This posting is here to collect cyber security news in May 2019.
I post links to security vulnerability news to comments of this article.
If you are interested in cyber security trends, read my Cyber security trends 2019 posting.
You are also free to post related links.
355 Comments
Tomi Engdahl says:
Top-Tier Russian Hacking Collective Claims Breaches of Three Major Anti-Virus Companies
https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies
“Fxmsp” is a high-profile Russian- and English-speaking hacking collective. They specialize in breaching highly secure protected networks to access private corporate and government information.
They have a long-standing reputation for selling sensitive information from high-profile global government and corporate entities.
In March 2019, Fxmsp stated they could provide exclusive information stolen from three top anti-virus companies located in the United States.
Tomi Engdahl says:
Kieren McCarthy / The Register:
FBI arrested the CFO of school lunch provider Choicelunch for allegedly hacking competitor The LunchMaster and stealing data on hundreds of Bay Area students
https://www.theregister.co.uk/2019/05/06/school_lunch_data/
Feds nab top exec on allegations he hacked a competitor, stole info… about school lunches?!
The cutthroat world of children’s food in the spotlight
Tomi Engdahl says:
Hackers are collecting payment details, user passwords from 4,600 sites
https://www.zdnet.com/article/hackers-are-collecting-payment-details-user-passwords-from-4600-sites/
Same hacker group compromises Alpaca Forms and Picreel to deploy malicious code to thousands of sites.
Hackers have breached analytics service Picreel and open-source project Alpaca Forms and have modified JavaScript files on the infrastructure of these two companies to embed malicious code on over 4,600 websites, security researchers have told ZDNet.
The attack is ongoing, and the malicious scripts are still live, at the time of this article’s publishing.
Tomi Engdahl says:
WhatsApp voice calls used to inject Israeli spyware on phones
https://amp.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab?__twitter_impression=true
Messaging app discovers vulnerability that has been open for weeks
NSO’s Pegasus software can allegedly penetrate any iPhone via one simple missed call on WhatsApp
WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function.
Tomi Engdahl says:
Fxmsp Chat Logs Reveal the Hacked Antivirus Vendors, AVs Respond
https://www.bleepingcomputer.com/news/security/fxmsp-chat-logs-reveal-the-hacked-antivirus-vendors-avs-respond/
A report last week about the Fxmsp hacker group claiming access to the networks and source code of three antivirus companies with offices in the U.S. generated statements from alleged victims that are disputed by the firm that sounded the alarm.
Up until this week, the names of the victims remained undisclosed to the public due to the sensitive nature of the matter and because authorities had been alerted of the incidents.
a conversation about source code files for various products from antivirus companies Symantec, McAfee, and Trend Micro.
The company also sent us a screenshot showing the properties of a video file to support their findings. According to AdvIntel, the video shows content from the hop server and transfer of gigabytes of data from the compromised antivirus company, with file timestamps, actor commentary, source code, and walkthrough of the actual code.
Fxmsp talked about getting into the network of Trend Micro and stealing source code from the company, all without triggering detection.
Multiple news outlets received a statement from Symantec denying having been contacted by AdvIntel researchers.
AdvIntel says that Trend Micro was the first of the companies they contacted
Tomi Engdahl says:
A Cisco Router Bug Has Massive Global Implications
https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/
The Cisco 1001-X series router doesn’t look much like the one you have in your home. It’s bigger and much more expensive, responsible for reliable connectivity at stock exchanges, corporate offices, your local mall, and so on.
Now, researchers are disclosing a remote attack that would potentially allow a hacker to take over any 1001-X router and compromise all the data and commands that flow through it.
And it only gets worse from there.
To compromise the routers, researchers from the security firm Red Balloon exploited two vulnerabilities
Once the researchers gain root access, they can bypass the router’s most fundamental security protection. Known as the Trust Anchor
“We’ve shown that we can quietly and persistently disable the Trust Anchor,” says Ang Cui, the founder and CEO of Red Balloon, who has a history of revealing major Cisco vulnerabilities. “That means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything.”
Tomi Engdahl says:
Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution
https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/
Linux machines running distributions powered by kernels prior to 5.0.8 are affected by a race condition vulnerability leading to a use after free, related to net namespace cleanup, exposing vulnerable systems to remote attacks.
The attacks can be launched with the help of specially crafted TCP packets sent to vulnerable Linux boxes which can trigger use-after-free errors and enable the attackers to execute arbitrary code on the target system.
The remotely exploitable vulnerability has been assigned an 8.1 high severity base score by NIST’s NVD, it is being tracked as CVE-2019-11815 (Red Hat, Ubuntu, SUSE, and Debian) and it could be abused by unauthenticated attackers without interaction from the user.
Tomi Engdahl says:
CVE-2019-11815 Detail
https://nvd.nist.gov/vuln/detail/CVE-2019-11815
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11815
An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.
Tomi Engdahl says:
Analysis Report (AR19-133A)
Microsoft Office 365 Security Observations
https://www.us-cert.gov/ncas/analysis-reports/AR19-133A
As the number of organizations migrating email services to Microsoft Office 365 (O365) and other cloud services increases, the use of third-party companies that move organizations to the cloud is also increasing. Organizations and their third-party partners need to be aware of the risks involved in transitioning to O365 and other cloud services.
This Analysis Report provides information on these risks as well as on cloud services configuration vulnerabilities; this report also includes recommendations for mitigating these risks and vulnerabilities.
Tomi Engdahl says:
ScarCruft continues to evolve, introduces Bluetooth harvester
https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
After publishing our initial series of blogposts back in 2016, we have continued to track the ScarCruft threat actor. ScarCruft is a Korean-speaking and allegedly state-sponsored threat actor that usually targets organizations and companies with links to the Korean peninsula. The threat actor is highly skilled and, by all appearances, quite resourceful.
Tomi Engdahl says:
Russia Is Targeting Europe’s Elections. So Are Far-Right Copycats.
https://www.nytimes.com/2019/05/12/world/europe/russian-propaganda-influence-campaign-european-elections-far-right.html
Less than two weeks before pivotal elections for the European Parliament, a constellation of websites and social media accounts linked to Russia or far-right groups is spreading disinformation, encouraging discord and amplifying distrust in the centrist parties that have governed for decades.
European Union investigators, academics and advocacy groups say the new disinformation efforts share many of the same digital fingerprints or tactics used in previous Russian attacks, including the Kremlin’s interference in the 2016 U.S. presidential campaign.
The activity offers fresh evidence that despite indictments, expulsions and recriminations, Russia remains undeterred in its campaign to widen political divisions and weaken Western institutions. Despite online policing efforts by American technology companies, it remains far easier to spread false information than to stop it.
Russia remains a driving force, but researchers also discovered numerous copycats, particularly on the far right.
Conspiracy theories are peddled freely, including that last month’s Notre-Dame fire was the work of Islamic terrorists, a spy agency, or an elite cabal that secretly runs the world.
Often, these messages come directly from Russian news media and are repeated and amplified elsewhere.
The European Parliament elections, which will be held between May 23 and May 26, are regarded as a test of rising populism in the European Union. Populist leaders, many of them sympathetic to Russia, have loosely joined together in hopes of expanding their influence in the Parliament and, in turn, redirecting or subverting policymaking in Brussels.
Intelligence officials have not publicly accused the Kremlin of backing specific candidates in Europe
Russia dismisses accusations of meddling.
“The election has yet to come, and we are already suspected of doing something wrong?” the Russian prime minister, Dmitri A. Medvedev, said in March. “Suspecting someone of an event that has not yet happened is a bunch of paranoid nonsense.”
Yet even as Russia remains a concern, officials say political groups across the Continent — particularly supporters of the far right — are adopting many of the Kremlin’s tactics, further blurring who is behind the messages.
Technology companies have toughened policies to eliminate fake accounts, but researchers say their platforms will always be fertile ground for influence campaigns. Algorithms reward content that keeps users engaged, which means posts that stir anger spread and get clicks.
“We are fundamentally dealing with a security challenge,” said Nathaniel Gleicher, head of Facebook’s cybersecurity policy. “There are a set of actors that want to manipulate public debate.”
Tomi Engdahl says:
Website Infections Holding Steady at 1%, But Attacks Becoming Stealthier: Report
https://www.securityweek.com/website-infections-holding-steady-1-attacks-becoming-stealthier-report
Only 1% of websites are infected with malware at any given time, but this translates to a colossal 17.6 million websites overall, a new report shows. Many visitors, and website owners, rely on their search engine of choice to tell them whether any particular site is infected — but only 15% of infected websites are blacklisted by the search engines.
These figures come from the SiteLock 2019 Website Security Report. SiteLock sampled 6,056,969 websites, looking at both infections and vulnerabilities. It found that sites with an external-facing vulnerability are 3.3 times more likely to be infected. XSS vulnerabilities are found in 1.44% of sites, and 3% of those contain malware.
SQLi vulnerabilities are found in 6% of sites, and 2% of those have malware. Cross-site request forgery (CSRF) vulnerabilities are present in 1% of sites, and of those, 3% have malware.
Overall, website attacks grew by 59% during 2018, averaging 62 attacks per day over the year from 330 different bots.
Tomi Engdahl says:
Facebook Patches WhatsApp Flaw Exploited to Spy on Users
https://www.securityweek.com/facebook-patches-whatsapp-flaw-exploited-spy-users
Facebook has patched a critical zero-day vulnerability in WhatsApp that can and has been exploited to remotely install spyware on phones by calling the targeted device.
The flaw, tracked as CVE-2019-3568, has been described by Facebook as a buffer overflow in the WhatsApp VOIP stack. The security hole allows an attacker to remotely execute arbitrary code by sending specially crafted SRTCP packets to the targeted phone number.
Tomi Engdahl says:
US, EU Spar Over Sharing Electronic Evidence in Investigations
https://www.securityweek.com/us-eu-spar-over-sharing-electronic-evidence-investigations
Tomi Engdahl says:
Nine Charged in SIM Hijacking Scheme
https://www.securityweek.com/nine-charged-sim-hijacking-scheme
The United States has indicted nine individuals with online identity theft and related charges, the U.S. Department of Justice announced.
Six of the individuals were charged with wire fraud in connection to the hacking group “The Community,” while three former employees of mobile phone providers were charged with wire fraud in relation to the conspiracy.
Tomi Engdahl says:
GAO Makes Recommendations to Improve Security of Taxpayer Data
https://www.securityweek.com/gao-makes-recommendations-improve-security-taxpayer-data
The U.S. Internal Revenue Service (IRS) is required by federal law to protect the security of the sensitive taxpayer information it holds on its systems. What it does not do, and currently believes it cannot do, is protect the information that is held by third-party tax preparers before it reaches the IRS. During 2018, 80.3 million tax returns were prepared and filed electronically in this manner, with a further 55.2 million prepared via tax preparation software.
This is not an idle concern. According to IRS figures, it detected and prevented at least $11.7 billion in fraud attempts, but still paid out at least $0.1 billion to fraudsters during 2017.
The threat is twofold.
Tomi Engdahl says:
New Bill Proposes Cybersecurity Training for U.S. House Members
https://www.securityweek.com/new-bill-proposes-cybersecurity-training-us-house-members
A bill introduced last week requires all members, officers and employees of the U.S. House of Representatives to undergo annual cybersecurity training.
Tomi Engdahl says:
Hackers Add Security Software Removal to Banload Banking Malware
https://www.securityweek.com/hackers-add-security-software-removal-banload-banking-malware
There are two primary characteristics of the Brazilian hacking scene: a focus on Brazil, and the adaptability of the hackers. Very strict money laws make trans-border money movement difficult, ensuring that most targets remain local; and the hackers tend to move on to new targets when the current one becomes too difficult.
Tomi Engdahl says:
Cameron Faulkner / The Verge:
Amazon says Alexa Guard, which lets Echo speakers listen for security incidents in homes and send Smart Alerts in case of danger, is now rolling out in the US
Alexa Guard is coming soon for all Echo owners in the US
https://www.theverge.com/2019/5/14/18618098/alexa-guard-amazon-echo-speaker-security-feature
This free feature turns your smart speaker into a useful security device
Amazon’s Alexa Guard feature is now rolling out in the US, following an invite-only preview that lasted a few months. This free update lets your Echo speaker listen for signs of danger in your home while you’re away. Sounds like glass breaking (caused by a burglar or a moody cat) or a smoke alarm going off will trigger Alexa to send out Smart Alerts consisting of audio clips. If your Echo has a built-in camera, it will show a direct video feed into your home.
Tomi Engdahl says:
Dell Cameron / Gizmodo:
Symantec says it wasn’t impacted by Fxmsp hack, denies being contacted by researchers, who refute Symantec’s claim; Trend Micro calls hack a “low risk” incident — Symantec and Trend Micro are two of the three top U.S. antivirus companies that a group of Russian-speaking hackers claim …
Antivirus Makers Confirm—and Deny—Getting Breached by Hackers Looking to Sell Stolen Data
https://gizmodo.com/antivirus-makers-confirm-and-deny-getting-breached-afte-1834725136
Symantec and Trend Micro are among the list of leading antivirus companies that a group of Russian-speaking hackers allege to have compromised, Gizmodo has learned. It remains unclear to what degree the claim is true, if any.
The hackers, known as “Fxmsp,” are said to be offering to sell the stolen data—around 30 terabytes’ worth—for over $300,000. Gizmodo has not itself reviewed or verified any of the allegedly stolen documents.
Symantec, maker of Norton Antivirus software, confirmed that it was contacted last week by researchers at AdvIntel, who discovered that Symantec was among the list of alleged victims. Symantec told Gizmodo it is aware of the claim, but does not believe there’s reason for its customers to be concerned. “There is no indication that Symantec has been impacted by this incident,” the company said.
Previously, AdvIntel said it believed Fxmsp was a “credible threat” and said the group had raked in close to $1 million already by selling off data stolen in “verifiable corporate breaches.”
Tomi Engdahl says:
New secret-spilling flaw affects almost every Intel chip since 2011
https://techcrunch.com/2019/05/14/zombieload-flaw-intel-processors/
Security researchers have found a new class of vulnerabilities in Intel chips which, if exploited, can be used to steal sensitive information directly from the processor.
The bugs are reminiscent of Meltdown and Spectre
“ZombieLoad,” as it’s called, is a side-channel attack targeting Intel chips, allowing hackers to effectively exploit design flaws rather than injecting malicious code. Intel said ZombieLoad is made up of four bugs, which the researchers reported to the chip maker just a month ago.
Almost every computer with an Intel chip dating back to 2011 is affected by the vulnerabilities. AMD and ARM chips are not said to be vulnerable, as with earlier side-channel attacks.
ZombieLoad takes its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read.
the researchers showed in a proof-of-concept video
Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device.
Although no attacks have been publicly reported, the researchers couldn’t rule them out nor would any attack necessarily leave a trace, they said.
What does this mean for the average user? There’s no need to panic, for one.
These are far from drive-by exploits where an attacker can take over your computer in an instant. Gruss said it was “easier than Spectre” but “more difficult than Meltdown” to exploit — and both required a specific set of skills and effort to use in an attack.
But if exploit code was compiled in an app or delivered as malware, “we can run an attack,” he said.
Intel has released microcode to patch vulnerable processors, including Intel Xeon, Intel Broadwell, Sandy Bridge, Skylake and Haswell chips. Intel Kaby Lake, Coffee Lake, Whiskey Lake and Cascade Lake chips are also affected, as well as all Atom and Knights processors.
Computer makers Apple and Microsoft and browser makers Google have released patches, with other companies expected to follow.
Intel’s technical note on the issue
https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html
Tomi Engdahl says:
Taylor Hatmaker / TechCrunch:
San Francisco passes a ban on the use of facial recognition technology by city agencies, the first ban of its kind for a major American city — On Tuesday, San Francisco’s Board of Supervisors voted to approve a ban on the use of facial recognition tech by city agencies.
San Francisco passes city government ban on facial recognition tech
https://techcrunch.com/2019/05/14/san-francisco-facial-recognition-ban/
On Tuesday, San Francisco’s Board of Supervisors voted to approve a ban on the use of facial recognition tech by city agencies, including the police department. The Stop Secret Surveillance Ordinance, introduced by San Francisco Supervisor Aaron Peskin, is the first ban of its kind for a major American city and the seventh major surveillance oversight effort for a municipality in California.
“I want to be clear — this is not an anti-technology policy,”
Importantly, the ordinance also includes a provision that would require city departments to seek specific approval before acquiring any new surveillance equipment. The ban would not impact facial recognition tech deployed by private companies, though it would affect any companies selling tech to the city government.
Tomi Engdahl says:
Tom Warren / The Verge:
Microsoft warns of major WannaCry-like Windows security exploit affecting older versions like XP that could spread malware via RDS protocol, releases patches — Windows 10 and Windows 8 are safe — Microsoft is warning users of older versions of Windows to urgently apply a Windows Update today …
Microsoft warns of major WannaCry-like Windows security exploit, releases XP patches
https://www.theverge.com/2019/5/14/18623565/microsoft-windows-xp-remote-desktop-services-worm-security-patches
Windows 10 and Windows 8 are safe
Microsoft is warning users of older versions of Windows to urgently apply a Windows Update today to protect against a potential widespread attack. The software giant has patched a critical remote code execution vulnerability in Remote Desktop Services that exists in Windows XP, Windows 7, and server versions like Windows Server 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft is taking the highly unusual approach of releasing patches for Windows XP and Windows Server 2003 even though both operating systems are out of support. Windows XP users will have to manually download the update from Microsoft’s update catalog.
“This vulnerability is pre-authentication and requires no user interaction,” explains Simon Pope, director of incident response at Microsoft’s Security Response Center. “In other words, the vulnerability is ‘wormable’,
Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Tomi Engdahl says:
Kaitlyn Tiffany / Vox:
An examination of the opaque data collection practices in mobile games, which have largely escaped the level of scrutiny applied to social media companies — Seemingly simple mobile games made us all way too comfortable with giving away our personal information. — Angry Birds is so 2009, you might say.
Angry Birds and the end of privacy
https://www.vox.com/explainers/2019/5/7/18273355/angry-birds-phone-games-data-collection-candy-crush
Seemingly simple mobile games made us all way too comfortable with giving away our personal information.
Tomi Engdahl says:
The Keyword:
Google opens a Safety Engineering Center in Munich as a global hub for its cross-product privacy efforts, to double privacy engineers to 200+ this year
A global hub for privacy engineering, in the heart of Europe
https://www.blog.google/around-the-globe/google-europe/global-hub-privacy-engineering-heart-europe/
Tomi Engdahl says:
MI5 slapped on the wrist for ‘serious’ surveillance data breach
Auditors poked around for a week after too many Peeping Toms had a trawl
https://www.theregister.co.uk/2019/05/15/mi5_data_breach_investigatory_powers/
Home Secretary Sajid Javid has confessed to Parliament that MI5 bungled the security of “certain technology environments used to store and analyse data,” including that of ordinary Britons spied on by the agency.
In a lengthy Parliamentary statement made last week, Javid obliquely admitted that spies had allowed more people to help themselves to its treasure troves of data on British citizens than was legally allowed.
Tomi Engdahl says:
Microsoft emits free remote-desktop security patches for WinXP to Server 2008 to avoid another WannaCry
Plus plenty of other fixes from Redmond and Adobe – and special guest star Citrix
https://www.theregister.co.uk/2019/05/15/may_patch_tuesday/
Tomi Engdahl says:
Linux Kernel Prior to 5.0.8 Vulnerable to Remote Code Execution
https://www.bleepingcomputer.com/news/security/linux-kernel-prior-to-508-vulnerable-to-remote-code-execution/
Tomi Engdahl says:
WhatsApp discovers ‘targeted’ surveillance attack
https://www.bbc.com/news/technology-48262681
Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.
WhatsApp has 1.5bn users, but it believed the attacks were highly targeted.
The surveillance software involved was developed by Israeli firm NSO Group, according to a report in the Financial Times.
WhatsApp promotes itself as a “secure” communications app because messages are end-to-end encrypted
the surveillance software would have let an attacker read the messages on the target’s device
How was the security flaw used?
It involved attackers using WhatsApp’s voice calling function to ring a target’s device.
Even if the call was not picked up, the surveillance software could be installed. According to the FT report, the call would often disappear from the device’s call log.
Tomi Engdahl says:
Google recalls its Bluetooth Titan Security Keys because of a security bug
https://techcrunch.com/2019/05/15/google-recalls-its-bluetooth-titan-security-keys-because-of-a-security-bug/
Tomi Engdahl says:
Huawei ‘prepared to sign no-spy agreement with UK government’
https://www.theguardian.com/technology/2019/may/14/huawei-founder-shut-down-china-eavesdrop
Chinese telecoms company’s chairman says concerns about surveillance are overblown
Huawei’s chairman has said the Chinese company would be prepared to sign a “no-spy agreement” with the British government to reassure politicians it has no intention of allowing its technology to be used for surveillance.
“We are willing to sign a no-spy agreement with the UK government,” the company’s chairman told reporters, the first time he has made the offer of such a commitment public. “No spying, no back doors.”
He said Huawei had not been asked to conduct any surveillance by the Chinese government and insisted there were “no laws requiring the companies to collect intelligence from foreign governments”.
Tomi Engdahl says:
Ice Hockey World Championship: The risks of free live streaming
https://www.welivesecurity.com/2019/05/15/ice-hockey-world-championship-streaming/
You think you’re watching the games for free, but are you sure that’s the case? Let’s review some of the risks that may come with free live streaming websites
Malicious ads on streaming sites often involve covering the player with faux [Close] buttons that scream for being clicked, as they obscure most of or the entire player. The site may also ask you to download software such as a ‘plugin’ to watch the games, which, too, results in a malware infection. Or the site may display a fake alert that your device has been compromised with malicious software and that, in order to ‘clean up’, you need to download a tool from the site or call the phone number displayed in the pop-up window.
In some cases, dodgy sports streaming sites automatically redirect users to other websites that use social engineering in a bid to steal people’s personal data.
Covert cryptocurrency mining is another threat, as many streaming websites aim to hijack users’ machines to mine virtual currencies. Some miners are even explicitly designed to harness mobiles, so users streaming on mobile aren’t necessarily safe either.
Tomi Engdahl says:
Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
Tomi Engdahl says:
The NSO WhatsApp Vulnerability – This is How It Happened
https://research.checkpoint.com/the-nso-whatsapp-vulnerability-this-is-how-it-happened/
Facebook’s advisory describes it as a “buffer overflow vulnerability” in the SRTCP protocol, so we started by patch-diffing the new WhatsApp version for Android (v2.19.134, 32-bit program) in search of a matching code fix. Soon enough we stumbled upon two code fixes in the SRTCP module:
Conclusion
WhatsApp implemented their own implementation of the complex SRTCP protocol, and it is implemented in native code, i.e. C/C++ and not Java. During our patch analysis of CVE-2019-3568, we found two newly added size checks that are explicitly described as sanitation checks against memory overflows when parsing and handling the network packets in memory.
As the entire SRTCP module is pretty big, there could be additional patches that we’ve missed.
Tomi Engdahl says:
Hackers Inject Magecart Card Skimmer in Forbes’ Subscription Site
https://www.bleepingcomputer.com/news/security/hackers-inject-magecart-card-skimmer-in-forbes-subscription-site/
Tomi Engdahl says:
Bots Tampering with TLS to Avoid Detection
https://blogs.akamai.com/sitr/2019/05/bots-tampering-with-tls-to-avoid-detection.html
Researchers at Akamai observed attackers using a novel approach for evading detection. This new technique – which we call Cipher Stunting – has become a growing threat, with its roots tracing back to early 2018. By using advanced methods, attackers are randomizing SSL/TLS signatures in an attempt to evade detection attempts.
Attackers have continued to change the way they operate, adding complexity and sophistication to their evasion techniques as they target businesses like airlines, banking, and dating websites. Over the last few months, attackers have been tampering with SSL/TLS signatures at a scale never before seen by Akamai.
A majority (~82%) of the malicious traffic (including application attacks, web scraping, credential abuse, etc.) Akamai witnesses is carried out using secure connections over SSL/TLS. This number has grown over the last few years, since more web applications have started using SSL/TLS as their default method of data transport.
Tomi Engdahl says:
The radio navigation planes use to land safely is insecure and can be hacked
Radios that sell for $600 can spoof signals planes use to find runways.
https://arstechnica.com/information-technology/2019/05/the-radio-navigation-planes-use-to-land-safely-is-insecure-and-can-be-hacked/
Like many technologies built in earlier decades, the ILS was never designed to be secure from hacking. Radio signals, for instance, aren’t encrypted or authenticated. Instead, pilots simply assume that the tones their radio-based navigation systems receive on a runway’s publicly assigned frequency are legitimate signals broadcast by the airport operator. This lack of security hasn’t been much of a concern over the years, largely because the cost and difficulty of spoofing malicious radio signals made attacks infeasible.
Now, researchers have devised a low-cost hack that raises questions about the security of ILS, which is used at virtually every civilian airport throughout the industrialized world. Using a $600 software defined radio, the researchers can spoof airport signals in a way that causes a pilot’s navigation instruments to falsely indicate a plane is off course.
ILS malfunctions are a known threat to aviation safety, and experienced pilots receive extensive training in how to react to them. A plane that’s misaligned with a runway will be easy for a pilot to visually notice in clear conditions, and the pilot will be able to initiate a missed approach fly-around.
Another reason for measured skepticism is the difficulty of carrying out an attack. In addition to the SDR, the equipment needed would likely require directional antennas and an amplifier to boost the signal. It would be hard to sneak all that gear onto a plane in the event the hacker chose an onboard attack.
Tomi Engdahl says:
Israeli TV Eurovision webcast hacked with fake missile alert
https://www.theguardian.com/world/2019/may/15/israeli-tv-eurovision-webcast-hacked-with-fake-missile-alert
Song contest semi-final interrupted with warnings of imminent attack on Tel Aviv
The online stream of the Eurovision semi-finals in Israel was hacked to show warnings of a missile strike and images of blasts in the host city, Tel Aviv.
The website for KAN’s television stations was interrupted on Tuesday evening – just as the competition’s first round was beginning – with a fake alert from Israel’s army telling of an impending attack.
Messages such as: “Risk of Missile Attack, Please Take Shelter” and: “Israel is NOT Safe. You Will See!” appeared on the screen. Animated satellite footage showed explosions in the coastal city.
“We know that at a certain stage there was an attempt, apparently by Hamas, to commandeer our digital broadcast,” the chief executive of KAN, Eldad Koblenz, told Israel’s Army Radio.
“But I am happy to say that within a few minutes we managed to assume control over this phenomenon.”
Tomi Engdahl says:
Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers
https://news.slashdot.org/story/19/05/15/1846237/firms-that-promised-high-tech-ransomware-solutions-almost-always-just-pay-the-hackers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
As ransomware attacks crippled businesses and law enforcement agencies, two U.S. data recovery firms claimed to offer an ethical way out. Instead, they typically paid the ransom and charged victims extra.
The Trade Secret
https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/
Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers
“It is easy to take the position that no one should pay a ransom in a ransomware attack because such payments encourage future ransomware attacks,” he said. “It is much harder, however, to take that position when it is your data that has been encrypted and the future of your company and all of the jobs of your employees are in peril. It is a classic moral dilemma.”
No U.S. laws prohibit paying ransoms. The FBI frowns on it officially — and winks at it in practice. Ransom payment “encourages continued criminal activity, leads to other victimizations, and can be used to facilitate serious crimes,” an FBI spokesperson told ProPublica in an email. But in 2015, the assistant special agent in charge of the FBI’s cyber program in Boston said at a cybersecurity conference that the bureau will “often advise people just to pay the ransom,” according to news reports.
Tomi Engdahl says:
Bitcoin scammers net nearly $1M by telling people they can see them masturbate
https://thenextweb.com/security/2019/05/16/bitcoin-scammers-net-nearly-1m-by-telling-people-they-can-see-them-masturbate/
A new kind of scam has accrued almost $1 million in bitcoin from frightened porn viewers, says a new report — and they’re staining the good names of Shakespeare and Austen to do it.
According to the report, from cybersecurity firm Area 1, this scam involves a threatening email, in which the victim is told videos or pictures of them watching pornography will be leaked to their contacts, along with whatever they were watching, unless they pay a ransom in Bitcoin.
Phishing with Fear Report
The Rising Threat of PhishedCoin
https://www.area1security.com/phishing-with-fear/
Tomi Engdahl says:
No, end-to-end encryption isn’t a marketing gimmick
https://thenextweb.com/security/2019/05/14/no-end-to-end-encryption-isnt-a-marketing-gimmick/
WhatsApp, like many messaging apps, uses end-to-end encryption, which ensures that an intermediary cannot snoop on what’s being said. Bershidsky’s argument, summed up roughly, is that while WhatsApp remains vulnerable to other attacks, end-to-end encryption is nothing short of a “marketing device” designed to “lull consumers wary about cyber-surveillance into a false sense of security.”
It’s important that his arguments, which are misleading and technically inaccurate, do not go unaddressed.
This is downright irresponsible and dangerous to claim. End-to-end encryption isn’t broken. If the device is pwned, the data is pwned. Saying end-to-end encryption is broken will deter people from using it — when it’s perfectly fine to use. https://t.co/5hx6lLtpg6
— Zack Whittaker (@zackwhittaker) May 14, 2019
Firstly, let’s address his criticism that the term “end-to-end encryption” is a “marketing device.”
It isn’t. It just fucking isn’t. I don’t know what else to say here. It’s a technical term with a very precise, universally-accepted definition. That just isn’t up for debate.
Bershidsky’s argument hinges primarily on the fact that applications that use end-to-end encryption are susceptible to other threats, like zero-day flaws and sophisticated Israeli spyware. But the thing is, no credible person has ever argued that end-to-end encryption is a security cure-all. Rather, it addresses two serious security problems.
Firstly, end-to-end encryption prevents an adversary sitting in the middle of a connection from intercepting and analyzing the contents of data packets.
The second problem end-to-end encryption solves is that it makes it significantly harder for an adversary to launch session hijacking attacks.
This isn’t hypothetical. Before Facebook introduced SSL-by-default in 2012, ensuring the connection between users and its servers was protected, wresting control of someone’s account was embarrassingly easy. There was even a Firefox plugin called FireSheep, released in 2010, that made it a one-click process.
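The two problems the article says end-to-end encryption solves, and Whittaker's point that a pwned device still leaks everything, can be made concrete in a few dozen lines. The Go program below is an added example, not code from WhatsApp, Signal or the article. Two endpoints agree on a session key with X25519 and seal messages with AES-256-GCM, while a relay in the middle logs every byte it forwards. In end-to-end mode the relay's log holds only public keys and ciphertext; in the transport-only mode (each hop encrypted to the server, as TLS alone gives you) the server decrypts and re-encrypts, so the plaintext sits in its log. The `must` helper, SHA-256 in place of HKDF and the static, non-ratcheting key are simplifications of this example, and the endpoints are assumed to have verified each other's public keys out of band; without that check the relay could substitute its own keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// must panics on error; used only where failure means a broken system CSPRNG or a malformed key.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Endpoint is one device. Its private key never leaves it; that is what "end" means.
type Endpoint struct{ priv *ecdh.PrivateKey }

func NewEndpoint() *Endpoint { return &Endpoint{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }

// Public is the only key material an endpoint hands to the network.
func (e *Endpoint) Public() []byte { return e.priv.PublicKey().Bytes() }

// Session derives the key for talking to peerPub by X25519 agreement and wraps it in
// AES-256-GCM. SHA-256 over the shared secret stands in for HKDF here (a simplification).
func (e *Endpoint) Session(peerPub []byte) (Session, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return Session{}, err
	}
	shared, err := e.priv.ECDH(pub)
	if err != nil {
		return Session{}, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	g, _ := cipher.NewGCM(block)      // AES's 16-byte block always fits GCM
	return Session{g}, nil
}

// Session is the symmetric channel; Seal/Open are AEAD, so any tampering is detected.
type Session struct{ g cipher.AEAD }

func (s Session) Seal(plaintext []byte) []byte {
	nonce := make([]byte, s.g.NonceSize())
	must(rand.Read(nonce))
	return s.g.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
}

func (s Session) Open(msg []byte) ([]byte, error) {
	if n := s.g.NonceSize(); len(msg) >= n {
		return s.g.Open(nil, msg[:n], msg[n:], nil)
	}
	return nil, errors.New("message too short")
}

// Relay is the service in the middle. It has its own key (used only in the transport-only
// model) and logs every byte it handles: what someone who compromises the server gets.
type Relay struct {
	Self *Endpoint
	Log  [][]byte
}

func (r *Relay) forward(m []byte) []byte { r.Log = append(r.Log, m); return m }

// Saw reports whether the given bytes ever crossed the relay in the clear.
func (r *Relay) Saw(needle []byte) bool { return bytes.Contains(bytes.Join(r.Log, []byte{0}), needle) }

// SendE2E delivers plaintext from a to b. Only public keys and ciphertext pass through
// the relay; the session key is derived on the two devices and exists nowhere else.
func SendE2E(a, b *Endpoint, r *Relay, plaintext []byte) ([]byte, error) {
	bPub, aPub := r.forward(b.Public()), r.forward(a.Public())
	ct := r.forward(must(a.Session(bPub)).Seal(plaintext))
	return must(b.Session(aPub)).Open(ct)
}

// SendTransportOnly models hop-by-hop encryption (client to server, then server to
// recipient, which is all TLS alone provides): the relay decrypts in the middle.
func SendTransportOnly(a, b *Endpoint, r *Relay, plaintext []byte) ([]byte, error) {
	hop1 := r.forward(must(a.Session(r.Self.Public())).Seal(plaintext))
	pt, err := must(r.Self.Session(a.Public())).Open(hop1) // the server now holds the plaintext
	if err != nil {
		return nil, err
	}
	hop2 := r.forward(must(r.Self.Session(b.Public())).Seal(r.forward(pt)))
	return must(b.Session(r.Self.Public())).Open(hop2)
}

func main() {
	a, b, msg := NewEndpoint(), NewEndpoint(), []byte("meet at 9")
	for _, send := range []func(*Endpoint, *Endpoint, *Relay, []byte) ([]byte, error){SendE2E, SendTransportOnly} {
		r := &Relay{Self: NewEndpoint()}
		out, err := send(a, b, r, msg)
		fmt.Printf("delivered %q (err=%v); relay saw the plaintext: %v\n", out, err, r.Saw(msg))
	}
}
```

Run it with `go run` (Go 1.20 or later for `crypto/ecdh`). Each device derives the session key from its own private key and the peer's public key; the relay holds neither private key, cannot derive it, and fails the GCM tag check if it tries its own key, which is why `r.Saw(msg)` is false in the first mode and true in the second. Anyone who obtains an endpoint's private key, whether malware on the phone or a spyware implant, derives the same key and reads everything: that is the "if the device is pwned, the data is pwned" point, and it is a statement about the endpoint, not a flaw in end-to-end encryption.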
Tomi Engdahl says:
Washington Post:
Trump issues order blocking US companies from doing business with information and communications technology companies owned or controlled by a foreign adversary — Amid a deepening trade war with China, President Trump on Wednesday declared a “national emergency” to protect U.S. communications networks …
https://www.washingtonpost.com/world/national-security/trump-signs-order-to-protect-us-networks-from-foreign-espionage-a-move-that-appears-to-target-china/2019/05/15/d982ec50-7727-11e9-bd25-c989555e7766_story.html?utm_term=.2dd8eca9c015
Tomi Engdahl says:
Washington Post:
White House won’t sign Christchurch Call to Action, an effort by governments and social media companies to fight online extremism, citing free speech concerns — The White House will not sign an international call to combat online extremism brokered between French and New Zealand officials …
https://www.washingtonpost.com/technology/2019/05/15/white-house-will-not-sign-christchurch-pact-stamp-out-online-extremism-amid-free-speech-concerns/?utm_term=.4663990ed949
Facebook:
Facebook, Microsoft, Twitter, Google, and Amazon sign on to the Christchurch Call to Action, commit to a 9-point plan to stop spread of terrorist content online — Today, Facebook’s Vice President for Global Affairs and Communications Nick Clegg joined G7 government and industry leaders …
Facebook Joins Other Tech Companies to Support the Christchurch Call to Action
https://newsroom.fb.com/news/2019/05/christchurch-call-to-action/
Tomi Engdahl says:
Trojans became more common in April
http://www.etn.fi/index.php/13-news/9473-troijalaiset-yleistyivat-huhtikuussa
Tomi Engdahl says:
Trump Bars U.S. Companies From Foreign Telecoms Posing Security Risk
https://www.securityweek.com/trump-bars-us-companies-foreign-telecoms-posing-security-risk
President Donald Trump declared a national emergency Wednesday barring US companies from using foreign telecoms equipment deemed a security risk — a move that appeared aimed at Chinese giant Huawei.
The order signed by Trump prohibits purchase or use of equipment from companies that pose “an unacceptable risk to the national security of the United States or the security and safety of United States persons.”
“This administration will do what it takes to keep America safe and prosperous and to protect America from foreign adversaries,” White House spokeswoman Sarah Sanders said.
Tomi Engdahl says:
Researchers Link Disparate Chinese Hacking Groups
https://www.securityweek.com/researchers-link-disparate-chinese-hacking-groups
The Chinese government appears to have centralized control over several hacking groups previously believed to be separate threat actors, the BlackBerry Cylance Threat Intelligence security researchers say.
Tomi Engdahl says:
Hackers Exploit ASUS Update Process to Install Backdoor
https://www.securityweek.com/hackers-exploit-asus-update-process-install-backdoor
The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.
Tomi Engdahl says:
Feds seek to up their cybersecurity game
https://www.synopsys.com/blogs/software-security/government-cybersecurity/
Recent government cybersecurity initiatives assume that the federal government has a role to play in securing the IoT and critical infrastructure. Does it?
Tomi Engdahl says:
Thomas Brewster / Forbes:
Europol and FBI arrest the leader and ten members of the GozNym criminal network, who broke into 44K computers and tried to steal ~$100M
Alleged Cybercrime Kingpin Who Tried To Steal $100 Million From 44,000 PCs Charged
https://www.forbes.com/sites/thomasbrewster/2019/05/16/alleged-cybercrime-kingpin-who-tried-to-steal-100-million-from-44000-pcs-charged/#495266317ec6
Tomi Engdahl says:
Owen Bowcott / The Guardian:
UK Supreme Court finds in favor of civil rights organizations and rules that GCHQ’s powers to hack into internet services should be subject to judicial review
UK government security decisions can be challenged in court, judges rule
https://www.theguardian.com/uk-news/2019/may/15/government-security-gchq-decisions-can-be-challenged-in-court-judges-rule
Supreme court says GCHQ’s hacking powers should be subject to judicial review
Tomi Engdahl says:
Stack Overflow confirms breach, but customer data said to be unaffected
https://techcrunch.com/2019/05/16/stack-overflow-data-breach/
Developer knowledge sharing site Stack Overflow has confirmed hackers breached its systems, but said customer data is unaffected.