day window where development and security teams are busy eating turkey (or Tofurky) and spending time in Vegas. From an attacker’s perspective, this combination is liquid gold. If you knew that every year between Thanksgiving and re:Invent, you had 9+ days where eyes on glass were at their lowest, would you not take advantage of this? I know I would. Yet despite this knowledge, we continue to see companies not taking advantage of security standards – such as the CIS benchmarks – or public cloud provider APIs to automate monitoring the security posture of their cloud environments.
At least a dozen mobile apps with no legitimate functionality made it into Google Play and have been installed over half a million times. They would silently install another app and trick the user into approving its installation.
The end game is to make money from pushing unsolicited advertisements to the user when they unlock the device.
Yes, even the Tor browser can be spied on by this nasty code
“The attack we demonstrated compromises ‘human secrets’: by finding out which websites a user accesses, it can teach the attacker things like a user’s sexual orientation, religious beliefs, political opinions, health conditions, etc.,” said Yossi Oren (Ben-Gurion University) and Yuval Yarom (University of Adelaide) in an email to The Register this week.
“Cache occupancy measures what percentage of the entire cache has been accessed over a certain time period,” explained Oren and Yarom. “The browser is very memory intensive, since it receives large amounts of data from the network and draws various outputs to the screen. This means it uses a significant portion of the cache as it loads a page.”
What’s more, it doesn’t depend on the layout of the cache, which makes cache layout randomization – a risk mitigation technique – useless for this particular approach.
The new tool combines data theft and cryptocurrency mining as a go-to product for attacking Windows machines.
A new hacking tool making the rounds in underground forums has been deemed the latest “go-to” universal offering for attackers targeting Microsoft Windows PCs.
Another day, another critical WordPress plugin vulnerability. The popular AMP for WP plugin, which helps WordPress sites load faster on mobile browsers, has a privilege-escalation flaw that allows WordPress site users of any level to make administrative changes to a website.
The data theft technique called “Rowhammer” has fascinated and worried the cybersecurity community for years now, because it combines digital and physical hacking in ways that are both fascinating and unaccounted for. Since its discovery, researchers have steadily refined the attack, and expanded the array of targets it works against. Now, researchers have significantly increased the scope of the potential threat to include critical devices like servers and routers—even when they have components that were specifically thought to be immune.
The authentication process via German ID cards with RFID chips to certain web services can be manipulated to allow identity spoofing and changing the date of birth.
German identity cards issued since 2010 come with a radio frequency identification chip that stores information about the holder. This includes name, date of birth and a biometric picture. If the holder so chooses, it can also store their fingerprints.
RFID chip used for logging in
The new cards are machine-readable and can be used as travel documents in most countries in Europe, as well as for authentication into online government services (tax, mail) or for age verification.
Authenticating with Goethe’s name and address
Wolfgang Ettlinger researched the vulnerability for SEC Consult Vulnerability Lab and was able to bypass protections from the authentication server and fool the web application into accepting the altered data.
The German government-issued identity card (nPA) allows German citizens to not only prove their identity in person, but also against online services (by using the embedded RFID chip). SEC Consult conducted a short security test on a software component commonly used to implement this authentication mechanism. A critical security vulnerability was found during this security test, allowing an attacker to impersonate arbitrary users against affected web applications.
A mobile spyware that turned into a banking trojan with ransomware capabilities managed to launch over 70,000 attacks in the course of just three months.
The name of the beast is Rotexy now but it used to be detected as SMSThief back in its spying days.
Malware analysts at Kaspersky Lab took a closer look at this mobile threat that was noticed for the first time in 2014 and proved to be highly versatile since its early releases.
The researchers found that it can get instructions via the Google Cloud Messaging (GCM) service that delivers messages in JSON format to mobile devices.
This channel, however, won’t work beyond April 11, 2019, because Google has deprecated it.
Another method Rotexy uses to deliver commands to the compromised target is from a command and control (C2) server, as it is typical for most malware.
The third method is SMS based and allows the operator to control the actions of malware by sending a text message to the infected mobile phone.
In a December 2011 Forbes article entitled “How To Waste $100 Billion: Weapons That Didn’t Work Out”, author Loren Thompson discusses a number of government weapons programs that were scrapped after billions of dollars were sunk. The circumstances under which each project went south vary, but they do share one very interesting point in common. What is that point? That the question of when to cut losses should have been asked and discussed at several different points along the way. Unfortunately, it never was, and the results speak for themselves.
Managing a large, complex military project is, not surprisingly, extremely complex. Nonetheless, as with any project, checkpoints should be installed along the way to ensure that the project is moving towards achieving its goals on time and within budget. When this doesn’t happen, projects can veer off course into the realm of over time and over budget, as was the case with the projects referenced in Loren Thompson’s Forbes article.
So what does this have to do with information security? I would argue that lessons from the field of project management can offer us valuable insight that we can leverage to improve and strengthen our respective security programs. How so? Allow me to elaborate.
Any information security organization will have a number of different initiatives and projects going on at any given time.
So what are some ways in which organizations can avoid the trap of a wasteful project? Though not an exhaustive list, I provide five suggestions here:
1. Go back to basics: When we ask ourselves how we can assess what activities bring added value to the security organization, we need to go back to basics to find the answer.
2. Enforce project management: If you think that project management best practices are only for weapons programs and software projects, think again. Everyone should be familiar with project management techniques. Why should security efforts be run any less formally than any other project?
3. Keep an eye on budgets: It goes without saying that budgets in security are never large enough to cover all of the bases that a security organization wants to cover. So why throw money towards people, process, and technology that don’t bring value? The amount of money being spent on various different efforts should be correlated to the value-add those efforts bring.
4. Keep an eye on schedules: Who loves to see a project run over schedule and be delivered late or never at all? No one. Absolutely no one. So why let things get out of hand? Set up gates and checkpoints along the way to evaluate progress against project goals.
5. Avoid bright shiny objects: The security profession seems to get distracted by bright shiny objects every now and again. Every so often, a new type of product or service comes along that generates an unwarranted amount of buzz, hype, and hysteria. Often, all of this attention comes without any mapping back to real operational problems that organizations are looking to solve.
Recently patched vulnerabilities in the popular AMP for WP plugin are being targeted in an active Cross-Site Scripting (XSS) campaign, Wordfence reports.
With over 100,000 installs, the plugin adds Accelerated Mobile Pages (Google AMP Project) functionality to websites, which makes them faster for mobile users.
Given its popularity, AMP for WP also represents a lucrative target for cybercriminals, especially if site admins are behind with their patching efforts. To exploit the newly discovered vulnerabilities, an attacker needs a minimum of subscriber-level access on a vulnerable site.
Revealed last week, the vulnerabilities allow an attacker to leverage privileges and make administrative changes to a website. Thus, any website using a vulnerable version of the AMP for WP plugin could be targeted with malware/code injection. Version 0.9.97.20 of AMP for WP addresses the issue.
A U.S. government report ahead of a meeting between Presidents Donald Trump and Xi Jinping accuses China of stepping up hacking aimed at stealing American technology as a tariff dispute escalated.
In the battle for online privacy, U.S. search giant Google is a Goliath facing a handful of European Davids.
The backlash over Big Tech’s collection of personal data offers new hope to a number of little-known search engines that promise to protect user privacy.
Sites like Britain’s Mojeek, France’s Qwant, Unbubble in Germany and Swisscows don’t track user data, filter results or show “behavioral” ads.
These sites are growing amid the rollout of new European privacy regulations and numerous corporate data scandals, which have raised public awareness about the mountains of personal information companies stealthily gather and sell to advertisers.
Amazon informed some customers this week that their name and email address were exposed due to a “technical error,” but the company provided very few other details.
The e-commerce giant claims the issue has been addressed and has told users that they do not need to change their password or take any other action. It has also revealed that the incident is not a result of something customers have done.
558 Comments
Tomi Engdahl says:
Subject: Invoice. The cause of 6 out of 10 of the most effective phishing campaigns in 2018
https://www.pandasecurity.com/mediacenter/security/subject-invoice-phishing-campaigns/
Tomi Engdahl says:
Security
Britain may not be able to fend off a determined cyber-attack, MPs warn
And those utility price controls? Er, not helpful
https://www.theregister.co.uk/2018/11/19/uk_cni_report_parliament/
Britain’s critical national infrastructure is vulnerable to hackers and neither UK.gov nor privatised operators are doing enough to tighten things up, a Parliamentary committee has warned.
The Joint Committee on the National Security Strategy has laid into the government for its slapdash approach to IT security, claiming that officials are “not acting with the urgency and forcefulness that the situation demands”.
Cyber Security of the UK’s Critical National Infrastructure
https://publications.parliament.uk/pa/jt201719/jtselect/jtnatsec/1708/1708.pdf
Tomi Engdahl says:
Azure, Office 365 go super-secure: Multi-factor auth borked in Europe, Asia, USA
Microsoft’s cloudy service finds Mondays just as hard as the rest of us
https://www.theregister.co.uk/2018/11/19/azure_down/
Tomi Engdahl says:
Kyle Wiggers / VentureBeat:
Microsoft now supports standards-based FIDO2 security key devices, letting Windows 10 users access their Microsoft Account without entering username or password
You can now sign into your Microsoft account without a password
https://venturebeat.com/2018/11/20/you-can-now-sign-into-your-microsoft-account-without-a-password/
Tomi Engdahl says:
Detecting Bombs and Weapons with WiFi
https://www.designnews.com/electronics-test/detecting-bombs-and-weapons-wifi/21821247859822?ADTRK=UBM&elq_mid=6575&elq_cid=876648
Rutgers University researchers have developed a WiFi-based system for detecting dangerous objects that is faster and less expensive than scanners seen in airports and other venues.
Tomi Engdahl says:
DesignCon: Go Because I Need To; Stay Because I Want To
https://www.designnews.com/content/designcon-go-because-i-need-stay-because-i-want/189381360959818?ADTRK=UBM&elq_mid=6575&elq_cid=876648
There are few events in the engineering calendar quite like DesignCon, as much for the serious nature of design issues and problems as the environment in which they’re being addressed and solved.
Tomi Engdahl says:
Infamous Russian Hacking Group Used New Trojan in Recent Attacks
https://www.securityweek.com/infamous-russian-hacking-group-used-new-trojan-recent-attacks
A well known Russian state-sponsored cyber-espionage group has used a new Trojan as a secondary payload in recent attacks targeting government entities around the globe, Palo Alto Networks reports.
As part of the attacks, the cyber-spies used documents mentioning the recent Lion Air disaster as a lure and delivered not only the previously documented Zebrocy Trojan, but also a new piece of malware called Cannon.
The new Trojan, the researchers say, contains a novel email-based command and control (C&C) communication channel, likely in an attempt to decrease detection rates, given the common use of email in enterprises.
Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan
https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
Tomi Engdahl says:
U.S. Mulls Curbs on Artificial Intelligence Exports
https://www.securityweek.com/us-mulls-curbs-artificial-intelligence-exports
The administration of US President Donald Trump is exploring curbing exports of sensitive technologies including artificial intelligence for national security reasons, according to a proposal this week.
The proposal to control sales of certain technologies “essential to the national security of the United States” comes amid growing trade friction with Beijing — and fears that China may overtake the US in some areas such as artificial intelligence.
Tomi Engdahl says:
Facebook Increases Rewards for Account Hacking Vulnerabilities
https://www.securityweek.com/facebook-increases-rewards-account-hacking-vulnerabilities
Facebook on Tuesday announced important updates to its bug bounty program. The social media giant says it’s prepared to pay out as much as $40,000 for vulnerabilities that can lead to account takeover.
Tomi Engdahl says:
Flash Player Update Patches Disclosed Code Execution Flaw
https://www.securityweek.com/flash-player-update-patches-disclosed-code-execution-flaw
Security updates released on Tuesday by Adobe for Flash Player address a critical vulnerability whose details were disclosed a few days earlier.
The security hole, tracked as CVE-2018-15981, has been described by Adobe as a type confusion bug that allows an attacker to execute arbitrary code in the context of the current user. The flaw has been assigned a priority rating of “1,” which means users should update as soon as possible due to the high risk of exploitation.
Tomi Engdahl says:
Vision Direct Reveals Data Breach
https://www.securityweek.com/vision-direct-reveals-data-breach
Popular European online contact lenses supplier Vision Direct on Monday revealed that customer data was compromised in a data breach earlier this month.
Customers who ordered products or updated their information on the company’s UK website (VisionDirect.co.uk) between November 3 and November 8 likely had their information stolen, the company said in a disclosure.
The data became compromised when the users entered it on the website, and not from the Vision Direct database itself.
The attackers were able to extract customer personal and financial details such as full name, billing address, email address, password, telephone number and payment card information, including card number, expiry date and CVV.
https://www.visiondirect.co.uk/customer-data-theft
Tomi Engdahl says:
Attackers Target Drupal Web Servers with Chained Vulnerabilities
https://www.securityweek.com/attackers-target-drupal-web-servers-chained-vulnerabilities
A recent attack targeted Drupal web servers with a chain of vulnerabilities that included the infamous Drupalgeddon2 and DirtyCOW flaws, Imperva security researchers say.
Tomi Engdahl says:
OSIsoft Warns Employees, Contractors of Data Breach
https://www.securityweek.com/osisoft-warns-employees-contractors-data-breach
In a breach notification submitted last week to the Office of the Attorney General in California, OSIsoft revealed that hackers used stolen credentials to remotely access some of its systems. While the company has found evidence of malicious activity on 29 devices and 135 accounts, it believes all OSI domain accounts are impacted.
https://oag.ca.gov/system/files/Memorandum-on-Credential-Theft-Incident-CA_0_1.pdf
Tomi Engdahl says:
TalkTalk Hackers Sentenced to Prison
https://www.securityweek.com/talktalk-hackers-sentenced-prison
Tomi Engdahl says:
Weapons of the weak: Russia and AI-driven asymmetric warfare
https://www.brookings.edu/research/weapons-of-the-weak-russia-and-ai-driven-asymmetric-warfare/
Editor’s Note:
This report is part of “A Blueprint for the Future of AI,” a series from the Brookings Institution that analyzes the new challenges and potential policy solutions introduced by artificial intelligence and other emerging technologies.
“Artificial intelligence is the future, not only for Russia, but for all humankind. It comes with colossal opportunities, but also threats that are difficult to predict. Whoever becomes the leader in this sphere will become the ruler of the world.” [1] – Russian President Vladimir Putin, 2017.
“A people that no longer can believe anything cannot make up its mind. It is deprived not only of its capacity to act but also of its capacity to think and to judge. And with such a people you can then do what you please.” [2] – Hannah Arendt, 1978
Tomi Engdahl says:
Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
Introduction
FireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting.
The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.
Shared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to previously observed activity suspected to be APT29.
APT29 is known to transition away from phishing implants within hours of initial compromise.
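A mail-gateway check for the delivery pattern FireEye describes (a zip archive carrying a Windows shortcut). This is an added example, not FireEye's code; the archive it scans is constructed in memory, and the attachment-hook plumbing is left to the reader's gateway.

```python
"""Flag zip attachments that carry Windows shortcuts (.lnk), by name or by header."""
import io
import zipfile

# A Windows shell link begins with HeaderSize 0x0000004C followed by the fixed
# LinkCLSID {00021401-0000-0000-C000-000000000046}, serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def scan_zip_attachment(data):
    """Return a list of (member_name, reason) findings for a zip attachment.

    Name and content are checked independently, so a shortcut renamed to
    'briefing.pdf' is still reported. Nothing is extracted to disk and the
    shortcut target is never resolved; only the first 20 bytes are read.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<attachment>", "not a valid zip archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            is_lnk_name = name.lower().endswith(".lnk")
            if is_lnk_name:
                findings.append((name, "windows shortcut by extension"))
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC and not is_lnk_name:
                findings.append((name, "shell link header under a non-.lnk name"))
    return findings


def _build_sample_zip():
    """Constructed sample: a benign text file, an obvious .lnk, and a disguised one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("briefing.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("briefing.pdf", LNK_MAGIC + b"\x00" * 60)
    return buf.getvalue()


# Constructed input for a stand-alone run; a gateway would pass the real attachment bytes.
SAMPLE_ZIP = _build_sample_zip()

if __name__ == "__main__":
    for member, reason in scan_zip_attachment(SAMPLE_ZIP):
        print(f"{member}: {reason}")
```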
Tomi Engdahl says:
Cmd and Conquer: De-DOSfuscation with flare-qdb
https://www.fireeye.com/blog/threat-research/2018/11/cmd-and-conquer-de-dosfuscation-with-flare-qdb.html
When Daniel Bohannon released his excellent DOSfuscation paper, I was fascinated to see how tricks I used as a systems engineer could help attackers evade detection. I didn’t have much to contribute to this conversation until I had to analyze a hideously obfuscated batch file as part of my job on the FLARE malware queue.
DOSfuscation: Exploring the Depths
https://www.fireeye.com/blog/threat-research/2018/03/dosfuscation-exploring-obfuscation-and-detection-techniques.html
Tomi Engdahl says:
Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America
https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/
Tomi Engdahl says:
OceanLotus: New watering hole attack in Southeast Asia
https://www.welivesecurity.com/2018/11/20/oceanlotus-new-watering-hole-attack-southeast-asia/
ESET researchers identified 21 distinct websites that had been compromised including some particularly notable government and media sites
Tomi Engdahl says:
New Gmail Bug Allows Sending Messages Anonymously
https://www.bleepingcomputer.com/news/security/new-gmail-bug-allows-sending-messages-anonymously/
A new bug discovered in Gmail affects the web app’s user experience by hiding the source address of an email, a situation that comes with an obvious potential for abuse.
Tampering with the ‘From:’ header by replacing some text with an , or tag causes the interface to show a blank space instead of the sender’s address.
Tomi Engdahl says:
Germany pushes router security rules, OpenWRT and CCC push back
Hacker coalition wants device support timeline clarified, free firmware mandates
https://www.theregister.co.uk/2018/11/20/germany_versus_openwrt_ccc/
Germany’s federal office for Information Security, the BSI, made its recommendations in this document (PDF), saying it wanted a “manageable level of security” and defining security features it believed should be “available by design and by default”.
The document seeks to protect home and SOHO routers from internet-facing attacks, by way of:
Restricting LAN/Wi-Fi default services to DNS, HTTP/HTTPS, DHCP/DHCPv6, and ICMPv6, and a minimum set of services available on the public interface (CWMP for configuration, SIP if VoIP is supported, and ICMPv6);
Ensuring guest Wi-Fi services should not have access to device configuration;
Setting WPA2 encryption as a minimum default, with a strong password that excludes identifiers like manufacturer, model, or MAC address;
Strong password protection on the configuration interface, secured by HTTPS if it’s available on the WAN interface;
Firewall features are mandatory;
Remote configuration must be off by default, and only accessible via an encrypted, server-authenticated connection; and
User-controlled firmware updates, with an option for push-updates.
The guidelines also note factory resets should put the router back into a secure default state, and all personal data should be deleted from the unit during a factory reset.
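The BSI points above, turned into an automated check. This is an added example, not code from The Register or the BSI document; the dictionary layout and key names are an assumption standing in for whatever a real router exposes, so the loader is the part to adapt.

```python
"""Audit a home/SOHO router configuration against the BSI baseline quoted above."""
import re

# Services the guideline allows by default on the LAN/Wi-Fi side.
LAN_DEFAULT_ALLOWED = {"DNS", "HTTP", "HTTPS", "DHCP", "DHCPv6", "ICMPv6"}
# The minimum set permitted on the public (WAN) interface.
WAN_ALLOWED = {"CWMP", "SIP", "ICMPv6"}
# Anything below WPA2 fails the minimum-encryption point.
WEAK_WIFI_MODES = {"OPEN", "WEP", "WPA"}


def _normalise(s):
    """Lower-case and strip separators so 'XR-500' and 'xr500' compare equal."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _embeds_identifier(password, cfg):
    """True if the Wi-Fi password contains the manufacturer, model or MAC address."""
    p = _normalise(password)
    return any(_normalise(cfg.get(k, "")) and _normalise(cfg[k]) in p
               for k in ("manufacturer", "model", "mac"))


def audit_router(cfg):
    """Return a list of findings; an empty list means every quoted point is met."""
    findings = []
    extra_lan = set(cfg.get("lan_services", [])) - LAN_DEFAULT_ALLOWED
    if extra_lan:
        findings.append(f"LAN exposes non-default services: {sorted(extra_lan)}")
    wan = set(cfg.get("wan_services", []))
    extra_wan = wan - WAN_ALLOWED
    if extra_wan:
        findings.append(f"WAN exposes services outside the minimum set: {sorted(extra_wan)}")
    if "SIP" in wan and not cfg.get("voip_supported", False):
        findings.append("SIP is open on WAN although VoIP is not supported")
    if cfg.get("guest_wifi_enabled") and cfg.get("guest_wifi_can_reach_config"):
        findings.append("guest Wi-Fi can reach the device configuration")
    if cfg.get("wifi_mode", "OPEN").upper() in WEAK_WIFI_MODES:
        findings.append(f"Wi-Fi mode {cfg.get('wifi_mode', 'OPEN')} is below the WPA2 minimum")
    if _embeds_identifier(cfg.get("wifi_password", ""), cfg):
        findings.append("Wi-Fi password embeds manufacturer, model or MAC address")
    if cfg.get("config_ui_on_wan") and not cfg.get("config_ui_https"):
        findings.append("configuration interface is reachable on WAN without HTTPS")
    if not cfg.get("firewall_enabled", False):
        findings.append("firewall is disabled")
    if cfg.get("remote_config_on_by_default", False):
        findings.append("remote configuration is enabled by default")
    if cfg.get("remote_config_enabled", False) and not (
            cfg.get("remote_config_encrypted") and cfg.get("remote_config_server_authenticated")):
        findings.append("remote configuration lacks an encrypted, server-authenticated transport")
    if not cfg.get("user_controlled_updates", False):
        findings.append("firmware updates are not user-controlled")
    if not cfg.get("factory_reset_wipes_personal_data", False):
        findings.append("factory reset does not delete personal data")
    return findings


# Constructed sample configurations (assumed key names, not a real router's format).
_IDENT = {"manufacturer": "ExampleNet", "model": "XR-500", "mac": "00:11:22:33:44:55"}
WEAK_CONFIG = dict(_IDENT, **{
    "lan_services": ["DNS", "HTTP", "DHCP", "TELNET", "UPnP"],
    "wan_services": ["CWMP", "SIP", "ICMPv6", "HTTP"], "voip_supported": False,
    "guest_wifi_enabled": True, "guest_wifi_can_reach_config": True,
    "wifi_mode": "WPA", "wifi_password": "xr500-home",
    "config_ui_on_wan": True, "config_ui_https": False, "firewall_enabled": False,
    "remote_config_enabled": True, "remote_config_on_by_default": True,
    "remote_config_encrypted": False, "remote_config_server_authenticated": False,
    "user_controlled_updates": False, "factory_reset_wipes_personal_data": False,
})
HARDENED_CONFIG = dict(_IDENT, **{
    "lan_services": ["DNS", "HTTPS", "DHCP", "DHCPv6", "ICMPv6"],
    "wan_services": ["CWMP", "ICMPv6"], "voip_supported": False,
    "guest_wifi_enabled": True, "guest_wifi_can_reach_config": False,
    "wifi_mode": "WPA2", "wifi_password": "correct-horse-battery-staple-2018",
    "config_ui_on_wan": False, "config_ui_https": True, "firewall_enabled": True,
    "remote_config_enabled": False, "remote_config_on_by_default": False,
    "remote_config_encrypted": True, "remote_config_server_authenticated": True,
    "user_controlled_updates": True, "factory_reset_wipes_personal_data": True,
})

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_router(cfg) or "compliant")
```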
Tomi Engdahl says:
You can now sign into your Microsoft account without a password
https://venturebeat.com/2018/11/20/you-can-now-sign-into-your-microsoft-account-without-a-password/
Microsoft today announced that users can sign into Microsoft accounts on Microsoft’s Edge browser password-free, either by using Windows Hello — the biometrics-based authentication platform built into Windows 10 — or with a FIDO2-compatible device from Yubico, Feitian, or another manufacturer. Alternatively, they can use a phone running the Microsoft Authenticator app.
Password-free login goes live this week in Windows 10 (version 1809) on Outlook.com, Office 365, Skype, OneDrive, Cortana, Microsoft Edge, Xbox Live on the PC, Mixer, the Microsoft Store, Bing, and MSN.com. Alex Simons, corporate vice president at Microsoft’s Identity Division, said that Edge is among the first to implement WebAuthn and CTAP2, and that it supports the “widest array of authenticators” compared to other browsers. He also said that starting next year, the same sign-in experience will come to work and school accounts in Azure Active Directory, and that enterprise customers will be able to preview it before the end of 2018.
Tomi Engdahl says:
Patches Released for Flaws Affecting Dell EMC, VMware Products
https://www.securityweek.com/patches-released-flaws-affecting-dell-emc-vmware-products
Several vulnerabilities have been found by researchers in Dell EMC Avamar and Integrated Data Protection Appliance products. VMware’s vSphere Data Protection, which is based on Avamar, is also impacted.
Dell EMC informed customers this week that several versions of Avamar Server and Integrated Data Protection Appliance (IDPA) are affected by remote code execution and open redirection vulnerabilities.
The first flaw, tracked as CVE-2018-11066 and rated “critical,” allows an unauthenticated attacker to remotely execute arbitrary commands on the server.
VMware has also published an advisory, since its vSphere Data Protection (VDP) product is based on Avamar Virtual Edition.
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/8738-yrityksen-identiteetin-varkaudesta-ei-yleensa-jaa-kiinni
Tomi Engdahl says:
https://www.uusiteknologia.fi/2018/11/21/valvontajarjestelma-verkkohyokkayksia-vastaan/
F-secure Rapid Detection & Response
https://www.f-secure.com/fi_FI/web/business_fi/rapid-detection-and-response
Tomi Engdahl says:
Cybersecurity a big concern in Canada as cybercrime’s impact grows
https://www.welivesecurity.com/2018/11/19/cybersecurity-big-concern-canada-cybercrime/
90% of Canadians surveyed agreed that cybercrime was an important “challenge to the internal security of Canada”
Tomi Engdahl says:
Thanksgiving + re:Invent – Who’s Watching Your Cloud?
https://researchcenter.paloaltonetworks.com/2018/11/thanksgiving-reinvent-whos-watching-cloud/
Thanksgiving and re:Invent are nearly upon us, and that means attackers will once again have their annual ~9-day window where development and security teams are busy eating turkey (or Tofurky) and spending time in Vegas. From an attacker’s perspective, this combination is liquid gold. If you knew that every year between Thanksgiving and re:Invent, you had 9+ days where eyes on glass were at their lowest, would you not take advantage of this? I know I would. Yet despite this knowledge, we continue to see companies not taking advantage of security standards – such as the CIS benchmarks – or public cloud provider APIs to automate monitoring the security posture of their cloud environments.
Tomi Engdahl says:
Fake Apps in Google Play Get over Half a Million Installs
https://www.bleepingcomputer.com/news/security/fake-apps-in-google-play-get-over-half-a-million-installs/
At least a dozen mobile apps with no legitimate functionality made it into Google Play and have been installed over half a million times. They would silently install another app and trick the user into approving its installation.
The end game is to make money from pushing unsolicited advertisements to the user when they unlock the device.
Tomi Engdahl says:
Talk about a cache flow problem: This JavaScript can snoop on other browser tabs to work out what you’re visiting
https://www.theregister.co.uk/2018/11/21/unmasking_browsers_side_channels/
Yes, even the Tor browser can be spied on by this nasty code
“The attack we demonstrated compromises ‘human secrets’: by finding out which websites a user accesses, it can teach the attacker things like a user’s sexual orientation, religious beliefs, political opinions, health conditions, etc.,” said Yossi Oren (Ben-Gurion University) and Yuval Yarom (University of Adelaide) in an email to The Register this week.
“Cache occupancy measures what percentage of the entire cache has been accessed over a certain time period,” explained Oren and Yarom. “The browser is very memory intensive, since it receives large amounts of data from the network and draws various outputs to the screen. This means it uses a significant portion of the cache as it loads a page.”
What’s more, it doesn’t depend on the layout of the cache, which makes cache layout randomization – a risk mitigation technique – useless for this particular approach.
Tomi Engdahl says:
L0rdix becomes the new Swiss Army knife of Windows hacking
https://www.zdnet.com/article/l0rdix-becomes-the-new-swiss-army-knife-of-hacking/
The new tool combines data theft and cryptocurrency mining as a go-to product for attacking Windows machines.
A new hacking tool making the rounds in underground forums has been deemed the latest “go-to” universal offering for attackers targeting Microsoft Windows PCs.
Tomi Engdahl says:
Unmasked: What 10 million passwords reveal about the people who choose them
https://wpengine.com/unmasked/
Tomi Engdahl says:
Russian hacking tool gets extra stealthy to target US, European computers
https://www.cnet.com/news/new-russian-hacking-tool-gets-extra-stealthy-to-target-us-european-computers/
This malicious software will email your hacker from your computer without you ever knowing.
Tomi Engdahl says:
Remote Code Execution Vulnerability in the Austrian Electronic Banking Application ELBA5
https://pentestmag.com/remote-code-execution-vulnerability-in-the-austrian-electronic-banking-application-elba5/?doing_wp_cron=1542828884.3817830085754394531250
Tomi Engdahl says:
Cylance researchers discover powerful new nation-state APT
https://www.csoonline.com/article/3319787/advanced-persistent-threats/cylance-researchers-discover-powerful-new-nation-state-apt.html
The new APT, dubbed White Company, is likely Middle Eastern, but shows fingerprints of U.S.-trained personnel.
Tomi Engdahl says:
Foscam Security Cameras Full of Security Flaws
https://www.tomsguide.com/us/foscam-camera-flaws,news-25254.html
Tomi Engdahl says:
Critical WordPress Plugin Flaw Grants Admin Access to Any Registered Site User
https://threatpost.com/critical-wordpress-flaw-grants-admin-access-to-any-registered-site-user/139162/?fbclid=IwAR32fHUOkqGS5CXxwNx5RAgBoLcHxRQiFOXZiPCx9OHUQEYrySAUBfzTzM0
Another day, another critical WordPress plugin vulnerability. The popular AMP for WP plugin, which helps WordPress sites load faster on mobile browsers, has a privilege-escalation flaw that allows WordPress site users of any level to make administrative changes to a website.
Tomi Engdahl says:
How to Tell if Your Account Has Been Hacked
How to check if your Gmail, Facebook, Instagram, Twitter, and other accounts have been hacked.
https://motherboard.vice.com/en_us/article/bjeznz/how-do-you-know-when-youve-been-hacked-gmail-facebook
Tomi Engdahl says:
Russia ‘sought access to UK visa issuing system’
https://www.bbc.com/news/world-europe-46237634
Tomi Engdahl says:
Technical foul: Amazon suffers data snafu days before Black Friday, emails world+dog
https://www.theregister.co.uk/2018/11/21/amazon_data_breach/
$1tn biz doesn’t answer very basic questions – like how or why it happened
Tomi Engdahl says:
AN INGENIOUS DATA HACK IS MORE DANGEROUS THAN ANYONE FEARED
https://www.wired.com/story/rowhammer-ecc-memory-data-hack/
THE DATA THEFT technique called “Rowhammer” has fascinated and worried the cybersecurity community for years now, because it combines digital and physical hacking in ways that are both fascinating and unaccounted for. Since its discovery, researchers have steadily refined the attack, and expanded the array of targets it works against. Now, researchers have significantly increased the scope of the potential threat to include critical devices like servers and routers—even when they have components that were specifically thought to be immune.
Tomi Engdahl says:
How to Find a Lost Smartphone
https://www.youtube.com/watch?v=sXSjDGol_rs
Losing your smartphone can feel like a catastrophe. How can you get it back?
Tomi Engdahl says:
Beijing is moving forward with controversial social rating system
https://www.techspot.com/news/77533-beijing-moving-forward-controversial-social-rating-system.html
Rating citizens based on their behavior
Tomi Engdahl says:
I asked an online tracking company for all of my data and here’s what I found
https://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found
Tomi Engdahl says:
German eID Authentication Flaw Lets You Change Identity
https://www.bleepingcomputer.com/news/security/german-eid-authentication-flaw-lets-you-change-identity/
The authentication process via German ID cards with RFID chips to certain web services can be manipulated to allow identity spoofing and changing the date of birth.
German identity cards issued since 2010 come with a radio frequency identification chip that stores information about the holder. This includes name, date of birth and a biometric picture. If the holder so chooses, it can also store their fingerprints.
RFID chip used for logging in
The new cards are machine-readable and can be used as travel documents in most countries in Europe, as well as for authentication into online government services (tax, mail) or for age verification.
Authenticating with Goethe’s name and address
Wolfgang Ettlinger researched the vulnerability for SEC Consult Vulnerability Lab and was able to bypass protections from the authentication server and fool the web application into accepting the altered data.
My name is Johann Wolfgang von Goethe – I can prove it
https://sec-consult.com/en/blog/2018/11/my-name-is-johann-wolfgang-von-goethe-i-can-prove-it/
The German government-issued identity card (nPA) allows German citizens to not only prove their identity in person, but also against online services (by using the embedded RFID chip). SEC Consult conducted a short security test on a software component commonly used to implement this authentication mechanism. A critical security vulnerability was found during this security test, allowing an attacker to impersonate arbitrary users against affected web applications.
Tomi Engdahl says:
Rotexy Mobile Trojan Launches 70k+ Attacks in Three Months
https://www.bleepingcomputer.com/news/security/rotexy-mobile-trojan-launches-70k-attacks-in-three-months/
A mobile spyware that turned into a banking trojan with ransomware capabilities managed to launch over 70,000 attacks in the course of just three months.
The name of the beast is Rotexy now but it used to be detected as SMSThief back in its spying days.
Malware analysts at Kaspersky Lab took a closer look at this mobile threat that was noticed for the first time in 2014 and proved to be highly versatile since its early releases.
The researchers found that it can get instructions via the Google Cloud Messaging (GCM) service that delivers messages in JSON format to mobile devices.
This channel, however, won’t work beyond April 11, 2019, because Google has deprecated it.
Another method Rotexy uses to deliver commands to the compromised target is from a command and control (C2) server, as it is typical for most malware.
The third method is SMS based and allows the operator to control the actions of malware by sending a text message to the infected mobile phone.
Tomi Engdahl says:
When to Cut Your Losses on a Wasteful Security Project
https://www.securityweek.com/when-cut-your-losses-wasteful-security-project
In a December 2011 Forbes article entitled “How To Waste $100 Billion: Weapons That Didn’t Work Out”, author Loren Thompson discusses a number of government weapons programs that were scrapped after billions of dollars were sunk. The circumstances under which each project went south vary, but they do share one very interesting point in common. What is that point? That the question of when to cut losses should have been asked and discussed at several different points along the way. Unfortunately, it never was, and the results speak for themselves.
Managing a large, complex military project is, not surprisingly, extremely complex. Nonetheless, as with any project, checkpoints should be installed along the way to ensure that the project is moving towards achieving its goals on time and within budget. When this doesn’t happen, projects can veer off course into the realm of over time and over budget, as was the case with the projects referenced in Loren Thompson’s Forbes article.
So what does this have to do with information security? I would argue that lessons from the field of project management can offer us valuable insight that we can leverage to improve and strengthen our respective security programs. How so? Allow me to elaborate.
Any information security organization will have a number of different initiatives and projects going on at any given time.
So what are some ways in which organizations can avoid the trap of a wasteful project? Though not an exhaustive list, I provide five suggestions here:
1. Go back to basics: When we ask ourselves how we can assess what activities bring added value to the security organization, we need to go back to basics to find the answer.
2. Enforce project management: If you think that project management best practices are only for weapons programs and software projects, think again. Everyone should be familiar with project management techniques. Why should security efforts be run any less formally than any other project?
3. Keep an eye on budgets: It goes without saying that budgets in security are never large enough to cover all of the bases that a security organization wants to cover. So why throw money towards people, process, and technology that don’t bring value? The amount of money being spent on various different efforts should be correlated to the value-add those efforts bring.
4. Keep an eye on schedules: Who loves to see a project run over schedule and be delivered late or never at all? No one. Absolutely no one. So why let things get out of hand? Set up gates and checkpoints along the way to evaluate progress against project goals.
5. Avoid bright shiny objects: The security profession seems to get distracted by bright shiny objects every now and again. Every so often, a new type of product or service comes along that generates an unwarranted amount of buzz, hype, and hysteria. Often, all of this attention comes without any mapping back to real operational problems that organizations are looking to solve.
Tomi Engdahl says:
Attackers Exploit Recently Patched Popular WordPress Plugin
https://www.securityweek.com/attackers-exploit-recently-patched-popular-wordpress-plugin
Recently patched vulnerabilities in the popular AMP for WP plugin are being targeted in an active Cross-Site Scripting (XSS) campaign, Wordfence reports.
With over 100,000 installs, the plugin adds Accelerated Mobile Pages (Google AMP Project) functionality to websites, which makes them faster for mobile users.
Given its popularity, AMP for WP also represents a lucrative target for cybercriminals, especially if site admins are behind with their patching efforts. To exploit the newly discovered vulnerabilities, an attacker needs a minimum of subscriber-level access on a vulnerable site.
Revealed last week, the vulnerabilities allow an attacker to leverage privileges and make administrative changes to a website. Thus, any website using a vulnerable version of the AMP for WP plugin could be targeted with malware/code injection. Version 0.9.97.20 of AMP for WP addresses the issue.
Tomi Engdahl says:
US Says China Hacking Increasing Ahead of Trump-Xi Meeting
https://www.securityweek.com/us-says-china-hacking-increasing-ahead-trump-xi-meeting
A U.S. government report ahead of a meeting between Presidents Donald Trump and Xi Jinping accuses China of stepping up hacking aimed at stealing American technology as a tariff dispute escalated.
Tomi Engdahl says:
European Privacy Search Engines Aim to Challenge Google
https://www.securityweek.com/european-privacy-search-engines-aim-challenge-google
In the battle for online privacy, U.S. search giant Google is a Goliath facing a handful of European Davids.
The backlash over Big Tech’s collection of personal data offers new hope to a number of little-known search engines that promise to protect user privacy.
Sites like Britain’s Mojeek, France’s Qwant, Unbubble in Germany and Swisscows don’t track user data, filter results or show “behavioral” ads.
These sites are growing amid the rollout of new European privacy regulations and numerous corporate data scandals, which have raised public awareness about the mountains of personal information companies stealthily gather and sell to advertisers.
Tomi Engdahl says:
Amazon Exposes Customer Names, Email Addresses
https://www.securityweek.com/amazon-exposes-customer-names-email-addresses
Amazon informed some customers this week that their name and email address were exposed due to a “technical error,” but the company provided very few other details.
The e-commerce giant claims the issue has been addressed and has told users that they do not need to change their password or take any other action. It has also revealed that the incident is not a result of something customers have done.