Cyber Security December 2018

This posting is here to collect security alert news in December 2018.

I post links to security vulnerability news to comments of this article.

You are also free to post related links.

486 Comments

  1. Tomi Engdahl says:

    How a Hacker Proved Cops Used a Secret Government Phone Tracker to Find Him
    https://www.politico.com/magazine/story/2018/06/03/cyrus-farivar-book-excerpt-stingray-218588

    And how it might change what cops can do with our smartphones.

  2. Tomi Engdahl says:

    Cyberattack hits US newspaper distribution
    https://www.google.com/amp/s/www.cnbc.com/amp/2018/12/30/cyberattack-hits-us-newspaper-distribution.html

    The cyberattack appeared to originate outside the United States, the Los Angeles Times reported, citing a source with knowledge of the situation.
    The attack led to distribution delays in the Saturday edition of The Los Angeles Times, the Chicago Tribune, The Baltimore Sun and others.

  3. Tomi Engdahl says:

    Cyber-attack disrupts printing of major US newspapers
    https://www.google.com/amp/s/amp.theguardian.com/technology/2018/dec/30/cyber-attack-disrupts-printing-of-major-us-newspapers

    Los Angeles Times, Chicago Tribune, Wall Street Journal and New York Times among titles affected by virus that hit shared systems

    Tribune Publishing, which owns the Chicago Tribune and the Sun, as well as the New York Daily News and Orlando Sentinel, said it first detected the malware on Friday.

    The west coast editions of the Wall Street Journal and New York Times

  4. Tomi Engdahl says:

    Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
    https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html

    What first arose as a server outage was identified Saturday as a malware attack, which appears to have originated from outside the United States and hobbled computer systems and delayed weekend deliveries of the Los Angeles Times and other newspapers across the country.

  5. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    CenturyLink says all consumer services impacted by a ~32-hour outage that started on Thursday, including its 911 emergency services, have been restored
    https://techcrunch.com/2018/12/28/911-service-outage-centurylink/

    911 emergency services in several states across the U.S. went down after a massive outage at a CenturyLink data center.

    CenturyLink, one of the largest telecommunications providers in the U.S., provides internet and phone backbone services to major cell carriers, including AT&T and Verizon. Data center or fiber issues can have a knock-on effect to other companies, cutting out service and causing cell site blackouts.

    In this case, the outage affected only cellular calls to 911, and not landline calls.

  6. Tomi Engdahl says:

    Los Angeles Times:
    Malware attack on Tribune Publishing’s network disrupts the printing and distribution of Saturday editions of LA Times, WSJ, NYT, and other papers

    Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
    https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html

    What first arose as a server outage was identified Saturday as a malware attack, which appears to have originated from outside the United States and hobbled computer systems and delayed weekend deliveries of the Los Angeles Times and other newspapers across the country.

    Technology teams worked feverishly to quarantine the computer virus, but it spread through Tribune Publishing’s network and reinfected systems crucial to the news production and printing process. Multiple newspapers around the country were affected because they share a production platform.

    The attack delayed distribution of Saturday editions of the Los Angeles Times and San Diego Union Tribune. It also stymied distribution of the West Coast editions of the Wall Street Journal and New York Times, which are printed at the Los Angeles Times’ Olympic printing plant in downtown Los Angeles.

    the company suspected the cyberattack originated from outside the United States,

    “We believe the intention of the attack was to disable infrastructure, more specifically servers, as opposed to looking to steal information,” said the source,

    “Every market across the company was impacted,”

    After identifying the server outage as a virus, technology teams made progress Friday quarantining it and bringing back servers, but some of their security patches didn’t hold and the virus began to reinfect the network, impacting a series of servers used for news production and manufacturing processes.

    Malware attacks are extremely common, affecting millions of computers in homes, offices and other organizations every day

    Neino also said that tracking the identity of attackers can be difficult since malware code is often freely distributed online.

    Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group, said that “usually when someone tries to disrupt a significant digital resource like a newspaper, you’re looking at an experienced and sophisticated hacker.”

    Dixon added that the holidays are “a well known time for mischief” by digital troublemakers, because organizations are more thinly staffed.

    “It’s an optimal time to attack a major target,” she said.

  7. Tomi Engdahl says:

    Madhumita Murgia / Financial Times:
    Privacy International: popular Android apps like TripAdvisor, Kayak, Indeed, MyFitnessPal share data with Facebook without user consent, possibly violating GDPR

    Popular apps share data with Facebook without user consent
    Developers say social network’s default option puts them in breach of EU regulations
    https://www.ft.com/content/62f74704-0abf-11e9-9fe8-acdb36967cfc

    Some of the most popular apps for Android smartphones, including Skyscanner, TripAdvisor and MyFitnessPal, are transmitting data to Facebook without the consent of users in a potential breach of EU regulations.

    send certain data to Facebook the second that they are opened on a phone, before users can be asked for permission.

    mobile apps are required to have the explicit consent of users before collecting their personal information

  8. Tomi Engdahl says:

    Guardzilla Home Cameras Open to Anyone Wanting to Watch Their Footage
    https://threatpost.com/guardzilla-cameras-flaw/140415/

    The home surveillance cams have hard-coded credentials.

    Another day, another internet of things (IoT) issue: A design flaw in the Guardzilla home video surveillance system has been discovered that allows users to watch other homeowners’ Guardzilla videos.

    The Guardzilla All-In-One Video Security System is a home security platform that provides indoor video surveillance. The GZ501W model camera contains a shared, hard-coded Amazon S3 credential used for storing saved video data in the Amazon cloud – so all users of the Guardzilla All-In-One Video Security System have the same password, and thus can access each other’s saved home video. And, any unauthenticated user can collect the data from any of the systems over the internet as long as they know the storage details.

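
Added example (not part of the comment above and not from the Threatpost article): a small Python scanner for exactly this class of defect, a shared AWS access key and secret baked into a firmware image. It pulls every access key ID out of a binary blob and pairs it with a nearby high-entropy 40-character string, so padding and repeated bytes are not mistaken for a secret. The sample blob is constructed, and the key pairs in it are the placeholder values from AWS's own documentation, not Guardzilla's credentials.

```python
"""Scan a firmware image (or any binary blob) for hard-coded AWS credentials.

Added example for this page; it is not Guardzilla code and was not taken
from the article. The sample blob and the credential values in it are
constructed (the key pairs are the placeholder values AWS uses in its own
documentation)."""
import math
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Long-lived access key IDs start with AKIA (ASIA for temporary ones) and are
# exactly 20 upper-case letters/digits; secret keys are 40 base64-alphabet chars.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Random secrets score well above 3.5;
    padding, repeated characters and English words score far lower."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    offset: int             # byte offset of the access key ID in the blob
    access_key: str
    secret: Optional[str]   # None when no plausible secret sits nearby


def find_aws_credentials(blob: bytes, window: int = 512,
                         min_entropy: float = 3.5) -> List[Finding]:
    """Return every access key ID in the blob, paired with the first
    high-entropy 40-character string found within `window` bytes of it."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo = max(0, m.start() - window)
        hi = min(len(blob), m.end() + window)
        secret = None
        for s in SECRET_RE.finditer(blob, lo, hi):
            if shannon_entropy(s.group(0)) >= min_entropy:
                secret = s.group(0).decode("ascii")
                break
        findings.append(Finding(m.start(), m.group(0).decode("ascii"), secret))
    return findings


# Constructed sample "firmware": NUL padding around an embedded config fragment,
# then a second key ID that only has a low-entropy 40-byte string near it.
SAMPLE_FIRMWARE = (
    b"\x00" * 64
    + b"[cloud]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
    + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    + b"bucket=example-camera-clips\n"
    + b"\x00" * 600
    + b"AKIAI44QH8DHBEXAMPLE\x00" + b"A" * 40 + b"\x00" * 64
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FIRMWARE
    for f in find_aws_credentials(data):
        state = "secret nearby" if f.secret else "no secret nearby"
        print(f"0x{f.offset:08x}  {f.access_key}  {state}")
```

Run it against the unpacked filesystem of the image (after `binwalk -e` or similar) rather than a compressed image, since the regexes only see plaintext. A hit means every unit shipping that image shares the credential; rotating the shared key does not fix that, issuing short-lived per-device credentials from a backend does.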
  9. Tomi Engdahl says:

    In January, the EU starts running Bug Bounties on Free and Open Source Software
    https://juliareda.eu/2018/12/eu-fossa-bug-bounties/

  10. Tomi Engdahl says:

    India empowers agencies to snoop on computers; critics decry ‘surveillance state’
    https://www.reuters.com/article/us-india-surveillance/india-empowers-agencies-to-snoop-on-computers-critics-decry-surveillance-state-idUSKCN1OK1E6

    India has authorized 10 federal government agencies to intercept and monitor information from any computer, a move opposition parties said on Friday risked creating a “surveillance state”.

  11. Tomi Engdahl says:

    Hackers Steal Personal Information of North Koreans in South Korea
    https://www.wsj.com/articles/hackers-steal-personal-information-of-north-korean-defectors-in-south-korea-11546001022

    A likely culprit is North Korea, which attempts an estimated 1.5 million cyberattacks daily, or 17 every second

  12. Tomi Engdahl says:

    Windows Zero-Day Bug Allows Overwriting Files with Arbitrary Data
    https://www.bleepingcomputer.com/news/security/windows-zero-day-bug-allows-overwriting-files-with-arbitrary-data/

    A security researcher has disclosed exploit code for a fourth zero-day vulnerability in the Windows operating system in as many months. The bug enables overwriting a target file with arbitrary data.

    Running the proof-of-concept (PoC) code provided by the researcher that uses the online alias SandboxEscaper results in overwriting ‘pci.sys’ with information about software and hardware problems, collected through the Windows Error Reporting (WER) event-based feedback infrastructure.

  13. Tomi Engdahl says:

    Drew Harwell / Washington Post:
    How deepfakes, AI-generated videos that graft a person’s face onto another’s body, have been weaponized to harass and humiliate their subjects, mostly women

    Fake-porn videos are being weaponized to harass and humiliate women: ‘Everybody is a potential target’
    https://www.washingtonpost.com/technology/2018/12/30/fake-porn-videos-are-being-weaponized-harass-humiliate-women-everybody-is-potential-target/?utm_term=.7e0e0fa378f1

    ‘Deepfake’ creators are making disturbingly realistic, computer-generated videos with photos taken from the Web, and ordinary women are suffering the damage

    The video showed the woman in a pink off-the-shoulder top, sitting on a bed, smiling a convincing smile.

    It was her face. But it had been seamlessly grafted, without her knowledge or consent, onto someone else’s body: a young pornography actress, just beginning to disrobe for the start of a graphic sex scene. A crowd of unknown users had been passing it around online.

    She felt nauseated and mortified: What if her co-workers saw it? Her family, her friends? Would it change how they thought of her? Would they believe it was a fake?

    “I feel violated — this icky kind of violation,”

    But recent breakthroughs in machine-learning technology, employed by creators racing to refine and perfect their fakes, have made fake-video creation more accessible than ever. All that’s needed to make a persuasive mimicry within a matter of hours is a computer and a robust collection of photos, such as those posted by the millions onto social media every day.

  14. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    All photos uploaded to Twinning, Popsugar’s tool to match a user’s photo with a celebrity’s, were accessible from a public AWS storage bucket that is now locked

    Popsugar’s Twinning app was leaking everyone’s uploaded photos
    https://techcrunch.com/2018/12/31/popsugar-twinning-leak-selfie-photos/

    I thought the worst thing about Popsugar’s Twinning tool was that it matched me with James Corden.

    Turns out, the hundreds of thousands of selfies uploaded to the tool were easily downloadable by anyone who knew where to look.

    The popular photo-matching tool is fairly simple. “It analyzes a selfie or uploaded photo, compares it to a massive database of celebrity photos to find matches, and finally gives you a ‘twinning percentage’ for your top five look-alikes,” according to Popsugar, which developed the tool. Then, you share those matched photos on Facebook and Twitter so everyone knows that you don’t look at all like one of the many Kardashians.

    All of the uploaded photos are stored in a storage bucket hosted on Amazon Web Services. We know because the web address of the bucket is in the code on the Twinning tool’s website. Open that in your web browser, and we saw a real-time stream of uploaded photos.

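
Added example (not Popsugar's code and not from the TechCrunch article) showing the two steps the reporter describes: find the bucket address in the site's JavaScript, then look at what a GET of the bucket root returns. The JS snippet, the bucket names and the XML responses below are all constructed; the response shapes (a `ListBucketResult` document on a listable bucket, an `Error` document with `AccessDenied` or `NoSuchBucket` otherwise) are S3's documented ones.

```python
"""Find S3 bucket references in client-side JavaScript and interpret what a
GET of the bucket's root URL returns.

Added example for this page, not Popsugar's code; the JS snippet, bucket
names and XML bodies below are constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Virtual-hosted style (bucket.s3[.region].amazonaws.com) and
# path-style (s3[.region].amazonaws.com/bucket) bucket URLs.
_BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
S3_URL_RES = [
    re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET),
]


def extract_s3_buckets(source: str) -> List[str]:
    """Bucket names referenced anywhere in a JS/HTML file, in order found."""
    found: List[str] = []
    for rx in S3_URL_RES:
        for m in rx.finditer(source):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


@dataclass
class BucketObject:
    key: str
    size: int
    last_modified: str


@dataclass
class RootCheck:
    verdict: str                 # public-listing / listing-denied / no-such-bucket / ...
    objects: List[BucketObject] = field(default_factory=list)
    truncated: bool = False      # True: more keys exist than one page (MaxKeys) shows


def _tag(el) -> str:
    """Local tag name, ignoring the S3 XML namespace."""
    return el.tag.split("}")[-1]


def classify_root_response(status: int, body: bytes) -> RootCheck:
    """Interpret the response to GET https://<bucket>.s3.amazonaws.com/ .

    200 + ListBucketResult: anyone can enumerate the bucket's keys.
    403 + AccessDenied: listing is blocked (individual objects may still be
    readable if their URLs leak, so check an object URL as well)."""
    root = ET.fromstring(body)
    if status == 200 and _tag(root) == "ListBucketResult":
        check = RootCheck("public-listing")
        for child in root:
            name = _tag(child)
            if name == "IsTruncated":
                check.truncated = (child.text or "").strip().lower() == "true"
            elif name == "Contents":
                f = {_tag(ch): (ch.text or "") for ch in child}
                check.objects.append(BucketObject(f["Key"], int(f["Size"]), f["LastModified"]))
        return check
    if _tag(root) == "Error":
        code = root.findtext("Code") or ""
        return RootCheck({"AccessDenied": "listing-denied",
                          "NoSuchBucket": "no-such-bucket"}.get(code, "error:" + code))
    return RootCheck("unexpected:%d" % status)


# --- constructed inputs -------------------------------------------------------
SAMPLE_JS = """
var UPLOAD_BASE = "https://example-twinning-uploads.s3.amazonaws.com/";
function upload(file) { return fetch(UPLOAD_BASE + file.name, {method: "PUT", body: file}); }
var CELEB_INDEX = 'https://s3.us-west-2.amazonaws.com/example-celebrity-faces/index.json';
"""

SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-twinning-uploads</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys>
  <IsTruncated>true</IsTruncated>
  <Contents><Key>uploads/2018-12-31/8f3a1c.jpg</Key>
    <LastModified>2018-12-31T10:01:12.000Z</LastModified><Size>348211</Size></Contents>
  <Contents><Key>uploads/2018-12-31/9b02ee.jpg</Key>
    <LastModified>2018-12-31T10:01:15.000Z</LastModified><Size>402977</Size></Contents>
</ListBucketResult>"""

SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""

if __name__ == "__main__":
    for bucket in extract_s3_buckets(SAMPLE_JS):
        print("bucket referenced in page source:", bucket)
    r = classify_root_response(200, SAMPLE_LISTING)
    print(r.verdict, len(r.objects), "objects, truncated =", r.truncated)
    print(classify_root_response(403, SAMPLE_DENIED).verdict)
```

Against a live site the two inputs come from the page's JS files and from `curl -si https://<bucket>.s3.amazonaws.com/` (status line plus body). `truncated` set to `True` means the listing is only the first page and the bucket holds more objects than `MaxKeys`. The fix on the bucket side is to block public access and have the browser upload through presigned URLs issued by the backend, so the bucket address in the page source stops being a listing endpoint.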
  15. Tomi Engdahl says:

    Researchers develop artificial fingerprints, claiming they could hack into a third of smartphones
    https://www.cnbc.com/2018/12/28/research-claims-fake-fingerprints-could-hack-a-third-of-smartphones.html

    Researchers at New York University and the Michigan State University have developed images of fingerprints that have the potential to unlock devices.
    They told CNBC their findings suggested such an attack could be profitable for hackers.
    The way devices store images of fingerprints could be made more secure, the researchers said.

  16. Tomi Engdahl says:

    Meng Jing / South China Morning Post:
    Beijing plans to adopt facial recognition-enabled smart locks in its public housing projects involving 120K tenants in 2019 to crack down on illegal subletting

    Beijing turns to facial recognition to combat public housing abuses
    https://www.scmp.com/tech/innovation/article/2179819/beijing-turns-facial-recognition-combat-public-housing-abuses

    The smart lock is one of the latest hi-tech tools authorities are using to keep an eye on its citizens

  17. Tomi Engdahl says:

    Aria Thaker / Quartz:
    Aadhaar, India’s biometric ID program, had its constitutional status upheld in a year of breaches, food rations being denied due to scanning failures, and more

    Should old biometrics be forgot, and never brought to mind?
    In a year of data breaches, India’s massive biometric programme finally found legitimacy
    https://qz.com/india/1501568/in-2018-supreme-court-backed-indias-aadhaar-despite-data-leaks/

    After almost a decade since its launch, India’s controversial biometric identity programme, Aadhaar, finally got a measure of clarity and legitimacy in 2018—but not before a few egregious breaches were exposed.

    Having enrolled over 1.22 billion Indians till November, the project saw several breaches and multiple accounts of data leaks being reported this year, intensifying fears about its security.

    Unique Identification Authority of India (UIDAI) has a record of trying to muzzle critics challenging the very legitimacy of the programme

    Though critics in India had already spoken of Aadhaar’s compromised data security practices, The Tribune report was perhaps the first to stir up an international media storm.

    Vulnerabilities in the enrolment system also came up for scrutiny this year: For instance, an alleged Pakistani spy and the Hindu god Hanuman were found to have Aadhaar numbers issued to them.

    Reports even said that a version of the enrolment software had been manipulated

    Once again, the UIDAI denied these reports.

    To prove that such security breaches weren’t possible, India’s telecom regulator, and the first director-general of the UIDAI, tweeted out his Aadhaar number in July, challenging anyone to try and do him harm. The Twittersphere obliged, with some even creating fake Aadhaar cards that passed as genuine when submitted as online ID proofs.

    The awkwardness of the situation forced the UIDAI to issue a statement urging people to not reveal their Aadhaar numbers in public.

    “More security breaches come out when more people are paying attention to the issue,”

    The supreme court judgment confirmed that basic benefits such as rations, pensions, and daily wages would require Aadhaar. This seemed to have overlooked a key problem: the acute hardship faced by rural India.

    Certain state welfare benefits, such as food rations, are distributed after biometric Aadhaar authentication, where a person must undergo fingerprint scanning to prove one’s Aadhaar identity. However, authentication failures have been frequent in rural India, wherein people’s fingerprints do not scan properly due to multiple reasons

    Often, such technical failures have resulted in people being denied their rations and, in extreme cases reportedly leading to starvation deaths. So far in 2018, up to 28 starvation deaths—14 of which were Aadhaar-related—have been documented, according to a report this September.

    “The starvation deaths are one very extreme manifestation of the problem,” Reetika Khera, an economics professor who has researched Aadhaar extensively, told Quartz.

    The supreme court judgment’s ban on private-sector Aadhaar use

    But recent reports now indicate that Modi’s cabinet, the reports claim, approved the idea of amending the law to let private companies use Aadhaar on a voluntary basis

    “Initially, they said Aadhaar is for welfare. Then they tried it with mobile, bank, and everything. And now that function creep is coming back,” she said. “Tomorrow, they’ll say ‘we want to do biometric authentication at the time of voting.’”

  18. Tomi Engdahl says:

    Critics of Aadhaar project say they have been harassed, put under surveillance
    https://in.reuters.com/article/india-aadhaar-breach/critics-of-aadhaar-project-say-they-have-been-harassed-put-under-surveillance-idINKCN1FX1SS

    Researchers and journalists who have identified loopholes in India’s massive national identity card project have said they have been slapped with criminal cases or harassed by government agencies because of their work.

  19. Tomi Engdahl says:

    Student Finds Hidden Devices in the College Library – Are they nefarious?
    https://www.youtube.com/watch?v=UeAKTjx_eKA

    A reddit user finds raspberry pi zeros hidden behind trash cans, vending machines and other places in the college library. We reverse engineer them and determine if they are malicious.

  20. Tomi Engdahl says:

    Ex-MtGox Bitcoin Chief Maintains Innocence in Trial Closing Arguments
    https://www.securityweek.com/ex-mtgox-bitcoin-chief-maintains-innocence-trial-closing-arguments

    The former head of collapsed bitcoin exchange MtGox apologised Thursday for losses that bankrupted the firm but insisted he was innocent of charges including embezzlement at closing arguments in his Tokyo trial, local media reported.

  21. Tomi Engdahl says:

    US Investigating CenturyLink Internet Outage, 911 Failures
    https://www.securityweek.com/us-investigating-centurylink-internet-outage-911-failures

    U.S. officials and at least one state said Friday that they have started investigations into a nationwide CenturyLink internet outage that has disrupted 911 service.

    Federal Communications Commission Chairman Ajit Pai called the outage that began Thursday “completely unacceptable” because people who need help couldn’t use the emergency number.

    “Its breadth and duration are particularly troubling,” he said.

    The commission’s Public Safety and Homeland Security Bureau will investigate the cause and effect of the outage, he said.

  22. Tomi Engdahl says:

    Cyberattack Hits US Newspaper Deliveries: Report
    https://www.securityweek.com/cyberattack-hits-us-newspaper-deliveries-report

    A malware attack that appears to have originated outside the US delayed the hardcopy distribution of several major newspapers, according to a report.

    The LA Times said Saturday that the attack, which was first assumed to have been a server outage, hit a computer network at Tribune Publishing which is connected to the production and printing process of multiple newspapers around the country.

  23. Tomi Engdahl says:

    National Guard From 4 States Will Help With Cyber Operations
    https://www.securityweek.com/national-guard-4-states-will-help-cyber-operations

    National Guard soldiers from Colorado, North Dakota, South Dakota and Utah are deploying to Fort Meade, Maryland, as part of a cyber protection team supporting U.S. military operations in Afghanistan.

  24. Tomi Engdahl says:

    Vulnerabilities in WibuKey Could Lead to Code Execution
    https://www.securityweek.com/vulnerabilities-wibukey-could-lead-code-execution

    Vulnerabilities in the WibuKey Digital Rights Management (DRM) solution could be leveraged to disclose information, elevate privileges, or even execute code on affected systems.

    Available for many interfaces and operating systems, WibuKey has been used in numerous solutions, including Straton, Archicad, GRAPHISOFT, V-Ray and others. However, Wibu Systems recommends that new projects use another of its technologies instead.

  25. Tomi Engdahl says:

    Evasive Malware, Meet Evasive Phishing
    https://www.securityweek.com/evasive-malware-meet-evasive-phishing

    In a previous column, I wrote about how evasive malware has become commoditized and described how the techniques being used in any given piece of malware had grown in number and sophistication—the layering of multiple techniques being its own form of sophistication. At the time, we had been digging around in our sandbox array and found that 98 percent of malware sent for analysis was using at least one evasive technique, and one-third of malwares were using a combination of six or more detection evasion techniques. Then there are malwares like Cerber ransomware, which is very sandbox aware and runs 28 evasive processes or, if you like, uses 28 techniques intended to confound security systems and thus evade detection.

  26. Tomi Engdahl says:

    Ryuk Ransomware Involved in Cyberattack Stopping Newspaper Distribution
    https://www.bleepingcomputer.com/news/security/ryuk-ransomware-involved-in-cyberattack-stopping-newspaper-distribution/

    A cyberattack reportedly bearing the signature of Ryuk ransomware caused disruption over the weekend in printing and delivery of major newspapers in the US from Tribune Publishing and Los Angeles Times.

    The publications affected by the attack include the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune, Baltimore Sun, Lake County News-Sun, Post-Tribune, Hartford Courant, Capital Gazette, and Carroll County Times.

    The Ryuk ransomware strain came to attention in August 2018 when it was reported to have made over $640,000 in Bitcoin for the group behind it. It is typically used in targeted attacks carried out through phishing, but it could also be planted through insecure remote desktop connections.

    An analysis from security company Check Point shows code similarities with Hermes, a ransomware strain attributed to the North Korean hacker group Lazarus.

    A statement from the Los Angeles Times explaining the incident says that it was caused by a computer breakdown.

    The publication offered more details in a later article where it says that the outage was due to a “malware attack, which appears to have originated from outside the United States and hobbled computer systems and delayed weekend deliveries of the Los Angeles Times and other newspapers across the country.”

    Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
    https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html

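
Added example (not from the BleepingComputer article): detection logic for the remote desktop entry point the article mentions, run over constructed Windows Security events in JSON form (event 4625 failed logon, 4624 successful logon, LogonType 10 = RemoteInteractive, i.e. RDP). It flags a source that racks up failed RDP logons inside a short window, and flags it again, as a separate alert, if that same source then logs in successfully. The events, account names and source addresses (documentation ranges) are all constructed.

```python
"""Flag RDP password guessing, and a later successful RDP logon from the same
source, in Windows Security events 4625 (failed logon) and 4624 (successful
logon) with LogonType 10 (RemoteInteractive, i.e. RDP).

Added example for this page; it is not from the article. Events are JSON
objects in the shape a log forwarder typically emits; the sample events and
their addresses (documentation ranges) are constructed."""
import json
import sys
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

RDP_LOGON_TYPE = 10


@dataclass
class Alert:
    source_ip: str
    kind: str           # "rdp-bruteforce" or "rdp-bruteforce-then-success"
    count: int          # failures still inside the window when the alert fired
    first_seen: str
    last_seen: str
    users: List[str]    # account names tried (or, on success, the one that worked)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_rdp_bruteforce(events: Iterable[dict], threshold: int = 10,
                          window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """One alert per source once it reaches `threshold` RDP failures inside
    `window`, and another if that source later logs in successfully."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged = set()
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                      # network/interactive logons: separate rules
        ip, t = ev.get("IpAddress", "-"), _ts(ev["TimeCreated"])
        q = recent[ip]
        while q and t - q[0][0] > window:
            q.popleft()                   # drop failures that fell out of the window
        if ev["EventID"] == 4625:
            q.append((t, ev.get("TargetUserName", "")))
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(Alert(ip, "rdp-bruteforce", len(q), q[0][0].isoformat(),
                                    t.isoformat(), sorted({u for _, u in q})))
        elif ev["EventID"] == 4624 and ip in flagged:
            first = q[0][0] if q else t
            alerts.append(Alert(ip, "rdp-bruteforce-then-success", len(q), first.isoformat(),
                                t.isoformat(), [ev.get("TargetUserName", "")]))
    return alerts


# --- constructed sample events ------------------------------------------------
def _ev(event_id: int, when: datetime, user: str, ip: str, logon_type: int = RDP_LOGON_TYPE) -> dict:
    return {"EventID": event_id, "TimeCreated": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "LogonType": logon_type, "TargetUserName": user, "IpAddress": ip}

_T0 = datetime(2018, 12, 28, 3, 14, 0)
SAMPLE_EVENTS = (
    # a user mistyping a password three times, then getting in: benign
    [_ev(4625, _T0 - timedelta(minutes=14, seconds=20 * i), "jsmith", "198.51.100.7") for i in range(3)]
    + [_ev(4624, _T0 - timedelta(minutes=13), "jsmith", "198.51.100.7")]
    # twelve RDP failures in under three minutes, cycling through account names
    + [_ev(4625, _T0 + timedelta(seconds=15 * i),
           ["administrator", "admin", "backup", "scanner"][i % 4], "203.0.113.45") for i in range(12)]
    # followed by a successful RDP logon from the same source
    + [_ev(4624, _T0 + timedelta(seconds=200), "backup", "203.0.113.45")]
    # network logon failures (type 3, e.g. SMB) are out of scope for this rule
    + [_ev(4625, _T0 + timedelta(seconds=i), "svc_backup", "192.0.2.9", logon_type=3) for i in range(11)]
)

if __name__ == "__main__":
    events = [json.loads(l) for l in open(sys.argv[1])] if len(sys.argv) > 1 else SAMPLE_EVENTS
    for a in detect_rdp_bruteforce(events):
        print(f"{a.kind:28} {a.source_ip:15} failures={a.count:<3} {a.first_seen} .. {a.last_seen} {a.users}")
```

Export the events as one JSON object per line and pass the file as the first argument. The `rdp-bruteforce-then-success` alert is the one to page on, since a guessed password on an internet-facing RDP host is the foothold everything else is built on; the cheaper control is not exposing port 3389 to the internet at all.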
  27. Tomi Engdahl says:

    Ransomware vs. printing press? US newspapers face “foreign cyberattack”
    https://www.welivesecurity.com/2018/12/31/ransomware-printing-press-newspapers/

    Did malware disrupt newspaper deliveries in major US cities? Here’s what’s known about the incident so far and the leading suspect: Ryuk ransomware. Plus, advice on defending your organization against such attacks.

  28. Tomi Engdahl says:

    How Facebook Tracks Non-Users via Android Apps
    https://threatpost.com/how-facebooks-tracks-non-users-via-android-apps/140436/

    If you quit Facebook or never joined because of its data collecting practices the odds are good the social network is still tracking you – despite your protest.

    Facebook collects data of non-users of its social network via dozens of mainstream Android apps that send tracking and personal information back to the social network. Some of the dozens of apps sharing data with Facebook include Kayak, Yelp and Shazam, according to a report presented by Privacy International on Saturday here at 35C3.

  29. Tomi Engdahl says:

    Hackers Make a Fake Hand to Beat Vein Authentication
    https://motherboard.vice.com/en_us/article/59v8dk/hackers-fake-hand-vein-authentication-biometrics-chaos-communication-congress

    Security researchers disclosed new work at the Chaos Communication Congress showing how hackers can bypass vein based authentication.

    Devices and security systems are increasingly using biometric authentication to let users in and keep hackers out, be that fingerprint sensors or perhaps the iPhone’s FaceID. Another method is so-called ‘vein authentication,’ which, as the name implies, involves a computer scanning the shape, size, and position of a user’s veins under the skin of their hand.

    But hackers have found a workaround for that, too. On Thursday at the annual Chaos Communication Congress hacking conference in Leipzig, Germany, security researchers described how they created a fake hand out of wax to fool a vein sensor.

  30. Tomi Engdahl says:

    ‘Roma225’ campaign targets companies in the Italian automotive sector
    https://securityaffairs.co/wordpress/79324/malware/roma225-campaign-italian-automotive.html

    The malware was spread through well-written phishing email trying to impersonate a senior partner of one of the major Brazilian business law firms: “Veirano Advogados”.

  31. Tomi Engdahl says:

    China’s APT10
    https://www.schneier.com/blog/archives/2018/12/chinas_apt10.html

    Wired has an excellent article on China’s APT10 hacking group. Specifically, on how they hacked managed service providers in order to get to their customers’ networks.

    HOW CHINA’S ELITE HACKERS STOLE THE WORLD’S MOST VALUABLE SECRETS
    https://www.wired.com/story/doj-indictment-chinese-hackers-apt10/

    the country’s elite APT10—short for “advanced persistent threat”—hacking group decided to target not just individual companies in its long-standing efforts to steal intellectual property, but instead focus on so-called managed service providers. They’re the businesses that provide IT infrastructure like data storage or password management. Compromise MSPs, and you have a much easier path into all these clients. They’re the super.

    “MSPs are incredibly valuable targets. They are people that you pay to have privileged access to your network,” says Benjamin Read, senior manager for cyberespionage analysis at FireEye. “It’s a potential foothold into hundreds of organizations.”

  32. pentesteracademy says:

    top 5 Web_Server_Exploitation for penetration testers
    Arachni is a feature-full, modular, high-performance Ruby framework aimed at helping penetration testers and administrators evaluate the security of web applications.
    It is smart: it trains itself by monitoring and learning from the web application’s behavior during the scan process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify (or avoid) false positives.

  33. Durgesh says:

    Bypassing Duo Two-Factor Authentication (Fail Open)
    Oftentimes while performing penetration tests it can be useful to connect to a system via the Remote Desktop Protocol (RDP). I often use rdesktop or xfreerdp to connect to a host once I have obtained credentials, to do all kinds of things like use Active Directory Users and Computers or SQL Management Studio. One of the roadblocks I have run into is that my client is protecting access to RDP on Windows with Duo. This can be a real pain, especially when port 3389 is the only port open on the jump box that I need to be able to pivot into another network. The last time this happened I found an article by Alex Lomas at Pen Test Partners that detailed the methods you can use to bypass this.

    These attack methods are valid assuming that the target has configured their Duo implementation to “fail open”. This is actually quite common, as it is the default setting. If a system has Duo 2FA configured to fail closed and they lose internet connectivity or have issues with DNS, they get completely locked out of their workstations/servers. This is not acceptable for many organizations and so fail open is the most common choice.

